network hardware
Maxim Grishin, 2017-11-03 17:27:32

Cisco ASA 5506 - how to publish a server behind a router?

There is a Cisco ASA 5506 running in firewall mode with one internal network, 192.168.4.0/24. Behind a router (there is a route) there is another network, .5.0/24, with a server in it that I need to reach via RDP. I publish it on the Cisco by creating a server object, adding automatic NAT rules to it, and specifying the published service (tcp-udp/3389). I add the required servers to the external access list. I run packet-tracer, and it gives me a reverse-path check error:

Type - NAT
Subtype - rpf-check
Action - DROP

Config:
object network DVCAP-DC
 nat (any,outside) static interface no-proxy-arp service tcp 3389 3389

Question: why on earth? Where did the rpf-check come from, if the Cisco has a route to the network and it is bound to the inside interface?
# sh route 
....
S        192.168.5.0 255.255.255.0 [1/0] via 192.168.4.4, inside

PS: the problem was in the packet tracer, so I returned the tag to its place.


2 answer(s)
Maxim Grishin, 2017-11-16
@vesper-bot

The problem turned out to be that in the packet tracer, when checking the configured port forwarding, I set the destination IP directly to the target, and rpf-check found that a packet with such a target IP:port had to go through NAT first, and gave an error. That is, the publication was correct, but the verification method was not. The correct way to check in such cases is to specify the IP:port before NAT (i.e. the Cisco's IP and the forwarded port).
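
A simplified model of the check described in this answer, added here as an illustration (it is not code from the thread and not Cisco's implementation): the forward and reverse flows must match the same NAT rule, which fails when the test packet is addressed to the server's real IP. The addresses 203.0.113.1 (ASA outside IP), 192.168.5.10 (server) and 198.51.100.7 (client), and the names `StaticPat` and `trace`, are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticPat:
    """One static port-forward: real host:port <-> mapped (outside) ip:port."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int
    mapped_ifc: str = "outside"

def forward_rule(rules, in_ifc, dst_ip, dst_port) -> Optional[StaticPat]:
    """Rule that un-translates an inbound packet (match on the mapped address)."""
    for r in rules:
        if in_ifc == r.mapped_ifc and (dst_ip, dst_port) == (r.mapped_ip, r.mapped_port):
            return r
    return None

def reverse_rule(rules, out_ifc, src_ip, src_port) -> Optional[StaticPat]:
    """Rule that would translate the server's reply (match on the real address)."""
    for r in rules:
        if out_ifc == r.mapped_ifc and (src_ip, src_port) == (r.real_ip, r.real_port):
            return r
    return None

def trace(rules, in_ifc, dst_ip, dst_port) -> str:
    """Simplified packet-tracer verdict for a TCP packet arriving on in_ifc."""
    fwd = forward_rule(rules, in_ifc, dst_ip, dst_port)
    real_ip, real_port = (fwd.real_ip, fwd.real_port) if fwd else (dst_ip, dst_port)
    rev = reverse_rule(rules, in_ifc, real_ip, real_port)
    # rpf-check: forward and reverse flows must hit the same NAT rule.
    if fwd is not rev:
        return "DROP (NAT rpf-check)"
    return f"ALLOW -> {real_ip}:{real_port}"

# Constructed addresses: 203.0.113.1 = ASA outside IP, 192.168.5.10 = server.
RULES = [StaticPat("192.168.5.10", 3389, "203.0.113.1", 3389)]

# packet-tracer input outside tcp 198.51.100.7 40000 192.168.5.10 3389
WRONG = trace(RULES, "outside", "192.168.5.10", 3389)
# packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 3389
RIGHT = trace(RULES, "outside", "203.0.113.1", 3389)

if __name__ == "__main__":
    print("destination = real server   :", WRONG)
    print("destination = mapped ip:port:", RIGHT)
```

The model covers only the NAT stage; access-list and routing phases of the real packet-tracer are not represented.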

Rinat Garipov, 2017-11-16
@ragent

Maxim Grishin, there is too little initial data. A network diagram and the ASA config are needed.
