ASA5510 problems with NAT & ssh & RDP & ACLs

vgoradia
Level 1

So we have an inside network (172) and an outside network (11), and we want to install a 5510 in between.

Basically, I would want to be able to:

#1) SSH into the 5510 from the outside network.

#2) I want outside users to be able to use RDC (Remote Desktop Connection) from the outside to a couple of devices on the inside.

#3) A couple of devices on the inside should be able to print to a networked printer on the outside network.

With these requirements, I set out to configure the 5510.

However, I cannot get anything to work.

No SSH, no telnet, no pings, and certainly no RDP.

My guess is that problems abound with the way my ACLs are set.

I'm attaching my sh run.

I took the SSH config off and tried to at least get telnet working, but I was unsuccessful.

If anyone has any suggestions, I would be so very thankful and appreciative!

Also, 11.1.55.1 is the outside router (gateway).

11.1.55.100 is the IP of the 5510 (outside).

172.16.4.231 is the IP of the 5510 (inside).

Some of the inside devices have IPs starting with 172.16.4.1, and I have static NAT configured so some of the inside devices can access the web and maybe print?


thefindjack
Level 1

First off, do you really need to limit access from your inside network to your outside network? Second, for your internet users you should probably not do static NAT unless you only have 1 or 2 machines using the internet. You will also need to add the command "no nat-control"; without this command, anything that isn't getting NAT'd will not be allowed to pass the firewall. If you don't want to add it, you need to NAT every address to itself for them to pass. That could be your biggest problem.

Please rate if this helps!

Yes, I only have about 5 inside machines that need to access the web and an outside server to dump data, so NATing the 5 devices should be OK.

My biggest concern is my ability to SSH into the firewall and for all outside users to be able to RDC into the inside machines. How do I set those two things up?

Good point about "no nat-control", thefindjack. Remember that "no nat-control" is the default, though.

NAT control used to be the default in older versions, though, so "nat-control" can show up in the configuration if the device was upgraded from an older version of the software.

Cheers,

Eloy.-

elparis
Cisco Employee

Hello,

You can't even ping the outside address of the ASA? You should, based on the configuration.

With regards to SSH access to the ASA, you need to explicitly permit SSH access. You do this with the "ssh" command, as in:

ssh <source-ip> <netmask> <interface>

like:

ssh 1.2.3.0 255.255.255.0 outside

You also need to set the telnet password (which is also used for SSH if there is no AAA config) via the command "password". You will then SSH in using the username "pix" and that password. You can also use "aaa authentication ssh console <server-tag>" to set up other authentication methods.

The statics for your Windows machines (which you'll access via RDP) look fine.

A potential problem I see is the ACL applied to the inside interface - it's too restrictive. If that is what you need that is okay, of course, but I recommend that you set the logging level to debug ("logging console debug" if you are at the console) and try to connect - you'll see the debugging messages indicating what traffic has been denied.

For the inside host to get out you need to configure NAT if your printers on the outside can't talk to the RFC 1918 address you are currently using on the inside. You can start with a simple NAT configuration. For example:

nat (inside) 1 0 0

global (outside) 1 interface

This will allow your internal hosts to go out using PAT and the outside interface of the ASA.

Hope this helps.

I consoled into the firewall and tried to ping my 11.1.55.1 gateway router from the 5510's outside interface; I was not able to ping.

Then I proceeded to ping one of the inside machines using the 5510 inside interface IP; again, I was not able to ping.

Regarding SSH, yes, I had it configured as

ssh 1.2.3.0 255.255.255.0 outside

but this did not work.

I double and triple checked my connections at the back of the 5510.

Also, I tried all the above via ASDM but it did not work.

I do remember inserting the "no nat-control" command and then taking it off.....

Also, how can I make my ACLs the least restrictive so I can at least get SSH/telnet working, since the 5510 is in another building on my campus?

I'm just at a loss of ideas...

Does "sh int" on the ASA show the interfaces as up/up? And what about "sh int" on the switch the ASA is connected to? If the ASA is directly connected to a router or cable modem, are you using a crossover cable?

You can enable a packet capture and see what is going on. For example:

capture mycapture interface outside

Then try to ping and then run "show capture mycapture" to see what the ASA is seeing.

Nothing will work if you don't have basic IP connectivity first, so you need to fix that before you can move on to configuring SSH, NAT, etc.

OK, this is way too embarrassing.

I had the cables plugged incorrectly into the 5510.

I don't know what to say...

Now SSH from outside works fine.

Inside the 5510, all devices can ping the 5510.

How do I enable ASDM from the outside?

When I try to launch ASDM, it gives me an error saying the device manager cannot be launched from the IP address 11.1.55.100 (this is the 5510's outside interface IP).

OK, I finally got ASDM to work on the outside interface also.

But I'm still stuck with the core problem of RDC.

I'm able to get to the logon screen of the inside devices but cannot successfully RDC in.

My access list 110 is applied to the ingress of interface outside.

Maybe I need an access list on the interface inside also? Ingress or egress?

This is my sh run:

ASA Version 8.0(3)
!
hostname Cisco-5510
enable password xxx
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.x.x.100 255.255.255.0
!
interface Ethernet0/1
 description XYZ Network
 nameif inside
 security-level 100
 ip address 172.16.4.231 255.255.252.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 110 extended permit tcp any host 11.1.55.85 eq 3389
access-list 110 extended permit tcp any host 11.1.55.86 eq 3389
pager lines 24
logging enable
logging asdm informational
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
static (inside,outside) 11.1.55.85 172.16.4.53 netmask 255.255.255.255
static (inside,outside) 11.1.55.86 172.16.4.1 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 11.1.55.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 11.1.55.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 management
no crypto isakmp nat-traversal
telnet timeout 30
ssh 11.1.55.0 255.255.255.0 outside
ssh 172.16.4.0 255.255.252.0 inside
ssh timeout 15
: end

You don't need an ACL applied to the inside interface unless you want to prevent some inside host from going out. This is because traffic from a high security interface (interface inside has a security level of 100) going to a low security interface (interface outside has a security level of 0) is permitted by default. The opposite (from low to high) is not permitted by default, which is why you need an ACL applied to the outside interface.

Anyway, back to the problem at hand - if you get the Windows logon screen things should work just fine. I can't see anything at layer 3 or 4 (on the ASA) that would prevent things from working.

When you say "cannot successfully RDC in", does the RDC window suddenly disappear, or you get some error message there? Can you RDC in successfully from 172.16.4.53 to 172.16.4.1, for example? Any errors in the Windows event log?
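As an added illustration (not part of the thread and not Cisco code), here is a small Python model of the decision the reply above describes, fed with the security levels, ACL 110, access-group and statics from the posted configuration; it assumes the pre-8.3 ASA behaviour where the ingress ACL matches on the mapped (outside) address and "no nat-control" is in effect, so untranslated inside hosts still pass.

```python
import ipaddress

# Interface security levels and the address translations from the posted "sh run".
SECURITY = {"outside": 0, "inside": 100}
STATICS = {"11.1.55.85": "172.16.4.53", "11.1.55.86": "172.16.4.1"}  # mapped -> real
REVERSE_STATICS = {real: mapped for mapped, real in STATICS.items()}  # real -> mapped

# access-list 110 entries as (proto, source net, destination net, destination port)
ACL_110 = [("tcp", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("11.1.55.85/32"), 3389),
           ("tcp", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("11.1.55.86/32"), 3389)]
# access-group 110 in interface outside; no ACL is applied to inside
ACCESS_GROUPS = {"outside": ACL_110}

def acl_permits(acl, proto, src, dst, dport):
    """First-match evaluation; an ASA ACL ends with an implicit deny."""
    for aproto, asrc, adst, aport in acl:
        if aproto == proto and src in asrc and dst in adst and (aport is None or aport == dport):
            return True
    return False

def evaluate(in_if, out_if, proto, src, dst, dport=None, access_groups=ACCESS_GROUPS):
    """Decide a new connection arriving on in_if and leaving on out_if.
    Returns (verdict, source as seen on out_if, destination as seen on out_if).
    An interface with an ACL is governed by that ACL; one without falls back to the
    security-level rule (high->low allowed, low->high denied). The static then maps
    mapped->real inbound and real->mapped outbound; hosts without a static pass as-is
    because nat-control is off (the default)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = access_groups.get(in_if)
    if acl is not None:
        if not acl_permits(acl, proto, s, d, dport):
            return ("deny: access-group on " + in_if, None, None)
    elif SECURITY[in_if] < SECURITY[out_if]:
        return ("deny: low-to-high security level without an ACL", None, None)
    if in_if == "inside":   # outbound: translate the source if a static covers it
        return ("permit", REVERSE_STATICS.get(src, src), dst)
    return ("permit", src, STATICS.get(dst, dst))   # inbound: untranslate the destination
```

Passing access_groups={} shows why the access-group is needed at all: without it, RDP from outside is dropped by the security-level default before NAT is even considered.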

Yeah, the RDP is still an issue.

When I try a RDC from an outside device, I get a screen to enter my credentials. This screen DOES NOT mean that there is a valid IP transport present to the inside machine. I verified this with another machine that was switched off and I still got the credential screen.

Anyway, once I enter the credentials (I verified that I had the correct username/password), the RDC is still blocked.

I fired up my ASDM and enabled logging.

I see one error as shown below:

6 Nov 15 2007 11:38:45 302014 11.25.4.70 172.16.4.1 Teardown TCP connection 261 for outside:11.252.4.70/1692 to inside:172.16.4.1/3389 duration 0:00:30 bytes 0 SYN Timeout

Also, yes, I can successfully RDC from 172.16.4.53 to 172.16.4.1.
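As an added example (not from the thread), a parser for the 302014 teardown message quoted above, with a reading of what the "bytes 0" / "SYN Timeout" combination tells a defender; the sample line is constructed from the post and the field names are my own.

```python
import re

# Constructed from the ASDM log line quoted above (ASDM drops the "%ASA-6-" prefix).
SAMPLE = ("6 Nov 15 2007 11:38:45 302014 11.25.4.70 172.16.4.1 Teardown TCP connection 261 "
          "for outside:11.252.4.70/1692 to inside:172.16.4.1/3389 duration 0:00:30 bytes 0 SYN Timeout")

TEARDOWN_RE = re.compile(
    r"302014 .*?Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")

def parse_teardown(line):
    """Return the fields of a 302014 teardown message, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn", "sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec

def diagnose(rec):
    """A 302014 is only logged for a connection the ASA had already built, so the ACL and
    the static were passed. 'SYN Timeout' with 0 bytes means no SYN/ACK came back from the
    inside host before the embryonic timeout, which points at the host (listener, host
    firewall, return route) rather than at the firewall policy."""
    if rec is None:
        return "not a 302014 teardown line"
    if rec["reason"] == "SYN Timeout" and rec["bytes"] == 0:
        return "no SYN/ACK from %s:%s/%d; check the inside host, not the ACL" % (
            rec["dst_if"], rec["dst"], rec["dport"])
    return "torn down after %s, %d bytes: %s" % (rec["duration"], rec["bytes"], rec["reason"])
```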

You need to enable the HTTPS server and configure HTTP access:

http server enable

http 0.0.0.0 0.0.0.0 inside

http 1.2.3.0 255.255.255.0 outside

This enables the HTTPS server and then provides access from anywhere on the inside, and only from 1.2.3.0/24 on the outside.

Then you need to specify the ASDM image, like:

asdm image flash:/asdm-523.bin

(Based on the config you provided, you already have this, so you're good to go there.)
