Access List not Working on ASA 5505?

Answered Question
Feb 18th, 2008

I have an ASA 5505 on which I need to open a couple of ports from the outside going in for servers. There are two servers, one handling mail and one for remote administrative access using RDP (Windows servers). The port number for RDP is 3389. If I try to RDP into the server from outside the network, it fails. However, if I try to RDP into the server from internally, even from a different site through a VPN tunnel, it works perfectly. When I open port 3389 to the entire network, I can RDP into the mail server, but I still am not able to RDP into the administrative server. Any suggestions would be welcome.



Correct Answer by acomiskey about 9 years 3 months ago

Try clearing the arp on the 1721.

JORGE RODRIGUEZ Mon, 02/18/2008 - 08:32

Jackson, try these:

If you are using the outside interface IP as your outside IP for your static mappings, the static entry should be as follows, assuming your inside host for the RDP connection is 10.0.2.251:

static (inside,outside) tcp interface 3389 10.0.2.251 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 3389
access-group outside_access_in in interface outside

In the case you use a spare IP from your outside IP subnet (in the case of a 1.1.1.1/28 subnet) instead of the outside interface, e.g. spare IP 1.1.1.3, the static should be:

! one-to-one host static: the mask must be /32, not the subnet mask
static (inside,outside) 1.1.1.3 10.0.2.251 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq 3389
access-group outside_access_in in interface outside




jbrunsting Mon, 02/18/2008 - 08:35

We do have a spare IP, and it's set in there as well with a static mapping for the two servers. However, what you suggested was the first way I'd had it configured and it still didn't work. Any other ideas?

JORGE RODRIGUEZ Mon, 02/18/2008 - 08:51

What do the firewall logs tell you when trying to RDP from outside? Anything in the logs?

jbrunsting Mon, 02/18/2008 - 08:52

No, that was the strange thing. There was nothing in the logs at all. Which normally would have made me think that RDP was getting stopped before it ever touched the firewall. However, when I opened RDP up for the other server, it worked perfectly.

acomiskey Mon, 02/18/2008 - 09:02

Sounds like this IP you are trying to use is not being routed to your ASA.

JORGE RODRIGUEZ Mon, 02/18/2008 - 09:14

Adam brought up a good point: who is your outside next hop, and who routes the 2.2.2.0 and 3.3.3.0 networks from your outside?

jbrunsting Mon, 02/18/2008 - 09:31

The next outside hop is a Cisco 1721 sitting right underneath the firewall. Here's the odd thing: I'm trying to replace a couple of SonicWall firewalls with these ASAs. And RDP is working perfectly well through the old firewall, but not through the Cisco boxes.

JORGE RODRIGUEZ Mon, 02/18/2008 - 09:47

I think that is where your problem is: the 1721 is still routing those addresses through the SonicWall firewall instead of the ASA 5505. If I were to migrate, I would do it as a hot cutover. If you had an external switch, you could build the firewall rules from your SonicWall on the ASA using the same IP scheme, allocate a switchport on the switch for the ASA as shutdown, and plan a hot cutover. You can always fall back by enabling the switchport the SonicWall is on and disabling the switchport for the ASA outside interface; at least this way you can avoid problems and go back for a second migration attempt. I have done it many times and it proves to be the easiest way.



Correct Answer
acomiskey Mon, 02/18/2008 - 09:52

Try clearing the arp on the 1721.

jbrunsting Mon, 02/18/2008 - 09:53

Well, our migration attempts have, so far, consisted of unplugging the interfaces on the SonicWall and plugging them into the ASA 5505. The SonicWall's not even physically connected to the network at that point, so I don't think that's the issue. The router just sends on the packets to the IP address, which is the ASA. I'm beginning to agree with you guys, though, that it seems there might be something strange going on with that IP address.


But then I remember that in our other location, we have the same problem, but with a different server, different IP address, and even a different service! (http)

JORGE RODRIGUEZ Mon, 02/18/2008 - 09:55

Did you try what Adam suggested, clearing the ARP on the outside router?

jbrunsting Mon, 02/18/2008 - 09:57

I haven't yet, and it's a little difficult to try, since we have to schedule the migration attempts for after regular business hours. I'll try that the next chance I get. Do you have any other suggestions of things I could try?

jbrunsting Thu, 02/21/2008 - 15:53

Okay, we're trying again and we flushed the ARP cache; still no go. And actually, now none of the other port forwarding is working either!
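The thread never shows how to tell the two failure modes apart: a NAT/ACL problem on the ASA itself versus packets that never arrive because the upstream 1721 still resolves the spare public IP to the old firewall. The following command sequence, added here as an example and not part of any post in the thread, ties together Jorge's static/ACL configuration and acomiskey's ARP suggestion into a checklist you can run during a cutover window. It assumes the pre-8.3 ASA syntax used above, spare public IP 1.1.1.3 mapped to inside host 10.0.2.251, the 1721 as the ASA's outside next hop, and a hypothetical administrator source address 203.0.113.10; the ACL is narrowed to that source rather than `any`, because an RDP port forwarded from the whole Internet is a brute-force target from the minute it starts working.

```cisco
! Added example (not from the original thread). Assumptions: pre-8.3 ASA
! syntax, 1.1.1.3 <-> 10.0.2.251, 203.0.113.10 as a hypothetical admin host,
! and the 1721 as the outside next hop.
!
! --- ASA 5505: NAT + ACL (a one-to-one host static needs a /32 mask) ---
static (inside,outside) 1.1.1.3 10.0.2.251 netmask 255.255.255.255
! Permit RDP only from the administrator's address, not from "any".
access-list outside_access_in extended permit tcp host 203.0.113.10 host 1.1.1.3 eq 3389
access-group outside_access_in in interface outside
!
! --- ASA: prove the policy is right before blaming the wire ---
! Simulate an inbound RDP SYN; every phase (ACL, NAT, route) must report ALLOW.
packet-tracer input outside tcp 203.0.113.10 40000 1.1.1.3 3389
! The static translation must be present for 10.0.2.251 <-> 1.1.1.3.
show xlate
! The ASA answers ARP for 1.1.1.3 only if proxy ARP is enabled on outside;
! a "sysopt noproxyarp outside" line here means it never will.
show running-config sysopt
!
! --- ASA: is the traffic arriving at all? Capture on outside, then test. ---
capture rdp_out interface outside match tcp any host 1.1.1.3 eq 3389
show capture rdp_out
! An empty capture plus nothing in "show logging" means the packets never
! reach the ASA, which points at the 1721, not at the firewall policy.
no capture rdp_out
!
! --- 1721 (IOS): the upstream hop must resolve 1.1.1.3 to the ASA ---
show arp | include 1.1.1.3
! The MAC shown must match the ASA outside interface ("show interface outside"
! on the ASA). A stale entry still holding the SonicWall's MAC sends the
! traffic to a box that is no longer there.
clear arp-cache
! Re-run the RDP test from 203.0.113.10 and re-check "show capture rdp_out".
```

Two caveats when reusing this. First, the order matters: run packet-tracer and check the xlate before touching the router, since a clean ALLOW result plus an empty capture isolates the fault to the path upstream of the ASA, which is the situation described in the thread (no log entries at all). Second, on ASA 8.3 and later the NAT is written with `object network` and the access-list matches the real inside address (10.0.2.251), not the mapped 1.1.1.3, so the `host 1.1.1.3` form of the ACL shown here applies only to pre-8.3 code.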
