Access List not Working on ASA 5505?

Answered Question
Feb 18th, 2008

I have an ASA 5505 which I need to open a couple of ports from the outside going in for servers. There are two servers, once handling mail and one for remote administrative access using RDP (Windows servers). The port number for RDP is 3389. If I try to RDP into the server from outside the network, it fails. However, if I try to RDP into the server from internally, even from a different site through a VPN tunnel, it works perfectly. When I open port 3389 to the entire network, I can RDP into the mail server, but I still am not able to RDP into the administrative server. Any suggestions would be welcome.

I have this problem too.
0 votes
Correct Answer by acomiskey about 8 years 11 months ago

Try clearing the arp on the 1721.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
JORGE RODRIGUEZ Mon, 02/18/2008 - 08:32

Jackson, try these ..

If you are using outside interface IP as your outside IP for your static mappings the static entry should be as:

assuming your inside hots for rdp connection is

static (inside,outside) tcp interface 3389 3389 netmask

access-list outside_access_in extended permit tcp any host eq 3389

access-group outside_access_in in interface outside

In the case you use a spare IP from your outside ip subnet in the case of subnet instead of using outside interface,

the static should be:

e.g spare IP

static (inside,outside) netmask

access-list outside_access_in extended permit tcp any host eq 3389

access-group outside_access_in in interface outside

jbrunsting Mon, 02/18/2008 - 08:35

We do have a spare IP, and it's set in there as well with a static mapping for the two servers. However, what you suggested was the first way I'd had it configured and it still didn't work. Any other ideas?

JORGE RODRIGUEZ Mon, 02/18/2008 - 08:51

what does firewall logs tells you when trying to rdp from outside anything in logs?

jbrunsting Mon, 02/18/2008 - 08:52

No, that was the strange thing. There was nothing in the logs at all. Which normally would have made me think that RDP was getting stopped before it ever touched the firewall. However, when I opened RDP up for the other server, it worked perfectly.

acomiskey Mon, 02/18/2008 - 09:02

Sounds like this ip you are trying to use is not being routed to your asa.

JORGE RODRIGUEZ Mon, 02/18/2008 - 09:14

Adam brought up a good point , who is your outside next hop, who routes and networks from your oustide.

jbrunsting Mon, 02/18/2008 - 09:31

The next outside hop is a Cisco 1721 sitting right underneath the firewall. Here's the odd thing: I'm trying to replace a couple of SonicWall firewalls with these ASA's. And RDP is working perfectly well through the old firewall, but not through the Cisco boxes.

JORGE RODRIGUEZ Mon, 02/18/2008 - 09:47

I think that is where your problem is, the 1721 is till routing thoses addresses through the sonicwall firewall instead of the asa5505, if I were to migrate I would do it as a hot cutover, if you had an external switch you could build firewall rules from your sonicwall to asa, using same IP scheme allocate a switchport on the switch for the asa as shutdown and plan a hot-cutover, you can always fallback by enabling the switchport sonicwall is and disabling asa outside interface on the switchport outside, atleast this way you can avoid problems and go back on a second migration attempt. I have done it many times and proves to be the easiest way.

jbrunsting Mon, 02/18/2008 - 09:53

Well, our migration attempts have, so far, consisted of unplugging the interfaces on the SonicWall and plugging them into the asa5505. The SonicWall's not even physically connected to the network at that point, so I don't think that's the issue. The router just sends on the packets to the IP address, which is the asa. I'm beginning to agree with you guys, though, that is seems there might be something strange going on with that IP address.

But then I remember that in our other location, we have the same problem, but with a different server, different IP address, and even a different service! (http)

jbrunsting Mon, 02/18/2008 - 09:57

I haven't yet, and it's a little difficult to try, since we have to schedule the migration attempts for after regular business hours. I'll try that the next chance I get. Do you have any other suggestions of things I could try?

jbrunsting Thu, 02/21/2008 - 15:53

Okay, we're trying again and we flushed the arp cache, still no go. And actually, now none of the other port forwarding is working either!


This Discussion