RDP access through ASA 5505

Answered Question
Feb 26th, 2009
Have an ASA 5505. Internet connection is up and active. Having an issue with RDP to an internal server from outside. I thought the access-list statement in the config below is all I would need, but RDP fails and packet-tracer says it's a NAT issue, but I can't spot it. Any ideas or suggestions?

Config:

ASA Version 7.2(4)
!
hostname xxxx
domain-name xxxx
enable password Vjqb/b.vPId8dNqo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.15 Server description Remote Connection to Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.203.125.226 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server Server
 domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 description RDP
 port-object eq 3389
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host Server eq 3389 log debugging
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit udp any any eq snmp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any eq snmp
access-list inside_access_in extended permit udp any any eq tftp
access-list inside_access_in extended permit udp any any eq snmptrap
access-list inside_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,dmz) 192.168.1.20 64.203.125.227 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 64.203.125.225 1
route dmz 64.203.125.228 255.255.255.255 64.203.125.225 1

http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside

telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global



Correct Answer by JORGE RODRIGUEZ, Thu, 02/26/2009 - 20:23

Your inbound ACL for RDP is fine; you just need a static NAT:


! the ASA static form is: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! the mapped (public) address was left out of the original reply; substitute a free
! host address from the outside /28 for the placeholder below
static (inside,outside) <mapped-public-ip> 192.168.1.15 netmask 255.255.255.255


bmcginn Thu, 02/26/2009 - 22:18

Hi there,

As an alternative, you can also do a port forward, so that only traffic destined for tcp port 3389 is forwarded to the box.

! static PAT form: static (real_ifc,mapped_ifc) tcp {mapped_ip | interface} mapped_port real_ip real_port netmask mask [tcp max_conns [emb_limit]]
! the real port after "Server" was missing in the original reply and is required
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0


Brad
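Putting the thread together as an added example (editor's configuration, not code from any of the posters): the "NAT issue" that packet-tracer reported is expected, because the posted config has `nat-control` set and contains no translation at all for 192.168.1.15, so an inbound SYN for the server has nothing to match. The fragment below shows both fixes from the replies, the one-to-one static from the first reply and the port forward from the second, followed by a rebuilt outside ACL and the commands used to verify. Two caveats a practitioner would want before copying this: first, the posted `outside_access_in` opens with `permit ip any any`, which admits any traffic to every translated host and makes the RDP line (and the telnet and SNMP lines) dead weight; second, on 7.2(4), as on every release before 8.3, an interface ACL matches addresses as they appear on that interface, so the inbound RDP entry must name the mapped public address, not the real `host Server` (192.168.1.15), or it will never match once the `permit ip any any` is gone. The mapped address 64.203.125.229 and the admin source range 203.0.113.0/24 are assumptions chosen for illustration; in any case the RDP source should be limited to known management addresses rather than `any`, with an IPsec VPN terminating on the ASA being the usual safer alternative to exposing 3389 at all.

```cisco
! Added example (editor's, not from the thread). ASA 7.2(4), pre-8.3 syntax.
! Server = 192.168.1.15 (the "name" in the posted config).
! ASSUMED values: mapped address 64.203.125.229, a free host in the outside
! /28 (64.203.125.224/28; .225 is the gateway, .226 the interface, .227 is
! already used by the posted static) and admin source range 203.0.113.0/24
! (RFC 5737 documentation space).
!
! nat-control is set in the posted config, so a packet with no matching
! translation is dropped; that is the NAT failure the question's
! packet-tracer run reported.

! ---- Option A (first reply): one-to-one static on a dedicated public address.
!      Every port of .229 now maps to the server; only the ACL limits exposure.
static (inside,outside) 64.203.125.229 192.168.1.15 netmask 255.255.255.255

! ---- Option B (second reply): static PAT (port forward) on the outside
!      interface address 64.203.125.226. Only tcp/3389 is translated.
!      Configure A or B for this host, not both. With B, the ACL destination
!      below becomes "host 64.203.125.226" instead of "host 64.203.125.229".
! static (inside,outside) tcp interface 3389 192.168.1.15 3389 netmask 255.255.255.255 0 0

! ---- Inbound ACL, rebuilt from scratch. The posted list opens with
!      "permit ip any any", which shadows every later entry, and its RDP line
!      names the real IP (host Server), which never matches on the outside
!      interface in pre-8.3 code. The destination must be the MAPPED address.
clear configure access-list outside_access_in
access-list outside_access_in remark RDP to Server from the admin network only (source range is an assumption)
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 host 64.203.125.229 eq 3389 log
access-list outside_access_in remark IKE to the ASA itself, kept from the posted policy
access-list outside_access_in extended permit udp any host 64.203.125.226 eq isakmp
access-list outside_access_in remark the posted list allowed all ICMP; echo only is enough for reachability tests
access-list outside_access_in extended permit icmp any any echo
! Deliberately not re-added: "permit tcp any any eq telnet" and
! "permit udp any any eq snmp". Management protocols should not be reachable
! from the Internet at all.
access-group outside_access_in in interface outside

! ---- Verify from the CLI. packet-tracer simulates a SYN from the admin
!      network arriving on outside; every phase, including the NAT and
!      ACCESS-LIST phases, must report ALLOW and the final Action must be
!      allow. Run the same command against the posted config to see the drop.
packet-tracer input outside tcp 203.0.113.10 51234 64.203.125.229 3389
show run static
show xlate
show access-list outside_access_in
! After a real connection attempt the "log" keyword on the RDP entry produces
! syslog 106100 for the hit, and the translated session shows up here:
show conn port 3389
```

The `log` keyword on the RDP entry is worth keeping in production: with the source range narrowed, any 106100 message for that entry from an unexpected address is a direct signal that the restriction is being probed, and `show access-list` hit counts give the same information without syslog.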
