02-26-2009 07:28 PM - edited 03-11-2019 07:58 AM
Have an ASA 5505. Internet connection is up and active. Having an issue with RDP to an internal server from outside. I thought the access-list statement in the config below is all I would need, but RDP fails and packet tracer says it's a NAT issue, but I can't spot it. Any ideas or suggestions?
Config:
ASA Version 7.2(4)
!
hostname xxxx
domain-name xxxx
enable password Vjqb/b.vPId8dNqo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.15 Server description Remote Connection to Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.203.125.226 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server Server
 domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 description RDP
 port-object eq 3389
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host Server eq 3389 log debugging
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit udp any any eq snmp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any eq snmp
access-list inside_access_in extended permit udp any any eq tftp
access-list inside_access_in extended permit udp any any eq snmptrap
access-list inside_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,dmz) 192.168.1.20 64.203.125.227 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 64.203.125.225 1
route dmz 64.203.125.228 255.255.255.255 64.203.125.225 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
02-26-2009 08:23 PM
Your inbound ACL for RDP is fine, you just need a static NAT:
static (inside,outside)
02-26-2009 10:18 PM
Hi there,
As an alternative, you can also do a port forward, so that only traffic destined for TCP port 3389 is forwarded to the box:
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
Brad
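Pulling the two replies together, here is an added example (not from any post in this thread) of what the ASA 7.2(4) config in the question would need. It assumes the "Server" name (192.168.1.15) and the outside address 64.203.125.226 from the posted config, and uses 203.0.113.0/24 as a made-up stand-in for whatever remote network actually needs RDP. It also replaces the "permit ip any any" entry that sits first in the posted outside_access_in, because once a static exists that entry admits every port on the server, not just 3389.

```cisco
! Option A (first reply): one-to-one static using a spare public address.
! <spare-public-ip> is a placeholder; the thread does not say which /28
! addresses are free.
! static (inside,outside) <spare-public-ip> Server netmask 255.255.255.255
!
! Option B (Brad's reply): static PAT on the outside interface address.
! Fits the existing "global (outside) 1 interface" setup, so no extra
! public address is consumed. Syntax is real_ifc,mapped_ifc / mapped port /
! real host / real port.
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255
!
! Source networks allowed to reach RDP (203.0.113.0/24 is a constructed value).
object-group network RDP_ALLOWED_SOURCES
 network-object 203.0.113.0 255.255.255.0
!
! Drop the blanket permit, then put the scoped RDP entry at the top.
! On pre-8.3 code an outside ACL matches the mapped (public) address, so the
! destination is the outside interface IP, not "host Server"; 8.3 and later
! match the real address instead.
no access-list outside_access_in extended permit ip any any
access-list outside_access_in line 1 extended permit tcp object-group RDP_ALLOWED_SOURCES host 64.203.125.226 eq 3389 log
access-group outside_access_in in interface outside
```

After applying it, "packet-tracer input outside tcp 203.0.113.10 40000 64.203.125.226 3389" should show a NAT phase (the static) followed by an ACCESS-LIST phase that hits the new line 1 entry; a source outside the object-group should be dropped at the ACL phase, which is the behaviour the blanket "permit ip any any" was hiding.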