Simple ASA port forwarding question

Unanswered Question
Apr 5th, 2009

I have a very simple config. I'm trying to forward custom RDP ports. The default 3389 port is forwarding fine and I'm able to get into the 10.0.0.5


I cannot, however, get to 10.0.0.102

The machine is up (I can RDP into the x.5 server, and from there RDP into the x.102 machine).


Anything I'm missing?


access-list incoming extended permit tcp any host 7.17.25.9 eq 3389

access-list incoming extended permit tcp any host 7.17.25.9 eq 3390


static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3390 10.10.0.102 3390 netmask 255.255.255.255




edit: I'm launching 'mstsc' and connecting to "7.17.25.9:3390" for the custom port (not the actual IP). Is this correct?


JamesLuther Mon, 04/06/2009 - 00:34

Hi,


I think that your second static NAT statement should be


static (inside,outside) tcp interface 3390 10.10.0.102 3389 netmask 255.255.255.255


i.e. on the outside you connect to port 3390, but it connects through to 3389 on the inside.



Regards

scott.bridges Mon, 04/06/2009 - 04:44

Good catch!


I made the change but it's still not working.


static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255



So strange. It appears to be correct, but it's not working. Yet if I RDP into the 10.0.0.5:3389 it works, and from there I'm able to RDP into 10.0.0.102


Very strange.


Any other ideas?

JamesLuther Mon, 04/06/2009 - 05:44

Hi Scott,


I think that your ASA config is correct now. Maybe it's the way you're calling mstsc; can you please try the following:


mstsc /v:7.17.25.9:3390



Regards

scott.bridges Mon, 04/06/2009 - 11:12

Gah.


I just tried what you said and no luck. Same thing. Tries for a few seconds then comes back with error, can't connect.


Yet again, I connect to the 10.0.0.5 server, and from there can RDP into the 10.0.0.102 machine.


I'm at a wall here. This should be a simple setup, right?



thotsaphon Mon, 04/06/2009 - 12:22

Scott,

!

no static (inside,outside) tcp interface 3390 10.10.0.102 3389 netmask 255.255.255.255

!

static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255


If that wasn't it, then what does real-time logging say?


Toshi

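The two corrections above (the mistyped 10.10.0.102 inside address, and the inside port that must match what the host actually listens on) are the kind of thing a quick sanity check over the running-config catches before anyone starts packet captures. The following Python script is an added illustration, not code from this thread or from Cisco: it parses the pre-8.3 style `access-list` / `static` / `access-group` lines shown in the thread and reports mismatches. The inside subnet (assumed here to be 10.0.0.0/24, since the thread only shows 10.0.0.x hosts) and the expected service port are assumptions supplied by the caller; the sample config is constructed from the original poster's first config, typo included.

```python
import ipaddress
import re

# Constructed sample: the original poster's first config, including the mistyped
# inside address 10.10.0.102 that the thread later corrects.
SAMPLE_CONFIG = """\
access-list incoming extended permit tcp any host 7.17.25.9 eq 3389
access-list incoming extended permit tcp any host 7.17.25.9 eq 3390
static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.10.0.102 3390 netmask 255.255.255.255
access-group incoming in interface outside
"""

# Only the shapes of line that appear in the thread are recognised (assumption).
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+tcp\s+any\s+host\s+\S+\s+eq\s+(\d+)\s*$")
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+tcp\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+netmask\s+\S+\s*$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")


def parse_config(text):
    """Pull the pieces of a pre-8.3 ASA static PAT setup out of running-config text."""
    acls = {}      # acl name -> set of TCP ports it permits inbound
    statics = []   # one dict per 'static (real,mapped) tcp ...' line
    applied = {}   # interface -> acl name bound with 'access-group ... in'
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := STATIC_RE.match(line):
            statics.append({
                "real_if": m.group(1), "mapped_if": m.group(2),
                "mapped_ip": m.group(3), "mapped_port": int(m.group(4)),
                "real_ip": m.group(5), "real_port": int(m.group(6)),
            })
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)
    return acls, statics, applied


def audit(text, inside_net, service_port=3389):
    """Return human-readable findings about the forwarding config.

    inside_net: subnet the real hosts should live in (caller's assumption).
    service_port: port the inside hosts are expected to listen on (default RDP).
    """
    inside_net = ipaddress.ip_network(inside_net)
    acls, statics, applied = parse_config(text)
    findings = []
    outside_acl = applied.get("outside")
    if outside_acl is None:
        findings.append("no access-group is bound inbound on the outside interface")
    permitted = acls.get(outside_acl, set())
    for s in statics:
        where = f"outside port {s['mapped_port']}"
        if s["mapped_port"] not in permitted:
            findings.append(f"{where}: no access-list permit on the outside ACL")
        if ipaddress.ip_address(s["real_ip"]) not in inside_net:
            findings.append(f"{where}: real host {s['real_ip']} is outside {inside_net} (typo?)")
        if s["real_port"] != service_port:
            findings.append(
                f"{where}: maps to real port {s['real_port']}, so the host must listen on "
                f"{s['real_port']} rather than the default {service_port}")
    # ACL entries that no static uses are harmless but usually indicate a missing static.
    for port in sorted(permitted - {s["mapped_port"] for s in statics}):
        findings.append(f"outside port {port}: permitted by ACL but no static PAT uses it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "10.0.0.0/24"):
        print("-", finding)
```

Run against the sample it reports exactly the two points raised in the thread: the real host is outside the inside subnet, and outside 3390 maps to inside 3390 rather than 3389. Fixing both in the config makes the audit return nothing.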

JamesLuther Mon, 04/06/2009 - 23:44

Hi Scott,


Where are you trying to connect from? Is TCP 3390 allowed outbound on your test line/network?


I've done this before, so I'm sure your ASA config is correct.


Do you see anything in your ASA logs?



Regards

scott.bridges Tue, 04/21/2009 - 18:34

Hello all,


Sorry for the delay. Another switch project came up with another client so this was put on the back burner. Now I'm back.


As of right now, this is what I have on the firewall:


access-list incoming extended permit tcp any host 7.17.25.9 eq 3389

access-list incoming extended permit tcp any host 7.17.25.9 eq 3390

access-list incoming extended permit tcp any host 7.17.25.9 eq 3391


static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3391 10.0.0.106 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255


access-group incoming in interface outside



I'm focusing on the 10.*.102 host for now.

102 is Windows XP Pro SP3. Windows Firewall is enabled, but I've manually allowed 3389 (tcp and udp) to exceptions. It also has Symantec Endpoint Protection with Network Threat Protection, which I've disabled for troubleshooting.

Remote Desktop Connections is enabled under right-click My Computer.


I am able to RDP into 10.*.5 (the server) fine. And from there, I'm able to RDP into 10.*.102 fine.


I've tried "clear xlate"

I've tried "reload"

There is no outbound ACL, all is open.



Ugh! Frustrated!

What else could it be?!



update: just did a capture on the firewall:


faoasa# capture test interface inside

faoasa# sh capture test | grep 3390

faoasa# sh capture test | grep 3389

1: 19:18:27.899535 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192

2: 19:18:30.888442 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192

3: 19:18:36.889648 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192

faoasa#




The 24.* is me at home. It looks like the traffic is being forwarded, right?


Gah.


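The capture above already answers the question of whether the ASA is forwarding: on the inside interface the SYNs arrive with the translated destination 10.0.0.102:3389, so the ACL and the static PAT were applied, and the same sequence number repeating three times with no SYN-ACK coming back means the host itself never answered. The following Python script is an added example, not code from this thread or from Cisco: it parses `show capture` lines in the tcpdump-like format shown above and classifies each client/server flow as a completed handshake or as unanswered SYNs with retransmits. The sample lines are constructed to mirror the post (the home client address 24.*.*.92 is replaced by 203.0.113.92 from the documentation range), with one extra healthy flow to 10.0.0.5 added for contrast; the exact field layout is an assumption based on the three lines the post shows.

```python
import re
from collections import defaultdict

# Constructed sample in the "show capture" format seen in the thread. Packets 1-3
# mirror the post (same SYN retransmitted, nothing back); packets 4-6 are a constructed
# healthy three-way handshake to the 10.0.0.5 server for comparison.
SAMPLE_CAPTURE = """\
1: 19:18:27.899535 802.1Q vlan#1 P0 203.0.113.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
2: 19:18:30.888442 802.1Q vlan#1 P0 203.0.113.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
3: 19:18:36.889648 802.1Q vlan#1 P0 203.0.113.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
4: 19:19:01.100000 802.1Q vlan#1 P0 203.0.113.92.59590 > 10.0.0.5.3389: S 1000:1000(0) win 8192
5: 19:19:01.100400 802.1Q vlan#1 P0 10.0.0.5.3389 > 203.0.113.92.59590: S 5000:5000(0) ack 1001 win 16384
6: 19:19:01.100800 802.1Q vlan#1 P0 203.0.113.92.59590 > 10.0.0.5.3389: . ack 5001 win 8192
"""

# Field layout assumed from the lines in the post: "<n>: <time> [802.1Q vlan#N Pn] src.port > dst.port: <flags> <rest>"
PKT_RE = re.compile(
    r"^\d+:\s+\S+\s+"                        # packet number and timestamp
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"         # optional VLAN tag decode
    r"(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+"   # src.port > dst.port:
    r"(\S+)\s*(.*)$"                         # TCP flags, then seq/ack/window text
)


def parse_capture(text):
    """Turn capture lines into dicts; lines that do not match the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        seq_m = re.match(r"(\d+):\d+\(\d+\)", rest)
        packets.append({
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": flags,
            "seq": int(seq_m.group(1)) if seq_m else None,
            "ack": re.search(r"\back \d+", rest) is not None,
        })
    return packets


def classify_flows(packets):
    """Group packets by (client, client port, server, server port) and judge the handshake.

    A pure SYN identifies the client side; a SYN carrying an ack is the server's SYN-ACK.
    """
    flows = defaultdict(lambda: {"syn": 0, "syn_seqs": set(), "synack": 0})
    for p in packets:
        if "S" in p["flags"] and not p["ack"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flows[key]["syn"] += 1
            flows[key]["syn_seqs"].add(p["seq"])
        elif "S" in p["flags"] and p["ack"]:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            flows[key]["synack"] += 1
    report = {}
    for key, f in flows.items():
        report[key] = {
            "status": "handshake" if f["synack"] else "no_response",
            "syns": f["syn"],
            # the same ISN seen more than once is the client retrying, not a new connection
            "retransmits": f["syn"] - len(f["syn_seqs"]),
            "synacks": f["synack"],
        }
    return report


if __name__ == "__main__":
    for (client, cport, server, sport), info in classify_flows(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{client}:{cport} -> {server}:{sport}: {info['status']} "
              f"({info['syns']} SYNs, {info['retransmits']} retransmits, {info['synacks']} SYN-ACKs)")
```

On an inside-interface capture a "no_response" flow whose destination is already the real (untranslated) address tells you to stop looking at the firewall and look at the host: its listener, its local firewall, or, as this thread eventually found, the port it is actually listening on.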

scott.bridges Tue, 04/21/2009 - 20:48

Update: I made the following changes, and now it works:


no static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3390 10.0.0.102 3390 netmask 255.255.255.255


On host machine:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

Changed PortNumber to 3390; restart machine.




Now it works. What the ?


So does this mean it was a problem with the ASA translation from 3390 -> 3389 ?


Theories?




