646 Views, 0 Helpful, 9 Replies

Simple ASA port forwarding question

scott.bridges
Level 1

I have a very simple config. I'm trying to forward custom RDP ports. The default 3389 port is forwarding fine and I'm able to get into the 10.0.0.5

I cannot, however, get to 10.0.0.102

The machine is up (I can RDP into the x.5 server, and from there RDP into the x.102 machine).

Anything I'm missing?

access-list incoming extended permit tcp any host 7.17.25.9 eq 3389

access-list incoming extended permit tcp any host 7.17.25.9 eq 3390

static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3390 10.10.0.102 3390 netmask 255.255.255.255

edit: I'm launching 'mstsc' and connecting to "7.17.25.9:3390" for the custom port (not the actual IP). Is this correct?

9 Replies

JamesLuther
Level 3

Hi,

I think that your second static NAT statement should be

static (inside,outside) tcp interface 3390 10.10.0.102 3389 netmask 255.255.255.255

i.e. on the outside you connect to port 3390, but it connects through to 3389 on the inside.

Regards

Good catch!

I made the change but it's still not working.

static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255

So strange. It appears to be correct, but it's not working. Yet if I RDP into the 10.0.0.5:3389 it works, and from there I'm able to RDP into 10.0.0.102

Very strange.

Any other ideas?

Hi Scott,

I think that your ASA config is correct now. Maybe it's the way you're calling mstsc; can you please try the following:

mstsc /v:7.17.25.9:3390

Regards

Gah.

I just tried what you said and no luck. Same thing. It tries for a few seconds, then comes back with an error: can't connect.

Yet again, I connect to the 10.0.0.5 server, and from there can RDP into the 10.0.0.102 machine.

I'm at a wall here. This should be a simple setup, right?

Scott,

!

no static (inside,outside) tcp interface 3390 10.10.0.102 3389 netmask 255.255.255.255

!

static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255

If that wasn't it, what does the real-time logging say?

Toshi

Hi Scott,

Where are you trying to connect from? Is TCP 3390 allowed outbound on your test line/network?

I've done this before so I'm sure your ASA config is correct

Do you see anything in your ASA logs?

Regards

Have you had any luck connecting to the 2nd workstation remotely? Does the workstation have a firewall enabled? Type in the command clear xlate and then try again.

Hello all,

Sorry for the delay. Another switch project came up with another client so this was put on the back burner. Now I'm back.

As of right now, this is what I have on the firewall:

access-list incoming extended permit tcp any host 7.17.25.9 eq 3389

access-list incoming extended permit tcp any host 7.17.25.9 eq 3390

access-list incoming extended permit tcp any host 7.17.25.9 eq 3391

static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3391 10.0.0.106 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255

access-group incoming in interface outside

I'm focusing on the 10.*.102 host for now.

102 is Windows XP Pro SP3. Windows Firewall is enabled, but I've manually added 3389 (TCP and UDP) to the exceptions. It also has Symantec Endpoint Protection with Network Threat Protection, which I've disabled for troubleshooting.

Remote Desktop Connections is enabled under right-click My Computer.

I am able to RDP into 10.*.5 (the server) fine. And from there, I'm able to RDP into 10.*.102 fine.

I've tried "clear xlate"

I've tried "reload"

There is no outbound ACL, all is open.

Ugh! Frustrated!

What else could it be?!

update: just did a capture on the firewall:

faoasa# capture test interface inside

faoasa# sh capture test | grep 3390

faoasa# sh capture test | grep 3389

1: 19:18:27.899535 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192

2: 19:18:30.888442 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192

3: 19:18:36.889648 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192

faoasa#

The 24.* is me at home. It looks like the traffic is being forwarded, right?

Gah.

Update: I made the following changes, and now it works:

no static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3390 10.0.0.102 3390 netmask 255.255.255.255

On host machine:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

Changed PortNumber to 3390; restart machine.

Now it works. What the ?

So does this mean it was a problem with the ASA translation from 3390 -> 3389 ?

Theories?
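As an added example (not code from anyone in this thread), a small audit script that cross-checks the ASA static PAT lines against the access-list permits. Run over the config posted above (with the mistyped 10.10.0.102 address from the original post), it flags the inside host that falls outside the assumed 10.0.0.0/24 subnet, any forwarded port with no matching permit, and any translation to a port other than the one the host is expected to listen on; the subnet and the 3389 listener port are assumptions passed as parameters.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the ACL and static lines from the thread, with the
# mistyped inside address (10.10.0.102) from the original post left in
# so the audit has something to catch.
SAMPLE_CONFIG = """
access-list incoming extended permit tcp any host 7.17.25.9 eq 3389
access-list incoming extended permit tcp any host 7.17.25.9 eq 3390
access-list incoming extended permit tcp any host 7.17.25.9 eq 3391
static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.10.0.102 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 10.0.0.106 3389 netmask 255.255.255.255
access-group incoming in interface outside
"""

# Only the two line shapes used in the thread are parsed.
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\d+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\d+) (\S+) (\d+) netmask")


def audit(config, inside_net="10.0.0.0/24", listener_port=3389):
    """Return a list of findings for the static PAT / ACL pairing.

    inside_net and listener_port are assumptions about the site: the
    inside subnet, and the port the RDP hosts actually listen on.
    """
    acl_ports, statics = set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_ports.add(int(m.group(3)))
        elif m := STATIC_RE.match(line):
            statics.append((int(m.group(1)), m.group(2), int(m.group(3))))

    net = ip_network(inside_net)
    findings = []
    for out_port, host, in_port in statics:
        if out_port not in acl_ports:
            findings.append(f"static {out_port}: no access-list permit for tcp/{out_port}")
        if ip_address(host) not in net:
            findings.append(f"static {out_port}: inside host {host} is not in {inside_net} (typo?)")
        if in_port != listener_port:
            findings.append(f"static {out_port}: translates to tcp/{in_port}, but host listens on tcp/{listener_port}")
    # Permits that forward nothing are dead rules worth removing.
    for port in sorted(acl_ports - {s[0] for s in statics}):
        findings.append(f"acl permits tcp/{port} but no static uses it")
    return findings
```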
