Help needed with RDP on ASA 5505

Answered Question
Dec 1st, 2009

I recently swapped a PIX 501 out with an ASA 5505.  The configurations are as identical as they can be.  RDP (TCP port 3389) from outside the network worked on the PIX 501; now that the ASA is in place, RDP (TCP port 3389) from the outside does not work.  We are not using any VPN, just trying to open RDP directly from the Internet inbound.  Once I get it working I plan on changing the default ports.  The outside Internet connection is a wireless bridge from one building to another, and the ISP states they have to put a static MAC address on the CPE equipment at our location for security.  The static MAC they map to our public IP address is the MAC address of the VLAN2 interface on our ASA.  What am I missing?  Here is the config:

ASA Version 7.2(4)
!
hostname ********
enable password **************** encrypted
passwd ***************  encrypted
!
names
name 192.168.1.5 NWSRV
name 192.168.1.2 W2K3TS
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.185.6.86 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec This is a private network - authorized access only!
banner login Admin Only
banner motd This is a private network - authorized access only!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name ******.***
!
access-list 101 extended permit tcp any host 66.185.6.88 eq 3389
access-list 101 extended permit tcp any host 66.185.6.87 eq 3389
access-list inside_access_in extended permit ip any any
!
pager lines 24
!
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
!
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
static (inside,outside) tcp 66.185.6.87 3389 NWSRV 3389 netmask 255.255.255.255
static (inside,outside) tcp 66.185.6.88 3389 W2K3TS 3389 netmask 255.255.255.255
!
access-group inside_access_in in interface inside
access-group 101 in interface outside
!
route outside 0.0.0.0 0.0.0.0 66.185.6.1 1
!
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http *.*.*.* 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh *.*.*.* 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
username **** password ************** encrypted privilege 15
!
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
!
Cryptochecksum:255a085d43ca8c941c67c53190d4d0c8

: end
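As an added worked example (not part of the thread and not a Cisco tool): a small Python audit of the config posted above. It resolves the `name` aliases, pairs each `static` with the access-list entry on the outside interface that has to permit it, and flags the exposures a practitioner would want to close before leaving this in place. It encodes the pre-8.3 ASA rule, which the posted ACL 101 follows, that an ACL applied to the outside interface is matched against the mapped public address (66.185.6.87/.88), not the inside host behind it. The config text embedded in the block is copied from the question and trimmed to the lines the audit reads; the finding texts are this example's own wording.

```python
import ipaddress

# Constructed excerpt of the ASA 7.2(4) running-config from the question above:
# only the name, NAT, ACL and management lines the audit looks at.
ASA_CONFIG = """\
name 192.168.1.5 NWSRV
name 192.168.1.2 W2K3TS
access-list 101 extended permit tcp any host 66.185.6.88 eq 3389
access-list 101 extended permit tcp any host 66.185.6.87 eq 3389
access-list inside_access_in extended permit ip any any
static (inside,outside) tcp 66.185.6.87 3389 NWSRV 3389 netmask 255.255.255.255
static (inside,outside) tcp 66.185.6.88 3389 W2K3TS 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 101 in interface outside
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
"""


def addr_spec(tokens):
    """Consume one ASA address spec from the front of tokens: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Pull out name aliases, tcp statics, extended permit ACEs, ACL bindings and
    management-access lines.  Everything else in the config is ignored."""
    names, statics, acls, bound, mgmt = {}, [], {}, {}, []
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "name":                               # name <ip> <alias>
            names[p[2]] = p[1]
        elif p[0] == "static" and p[2] == "tcp":         # static (i,o) tcp MAPPED MPORT REAL RPORT netmask M
            statics.append((p[3], int(p[4]), names.get(p[5], p[5]), int(p[6])))
        elif p[0] == "access-list" and p[2:4] == ["extended", "permit"]:
            rest = p[5:]
            src, dst = addr_spec(rest), addr_spec(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(p[1], []).append((p[4], src, dst, port))
        elif p[0] == "access-group":                     # access-group NAME in interface IF
            bound[p[4]] = p[1]
        elif p[0] in ("ssh", "telnet", "snmp-server", "http"):
            mgmt.append(p)
    return names, statics, acls, bound, mgmt


def audit(text):
    """Return a list of findings: statics with no matching outside ACE, statics
    reachable from any source, and management services exposed on outside."""
    _, statics, acls, bound, mgmt = parse_config(text)
    findings = []
    outside_acl = acls.get(bound.get("outside"), [])
    for mapped_ip, mport, real_ip, rport in statics:
        # Pre-8.3 ASA: ACLs on the outside interface match the MAPPED (public) address,
        # so the ACE must name 66.185.6.87/.88, not the inside host behind it.
        mapped = ipaddress.ip_address(mapped_ip)
        hits = [ace for ace in outside_acl
                if ace[0] in ("tcp", "ip") and mapped in ace[2] and ace[3] in (None, mport)]
        if not hits:
            findings.append(f"no outside ACE permits {mapped_ip}:{mport} "
                            f"(static to {real_ip}:{rport}); inbound SYNs will be dropped")
        for _, src, _, _ in hits:
            if src.prefixlen == 0:
                findings.append(f"{mapped_ip}:{mport} -> {real_ip}:{rport} is open to ANY source; "
                                f"restrict the ACE to known client addresses")
    for p in mgmt:
        if p[0] == "ssh" and p[1:4] == ["0.0.0.0", "0.0.0.0", "outside"]:
            findings.append("ssh management is reachable from any Internet address on outside")
        if p[0] == "snmp-server" and p[1:3] == ["community", "public"]:
            findings.append("snmp-server uses the default community 'public'")
    return findings


if __name__ == "__main__":
    for f in audit(ASA_CONFIG):
        print("FINDING:", f)
```

Run against the posted config this reports four findings: both RDP statics are reachable from any Internet address, `ssh 0.0.0.0 0.0.0.0 outside` opens SSH management to the whole Internet, and the SNMP community is still `public`. Moving RDP to a non-default port, as the question plans, hides nothing from a port scan; restricting the source of the two ACEs to the addresses that actually need RDP is the control that matters.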

grillstomper Tue, 12/01/2009 - 20:25

Add a static NAT entry on your inside interface (mine is called home). For the source, enter the IP address of the machine you want to be able to RDP to (mine is named VistaPC as seen below).  Your Translated Interface will be the OUTSIDE interface.  Enable PAT using port 3389.

static (inside,outside) tcp interface 3389 "IP address of RDP host" 3389 netmask 255.255.255.255

[attachment: Static NAT for RDP.jpg]

At this point, write your rule on the OUTSIDE interface with the source of ANY (or whatever IP you want to allow) and the destination of ANY, service TCP 3389.

access-list outside_access_in extended permit tcp "source IP you want to allow" any object-group RDP

That should do the trick!

grillstomper Tue, 12/01/2009 - 20:32

Looks like your static NAT is correct.

static (inside,outside) tcp "Public IP" 3389 "Internal IP address of inside RDP Machine" 3389 netmask 255.255.255.255

Then write your ACL on the outside interface.

access-list outside_access_in extended permit tcp "IP address(es) you want to allow from outside" host "Public IP address" eq 3389

That should do it!

jaystanley66 Wed, 12/02/2009 - 06:50

I already have the access list setup in the config:

access-list 101 extended permit tcp any host 66.185.6.88 eq 3389
access-list 101 extended permit tcp any host 66.185.6.87 eq 3389

and

access-group 101 in interface outside

It still doesn't work.  I also see hits on the access list entries when initiating an RDP session from the outside, but it never connects.

Any more ideas?

Kureli Sankar Wed, 12/02/2009 - 07:02

Does RDP to these servers work internally? If it does, then please check the logs on the ASA to see what might be going on.

enable logging:

conf t

logging enable

logging buffered 7

exit

sh logg | i 66.185.6.87

sh logg | i 66.185.6.88

Also, you can collect captures on the RDP server to see if it sees the packets and whether it responds back.

-KS

cisco24x7 Wed, 12/02/2009 - 07:39

access-list debug permit tcp any any eq 3389 log
access-list debug permit tcp any eq 3389 any log

capture external access-list debug interface outside
capture internal access-list debug interface inside

"show capture external" and "show capture internal" and see if the
traffic actually makes it to and through the firewall

Easy right?

jaystanley66 Wed, 12/02/2009 - 07:42

I enabled the logging, and tried the RDP, here is the output of log file:

Dec 02 2009 02:32:11: %ASA-6-302013: Built inbound TCP connection 240450 for outside:65.28.70.151/56700 (65.28.70.151/56700) to inside:NWSRV/3389 (66.185.6.87/3389)
Dec 02 2009 02:32:23: %ASA-2-106001: Inbound TCP connection denied from 86.196.80.185/56633 to 66.185.6.87/34565 flags SYN  on interface outside

What is this telling me?

jaystanley66 Wed, 12/02/2009 - 07:46

Here is the out put of the show capture external and internal:

Johnson-ASA01# sho capture external
3 packets captured
   1: 02:36:51.750861 802.1Q vlan#2 P0 65.28.70.151.56762 > 66.185.6.87.3389: S 1264497058:1264497058(0) win 8192
   2: 02:36:54.740348 802.1Q vlan#2 P0 65.28.70.151.56762 > 66.185.6.87.3389: S 1264497058:1264497058(0) win 8192
   3: 02:37:00.747336 802.1Q vlan#2 P0 65.28.70.151.56762 > 66.185.6.87.3389: S 1264497058:1264497058(0) win 8192
3 packets shown


Johnson-ASA01# sho capture internal
3 packets captured
   1: 02:36:51.751151 802.1Q vlan#1 P0 65.28.70.151.56762 > 192.168.1.5.3389: S 1268227278:1268227278(0) win 8192
   2: 02:36:54.740379 802.1Q vlan#1 P0 65.28.70.151.56762 > 192.168.1.5.3389: S 1268227278:1268227278(0) win 8192
   3: 02:37:00.747367 802.1Q vlan#1 P0 65.28.70.151.56762 > 192.168.1.5.3389: S 1268227278:1268227278(0) win 8192
3 packets shown

Correct Answer
cisco24x7 Wed, 12/02/2009 - 07:59

According to the capture (aka tcpdump), I am seeing the RDP traffic's SYN packet hitting the firewall outside interface and traversing the firewall out of the firewall inside interface, but I am NOT seeing any SYN-ACK packet from the server going back to the firewall.

The firewall is doing its job.  Check the server settings and make sure it has the correct default gateway, and the firewall on the server is OFF.

on the server, from the cmd window, "netstat -an | findstr 3389".  is the port listening?
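The reasoning in this answer, applied mechanically, as an added example (not the poster's code and not an ASA feature): parse the two `show capture` outputs, key each flow on the client's address and port, and report where the SYN was seen and where the server's SYN-ACK was, or was not, seen. The three SYN lines per interface are the ones posted above; the `*_OK` captures and the server's SYN-ACK line in them are constructed to show the healthy pattern for comparison, and the verdict texts are this example's own wording.

```python
import re

# Capture output: the SYN lines are copied from the "show capture" output posted in
# the thread; the *_OK captures are constructed here to show what a working
# three-way handshake looks like on the same two interfaces.
CAPTURE_OUTSIDE = """\
3 packets captured
   1: 02:36:51.750861 802.1Q vlan#2 P0 65.28.70.151.56762 > 66.185.6.87.3389: S 1264497058:1264497058(0) win 8192
   2: 02:36:54.740348 802.1Q vlan#2 P0 65.28.70.151.56762 > 66.185.6.87.3389: S 1264497058:1264497058(0) win 8192
   3: 02:37:00.747336 802.1Q vlan#2 P0 65.28.70.151.56762 > 66.185.6.87.3389: S 1264497058:1264497058(0) win 8192
3 packets shown
"""
CAPTURE_INSIDE = """\
   1: 02:36:51.751151 802.1Q vlan#1 P0 65.28.70.151.56762 > 192.168.1.5.3389: S 1268227278:1268227278(0) win 8192
   2: 02:36:54.740379 802.1Q vlan#1 P0 65.28.70.151.56762 > 192.168.1.5.3389: S 1268227278:1268227278(0) win 8192
   3: 02:37:00.747367 802.1Q vlan#1 P0 65.28.70.151.56762 > 192.168.1.5.3389: S 1268227278:1268227278(0) win 8192
"""
# Constructed (not from the thread): the same kind of flow after the server's gateway is fixed.
CAPTURE_OUTSIDE_OK = """\
   1: 02:40:01.000100 802.1Q vlan#2 P0 65.28.70.151.56800 > 66.185.6.87.3389: S 1000:1000(0) win 8192
   2: 02:40:01.000500 802.1Q vlan#2 P0 66.185.6.87.3389 > 65.28.70.151.56800: S 5000:5000(0) ack 1001 win 16384
   3: 02:40:01.020000 802.1Q vlan#2 P0 65.28.70.151.56800 > 66.185.6.87.3389: . ack 5001 win 8192
"""
CAPTURE_INSIDE_OK = """\
   1: 02:40:01.000200 802.1Q vlan#1 P0 65.28.70.151.56800 > 192.168.1.5.3389: S 1000:1000(0) win 8192
   2: 02:40:01.000400 802.1Q vlan#1 P0 192.168.1.5.3389 > 65.28.70.151.56800: S 5000:5000(0) ack 1001 win 16384
   3: 02:40:01.020100 802.1Q vlan#1 P0 65.28.70.151.56800 > 192.168.1.5.3389: . ack 5001 win 8192
"""

PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)(?P<rest>.*)$")


def parse_capture(text):
    """Parse 'show capture' packet lines into dicts; summary lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            d["syn"] = "S" in d["flags"]                       # S or S. => SYN bit set
            d["ack"] = re.search(r"\back\b", d["rest"]) is not None
            pkts.append(d)
    return pkts


def diagnose(outside_text, inside_text, server_port="3389"):
    """Classify each client flow by where its SYN and the server's SYN-ACK were seen,
    the same reasoning the answer applies to the two captures above."""
    flows = {}
    for iface, text in (("outside", outside_text), ("inside", inside_text)):
        for p in parse_capture(text):
            if not p["syn"]:
                continue
            if p["ack"]:                         # SYN-ACK: server -> client, key on the client side
                key = (p["dst"], p["dport"])
                flows.setdefault(key, {"syn": set(), "synack": set()})["synack"].add(iface)
            elif p["dport"] == server_port:      # SYN: client -> server
                key = (p["src"], p["sport"])
                flows.setdefault(key, {"syn": set(), "synack": set()})["syn"].add(iface)
    verdicts = {}
    for key, seen in flows.items():
        if "outside" not in seen["syn"]:
            verdicts[key] = "no SYN on outside: traffic never reaches the ASA (ISP, bridge, MAC mapping)"
        elif "inside" not in seen["syn"]:
            verdicts[key] = "SYN seen on outside but not inside: dropped by the ASA (check NAT, ACL, syslog)"
        elif "inside" not in seen["synack"]:
            verdicts[key] = ("SYN forwarded to the server but no SYN-ACK came back: "
                             "check the server's default gateway, host firewall and 3389 listener")
        elif "outside" not in seen["synack"]:
            verdicts[key] = "server replied but the SYN-ACK was not sent out: check xlate and outside ACL"
        else:
            verdicts[key] = "handshake traverses the ASA in both directions"
    return verdicts


if __name__ == "__main__":
    for captures in ((CAPTURE_OUTSIDE, CAPTURE_INSIDE), (CAPTURE_OUTSIDE_OK, CAPTURE_INSIDE_OK)):
        for flow, verdict in diagnose(*captures).items():
            print(f"{flow[0]}:{flow[1]} -> {verdict}")
```

Keying the flow on the client side is what lets the inside capture (where the server address is 192.168.1.5) be matched against the outside capture (where it is the mapped 66.185.6.87): the client address and port are the one thing the static translation leaves unchanged.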

Kureli Sankar Wed, 12/02/2009 - 09:06

Does the RDP server have another route to the Internet besides this ASA? Wireshark on the RDP server will show you whether it is sending a SYN-ACK back and to which MAC address it is sending the response.

Are you sure the server is listening on tcp 3389 and it accepts rdp connections internally?

jaystanley66 Wed, 12/02/2009 - 09:16

Thanks for all your help.  The problem was the servers.  Default gateway was not correct on either server.  DUH!  I am not the server guy, and had conferred with the server guy several times, gave him the default gateway etc, but evidently it was not set correct.  After I changed the default gateway on each server, RDP works flawlessly.  This was a great learning experience with the captures and logs.  Again, thanks to everyone who replied.
