Having Problems RDPing using External IP but External FQDN works

Unanswered Question
Jun 14th, 2010

I'm new to the ASA 5520. I have NAT rules set up and I'm having some issues allowing RDP traffic from an external IP to an internal IP. I have one IP/address that translates fine if you use the FQDN and not the IP; if you use the IP, it fails.

When I use the packet tracer I get NAT-EXEMPT, Subtype: rpf-check, Action: DROP

Info: (acl-drop) Flow is denied by configured rule.

74.203.134.* are the externals. I'm stumped.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 74.203.134.30 255.255.255.0
!
interface GigabitEthernet0/1
nameif LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name citrus-conn.local
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service RSI
service-object tcp-udp eq 3156
service-object tcp-udp eq 3256
object-group service Satellite_Integrators
service-object tcp-udp eq 3000
service-object tcp eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
port-object eq aol
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_6 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_7 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_8 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_9 tcp
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_10 tcp
port-object eq imap4
port-object eq pop3
port-object eq smtp
object-group service DM_INLINE_TCP_11 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service DM_INLINE_TCP_12 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
access-list WAN_access_in extended permit tcp any host 74.203.134.38 eq pptp
access-list WAN_access_in extended permit tcp any host 74.203.134.38 eq 3389
access-list WAN_access_in remark VIP_Lakeland
access-list WAN_access_in extended permit icmp any host 74.203.134.38
access-list WAN_access_in remark RSI
access-list WAN_access_in extended permit tcp any host 74.203.134.41 eq 3389
access-list WAN_access_in remark ASA Public IP
access-list WAN_access_in extended permit icmp any host 74.203.134.30
access-list WAN_access_in remark DVR
access-list WAN_access_in extended permit tcp any host 74.203.134.31 eq www
access-list WAN_access_in remark DVR
access-list WAN_access_in extended permit tcp any host 74.203.134.32 eq www
access-list WAN_access_in remark DVR
access-list WAN_access_in extended permit tcp any host 74.203.134.33 eq www
access-list WAN_access_in remark MailServer
access-list WAN_access_in extended permit tcp any host 74.203.134.34 eq smtp
access-list WAN_access_in remark MailServer
access-list WAN_access_in extended permit tcp any host 74.203.134.34 eq www
access-list WAN_access_in remark MailServer
access-list WAN_access_in extended permit tcp any host 74.203.134.34 eq https
access-list WAN_access_in remark MailServer
access-list WAN_access_in extended permit tcp any host 74.203.134.34 eq pop3
access-list WAN_access_in remark MailServ Public IP
access-list WAN_access_in extended permit icmp any host 74.203.134.34
access-list WAN_access_in remark TermServ
access-list WAN_access_in extended permit tcp any host 74.203.134.37 eq pptp
access-list WAN_access_in remark TermServ
access-list WAN_access_in extended permit tcp any host 74.203.134.37 eq https
access-list WAN_access_in remark TermServ
access-list WAN_access_in extended permit tcp any host 74.203.134.37 eq 3389
access-list WAN_access_in remark Satellite Integrators
access-list WAN_access_in extended permit tcp any host 74.203.134.40 eq www
access-list WAN_access_in remark Satellite Integrators
access-list WAN_access_in extended permit object-group TCPUDP any host 74.203.134.40 eq 3000
access-list WAN_access_in remark RSI System
access-list WAN_access_in extended permit object-group TCPUDP any host 74.203.134.41 eq 700
access-list WAN_access_in remark RSI System
access-list WAN_access_in extended permit object-group TCPUDP any host 74.203.134.41 eq 3156
access-list WAN_access_in remark RSI System
access-list WAN_access_in extended permit object-group TCPUDP any host 74.203.134.41 eq 3256
access-list WAN_access_in remark MDT Terminal Services
access-list WAN_access_in extended permit tcp any host 74.203.134.42 eq 3389
access-list WAN_access_in remark Cryoserver
access-list WAN_access_in extended permit tcp any host 212.36.41.22 object-group DM_INLINE_TCP_12
access-list WAN_access_in remark Blackberry Inbound
access-list WAN_access_in extended permit tcp any any eq 3101
access-list WAN_access_in remark Wachovia FTPS
access-list WAN_access_in extended permit object-group TCPUDP any any range 1024 65535
access-list WAN_access_in remark Time America Clocks
access-list WAN_access_in extended permit object-group TCPUDP any any eq 3734
access-list WAN_access_in extended permit tcp any any eq imap4
access-list WAN_access_in remark Shoutcast Radio
access-list WAN_access_in extended permit object-group TCPUDP any any eq 8002
access-list WAN_access_in extended permit tcp any any eq pop3
access-list WAN_access_in extended permit udp any any eq 33001
access-list WAN_access_in remark shoretel softphone
access-list WAN_access_in extended permit object-group TCPUDP any any eq 5004
access-list WAN_access_in remark shoretel softphone
access-list WAN_access_in extended permit object-group TCPUDP any any eq 2427
access-list WAN_access_in remark shoretel softphone
access-list WAN_access_in extended permit object-group TCPUDP any any eq 2727
access-list WAN_access_in extended permit udp any any eq 33011
access-list WAN_access_in remark Blackberry Inbound
access-list WAN_access_in extended permit tcp any any eq 3500
access-list WAN_access_in remark POP3/SMTP
access-list WAN_access_in extended permit object-group TCPUDP any any eq 995
access-list WAN_access_in remark POP3/SMTP
access-list WAN_access_in extended permit object-group TCPUDP any any eq 465
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_2
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ssh
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-list LAN_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 3389
access-list LAN_access_in remark Shoutcast Radio
access-list LAN_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any eq 8002
access-list LAN_access_in remark Wachovia FTPS
access-list LAN_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any range 1024 65535
access-list LAN_access_in remark POP3/SMTP
access-list LAN_access_in extended permit object-group TCPUDP host 192.168.1.15 any eq 995
access-list LAN_access_in remark POP3/SMTP
access-list LAN_access_in extended permit object-group TCPUDP host 192.168.1.15 any eq 465
access-list LAN_access_in remark TEST VIP
access-list LAN_access_in extended permit tcp host 192.168.1.18 any eq 3389
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq aol
access-list LAN_access_in remark BlackBerry outbound
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 3101
access-list LAN_access_in remark BlackBerry Outbound2
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 3500
access-list LAN_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq imap4
access-list LAN_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list LAN_access_in remark Time America Clocks
access-list LAN_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any eq 3734
access-list LAN_access_in remark shoretel softphone
access-list LAN_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any eq 5004
access-list LAN_access_in remark shoretel softphone
access-list LAN_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any eq 2427
access-list LAN_access_in remark shoretel softphone
access-list LAN_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any eq 2727
access-list LAN_access_in remark BDR
access-list LAN_access_in extended permit udp host 192.168.1.23 any eq 33001
access-list LAN_access_in remark mailserv
access-list LAN_access_in extended permit tcp host 192.168.1.15 any object-group DM_INLINE_TCP_9
access-list LAN_access_in remark Cryoserver
access-list LAN_access_in extended permit tcp host 192.168.1.219 any object-group DM_INLINE_TCP_11
access-list LAN_access_in remark TLS450
access-list LAN_access_in extended permit tcp host 192.168.1.176 any object-group DM_INLINE_TCP_10
access-list LAN_access_in remark BDR
access-list LAN_access_in extended permit udp host 192.168.1.23 any eq 33011
access-list everyone_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list LAN_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.224
access-list LAN_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128
access-list DefaultGroup_splitTunnelAcl standard permit any
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_3
access-list global_mpc_1 extended permit tcp any any object-group DM_INLINE_TCP_4
access-list global_mpc_2 extended permit tcp any any object-group DM_INLINE_TCP_5
access-list global_mpc_4 extended permit tcp 74.203.134.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group DM_INLINE_TCP_7
access-list global_mpc_3 extended permit tcp 192.168.1.0 255.255.255.0 74.203.134.0 255.255.255.0 object-group DM_INLINE_TCP_6
access-list global_mpc_5 extended permit tcp any any object-group DM_INLINE_TCP_8
access-list LAMTD_splitTunnelAcl standard permit any
access-list LAMTD_splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging asdm informational
logging mail emergencies
logging from-address

logging recipient-address  level errors
logging class auth mail emergencies
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool RemoteClientPool 172.16.1.2-172.16.1.255 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (WAN) 101 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 101 0.0.0.0 0.0.0.0
static (LAN,WAN) 74.203.134.37 192.168.1.10 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.38 192.168.1.18 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.31 192.168.1.12 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.32 192.168.1.13 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.33 192.168.1.14 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.34 192.168.1.15 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.42 192.168.1.33 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.41 192.168.1.253 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.40 192.168.1.254 netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
route WAN 0.0.0.0 0.0.0.0 74.203.134.1 1
route LAN 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server my_authent_grp protocol kerberos
aaa-server my_authent_grp (LAN) host 192.168.1.16
timeout 30
kerberos-realm CITRUS-CONN.LOCAL
aaa-server my_author_grp protocol ldap
aaa-server my_author_grp (LAN) host 192.168.1.16
ldap-base-dn dc=citrus-conn;dc=local
ldap-group-base-dn dc=citrus-conn;dc=local
ldap-scope subtree
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto map LAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map LAN_map interface LAN
crypto isakmp enable WAN
crypto isakmp enable LAN
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultGroup internal
group-policy DefaultGroup attributes
dns-server value 192.168.1.16
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultGroup_splitTunnelAcl
default-domain value citrus-conn
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.16
group-policy LAMTD internal
group-policy LAMTD attributes
dns-server value 192.168.1.16
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value everyone_splitTunnelAcl
default-domain value citrus-conn.local
address-pools value RemoteClientPool
tunnel-group LAMTD type remote-access
tunnel-group LAMTD general-attributes
address-pool RemoteClientPool
authentication-server-group my_authent_grp
authentication-server-group (LAN) my_authent_grp
authorization-server-group my_author_grp
default-group-policy LAMTD
tunnel-group LAMTD ipsec-attributes
pre-shared-key *
!
class-map global-class
match access-list global_mpc_5
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
class global-class
  csc fail-close
!
service-policy global_policy global
smtp-server 192.168.1.15
prompt hostname context
Cryptochecksum:368e12bbcbfb9b5dcaa73b2dbb70d4fa
: end

Federico Coto F... Mon, 06/14/2010 - 13:22

Hi,

Could it have to do with the NAT ordering?
NAT 0 access-list takes precedence over the static NAT.

So, if the IP that you're trying to reach from outside is included in the NAT 0, the NAT 0 will take precedence.

Federico.

robertmehrer Mon, 06/14/2010 - 13:46

What would I do to correct this?

And why would it let the FQDN pass through?

If you RDP to remote.ridecitrus.com it connects; if you use the IP 74.203.134.37 it doesn't.

Federico Coto F... Mon, 06/14/2010 - 13:53

Check if the internal IP is part of the ACL applied to the NAT 0.

If so, create a deny statement for that IP.

Please post "sh run | i x.x.x.x"

where x.x.x.x is the internal IP.

Federico.

robertmehrer Mon, 06/14/2010 - 14:06

Result of the command: "sh run | i 192.168.1.18"

access-list LAN_access_in extended permit tcp host 192.168.1.18 any eq 3389
static (LAN,WAN) 74.203.134.38 192.168.1.18 netmask 255.255.255.255

Panos Kampanakis Mon, 06/14/2010 - 14:32

You had said:

"If you RDP to remote.ridecitrus.com it connects; if you use the IP 74.203.134.37 it doesn't."

How about if you RDP to 74.203.134.38? I see that is the IP the host 192.168.1.18 is translated to.

I hope it helps.

PK

robertmehrer Tue, 06/15/2010 - 06:39

I can't RDP to any external IP; they aren't being translated internally. I can see the counter going up in the ACL list, but they won't connect.

And I was using the FQDN as an example; any IP .30-.45 I cannot RDP to, even with the rules in place. Only if I use the FQDN does it RDP. I only have one server with an FQDN.

Panos Kampanakis Tue, 06/15/2010 - 07:39

It doesn't make sense for RDP, because as soon as the RDP host is resolved it should be a simple TCP connection destined to 74.203.134.37 on port 3389, which is the same as RDP-ing to 74.203.134.37 from the beginning.

Only packet captures will show you what is happening. remote.ridecitrus.com resolves to 74.203.134.3, so RDP-ing to the hostname or the IP should be the same. You can capture packets sourced from your external IP that is RDP-ing, on the inside and outside interfaces, and try to see what is happening.

I hope it helps.

PK

robertmehrer Wed, 06/16/2010 - 06:17

That's what I mean... it's odd that it lets the one with the FQDN pass and nothing else...

robertmehrer Wed, 06/16/2010 - 06:24

I just tried again outside the network and it finally worked with the IP address. I tested with my iPhone, iPad and laptop via cellular and it finally connected. Only when inside the network I can't RDP using the public IP, only the FQDN, which is still weird...

Panos Kampanakis Wed, 06/16/2010 - 07:08

Check what IP you get for the FQDN. Your internal DNS server is probably giving you a local IP, and so you can RDP. But when you use the global IP it does not work, because the ASA does not hairpin the traffic on the outside interface.

I hope it helps.

PK
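
An added example, not from the original thread and not Cisco code: a small Python model of how this 8.2 configuration picks a translation, built from the NAT lines posted in the question. It illustrates both replies above. Federico's point: the nat 0 exemption ACL is consulted before the statics, so an inbound flow whose reverse direction matches LAN_nat0_outbound fails the reverse-path check and is dropped in the NAT-EXEMPT phase with the rpf-check subtype the packet tracer reported. Panos's point: an inside host that uses the public address would have to U-turn on the LAN interface, which the ASA refuses unless same-security-traffic permit intra-interface is configured. The lookup order is a simplified assumption, and the addresses 203.0.113.5, 172.16.1.5 and 192.168.1.50 are constructed test inputs; the VPN-pool case is one way to hit the exemption, not a claim about what the poster tested.

```python
import ipaddress

# Constructed excerpt: only the NAT-related lines of the running-config posted in the question.
CONFIG = """\
access-list LAN_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list LAN_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.224
access-list LAN_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128
global (WAN) 101 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 101 0.0.0.0 0.0.0.0
static (LAN,WAN) 74.203.134.37 192.168.1.10 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.38 192.168.1.18 netmask 255.255.255.255
static (LAN,WAN) 74.203.134.41 192.168.1.253 netmask 255.255.255.255
"""


def _addr(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK') from a token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse(config):
    """Pull ACLs, nat 0, dynamic nat/global and static entries out of config text."""
    asa = {"acls": {}, "nat0": {}, "dynamic": [], "globals": {}, "statics": []}
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] == "extended":
            rest = tok[5:]                                 # everything after the protocol
            src, dst = _addr(rest), _addr(rest)
            asa["acls"].setdefault(tok[1], []).append((tok[3], src, dst))
        elif tok[0] == "nat" and tok[2] == "0":
            asa["nat0"][tok[1].strip("()")] = tok[4]       # interface -> exemption ACL name
        elif tok[0] == "nat":
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            asa["dynamic"].append((tok[1].strip("()"), tok[2], net))
        elif tok[0] == "global":
            asa["globals"][tok[2]] = f"{tok[1].strip('()')} {tok[3]}"
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            asa["statics"].append((real_if, mapped_if,
                                   ipaddress.ip_address(tok[2]),    # mapped (public) address
                                   ipaddress.ip_address(tok[3])))   # real (inside) address
    return asa


ASA = parse(CONFIG)


def outbound_xlate(src, dst, ingress="LAN", asa=ASA):
    """Translation chosen for a flow entering `ingress` toward the lower-security side.
    Modelled 8.2 order (simplified assumption): nat 0 ACL, then static, then dynamic."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in asa["acls"].get(asa["nat0"].get(ingress), []):
        if src in s and dst in d:
            if action == "permit":
                return ("exempt", src)           # exemption wins: address left untranslated
            break                                # explicit deny: fall through to static/dynamic
    for real_if, _mapped_if, mapped, real in asa["statics"]:
        if real_if == ingress and src == real:
            return ("static", mapped)
    for iface, nat_id, net in asa["dynamic"]:
        if iface == ingress and src in net:
            return ("dynamic", asa["globals"].get(nat_id, nat_id))
    return ("none", None)


def inbound_check(src, dst, ingress="WAN", asa=ASA):
    """Flow arriving on `ingress` for a mapped address: untranslate through the static, then
    the reverse-path check: the real host's own lookup toward `src` must give back the same
    mapped address, otherwise the flow is dropped in the NAT stage (the packet-tracer symptom)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for real_if, mapped_if, mapped, real in asa["statics"]:
        if mapped_if == ingress and dst == mapped:
            kind, back = outbound_xlate(real, src, real_if, asa)
            if kind == "static" and back == mapped:
                return ("ALLOW", f"untranslate {dst} -> {real}")
            phase = "NAT-EXEMPT" if kind == "exempt" else "NAT"
            return ("DROP", f"{phase} rpf-check: reverse flow {real} -> {src} is '{kind}', not static {mapped}")
    return ("DROP", f"no static maps {dst} on {ingress}")


def hairpin_check(dst, ingress="LAN", intra_interface=False, asa=ASA):
    """Inside host addressing the public address of another inside host: the flow would have
    to leave through the interface it entered, which 8.2 refuses unless
    'same-security-traffic permit intra-interface' is configured (assumed absent here)."""
    dst = ipaddress.ip_address(dst)
    for real_if, mapped_if, mapped, real in asa["statics"]:
        if dst == mapped and real_if == ingress:
            if intra_interface:
                return ("ALLOW", f"U-turn on {ingress} toward {real}")
            return ("DROP", f"{dst} is the {mapped_if} address of {real}; U-turn on {ingress} not permitted")
    return ("ROUTE", f"{dst} is not a mapped address here; forwarded normally")


if __name__ == "__main__":
    print(inbound_check("203.0.113.5", "74.203.134.38"))   # internet client -> RDP static: allowed
    print(inbound_check("172.16.1.5", "74.203.134.38"))    # RemoteClientPool client -> same static: exempt, rpf drop
    print(hairpin_check("74.203.134.38"))                  # inside host using the public IP: no hairpin
```

The second case is the interesting one: the reverse flow 192.168.1.18 -> 172.16.1.5 matches the first line of LAN_nat0_outbound, so the exemption is chosen before the static is ever consulted and the inbound packet fails the reverse-path check. Federico's suggested deny line at the top of that ACL (or narrowing its "any" sources) changes what this lookup returns; adding it to CONFIG and re-running is a cheap way to check a candidate fix before touching the firewall.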
