Cisco ASA5510 Firewall

Answered Question
Dec 18th, 2013

Hi,

 

Please help me to resolve my issue in the Cisco ASA 5510 firewall. From outside, port 3389 is blocked but still accessible from a LAN IP NATted with the private IP address. Enclosed is the ASA config file.

 

Regards,

Saroj Pradhan

Correct Answer by Julio Carvajal, Fri, 01/03/2014 - 12:20

Hello Saroj,


So to move forward:


You can RDP locally to a server but you cannot from the internet.


What's the NAT you have configured for the server?


Also to get closer to the solution do


packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.x 3389 (Where x.x.x.x is the outside public IP address of the Server)


Provide the entire output



Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

saroj pradhan Sat, 01/04/2014 - 18:26

The server interface has a private IP address and, for access to the server from the Internet, is NATted with a public IP address. Please help; I want to block RDP port access from the Internet.

Marius Gunnerud Fri, 01/03/2014 - 05:06

From outside, port 3389 is blocked but still accessible from LAN IP NATted with the private IP address


Your config shows you have permitted RDP from the outside:


access-list outside_access_in extended permit tcp any any eq 3389


I am not sure what you mean by "still accessible from LAN IP NATted with the private IP address". Could you please clarify this.




saroj pradhan Sat, 01/04/2014 - 18:24

Please find the details.



The server private IP is 172.16.48.83 and is NATted with the public IP address 122.168.191.82.


Please find the report.



Netlink-OS-ASA# packet-tracer input outside tcp 4.2.2.2 1025 122.168.191.82 33$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
    translate_hits = 35877, untranslate_hits = 2503399
Additional Information:
NAT divert to egress interface inside
Untranslate Timesheet_Outside_Public/0 to Timesheet_Inside_Local/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
    translate_hits = 35877, untranslate_hits = 2503421
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
    translate_hits = 35877, untranslate_hits = 2503430
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 277395699, packet dispatched to next module

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop VPN_AccesssL3 using egress ifc inside
adjacency Active
next-hop mac address 001a.a224.73c2 hits 2236

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
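The trace above is the whole diagnosis: every phase returns ALLOW, the UN-NAT phase maps Timesheet_Outside_Public back to Timesheet_Inside_Local, and the inbound ACL phase admits the flow on "access-list outside_access_in extended permit ip any any", which is not an RDP-specific rule at all. Reading that out of forty lines by hand is error-prone, so here is an added example (not code from the thread) in Python that parses packet-tracer output of this shape and returns the final action, the ACE that decided it on a given interface, and the static NAT untranslation. SAMPLE_TRACE is a constructed, trimmed copy of the trace posted above (phases 1 to 3 plus the summary); the field names follow the ASA output format as shown there.

```python
"""Parse Cisco ASA packet-tracer output and report which ACL entry decided the flow.
Added example, not code from the thread. SAMPLE_TRACE is a constructed, trimmed
copy of the trace posted above (phases 1-3 and the final summary)."""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
Additional Information:
NAT divert to egress interface inside
Untranslate Timesheet_Outside_Public/0 to Timesheet_Inside_Local/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:[ \t]*(\d+)[ \t]*$", re.M)


def parse_phases(trace):
    """Return ([phase dicts], final action). Each phase keeps its Config and
    Additional Information lines so the deciding rule can be quoted verbatim."""
    body, _, summary = trace.partition("\nResult:\n")  # summary starts at a bare "Result:"
    chunks = PHASE_RE.split(body)                       # ['', '1', body1, '2', body2, ...]
    phases = []
    for num, text in zip(chunks[1::2], chunks[2::2]):
        phase = {"phase": int(num), "type": "", "subtype": "", "result": "",
                 "config": [], "info": []}
        section = None
        for line in text.splitlines():
            if line.startswith("Type:"):
                phase["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                phase["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                phase["result"] = line.split(":", 1)[1].strip()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section and line.strip():
                phase[section].append(line.rstrip())
        phases.append(phase)
    m = re.search(r"^Action:[ \t]*(\w+)", summary, re.M)
    return phases, (m.group(1) if m else "")


def deciding_ace(phases, interface="outside", direction="in"):
    """(result, access-group line, ACE line) for the ACL applied in `direction`
    on `interface`, or None if packet-tracer never reached that ACL."""
    for p in phases:
        if p["type"] != "ACCESS-LIST":
            continue
        group = next((l for l in p["config"] if l.startswith("access-group ")
                      and f" {direction} interface {interface}" in l), None)
        if group is None:
            continue
        ace = next((l for l in p["config"] if l.startswith("access-list ")), None)
        return p["result"], group, ace
    return None


def untranslated_host(phases):
    """(mapped name, real name) from the UN-NAT phase: the mapped one is what a
    pre-8.3 outside ACL is matched against."""
    for p in phases:
        if p["type"] == "UN-NAT":
            for l in p["info"]:
                m = re.match(r"Untranslate (\S+)/\d+ to (\S+)/\d+", l)
                if m:
                    return m.group(1), m.group(2)
    return None


def reachable_from(trace, interface="outside"):
    """True when the trace ends in 'allow' and the inbound ACL on `interface` let it in."""
    phases, action = parse_phases(trace)
    decided = deciding_ace(phases, interface)
    return action == "allow" and decided is not None and decided[0] == "ALLOW"
```

Run it over the full trace from the post (not just the trimmed sample) and deciding_ace returns the same permit ip any any line; that, not a missing block rule, is why RDP answers from the Internet.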

Correct Answer
Julio Carvajal Sat, 01/04/2014 - 20:04
Marius Gunnerud Sun, 01/05/2014 - 03:41

For the ASA to block/filter all traffic headed for 3389, all traffic must pass through the ASA. If it is a Windows machine you could use the Windows firewall to permit/deny RDP traffic. If it is not a Windows machine you could install a software firewall on it and use that to regulate traffic.


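What the thread leaves implicit is the fix on the ASA side and the trap in applying it. Interface ACLs on the ASA are first-match, so a deny for 3389 appended after the existing permit ip any any is never reached; it has to come first, or the broad permit has to go. Because the trace uses the pre-8.3 static (inside,outside) NAT syntax, the ACL applied inbound on outside is matched against the mapped (public) address 122.168.191.82, which is exactly the destination Julio's packet-tracer command used; on 8.3 and later the same ACL would name the real address 172.16.48.83 instead, and the ordering lesson is unchanged. LAN-to-server RDP never traverses outside_access_in, which is Marius's point above. The following is an added example in Python (not the thread's own config): a small first-match evaluator for the subset of ASA extended ACE syntax seen in this thread, run against the original ACL, a mis-ordered "fix", and a hardened version. Addresses and the outside_access_in lines come from the thread; the hardened ACL is this example's suggestion and its port 80 permit is a placeholder for whatever the server actually publishes.

```python
"""First-match evaluation of an ASA interface ACL, showing why the order of the
RDP deny matters. Added example, not the thread's own config. Addresses and the
outside_access_in lines are taken from the thread; the hardened ACL is this
example's suggestion, and the port 80 permit in it is a placeholder."""
import ipaddress

# From the thread: the server's private address and its static public mapping.
TIMESHEET_INSIDE_LOCAL = "172.16.48.83"
TIMESHEET_OUTSIDE_PUBLIC = "122.168.191.82"

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'NET MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line):
    """Parse the subset 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended" or tok[3] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"name": tok[1], "action": tok[3], "proto": PROTO_NUM[tok[4]],
            "src": src, "dst": dst, "dport": dport, "line": line}


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; an ASA ACL ends in an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] is not None and ace["proto"] != proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny"


def build(lines):
    return [parse_ace(l) for l in lines]


# outside_access_in as the thread shows it: Marius quoted the 3389 permit and
# packet-tracer matched the ip any any permit. Either line lets RDP in.
ORIGINAL_OUTSIDE_ACL = build([
    "access-list outside_access_in extended permit tcp any any eq 3389",
    "access-list outside_access_in extended permit ip any any",
])

# Wrong fix: the deny is appended after the broad permit and is never reached.
MISORDERED_OUTSIDE_ACL = build([
    "access-list outside_access_in extended permit ip any any",
    "access-list outside_access_in extended deny tcp any host 122.168.191.82 eq 3389",
])

# Suggested fix: explicit deny for RDP to the public address first, then only the
# services the server really publishes (port 80 is a placeholder, not from the thread).
HARDENED_OUTSIDE_ACL = build([
    "access-list outside_access_in extended deny tcp any host 122.168.191.82 eq 3389",
    "access-list outside_access_in extended permit tcp any host 122.168.191.82 eq 80",
])


def rdp_from_internet(acl):
    """The 5-tuple from Julio's packet-tracer command: 4.2.2.2:1025 -> public IP:3389.
    Pre-8.3 ASA (the 'static (inside,outside)' syntax in the trace) matches the
    outside ACL against the mapped (public) address, so that is what we test."""
    return evaluate(acl, 6, "4.2.2.2", TIMESHEET_OUTSIDE_PUBLIC, 3389)
```

After changing the ACL, re-run the same packet-tracer command from the thread; the ACCESS-LIST phase should now show Result: DROP against the deny line, and the summary should end in Action: drop.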
