Cisco ASA5510 Firewall

saroj pradhan
Level 1

Hi,

 

Please help me resolve my issue with the Cisco ASA 5510 firewall. From outside, port 3389 is blocked, but it is still accessible from a LAN IP NATted with the private IP address. Enclosed is the ASA config file.

 

Regards,

Saroj Pradhan


7 Replies

Tariq Bader
Cisco Employee

Please specify what that IP address is.

The server interface has a private IP address and, for access to the server from the Internet, is NATted with a public IP address. Please help; I want to block RDP port access from the Internet.

"From outside, port 3389 is blocked, but it is still accessible from a LAN IP NATted with the private IP address."

Your config shows you have permitted RDP from the outside:

access-list outside_access_in extended permit tcp any any eq 3389

I am not sure what you mean by "still accessible from LAN IP NATted with the private IP address". Could you please clarify this?

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
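ASA access lists are evaluated top to bottom and the first matching entry decides, with an implicit deny at the end. That is why the entry Tariq quotes (and the `permit ip any any` that shows up later in the packet-tracer output) exposes RDP no matter what comes after it. The following Python model of that first-match evaluation is an added example, not code from the thread or from Cisco; it uses the thread's public address 122.168.191.82, and the hardened list (a deny for 3389 placed first, followed by an assumed port-443 permit) is an assumption about what the poster wants, not his configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER_PUBLIC = "122.168.191.82"   # mapped address of the server, from the thread


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, optional dest port."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip", "tcp" or "udp"
    src: str                   # "any" or an IPv4 network in CIDR form
    dst: str
    dport: Optional[int] = None   # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse the 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' syntax."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tok[3], tok[4]
    i = 5

    def take_addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1] + "/32"
        net, mask = tok[i], tok[i + 1]          # "network mask" form
        i += 2
        return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))

    src = take_addr()
    dst = take_addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def _match_addr(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the deciding ACE); None index = implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _match_addr(ace.src, src) or not _match_addr(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


def rdp_exposed(acl: List[Ace]) -> bool:
    """True if an arbitrary Internet host (4.2.2.2, as in Julio's test) can reach TCP/3389 on the server."""
    return evaluate(acl, "tcp", "4.2.2.2", SERVER_PUBLIC, 3389)[0] == "permit"


# The two entries quoted in the thread, in the order they would be evaluated.
ORIGINAL_ACL = [parse_ace(l) for l in [
    "access-list outside_access_in extended permit tcp any any eq 3389",
    "access-list outside_access_in extended permit ip any any",
]]

# Assumed hardened list: the deny comes first; only a constructed 443 service stays reachable.
HARDENED_ACL = [parse_ace(l) for l in [
    f"access-list outside_access_in extended deny tcp any host {SERVER_PUBLIC} eq 3389",
    f"access-list outside_access_in extended permit tcp any host {SERVER_PUBLIC} eq 443",
]]

# Common mistake: the same deny appended after a blanket permit never gets a chance to match.
MISORDERED_ACL = [parse_ace(l) for l in [
    "access-list outside_access_in extended permit ip any any",
    f"access-list outside_access_in extended deny tcp any host {SERVER_PUBLIC} eq 3389",
]]


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("hardened", HARDENED_ACL), ("misordered", MISORDERED_ACL)]:
        print(f"{name:10s} RDP from Internet: {evaluate(acl, 'tcp', '4.2.2.2', SERVER_PUBLIC, 3389)}")
```

One caveat worth remembering when writing the real entry: on the 8.2-style `static (inside,outside)` NAT this ASA is running, an interface ACL applied to the outside interface matches the mapped public address (122.168.191.82, as in the example); on ASA 8.3 and later the same ACL is written against the real inside address instead.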

Julio Carvajal
VIP Alumni

Hello Saroj,

So to move forward:

You can RDP locally to a server but you cannot from the internet.

What's the NAT you have configured for the server?

Also to get closer to the solution do

packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.x 3389 (Where x.x.x.x is the outside public IP address of the Server)

Provide the entire output

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Please find the details.

The server private IP is 172.16.48.83 and is NATted with public IP address 122.168.191.82.

Please find the report.

Netlink-OS-ASA# packet-tracer input outside tcp 4.2.2.2 1025 122.168.191.82 33$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
    translate_hits = 35877, untranslate_hits = 2503399
Additional Information:
NAT divert to egress interface inside
Untranslate Timesheet_Outside_Public/0 to Timesheet_Inside_Local/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
    translate_hits = 35877, untranslate_hits = 2503421
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
    translate_hits = 35877, untranslate_hits = 2503430
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 277395699, packet dispatched to next module

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop VPN_AccesssL3 using egress ifc inside
adjacency Active
next-hop mac address 001a.a224.73c2 hits 2236

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
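Reading a trace like the one above by hand means scanning eleven phases for the one that matters; the ACCESS-LIST phase is what reveals that the outside ACL currently permits everything, and the final `Action:` line is the verdict. The parser below is an added example (not from the thread or from Cisco) that splits `packet-tracer` output into phases and reports the verdict, the deciding DROP phase if any, and the ACL entries that were hit. The two embedded transcripts are constructed: the first is an abridged copy of the trace posted above, the second shows what the same trace would look like once an outside ACL denied TCP/3389 to the server, including the `Drop-reason` line the ASA prints in that case.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Phase:
    """One 'Phase: N' block of packet-tracer output."""
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)


def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Return the list of phases and the key/value pairs of the final 'Result:' block."""
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    cur: Optional[Phase] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if line == "Result:":              # bare 'Result:' opens the final summary block
            cur = None
            section = "final"
            continue
        if section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
            continue
        if cur is None:                    # command echo or other preamble before Phase 1
            continue
        if line.startswith("Type:"):
            cur.ptype = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return phases, final


def summarize(text: str) -> Dict[str, object]:
    """Condense a trace to what an operator checks first: verdict, deciding phase, ACL entries hit."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    acl_hits = [c for p in phases if p.ptype == "ACCESS-LIST"
                for c in p.config if c.startswith("access-list")]
    return {
        "action": final.get("Action", "").lower(),
        "egress": final.get("output-interface"),
        "drop_phase": (drop.number, drop.ptype) if drop else None,
        "drop_reason": final.get("Drop-reason"),
        "acl_hits": acl_hits,
        "phase_count": len(phases),
    }


# Constructed sample 1: abridged from the trace in the thread (phases 1-3 only).
SAMPLE_ALLOW = """\
Netlink-OS-ASA# packet-tracer input outside tcp 4.2.2.2 1025 122.168.191.82 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
  match ip inside host Timesheet_Inside_Local outside any
    static translation to Timesheet_Outside_Public
Additional Information:
NAT divert to egress interface inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample 2: the same flow once the outside ACL denies RDP to the server.
SAMPLE_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
Additional Information:
NAT divert to egress interface inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny tcp any host 122.168.191.82 eq 3389
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for label, sample in [("current", SAMPLE_ALLOW), ("after deny", SAMPLE_DROP)]:
        print(label, summarize(sample))
```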

Hello Saroj,

So you mean you want to block it even locally???

From where are you trying to RDP using the local IP address?

For the ASA to block it the traffic must traverse the ASA

Julio Carvajal Segura

For the ASA to block or filter all traffic headed for 3389, all of that traffic must pass through the ASA. If it is a Windows machine, you could use the Windows Firewall to permit or deny RDP traffic. If it is not a Windows machine, you could install a software firewall on it and use that to regulate traffic.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card