
New Member

Access List not Working on ASA 5505?

I have an ASA 5505 on which I need to open a couple of ports from the outside going in for servers. There are two servers, one handling mail and one for remote administrative access using RDP (Windows servers). The port number for RDP is 3389. If I try to RDP into the server from outside the network, it fails. However, if I try to RDP into the server from internally, even from a different site through a VPN tunnel, it works perfectly. When I open port 3389 to the entire network, I can RDP into the mail server, but I still am not able to RDP into the administrative server. Any suggestions would be welcome.

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Access List not Working on ASA 5505?

Try clearing the arp on the 1721.

13 REPLIES

Re: Access List not Working on ASA 5505?

Jackson, try these:

If you are using the outside interface IP as your outside IP for your static mappings, the static entry should be as follows,

assuming your inside host for the RDP connection is 10.0.2.251:

static (inside,outside) tcp interface 3389 10.0.2.251 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 3389

access-group outside_access_in in interface outside

If you use a spare IP from your outside IP subnet (e.g. a 1.1.1.1/28 subnet) instead of the outside interface,

the static should be:

e.g. spare IP 1.1.1.3

static (inside,outside) 1.1.1.3 10.0.2.251 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.1.1.3 eq 3389

access-group outside_access_in in interface outside
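A small consistency checker for the three pieces a pre-8.3 port forward needs (the static, the matching permit, and the access-group binding the ACL inbound on outside). This is an added example, not part of the thread or Cisco's tooling; it assumes the syntax shown in the reply above, uses the sample addresses from it as constructed input, and also flags a single-host static whose netmask is not 255.255.255.255.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax from the reply above; the second
# static deliberately carries a /24 netmask so the checker has something to flag.
SAMPLE = """\
static (inside,outside) tcp interface 3389 10.0.2.251 3389 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 10.0.2.251 netmask 255.255.255.0
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 3389
access-list outside_access_in extended permit tcp any host 1.1.1.3 eq 3389
access-group outside_access_in in interface outside
"""

STATIC = re.compile(r"static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+)(?: (\d+))? (\S+)(?: (\d+))? netmask (\S+)")
PERMIT = re.compile(r"access-list (\S+) extended permit (\w+) any host (\S+)(?: eq (\d+))?")
BOUND = re.compile(r"access-group (\S+) in interface (\w+)")


def permit_covers(p, proto, gip, gport):
    """True if permit tuple (acl, proto, host, port) admits traffic to this static."""
    acl, p_proto, host, port = p
    return (host == gip
            and (proto is None or p_proto in (proto, "ip"))
            and (gport is None or port in (gport, None)))


def check_port_forwards(config, outside_ip):
    """Return findings for statics whose inbound ACL is wrong, missing or unbound."""
    statics, permits, bound = [], [], {}
    for line in config.splitlines():
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := PERMIT.match(line):
            permits.append(m.groups())
        elif m := BOUND.match(line):
            bound[m.group(2)] = m.group(1)        # interface -> ACL applied inbound
    findings = []
    for _inside, outside, proto, gip, gport, _lip, _lport, mask in statics:
        if gip == "interface":
            gip = outside_ip                      # keyword means the outside interface IP
        elif mask != "255.255.255.255":
            findings.append(f"static for {gip} uses netmask {mask}; a single spare IP needs 255.255.255.255")
        hits = [p for p in permits if permit_covers(p, proto, gip, gport)]
        if not hits:
            findings.append(f"no permit for {proto or 'ip'} host {gip} port {gport or 'any'}")
        elif bound.get(outside) not in {p[0] for p in hits}:
            findings.append(f"ACL {hits[0][0]} permits {gip} but is not applied inbound on {outside}")
    return findings


if __name__ == "__main__":
    for finding in check_port_forwards(SAMPLE, "1.1.1.1"):
        print(finding)
```

If the checker is clean and the ASA still logs nothing for the inbound attempt, the packets are not reaching the ASA, which is the upstream routing/ARP problem the rest of this thread converges on.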

New Member

Re: Access List not Working on ASA 5505?

We do have a spare IP, and it's set in there as well with a static mapping for the two servers. However, what you suggested was the first way I'd had it configured and it still didn't work. Any other ideas?

Re: Access List not Working on ASA 5505?

What do the firewall logs tell you when trying to RDP from outside? Anything in the logs?

New Member

Re: Access List not Working on ASA 5505?

No, that was the strange thing. There was nothing in the logs at all. Which normally would have made me think that RDP was getting stopped before it ever touched the firewall. However, when I opened RDP up for the other server, it worked perfectly.

Green

Re: Access List not Working on ASA 5505?

Sounds like this ip you are trying to use is not being routed to your asa.

Re: Access List not Working on ASA 5505?

Adam brought up a good point: who is your outside next hop, and who routes the 2.2.2.0 and 3.3.3.0 networks from your outside?

New Member

Re: Access List not Working on ASA 5505?

The next outside hop is a Cisco 1721 sitting right underneath the firewall. Here's the odd thing: I'm trying to replace a couple of SonicWall firewalls with these ASA's. And RDP is working perfectly well through the old firewall, but not through the Cisco boxes.

Re: Access List not Working on ASA 5505?

I think that is where your problem is: the 1721 is still routing those addresses through the SonicWall firewall instead of the ASA 5505. If I were to migrate I would do it as a hot cutover. If you had an external switch you could build firewall rules from your SonicWall to the ASA, using the same IP scheme, allocate a switchport on the switch for the ASA as shutdown and plan a hot cutover. You can always fall back by enabling the switchport the SonicWall is on and disabling the ASA outside interface on the outside switchport; at least this way you can avoid problems and go back on a second migration attempt. I have done it many times and it proves to be the easiest way.

Green

Re: Access List not Working on ASA 5505?

Try clearing the arp on the 1721.

New Member

Re: Access List not Working on ASA 5505?

Well, our migration attempts have, so far, consisted of unplugging the interfaces on the SonicWall and plugging them into the ASA 5505. The SonicWall's not even physically connected to the network at that point, so I don't think that's the issue. The router just sends on the packets to the IP address, which is the ASA. I'm beginning to agree with you guys, though, that it seems there might be something strange going on with that IP address.

But then I remember that in our other location, we have the same problem, but with a different server, different IP address, and even a different service! (http)

Re: Access List not Working on ASA 5505?

Did you try what Adam suggested by clearing arp on outside router.

New Member

Re: Access List not Working on ASA 5505?

I haven't yet, and it's a little difficult to try, since we have to schedule the migration attempts for after regular business hours. I'll try that the next chance I get. Do you have any other suggestions of things I could try?

New Member

Re: Access List not Working on ASA 5505?

Okay, we're trying again and we flushed the arp cache, still no go. And actually, now none of the other port forwarding is working either!
