We're trying to get a remote access setup for someone who needs to have access from offsite. To make things easy we set it up with a virtual machine running Windows 7 and RDP. Because the "other end" isn't our computer and we've had some difficulties with people using the Cisco VPN client successfully, we were just going to set up a machine as an RDP Gateway and forward the port through the firewall (WebVPN might be nice, but the plugins only do RDP through v5.x). I've tried this on 8.4-1 and after reinstalling the latest 8.2, and supposedly the NAT works and there is a firewall rule allowing access from the outside to the RD-GW server on HTTPS, but the ASA is still blocking those packets. I've looked at 4 howtos and followed them, trying from the console and from ASDM (and one trashed the whole setup, probably related to the reinstall of 8.2) - what am I doing wrong?
Result of the command: "show config"
: Saved
: Written by enable_15 at 02:42:50.752 UTC Thu Nov 17 2011
!
ASA Version 8.4(2)
!
hostname g(...)
domain-name vinemapleplace.org
enable password (...) encrypted
passwd (...) encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 126.96.36.199 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 188.8.131.52
 domain-name vinemapleplace.org
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VMP-RA1
 host 192.168.0.a
 description VMP-RA1 INSIDE
object network VMP-RA1P
 host 173.10.b.c
 description VMP-RA3 OUTSIDE
object network mail.vinemapleplace.org
 host 207.97.d.e
 description mail server at CWW
object network VMPDC2
 host 192.168.0.f
 description Secondary DC/Remote Access Gateway
object network VMPDC2P
 host 173.10.g.h
 description VMPDC2 public IP
object-group service RDP tcp
 description MS RDP service
 port-object eq 3389
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
 port-object eq imap4
 port-object eq pop2
 port-object eq pop3
 port-object eq smtp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access extended permit tcp any object VMPDC2 eq https
access-list outside_access extended permit tcp any object VMP-RA1 object-group RDP inactive
access-list inside_access_in remark DNS
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in remark FTP
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp any any eq hostname
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit object-group TCPUDP any any eq echo
access-list inside_access_in extended permit udp any any eq nameserver
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit tcp any object mail.vinemapleplace.org object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit tcp any any object-group RDP
access-list inside_access_in extended permit ip any any inactive
access-list global_access extended permit tcp any object VMP-RA1 object-group RDP inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network VMP-RA1
 nat (inside,outside) static VMP-RA1P
object network VMPDC2
 nat (inside,outside) static VMPDC2P service tcp https https
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access in interface outside
access-group global_access global
!
router rip
!
route outside 0.0.0.0 0.0.0.0 173.10.h.i 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VMP_Users protocol ldap
aaa-server VMP_Users (inside) host 192.168.0.j
 server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca (...)
  quit
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email email@example.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:(...)
Got it to work - I was messing with the ASDM's "Public Servers" thing and somehow, though I wasn't able to get the direct-to-RDP thing to work, I was able to get the more secure RDP-gateway thing over HTTPS to work.
Still can't figure out exactly what I did differently this time...
Well, I did not say to remove that line, just to add the one that I put. The problem is that NAT is read from top to bottom, and the first line you have is the one for internet access (Regular PAT); no other NAT is going to take precedence. The NAT config that I put will be located in the manual NAT section, so it will first hit that one (for that specific host) and then the rest of the hosts are going to go with the regular PAT.
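A small Python model of the precedence the reply describes (a manual NAT entry in section 1 is evaluated before the object/auto NAT that the PAT lives in, with after-auto NAT last), built from the NAT lines in the config above. This is an added example, not code from the thread or from Cisco; the section-1 line for VMPDC2 is assumed (the reply's actual line is not on the page) and the numeric addresses are constructed stand-ins for the masked 192.168.0.f / 173.10.g.h.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the page's masked hosts 192.168.0.f and 173.10.g.h.
VMPDC2 = "192.168.0.50"

@dataclass
class NatRule:
    name: str
    section: int           # 1 = manual NAT, 2 = auto (object) NAT, 3 = after-auto manual NAT
    real: str              # real (inside) address or network the rule translates
    kind: str              # "static" or "dynamic"
    port: Optional[int] = None   # service restriction (e.g. 443), None = all ports

# Section 2 and 3 rules come from the config above; the section-1 rule is the
# assumed manual entry for the RD Gateway host that the reply talks about.
RULES = [
    NatRule("manual VMPDC2 static (assumed)", 1, VMPDC2 + "/32", "static"),
    NatRule("obj_any dynamic interface (PAT)", 2, "0.0.0.0/0", "dynamic"),
    NatRule("VMPDC2 static VMPDC2P service tcp https", 2, VMPDC2 + "/32", "static", 443),
    NatRule("after-auto source dynamic any interface", 3, "0.0.0.0/0", "dynamic"),
]

def ordered(rules):
    """Sort into ASA evaluation order: section 1 in config order, then section 2
    with static rules before dynamic and smaller objects first, then section 3."""
    def key(r):
        if r.section != 2:
            return (r.section, 0, 0)
        static_first = 0 if r.kind == "static" else 1
        return (2, static_first, ip_network(r.real).num_addresses)
    return sorted(rules, key=key)   # sorted() is stable, so config order survives

def match(rules, src_ip, dst_port):
    """Name of the first rule that translates an inside->outside flow
    (static rules are bidirectional, so the same rule serves the reply traffic)."""
    for r in ordered(rules):
        if ip_address(src_ip) in ip_network(r.real) and (r.port is None or r.port == dst_port):
            return r.name
    return None

if __name__ == "__main__":
    for host, port in ((VMPDC2, 443), (VMPDC2, 3389), ("192.168.0.20", 443)):
        print(f"{host}:{port} -> {match(RULES, host, port)}")
```

On the ASA itself, `show nat` lists the three sections in this order and `packet-tracer` shows which NAT rule and ACL entry a given flow actually hits, which is the quickest way to confirm the ordering before opening the port.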
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...