07-22-2014 08:08 AM - edited 03-11-2019 09:31 PM
Hello All,
On ASA 5515 version 8.6, I am trying to create a NAT and access list to allow RDP from outside public to inside private network.
I was able to create it using the ASDM, as I am comfortable with it and not an expert with the CLI.
When I tested it, it did not work no matter what. I looked at the packet tracer and it said that the traffic was blocked by an implicit rule.
I tried to create an ACL and it said the ACL exists. However, it does not work as the packets are dropped.
Any assistance or ideas are very much appreciated.
Thanks!
Saji
07-22-2014 09:42 AM
Hi
Share your ASA show runn configuration with me.
HTH
Sandy
07-22-2014 11:13 AM
Can I email it to you? I am a little hesitant to post the complete running config on the blog.
I can also send you some screenshots of Packet Tracer that show the packets being dropped at the inside interface because of an implicit rule. I think I have to create an access rule on the inside interface as well, which I do not see, but I am worried about breaking something.
Thanks Sandy!
07-22-2014 11:33 AM
07-22-2014 09:20 PM
Hi ,
What is your ASA code version?
Share only the following output with me:
1) show runn access-list
2) show runn access-group
3) show runn static
HTH
Sandy
07-23-2014 05:15 AM
ASA Code is 8.6(1).
I think the issue is that we do not have any access list on the internal interface. But I am worried about changing it, because it is an implicit rule that allows everything from the less secure networks.
Result of the command: "show run access-list"
access-list 102 extended permit tcp any host 67.208.160.156 eq www
access-list 102 extended permit tcp any host 67.208.160.156 eq 3389
access-list 102 extended permit icmp any any echo-reply
access-list 102 extended permit icmp any any source-quench
access-list 102 extended permit icmp any any unreachable
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit ip any host 67.208.160.155
access-list 102 extended permit tcp any host 67.208.160.158 eq www
access-list 102 extended permit udp any host 67.208.160.158 eq netbios-ns inactive
access-list 102 extended permit udp any host 67.208.160.158 eq netbios-dgm inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq netbios-ssn inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq 445
access-list 102 extended permit tcp any host 67.208.160.158 eq ftp inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq https
access-list 102 extended permit tcp any host 67.208.160.158 eq rtsp inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq domain inactive
access-list 102 extended permit udp any host 67.208.160.158 eq domain inactive
access-list 102 extended permit udp any host 67.208.160.158 eq ntp
access-list 102 extended permit tcp any host 67.208.160.158 eq smtp inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq ldap inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq ldaps inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq ssh inactive
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 445
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 554
access-list 102 extended permit tcp any host 67.208.160.158 object-group DM_INLINE_TCP_1
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 4743
access-list 102 extended permit tcp any host 67.208.160.157 eq www
access-list 102 extended permit tcp any host 67.208.160.159 eq 2011
access-list 102 extended permit udp any host 67.208.160.159 eq 2011
access-list 102 extended permit tcp any host 67.208.160.159 eq 6001
access-list 102 extended permit udp any host 67.208.160.159 eq 6001
access-list 102 extended permit tcp any host 67.208.160.159 eq 22609
access-list 102 extended permit udp any host 67.208.160.159 eq 22609
access-list 102 extended permit tcp any host 67.208.160.160 eq 2011
access-list 102 extended permit udp any host 67.208.160.160 eq 2011
access-list 102 extended permit tcp any host 67.208.160.160 eq 6001
access-list 102 extended permit udp any host 67.208.160.160 eq 6001
access-list aaa standard permit host 0.0.0.0
Result of the command: "show runn access-group"
access-group 102 in interface outside
Result of the command: "show runn static"
show runn static
^
ERROR: % Invalid input detected at '^' marker.
07-23-2014 09:13 AM
Can we check now? I need to check a few things:
1) NAT
Join the webex below:
https://meetings.webex.com/collabs/meetings/join?uuid=M7EXGIM8ID8WZKIJFTFXAJM5BK-512H
HTH
Sandy
07-23-2014 09:13 AM
Yes.
07-23-2014 09:39 AM
07-23-2014 09:40 AM
Hi ,
Join this webex meeting
https://meetings.webex.com/collabs/meetings/join?uuid=M5G5MMW7PC5GDNDV05Z9VB1N6J-512H
07-23-2014 11:44 AM
In the remote session, the configuration below was updated on your ASA device.
1) Mismatch in your ACL
no access-list 102 extended permit tcp any host 67.208.x.x eq www
no access-list 102 extended permit tcp any host 67.208.x.x eq 3389
access-list 102 extended permit tcp any host 10.90.230.x eq 3389
2) Mismatch on your NAT config
object network rdp_server
host 10.90.230.x
nat (inside,outside) static 67.208.x.x service tcp 3389 3389
HTH
Sandy
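The mismatch Sandy found is the classic post-8.3 NAT change: on ASA 8.3 and later an interface ACL must match the real (inside) address of the server, not the NAT-mapped public address. The script below is an added example (not code from the thread or from Cisco) that parses object NAT statements and flags ACEs whose destination is a mapped address, suggesting the real-IP form; the hosts in the sample are constructed placeholders, not the poster's addresses.

```python
import re

# Constructed sample modelled on the thread: one object NAT for RDP with a
# port translation, one plain static NAT, and an ACL that still uses the
# public address for 3389 (the bug) but the real address for www (correct).
SAMPLE_CONFIG = """
object network rdp_server
 host 10.90.230.10
 nat (inside,outside) static 67.208.160.156 service tcp 3389 3389
object network web_server
 host 10.90.230.20
 nat (inside,outside) static 67.208.160.158
access-list 102 extended permit tcp any host 67.208.160.156 eq 3389
access-list 102 extended permit tcp any host 10.90.230.20 eq www
access-list 102 extended permit icmp any any echo-reply
access-group 102 in interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+)")
# Only the simple "any|host X -> host Y [eq PORT]" ACE form is handled here.
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) (any|host \S+) host (\S+)(?: eq (\S+))?$"
)


def parse_static_nats(config):
    """Map mapped (public) IP -> (real IP, object name) for object NAT static entries."""
    nats, current, real = {}, None, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current, real = m.group(1), None
        elif (m := HOST_RE.match(line)) and current:
            real = m.group(1)
        elif (m := NAT_RE.match(line)) and current and real:
            nats[m.group(3)] = (real, current)
    return nats


def find_mapped_ip_aces(config):
    """Return (offending ACE, suggested ACE) pairs where the ACE destination
    is a NAT-mapped address; the suggestion rewrites it to the real address."""
    nats = parse_static_nats(config)
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(4) in nats:
            real, _ = nats[m.group(4)]
            findings.append((line, line.replace(f"host {m.group(4)}", f"host {real}")))
    return findings


if __name__ == "__main__":
    for bad, good in find_mapped_ip_aces(SAMPLE_CONFIG):
        print(f"no {bad}\n{good}")
```

Run it against the concatenated output of `show run object`, `show run nat` and `show run access-list`; each finding prints the `no` line to remove and the corrected ACE to add, mirroring the change made in the session above.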