08-26-2013 07:54 AM - edited 03-11-2019 07:30 PM
Hi,
I am trying to set up RDP with Server 2012. I have set the NAT and access rules properly. I am using Cisco ASDM to configure the router to allow the RDP connection, but I am not able to achieve an outside connection.
Here is what I have in the NAT rule
Here are the settings for Access Rules
Let me know what I am doing wrong here, guys.
Thanks
08-26-2013 08:01 AM
Hi,
You seem to have the IP addresses and interface the wrong way.
To configure Static PAT the CLI format of the configuration would be
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
I don't personally use ASDM at all.
But I would guess that you need to have
Also you have to allow the destination TCP/3389 traffic to the public IP address of the ASA "outside" interface in the ACL.
- Jouni
08-26-2013 08:07 AM
Hi,
I changed Nat rule to
original
interface inside
source 192.168.1.3
Translated
Interface outside
user interface IP address
PAT
3389
3389
08-26-2013 08:18 AM
Hi,
Did you also change the ACL?
Does it work now?
If it doesn't work we might need to look at the configuration in CLI format.
- Jouni
08-26-2013 08:21 AM
Standard-Title# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 101; 5 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp any host 72.215.252.*** eq 3389 inactive (hitcnt=0) (inactive) 0x9d035038
access-list 101 line 2 extended permit udp any any object-group DM_INLINE_UDP_1 0xdaf70c35
access-list 101 line 2 extended permit udp any any eq bootpc (hitcnt=0) 0xa8545454
access-list 101 line 2 extended permit udp any any eq bootps (hitcnt=0) 0xe82e1f0a
access-list 101 line 3 extended permit icmp any any echo-reply (hitcnt=0) 0x030901cd
access-list 101 line 4 extended permit tcp host 74.80.24.** host 192.168.1.3 object-group RDP 0x2e53a03e
access-list 101 line 4 extended permit tcp host 74.80.24.** host 192.168.1.3 eq 3389 (hitcnt=0) 0xe317d638
08-26-2013 08:24 AM
Hi,
Seems to me that the ACL at the very top is set "inactive" and that means it's not used.
The format used should be
access-list 101 permit tcp any host
Or you can define the source address if you know the IP addresses where the server will be accessed from.
- Jouni
08-26-2013 08:48 AM
Thanks for catching that. We made the correction and have the NAT rule in place. Still doesn't seem to work.
ACCESS LIST
access-list 101 line 3 extended permit tcp any object-group RDP host 74.80.24.*** object-group RDP 0x7646f3fc
access-list 101 line 3 extended permit tcp any eq 3389 host 74.80.24.*** eq 338
NAT
NAT policies on Interface outside:
match tcp outside host 74.80.24.*** eq 3389 inside host 192.168.1.3
static translation to 192.168.1.3/3389
translate_hits = 0, untranslate_hits = 0
08-26-2013 08:52 AM
Hi,
The ACL is wrong.
You have specified that the connection would be coming from "any" source address with "eq 3389" source port. This is not true. The connection can come from any source port so you should leave out the source port from the ACL completely.
As I said, the ACL line/rule should be
access-list 101 permit tcp any host
- Jouni
08-26-2013 09:00 AM
We only want to allow RDP to the server using the standard port 3389. We have added the rule you suggested through cli, but it seems we are still not able to access the server from outside network.
08-26-2013 09:05 AM
Hi,
Yes, the ACL rule above that I mentioned will allow only TCP/3389 destination port connections to your server.
Do notice though that we are still allowing access from "any" source address. If at all possible I would suggest allowing it ONLY from the source address that you know.
If the user's source address where he/she connects to the server changes then naturally this isn't possible. In that case it would usually (and generally with RDP) be to configure a VPN Client connection to the network and allow that RDP connection through the VPN rather than from the Internet directly.
Now anyone from anywhere can attempt to connect to your server with RDP and possibly exploit some weakness or just simply attempt to log in.
- Jouni
08-26-2013 09:20 AM
We only want to allow RDP to the server using the standard port 3389. We have added the rule you suggested through cli, but it seems we are still not able to access the server from outside network.
Even with telnet port open to see if we are able to telnet, we are not able to access telnet either.
08-26-2013 09:19 AM
Hi,
It would be best if you could share the ASA configuration and the output of "show access-list". Otherwise it will be hard to see what the current situation and problem might be.
Remember to remove public IP addresses from the configuration if you are going to post it.
- Jouni
08-26-2013 12:04 PM
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list 101; 5 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit udp any any object-group DM_INLINE_UDP_1 0xdaf70c35
access-list 101 line 1 extended permit udp any any eq bootpc (hitcnt=0) 0xa8545454
access-list 101 line 1 extended permit udp any any eq bootps (hitcnt=0) 0xe82e1f0a
access-list 101 line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x030901cd
access-list 101 line 3 extended permit tcp any host 74.80.24.*** object-group RDP 0xb16762cd
access-list 101 line 3 extended permit tcp any host 74.80.24.*** eq 3389 (hitcnt=0) 0x5531caed
access-list 101 line 4 extended permit ip any any (hitcnt=8454) 0x28676dfa
access-list outside_nat_static; 1 elements; name hash: 0x38af6386
access-list outside_nat_static line 1 extended permit tcp host 74.80.24.*** eq 3389 host 192.168.1.3 (hitcnt=0) 0xa869f0fe
08-26-2013 12:08 PM
ASA Version 8.2(1)
!
hostname Standard-Title
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_UDP_1 udp
port-object eq bootpc
port-object eq bootps
object-group service RDP tcp
port-object eq 3389
access-list 101 extended permit udp any any object-group DM_INLINE_UDP_1
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any host 74.80.24.*** object-group RDP
access-list 101 extended permit ip any any
access-list outside_nat_static extended permit tcp host 74.80.24.*** eq 3389 host 192.168.1.3
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) tcp 192.168.1.3 3389 access-list outside_nat_static
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
prompt hostname context
That's the running config.
08-26-2013 01:22 PM
Hi,
Do these changes (remember to enter the actual public IP address into the new ACL at the bottom)
Remove old NAT and ACL
no static (outside,inside) tcp 192.168.1.3 3389 access-list outside_nat_static
clear configure access-list outside_nat_static
no access-group 101 in interface outside
clear configure access-list 101
Configure new NAT and ACL
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow RDP
access-list OUTSIDE-IN permit tcp any host
access-group OUTSIDE-IN in interface outside
- Jouni