Cisco ASA 5505 RDP Access

rikesh8900
Level 1

Hi,

I am trying to set up RDP with Server 2012. I have set the NAT and access rules properly. I am using Cisco ASDM to configure the router to allow the RDP connection, but I am not able to achieve an outside connection.

Here is what i have in nat rule

NAT Rule.png

Here is the settings for Access Rules

Access Rules.png

Let me know what I am doing wrong here, guys.

Thanks


15 Replies

Jouni Forss
VIP Alumni

Hi,

You seem to have the IP addresses and interfaces the wrong way around.

To configure Static PAT the CLI format of the configuration would be

static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255

I don't personally use ASDM at all.

But I would guess that you need to have

  • Original
    • Interface: inside
    • Source: 192.168.1.3
  • Translated
    • Interface: outside
    • Use Interface IP address
  • Enable Port Address Translation (PAT)
    • Protocol: TCP
    • Original Port: 3389
    • Translated Port: 3389

Also you have to allow the destination TCP/3389 traffic to the public IP address of the ASA "outside" interface in the ACL.

- Jouni

Hi,

I changed the NAT rule to

  • Original
    • Interface: inside
    • Source: 192.168.1.3
  • Translated
    • Interface: outside
    • Use interface IP address
  • PAT
    • Original Port: 3389
    • Translated Port: 3389

Hi,

Did you also change the ACL?

Does it work now?

If it doesn't work we might need to look at the configuration in CLI format.

- Jouni

Standard-Title# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 5 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit tcp any host 72.215.252.*** eq 3389 inactive (hitcnt=0) (inactive) 0x9d035038
access-list 101 line 2 extended permit udp any any object-group DM_INLINE_UDP_1 0xdaf70c35
  access-list 101 line 2 extended permit udp any any eq bootpc (hitcnt=0) 0xa8545454
  access-list 101 line 2 extended permit udp any any eq bootps (hitcnt=0) 0xe82e1f0a
access-list 101 line 3 extended permit icmp any any echo-reply (hitcnt=0) 0x030901cd
access-list 101 line 4 extended permit tcp host 74.80.24.** host 192.168.1.3 object-group RDP 0x2e53a03e
  access-list 101 line 4 extended permit tcp host 74.80.24.** host 192.168.1.3 eq 3389 (hitcnt=0) 0xe317d638

Hi,

It seems to me that the ACL line at the very top is set "inactive", which means it is not used.

The format used should be

access-list 101 permit tcp any host eq 3389

Or you can define the source address if you know the IP addresses where the server will be accessed from.

- Jouni

Thanks for catching that. We made the correction and have the NAT rule in place. Still doesn't seem to work.

ACCESS LIST

access-list 101 line 3 extended permit tcp any object-group RDP host 74.80.24.*** object-group RDP 0x7646f3fc
  access-list 101 line 3 extended permit tcp any eq 3389 host 74.80.24.*** eq 338

NAT

NAT policies on Interface outside:

  match tcp outside host 74.80.24.*** eq 3389 inside host 192.168.1.3

    static translation to 192.168.1.3/3389

    translate_hits = 0, untranslate_hits = 0

Hi,

The ACL is wrong.

You have specified that the connection would be coming from "any" source address with "eq 3389" source port. This is not true. The connection can come from any source port so you should leave out the source port from the ACL completely.

As I said, the ACL line/rule should be

access-list 101 permit tcp any host eq 3389

- Jouni

We only want to allow RDP to the server using the standard port 3389. We have added the rule you suggested through cli, but it seems we are still not able to access the server from outside network.

Hi,

Yes, the ACL rule above that I mentioned will allow only TCP/3389 destination port connections to your server.

Do notice though that we are still allowing access from "any" source address. If at all possible I would suggest allowing it ONLY from the source address that you know.

If the user's source address, where he/she connects to the server from, changes, then naturally this isn't possible. In that case the usual approach (and generally with RDP) would be to configure a VPN client connection to the network and allow that RDP connection through the VPN rather than from the Internet directly.

Now anyone from anywhere can attempt to connect to your server with RDP and possibly exploit some weakness or just simply attempt to log in.

- Jouni

We only want to allow RDP to the server using the standard port 3389. We have added the rule you suggested through CLI, but it seems we are still not able to access the server from the outside network.

Even with the telnet port open to see if we are able to telnet, we are not able to access telnet either.

Hi,

It would be best if you could share the ASA configuration and the output of "show access-list". Otherwise it will be hard to see what the current situation and problem might be.

Remember to remove public IP addresses from the configuration if you are going to post it.

- Jouni

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list 101; 5 elements; name hash: 0xe7d586b5
access-list 101 line 1 extended permit udp any any object-group DM_INLINE_UDP_1 0xdaf70c35
  access-list 101 line 1 extended permit udp any any eq bootpc (hitcnt=0) 0xa8545454
  access-list 101 line 1 extended permit udp any any eq bootps (hitcnt=0) 0xe82e1f0a
access-list 101 line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x030901cd
access-list 101 line 3 extended permit tcp any host 74.80.24.*** object-group RDP 0xb16762cd
  access-list 101 line 3 extended permit tcp any host 74.80.24.*** eq 3389 (hitcnt=0) 0x5531caed
access-list 101 line 4 extended permit ip any any (hitcnt=8454) 0x28676dfa
access-list outside_nat_static; 1 elements; name hash: 0x38af6386
access-list outside_nat_static line 1 extended permit tcp host 74.80.24.*** eq 3389 host 192.168.1.3 (hitcnt=0) 0xa869f0fe

ASA Version 8.2(1)

!

hostname Standard-Title

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object-group service DM_INLINE_UDP_1 udp

port-object eq bootpc

port-object eq bootps

object-group service RDP tcp

port-object eq 3389

access-list 101 extended permit udp any any object-group DM_INLINE_UDP_1

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit tcp any host 74.80.24.*** object-group RDP

access-list 101 extended permit ip any any

access-list outside_nat_static extended permit tcp host 74.80.24.*** eq 3389 host 192.168.1.3

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp 192.168.1.3 3389 access-list outside_nat_static

access-group 101 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.132 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect http

!

service-policy global_policy global

prompt hostname context

That's the running config.

Hi,

Make these changes (remember to enter the actual public IP address into the new ACL at the bottom)

Remove old NAT and ACL

no static (outside,inside) tcp 192.168.1.3 3389 access-list outside_nat_static

clear configure access-list outside_nat_static

no access-group 101 in interface outside

clear configure access-list 101

Configure new NAT and ACL

static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255

access-list OUTSIDE-IN remark Allow RDP

access-list OUTSIDE-IN permit tcp any host eq 3389

access-group OUTSIDE-IN in interface outside

- Jouni
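The two points Jouni makes in this thread, that "eq 3389" on the source side of an ACE never matches a real client, and that "permit ... any host X eq 3389" exposes RDP to the whole Internet, are easy to check mechanically. The Python below is an added example, not code from the thread or from Cisco: it parses ASA 8.2-style access-list entries (config form or "show access-list" form), evaluates a sample RDP client against them with the ASA's first-match / implicit-deny semantics, and audits a rule set for the three problems visible in the posted configuration (the source-port rule, the any-source RDP rule, and the "permit ip any any" line that had 8454 hits). The addresses 203.0.113.10, 198.51.100.7 and 192.0.2.99 are constructed documentation addresses standing in for the masked public IPs on the page; the sample ACLs are modelled on the ones posted above, not copied from a live device.

```python
# Added example, not code from the thread: parse ASA 8.2-style access-list entries,
# test an RDP client against them, and audit them for the problems seen above.
# 203.0.113.10, 198.51.100.7 and 192.0.2.99 are constructed documentation addresses.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootpc": 68, "bootps": 67, "ssh": 22, "www": 80}  # names the ASA prints
Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass
class Rule:
    text: str
    action: str
    proto: str
    src: str                 # "any" or "addr/mask"
    src_port: Optional[int]  # set only when the ACE says "eq N" on the source side
    dst: str
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and _addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)
                and self.src_port in (None, pkt.sport) and self.dst_port in (None, pkt.dport))

def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _addr(t: List[str], i: int) -> Tuple[str, int]:  # 'any' | 'host A' | 'A MASK'
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return t[i] + "/" + t[i + 1], i + 2

def _eq_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i + 1 < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse expanded ACEs; remarks, summary and unexpanded object-group lines are skipped."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or "object-group" in t:
            continue
        i = 4 if t[2] == "line" else 2  # "show access-list" prefixes "line N" before "extended"
        if t[i] == "extended":
            i += 1
        if t[i] not in ("permit", "deny"):
            continue
        action, proto, i = t[i], t[i + 1], i + 2
        src, i = _addr(t, i)
        sport, i = _eq_port(t, i)
        dst, i = _addr(t, i)   # ICMP type keywords (echo-reply) after this are ignored
        dport, i = _eq_port(t, i)
        rules.append(Rule(line, action, proto, src, sport, dst, dport))
    return rules

def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ASA ACLs are first-match; None stands for the implicit deny at the end."""
    return next((r for r in rules if r.matches(pkt)), None)

def audit(rules: List[Rule]) -> List[str]:
    """Flag the mistakes that appear in this thread's ACLs."""
    out = []
    for r in (x for x in rules if x.action == "permit"):
        if "inactive" in r.text.split():
            out.append(f"{r.text}: marked inactive, so it is not enforced")
        if r.proto == "ip" and r.src == "any" and r.dst == "any" and r.dst_port is None:
            out.append(f"{r.text}: permit ip any any admits everything; the implicit deny is never reached")
        if r.src_port is not None:
            out.append(f"{r.text}: source port pinned to {r.src_port}; clients use ephemeral source ports, so real sessions never match")
        if r.dst_port == 3389 and r.src == "any":
            out.append(f"{r.text}: RDP reachable from any source; restrict the source or reach it over VPN")
    return out

# Constructed samples modelled on the thread: the mistaken rule, the posted ACL 101,
# the corrected OUTSIDE-IN, and a source-restricted variant of it.
WRONG_ACL = ["access-list 101 extended permit tcp any eq 3389 host 203.0.113.10 eq 3389"]
POSTED_ACL = [
    "access-list 101 extended permit udp any any eq bootpc",
    "access-list 101 extended permit tcp any host 203.0.113.10 eq 3389",
    "access-list 101 extended permit ip any any",
]
FIXED_ACL = ["access-list OUTSIDE-IN remark Allow RDP", "access-list OUTSIDE-IN permit tcp any host 203.0.113.10 eq 3389"]
HARDENED_ACL = ["access-list OUTSIDE-IN permit tcp host 198.51.100.7 host 203.0.113.10 eq 3389"]
RDP_FROM_ADMIN = Packet("tcp", "198.51.100.7", 51234, "203.0.113.10", 3389)  # ephemeral sport
RDP_FROM_STRANGER = Packet("tcp", "192.0.2.99", 44321, "203.0.113.10", 3389)

def demo() -> dict:
    return {
        "wrong_acl_admits_admin": first_match(parse_acl(WRONG_ACL), RDP_FROM_ADMIN) is not None,
        "fixed_acl_admits_admin": first_match(parse_acl(FIXED_ACL), RDP_FROM_ADMIN) is not None,
        "hardened_admits_stranger": first_match(parse_acl(HARDENED_ACL), RDP_FROM_STRANGER) is not None,
        "posted_findings": audit(parse_acl(POSTED_ACL)),
    }
```

Running demo() shows the source-port rule rejecting a legitimate client (source port 51234 is not 3389), the corrected rule admitting it, and the source-restricted variant admitting the known address while dropping the stranger. The audit over the rules modelled on the posted config reports both the any-source RDP rule and the trailing "permit ip any any"; the accepted fix removes the latter implicitly because it clears access-list 101 before building OUTSIDE-IN. Two related lines in the posted running config that this ACL audit does not cover but that a reviewer would tighten the same way are "ssh 0.0.0.0 0.0.0.0 outside", which accepts SSH management attempts from any Internet address, and "telnet 192.168.1.0 255.255.255.0 inside", which enables plaintext management on the LAN.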
