Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Cisco ASA 5505 RDP Access

Hi,

I am trying to set up RDP with server 2012. I have set the nat and access rules set properly. I am using Cisco ASDM to configure the router to allow RDP connection, but i am not able to achieve outside connection.

Here is what i have in nat rule

NAT Rule.png

Here is the settings for Access Rules

Access Rules.png

Let me know what i am doing wrong here guys

Thanks

2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Re: Cisco ASA 5505 RDP Access

Hi,

The ACL is wrong.

You have specified that the connection would be coming from "any" source address with "eq 3389" source port. This is not true. The connection can come from any source port so you should leave out the source port from the ACL completely.

As I said, the ACL line/rule should be

access-list 101 permit tcp any host eq 3389

- Jouni

Super Bronze

Cisco ASA 5505 RDP Access

Hi,

Do these changes (remember to enter the actual public IP address into the new ACL at the bottom)

Remove old NAT and ACL

no static (outside,inside) tcp 192.168.1.3 3389 access-list outside_nat_static

clear configure access-list outside_nat_static

no access-group 101 in interface outside

clear configure access-list 101

Configure new NAT and ACL

static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255

access-list OUTSIDE-IN remark Allow RDP

access-list OUTSIDE-IN permit tcp any host eq 3389

access-group OUTSIDE-IN in interface outside

- Jouni

15 REPLIES
Super Bronze

Cisco ASA 5505 RDP Access

Hi,

You seem to have the IP addresses and interface the wrong way.

To configure Static PAT the CLI format of the configuration would be

static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255

I dont personally use ASDM at all.

But I would guess that you need to have

  • Original
    • Interface: inside
    • Source: 192.168.1.3
  • Translated
    • Interface: outside
    • Use Interface IP address
  • Enable Port Address Translation (PAT)
    • Protocol: TCP
    • Original Port: 3389
    • Translated Port: 3389

Also you have to allow the destination TCP/3389 traffic to the public IP address of the ASA "outside" interface in the ACL.

- Jouni

New Member

Cisco ASA 5505 RDP Access

Hi,

I changed Nat rule to

original

interface inside

source 192.168.1.3

Translated

Inferface outside

user interface IP address

PAT

3389

3389

Super Bronze

Cisco ASA 5505 RDP Access

Hi,

Did you also change the ACL?

Does it work now?

If it doesnt work we might need to look at the configuration in CLI format.

- Jouni

New Member

Re: Cisco ASA 5505 RDP Access

Standard-Title# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list 101; 5 elements; name hash: 0xe7d586b5

access-list 101 line 1 extended permit tcp any host 72.215.252.*** eq 3389 inact

ive (hitcnt=0) (inactive) 0x9d035038

access-list 101 line 2 extended permit udp any any object-group DM_INLINE_UDP_1

0xdaf70c35

  access-list 101 line 2 extended permit udp any any eq bootpc (hitcnt=0) 0xa854

5454

  access-list 101 line 2 extended permit udp any any eq bootps (hitcnt=0) 0xe82e

1f0a

access-list 101 line 3 extended permit icmp any any echo-reply (hitcnt=0) 0x0309

01cd

access-list 101 line 4 extended permit tcp host 74.80.24.** host 192.168.1.3 obj

ect-group RDP 0x2e53a03e

  access-list 101 line 4 extended permit tcp host 74.80.24.** host 192.168.1.3 e

q 3389 (hitcnt=0) 0xe317d638

Super Bronze

Cisco ASA 5505 RDP Access

Hi,

Seems to me that the ACL at the very top is set "inactive" and that means its not used.

The format used should be

access-list 101 permit tcp any host eq 3389

Or you can define the source address if you know the IP addresses where the server will be accessed from.

- Jouni

New Member

Re: Cisco ASA 5505 RDP Access

Thanksfor catching that.  We made the correct and have the NAT rule in plavce.  Still doesn't seem to work.

ACCESS LIST

access-list 101 line 3 extended permit tcp any object-group RDP host 74.80.24.***

object-group RDP 0x7646f3fc

  access-list 101 line 3 extended permit tcp any eq 3389 host 74.80.24.*** eq 338

NAT

NAT policies on Interface outside:

  match tcp outside host 74.80.24.*** eq 3389 inside host 192.168.1.3

    static translation to 192.168.1.3/3389

    translate_hits = 0, untranslate_hits = 0

Super Bronze

Re: Cisco ASA 5505 RDP Access

Hi,

The ACL is wrong.

You have specified that the connection would be coming from "any" source address with "eq 3389" source port. This is not true. The connection can come from any source port so you should leave out the source port from the ACL completely.

As I said, the ACL line/rule should be

access-list 101 permit tcp any host eq 3389

- Jouni

New Member

Re: Cisco ASA 5505 RDP Access

We only want to allow RDP to the server using the standard port 3389. We have added the rule you suggested through cli, but it seems we are still not able to access the server from outside network.

Super Bronze

Cisco ASA 5505 RDP Access

Hi,

Yes, the ACL rule above that I mentioned will allow only TCP/3389 destination port connections to your server.

Do notice though that we are still allowing access from "any" source address. If at all possible I would suggest allowing it ONLY from the source address that you know.

If the users source address where he/she connects to the server changes then naturally this isnt possible. In that case it would usually (and generally with RDP) be to configure a VPN Client connection to the network and allow that RDP connection through the VPN rather than from the Internet directly.

Now anyone from anywhere can attempt to connect to your server with RDP and possibly exploit some weakness or just simply attempt to log in.

- Jouni

New Member

Re: Cisco ASA 5505 RDP Access

We only want to allow RDP to the server using the standard port 3389. We  have added the rule you suggested through cli, but it seems we are  still not able to access the server from outside network.

Even with telnet port open to see if we are able to telnet, we are not able to access telnet either.

Super Bronze

Cisco ASA 5505 RDP Access

Hi,

It would be best if you could share the ASA configuration and the output of "show access-list". Otherwise it will be hard to see what the current situation and problem might be.

Remember to remove public IP addresses from the configuration if you are going to post it.

- Jouni

New Member

Cisco ASA 5505 RDP Access

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list 101; 5 elements; name hash: 0xe7d586b5

access-list 101 line 1 extended permit udp any any object-group DM_INLINE_UDP_1

0xdaf70c35

  access-list 101 line 1 extended permit udp any any eq bootpc (hitcnt=0) 0xa854

5454

  access-list 101 line 1 extended permit udp any any eq bootps (hitcnt=0) 0xe82e

1f0a

access-list 101 line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x0309

01cd

access-list 101 line 3 extended permit tcp any host 74.80.24.*** object-group RDP

0xb16762cd

  access-list 101 line 3 extended permit tcp any host 74.80.24.*** eq 3389 (hitcn

t=0) 0x5531caed

access-list 101 line 4 extended permit ip any any (hitcnt=8454) 0x28676dfa

access-list outside_nat_static; 1 elements; name hash: 0x38af6386

access-list outside_nat_static line 1 extended permit tcp host 74.80.24.*** eq 33

89 host 192.168.1.3 (hitcnt=0) 0xa869f0fe

New Member

Cisco ASA 5505 RDP Access

ASA Version 8.2(1)

!

hostname Standard-Title

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object-group service DM_INLINE_UDP_1 udp

port-object eq bootpc

port-object eq bootps

object-group service RDP tcp

port-object eq 3389

access-list 101 extended permit udp any any object-group DM_INLINE_UDP_1

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit tcp any host 74.80.24.*** object-group RDP

access-list 101 extended permit ip any any

access-list outside_nat_static extended permit tcp host 74.80.24.*** eq 3389 host

192.168.1.3

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) tcp 192.168.1.3 3389 access-list outside_nat_static

access-group 101 in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.132 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect http

!

service-policy global_policy global

prompt hostname context

Thats the running config.

Super Bronze

Cisco ASA 5505 RDP Access

Hi,

Do these changes (remember to enter the actual public IP address into the new ACL at the bottom)

Remove old NAT and ACL

no static (outside,inside) tcp 192.168.1.3 3389 access-list outside_nat_static

clear configure access-list outside_nat_static

no access-group 101 in interface outside

clear configure access-list 101

Configure new NAT and ACL

static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255

access-list OUTSIDE-IN remark Allow RDP

access-list OUTSIDE-IN permit tcp any host eq 3389

access-group OUTSIDE-IN in interface outside

- Jouni

New Member

Re: Cisco ASA 5505 RDP Access

It Worked, thank you very much for your help.

Thanks

5080
Views
0
Helpful
15
Replies
CreatePlease to create content