Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

How to create a access rule to connect to a system using RDP

Hello,

    Just started using our ASA 5505 v8.2 (1)

Trying to configure the ASA applaince to allow access into an internal resource (i.e want to be able to RDP into a system behind the ASA from the internet).

I have used a static NAT:

static (inside,outside) 100.100.100.2 192.168.1.28 netmask 255.255.255.255

access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389

When I view the logs it is reporting the following:

Inbound TCP connection denied from 206.100.100.1 (external IP) to 100.100.100.2 /3389 flags SYN on interface outside.

Been pulling my hair out with this one as I believe I have everything configured correctly. New to the world of ASA’s so be nice

ZT

5 REPLIES

How to create a access rule to connect to a system using RDP

Brandon,

It may help us if you could post your configuration.  It will help to see all the access-lists and such that could be denying this connection.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member

How to create a access rule to connect to a system using RDP

Kimberly,

   Here it is:

ASA Version 8.2(1)
!
hostname Burlington-FW
enable password Adl1Gmm8UmMZT0CS encrypted
passwd U7QyKVyA28TBRwD. encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 100.100.100.3 255.255.255.224
!
interface Vlan3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan4
nameif server
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
description outside
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
description inside
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/2
description server
switchport access vlan 4
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd
banner motd Disconnect IMMEDIATELY if you are not an authorized user!
banner motd
banner motd This system is for the use of Company authorized users only.
banner motd Individuals using this computer system without authority, or in excess of
banner motd their authority, are subject to having all of their activities on this
banner motd system monitored and recorded by system personnel.
banner motd
banner motd Anyone using this system expressly consents to such monitoring and is
banner motd advised that if such monitoring reveals possible evidence of criminal
banner motd activity or conduct, Company system personnel may provide the evidence
banner motd of such monitoring to law enforcement officials.
banner motd
banner motd Users should NOT be using this device to launch denial of service
banner motd attacks or connect unauthorized external networks and systems.
ftp mode passive

clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389

access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq ssh
pager lines 24
logging enable
logging monitor alerts
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu server 1500
no failover
icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 100.100.100.2 192.168.2.70 netmask 255.255.255.255 dns tcp 1000 100
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh X.X.X.X 255.255.255.255 outside
ssh Y.Y.Y.Y 255.255.255.255 outside
ssh timeout 10
console timeout 0
dhcpd dns 167.69.184.199 167.69.184.107
!
dhcpd address 192.168.2.10-192.168.2.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username dvvc110 password 6lx6srLwcBTxdQZs encrypted
!
!
prompt hostname context
Cryptochecksum:43ebf72f29f9f85a8c21ad2c38d6a84b
: end

New Member

How to create a access rule to connect to a system using RDP

try out by only using the following line.

static (inside,outside) 100.100.100.2 192.168.2.70 netmask 255.255.255.255

remove the DNS keyword and the tcp 1000 100.

chk and reply back.

New Member

How to create a access rule to connect to a system using RDP

Jack,

   Just updated the config. Received the same result when trying to RDP to 100.100.100.2

ZT

New Member

How to create a access rule to connect to a system using RDP

Hello Brandon,

try out the follwing line

static (inside,outside) tcp 100.100.100.2 3389 192.168.2.70 3389 netmask    255.255.255.255.

Thanks

471
Views
0
Helpful
5
Replies
CreatePlease to create content