Cisco Support Community
New Member

RDP Access problem

Hi,

I am using a Cisco ASA5510 firewall on my network at the distribution layer. Private IP addresses are in the network for users, and PAT is in use.

I have a client who has configured RDP on port 2000. When the users behind the firewall in my network try RDP, it does not work; it shows "configuring remote Desktop" only. I am able to telnet to the client's said server on port 2000, but unable to RDP.

Are any changes required on my firewall so that, as a result, RDP works?

Please advise.

Thanks,

Saroj

8 REPLIES
Silver

RDP Access problem

Saroj,

You most likely want to move your question over to this forum for your answer.

https://supportforums.cisco.com/community/netpro/security/firewall

Thanks,

Jasbryan

Silver

RDP Access problem

Hi Saroj,

Per Jason's suggestion, I have moved your question into the firewall area so you do not need to repost.

Regards,

Cindy Toy

Cisco Small Business Community Manager

for Cisco Small Business Products

www.cisco.com/go/smallbizsupport

twitter: CiscoSBsupport

New Member

RDP Access problem

Hello Saroj,

Please attach the ASA configuration to the post so I can review it.

Thanks.

New Member

Re: RDP Access problem

Please find the ASA Configuration.

Thanks,

Saroj

Re: RDP Access problem

Hello,

Here is the packet-tracer we used yesterday to troubleshoot this:

Netlink-OS-ASA# packet-tracer input inside tcp 172.16.48.213 1025 74.94.242.13$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in_1 in interface inside

access-list inside_access_in_1 extended permit ip any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: inspect-skinny

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect skinny

service-policy global_policy global

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 Block_FromASA_ThroughUntangle1 255.255.255.192

  match ip inside Block_FromASA_ThroughUntangle1 255.255.255.192 outside any

    dynamic translation to pool 1 (122.168.191.66)

    translate_hits = 59925, untranslate_hits = 345

Additional Information:

Dynamic translate 172.16.48.213/1025 to 122.168.191.66/29284 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 Block_FromASA_ThroughUntangle1 255.255.255.192

  match ip inside Block_FromASA_ThroughUntangle1 255.255.255.192 outside any

    dynamic translation to pool 1 (122.168.191.66)

    translate_hits = 59925, untranslate_hits = 345

Additional Information:

Phase: 9

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_out out interface outside

access-list outside_access_out extended permit ip any any

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 59535332, packet dispatched to next module

Phase: 12

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 122.168.191.65 using egress ifc outside

adjacency Active

next-hop mac address 0019.2f8e.c639 hits 29742

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Please create some captures to check if the RDP server is responding to the client request!

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
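
Added example, not part of any post in this thread: a small Python parser for ASA packet-tracer text like the output above. It lists each phase, reports the first non-ALLOW phase, and names the inspection engines applied to the flow (phase 6 above shows inspect-skinny on this port-2000 connection). The sample is abridged from that output and the function names are hypothetical.

```python
import re

# Constructed sample: phases 6 and 7, abridged from the packet-tracer output above.
SAMPLE = """\
Phase: 6
Type: INSPECT
Subtype: inspect-skinny
Result: ALLOW

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Additional Information:
Dynamic translate 172.16.48.213/1025 to 122.168.191.66/29284 using netmask 255.255.255.255

Result:
Action: allow
"""

FIELD = re.compile(r"^(Phase|Type|Subtype|Result|Action):\s*(.*)$")

def parse_packet_tracer(text):
    """Return (phases, action): one dict per phase plus the final verdict."""
    phases, action, current = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Phase":
            current = {"phase": int(value), "type": "", "subtype": "", "result": ""}
            phases.append(current)
        elif key == "Action":
            action = value
        elif key == "Result" and not value:
            current = None  # a bare "Result:" opens the final summary block
        elif current is not None:
            current[key.lower()] = value
    return phases, action

def inspection_engines(phases):
    """Subtypes of INSPECT phases: the application inspections applied to the flow."""
    return [p["subtype"] for p in phases if p["type"] == "INSPECT"]

def first_drop(phases):
    """First phase whose result is not ALLOW, or None if every phase allowed."""
    return next((p for p in phases if p["result"].upper() != "ALLOW"), None)

print(inspection_engines(parse_packet_tracer(SAMPLE)[0]))
```
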
New Member

Re: RDP Access problem

I have configured the packet capture but am unable to find the RDP server IP, which is 74.94.242.139, in the captured packet list.

Netlink-OS-ASA(config)# show capture testcap count 20

1145 packets captured

1: 21:01:58.142784 172.16.63.1.22 > 172.16.51.10.49245: P 2967950329:2967950397(68) ack 2868729768 win 8192

2: 21:01:58.142845 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402

3: 21:01:58.143028 172.16.51.10.49245 > 172.16.63.1.22: . ack 2967950397 win 65535

4: 21:01:58.143455 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402

5: 21:01:58.144508 76.127.90.119.52843 > 172.16.51.10.14106: udp 1438

6: 21:01:58.144523 209.104.131.20.443 > 172.16.50.168.52716: udp 85

7: 21:01:58.144630 209.104.131.20.443 > 172.16.51.10.1117: udp 85

8: 21:01:58.146217 172.16.51.10.56443 > 199.71.245.17.443: P 4023407154:4023407192(38) ack 2968440731 win 65535

9: 21:01:58.146766 208.86.251.15.80 > 172.16.51.10.53612: S 191863448:191863448(0) ack 1450255578 win 65535 172.16.48.72.3389: . ack 2709156126 win 258

Re: RDP Access problem

Here is what you need to do:

access-list capin permit tcp host rdp_client_private_ip host server_outside eq 2000

access-list capin permit tcp host server_outside eq 2000 host rdp_client_private_ip

access-list capout permit tcp host rdp_client_public_ip host server_outside eq 2000

access-list capout permit tcp host server_outside eq 2000 host rdp_client_public_ip

capture capin access-list capin interface inside

capture capout access-list capout interface outside

Regards,

Julio

New Member

Re: RDP Access problem

As per your instructions, I have configured the following commands on the ASA to capture packets, but with no result.

It shows 0 packets captured while trying RDP on port 2000.

Thanks,

Saroj
