Cisco Support Community
RDP access through ASA 5505

I have an ASA 5505. The Internet connection is up and active. I am having an issue with RDP to an internal server from outside. I thought the access-list statement in the config below was all I would need, but RDP fails and packet tracer says it's a NAT issue, but I can't spot it. Any ideas or suggestions?

Config:

ASA Version 7.2(4)
!
hostname xxxx
domain-name xxxx
enable password Vjqb/b.vPId8dNqo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.15 Server description Remote Connection to Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.203.125.226 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server Server
 domain-name xxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 description RDP
 port-object eq 3389
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host Server eq 3389 log debugging
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any any eq telnet
access-list outside_access_in extended permit udp any any eq snmp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any eq snmp
access-list inside_access_in extended permit udp any any eq tftp
access-list inside_access_in extended permit udp any any eq snmptrap
access-list inside_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,dmz) 192.168.1.20 64.203.125.227 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 64.203.125.225 1
route dmz 64.203.125.228 255.255.255.255 64.203.125.225 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Accepted solution:
Re: RDP access through ASA 5505

Your inbound ACL for RDP is fine; you just need a static NAT:

static (inside,outside) 192.168.1.15 netmask 255.255.255.255



Re: RDP access through ASA 5505

Hi there,

As an alternative, you can also do a port forward, so that only traffic destined for TCP port 3389 is forwarded to the box:

static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0

Brad
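Added example, not from this thread or from Cisco: a small Python audit of the poster's config, trimmed to the NAT and ACL lines it reads, that checks the conditions the question and both replies turn on and emits corrected lines for each reply's approach. It flags the RDP host as having no static toward outside (the NAT failure packet tracer reports under nat-control); every ACE after the leading permit ip any any as shadowed (ASA ACLs are first-match, so that line also admits every protocol to any translated host, not just RDP); the ACE's use of the real address (before ASA 8.3, inbound ACLs match the mapped or global address, so on 7.2(4) permit tcp any host Server eq 3389 would still not match once a static exists); and management opened on the outside interface. 203.0.113.10 is an assumed spare public address standing in for whatever mapped IP the one-to-one static would use. The parser handles only any, host and network/mask address specs and the eq port operator.

```python
# Added audit example (not from the thread or from Cisco). SAMPLE_CONFIG is the poster's
# config trimmed to the lines the checks read; 203.0.113.10 is an assumed mapped address.
import re
from ipaddress import ip_address, ip_interface

SAMPLE_CONFIG = """\
name 192.168.1.15 Server description Remote Connection to Server
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 64.203.125.226 255.255.255.240
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host Server eq 3389 log debugging
access-list outside_access_in extended permit tcp any any eq telnet
nat-control
static (outside,dmz) 192.168.1.20 64.203.125.227 netmask 255.255.255.255 dns
http 0.0.0.0 255.255.255.255 outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+?)(?: log.*)?$", re.M)
# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] netmask ...
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)(?: (\d+))? netmask", re.M)

def parse_names(cfg):
    """'name <ip> <label>' lines, so ACEs written with labels resolve to addresses."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}

def parse_interfaces(cfg):
    """nameif -> ip_interface for each interface block that carries an address."""
    return {m.group(1): ip_interface(f"{m.group(2)}/{m.group(3)}") for m in
            re.finditer(r"^ nameif (\S+)\n(?: .*\n)*? ip address (\S+) (\S+)", cfg, re.M)}

def parse_statics(cfg):
    keys = ("real_ifc", "mapped_ifc", "proto", "mapped", "mapped_port", "real", "real_port")
    return [dict(zip(keys, m.groups())) for m in STATIC_RE.finditer(cfg)]

def _addr(tok):
    """One ACE address spec: 'any', 'host X' or 'net mask' (object-groups not handled)."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]}/{tok[1]}", tok[2:]

def parse_acl(cfg, acl, names):
    aces = []
    for m in ACE_RE.finditer(cfg):
        if m.group(1) != acl:
            continue
        tok = m.group(4).split()
        src, tok = _addr(tok)
        if tok[:1] == ["eq"]:  # optional source-port operator; only 'eq' handled
            tok = tok[2:]
        dst, tok = _addr(tok)
        aces.append({"action": m.group(2), "proto": m.group(3), "src": names.get(src, src),
                     "dst": names.get(dst, dst), "port": tok[1] if tok[:1] == ["eq"] else "any"})
    return aces

def shadowed_aces(aces):
    """ACLs are first-match: every ACE after 'permit ip any any' is never evaluated."""
    for i, a in enumerate(aces):
        if (a["action"], a["proto"], a["src"], a["dst"]) == ("permit", "ip", "any", "any"):
            return aces[i + 1:]
    return []

def hosts_without_static(aces, statics, names, mapped_ifc="outside"):
    """Permitted inbound destinations that no static translates toward mapped_ifc.
    With nat-control on, an untranslated inside host is unreachable from outside."""
    known = {names.get(s[k], s[k]) for s in statics if s["mapped_ifc"] == mapped_ifc
             for k in ("mapped", "real")}
    return sorted({a["dst"] for a in aces
                   if a["action"] == "permit" and a["dst"] != "any" and a["dst"] not in known})

def real_address_dests(aces, inside):
    """Before 8.3 an inbound ACE must name the mapped (global) address; a destination
    inside the inside interface's subnet is the real address and will never match."""
    return sorted(a["dst"] for a in aces if a["action"] == "permit" and a["dst"] != "any"
                  and "/" not in a["dst"] and ip_address(a["dst"]) in inside.network)

def mgmt_on_interface(cfg, nameif):
    """http/ssh/telnet statements that open device management on nameif."""
    return re.findall(rf"^(?:http|ssh|telnet) \S+ \S+ {nameif}$", cfg, re.M)

def suggest_fix(real_ip, port, mapped_ip, outside_ip):
    """ASA 7.x lines for the two replies, each paired with an ACE on the mapped address."""
    return {
        "one_to_one": [
            f"static (inside,outside) {mapped_ip} {real_ip} netmask 255.255.255.255",
            f"access-list outside_access_in extended permit tcp any host {mapped_ip} eq {port}"],
        "port_forward": [
            f"static (inside,outside) tcp interface {port} {real_ip} {port} netmask 255.255.255.255",
            f"access-list outside_access_in extended permit tcp any host {outside_ip} eq {port}"],
    }

if __name__ == "__main__":
    names, ifcs = parse_names(SAMPLE_CONFIG), parse_interfaces(SAMPLE_CONFIG)
    aces = parse_acl(SAMPLE_CONFIG, "outside_access_in", names)
    print("no static:", hosts_without_static(aces, parse_statics(SAMPLE_CONFIG), names))
    print("shadowed:", len(shadowed_aces(aces)), "real addr:", real_address_dests(aces, ifcs["inside"]))
    print("mgmt on outside:", mgmt_on_interface(SAMPLE_CONFIG, "outside"))
    print(*suggest_fix("192.168.1.15", 3389, "203.0.113.10", str(ifcs["outside"].ip)).values(), sep="\n")
```

Run as a script it prints the findings and both candidate fixes. Either fix still leaves the leading permit ip any any in place, which admits every protocol to the translated host; removing it (or moving it after the specific permits) is what turns the RDP ACE into an actual restriction.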
