10-02-2013 11:43 PM - edited 03-11-2019 07:46 PM
I'm trying to allow remote users RDP access to a server through the ASA 5505. I was able to do this with the old Billion router but I can't seem to get it to work currently on the ASA. Users will use the Microsoft RDP client using a public IP address. I can see the ACL counter going up in ASDM but users are saying that it can't connect. Could somebody please have a look at my config and give me an idea where I'm going wrong?
Thanks
Doug
FYI I've removed my public IP from the config and replaced it with (Public IP Removed)
: Saved
: Written by drurydd1 at 07:29:25.198 GMT Thu Oct 3 2013
!
ASA Version 8.4(5)
!
hostname Thames-House
domain-name idrury
enable password JCdTyvBk.ia9GKSj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 15
!
interface Vlan2
nameif IDNET
security-level 0
pppoe client vpdn group ppp
ip address (Public IP Removed) 255.255.255.255 pppoe setroute
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan15
description Used for LAB access and misc
no forward interface Vlan10
nameif DMZ
security-level 50
ip address 192.168.15.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.10.201
name-server 8.8.8.8
domain-name idrury
object network obj_Inside
subnet 192.168.10.0 255.255.255.0
object network obj-Embankment
host 192.168.10.199
object service RDP
service tcp destination eq 3389
object network NETWORK_OBJ_192.168.20.0_27
subnet 192.168.20.0 255.255.255.224
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-Stratford
host 192.168.10.253
access-list IDNET_access_in extended permit tcp any object obj-Embankment eq telnet inactive
access-list IDNET_access_in remark Permits HTTPS access to ESX host
access-list IDNET_access_in extended permit object RDP any object obj-Stratford
access-list Home_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.10.0_24 any
pager lines 24
logging asdm informational
mtu IDNET 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPN-POLL 192.168.20.1-192.168.20.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,IDNET) source static any any destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
nat (inside,IDNET) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
!
object network obj-Embankment
nat (inside,IDNET) static (Public IP Removed)
object network obj-Stratford
nat (inside,IDNET) static (Public IP Removed) service tcp 3389 3389
!
nat (inside,IDNET) after-auto source dynamic any interface
access-group IDNET_access_in in interface IDNET
access-group inside_access_in in interface inside
!
router eigrp 10
network 192.168.10.0 255.255.255.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 IDNET
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IDNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IDNET_map interface IDNET
crypto ikev1 enable IDNET
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 IDNET
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ppp request dialout pppoe
vpdn group ppp localname 01771622598@idnet.gw6
vpdn group ppp ppp authentication chap
vpdn username 01771622598@idnet.gw6 password 0baf1fc1 store-local
dhcpd auto_config IDNET
!
dhcpd address 192.168.10.20-192.168.10.100 inside
dhcpd dns 192.168.10.201 8.8.8.8 interface inside
dhcpd lease 43200 interface inside
dhcpd domain idrury interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable IDNET
anyconnect-essentials
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.10.201 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value idrury
group-policy Home internal
group-policy Home attributes
dns-server value 192.168.10.201 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Home_splitTunnelAcl
default-domain value idrury
username drurydd1 password NvNqxNowycPPpt.J encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN-POLL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
tunnel-group Home type remote-access
tunnel-group Home general-attributes
address-pool VPN-POLL
default-group-policy Home
tunnel-group Home ipsec-attributes
ikev1 pre-shared-key Rockets2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d8c2899f95569c47761739595fce9c02
: end
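Before reaching for packet captures, the posted config can be sanity-checked offline. The script below is an added example written for this thread, not Cisco's code and not the poster's: it parses a constructed excerpt of the config above (the redacted public addresses are replaced with the placeholders 203.0.113.10 and 203.0.113.11) and walks the four things that have to line up for a published service on ASA 8.3+: a network object for the real server address, an active permit ACE in the outside ACL written against that real address, the access-group binding that ACL inbound on the outside interface, and a static object NAT carrying the right port. The warning about two static NATs sharing one mapped address is the reviewer's own addition and is not triggered by the placeholder excerpt.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the posted ASA 8.4(5) config, limited to the lines
# that decide whether inbound RDP reaches obj-Stratford. The poster redacted
# the public addresses; 203.0.113.10 and 203.0.113.11 are placeholders.
SAMPLE_CONFIG = """
object network obj-Embankment
 host 192.168.10.199
object service RDP
 service tcp destination eq 3389
object network obj-Stratford
 host 192.168.10.253
access-list IDNET_access_in extended permit tcp any object obj-Embankment eq telnet inactive
access-list IDNET_access_in remark Permits HTTPS access to ESX host
access-list IDNET_access_in extended permit object RDP any object obj-Stratford
object network obj-Embankment
 nat (inside,IDNET) static 203.0.113.10
object network obj-Stratford
 nat (inside,IDNET) static 203.0.113.11 service tcp 3389 3389
access-group IDNET_access_in in interface IDNET
"""

SUBCOMMANDS = {"host", "subnet", "service", "nat"}   # lines that belong to an object block
PORT_NAMES = {"telnet": 23, "www": 80, "https": 443}  # named ports this excerpt may use


def port_num(s):
    return int(s) if s.isdigit() else PORT_NAMES[s]


@dataclass
class AsaConfig:
    hosts: dict = field(default_factory=dict)          # network object -> host IP
    services: dict = field(default_factory=dict)       # service object -> (proto, dst port)
    aces: dict = field(default_factory=dict)           # ACL name -> list of ACE dicts
    access_groups: dict = field(default_factory=dict)  # interface -> (ACL name, direction)
    object_nats: dict = field(default_factory=dict)    # network object -> (mapped IP, proto, real port, mapped port)


def parse_ace(tokens):
    """Parse the tokens after 'extended' into a small ACE dict (subset of ASA syntax)."""
    ace = {"action": tokens[0], "inactive": tokens[-1] == "inactive"}
    i = 1
    if tokens[i] == "object":                 # protocol/port given as a service object
        ace["svc"], ace["proto"], i = tokens[i + 1], None, i + 2
    else:
        ace["svc"], ace["proto"], i = None, tokens[i], i + 1
    for end in ("src", "dst"):                # 'any', 'object NAME' or 'host IP'
        if tokens[i] == "any":
            ace[end], i = ("any", None), i + 1
        else:
            ace[end], i = (tokens[i], tokens[i + 1]), i + 2
    ace["port"] = port_num(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return ace


def parse_config(text):
    cfg = AsaConfig()
    ctx = None                                # ('network' | 'service', object name)
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object" and t[1] in ("network", "service"):
            ctx = (t[1], t[2])
            continue
        if t[0] not in SUBCOMMANDS:
            ctx = None                        # any other top-level line ends the object block
        if ctx and ctx[0] == "network" and t[0] == "host":
            cfg.hosts[ctx[1]] = t[1]
        elif ctx and ctx[0] == "service" and t[0] == "service":
            m = re.match(r"service (\w+) destination eq (\S+)", " ".join(t))
            if m:
                cfg.services[ctx[1]] = (m.group(1), port_num(m.group(2)))
        elif ctx and ctx[0] == "network" and t[0] == "nat":
            m = re.match(r"nat \(\S+\) static (\S+)(?: service (\w+) (\S+) (\S+))?", " ".join(t))
            if m:
                mapped, proto, real, mport = m.groups()
                cfg.object_nats[ctx[1]] = (mapped, proto,
                                           port_num(real) if real else None,
                                           port_num(mport) if mport else None)
        elif t[0] == "access-list" and t[2] == "extended":
            cfg.aces.setdefault(t[1], []).append(parse_ace(t[3:]))
        elif t[0] == "access-group":          # access-group NAME in interface IF
            cfg.access_groups[t[4]] = (t[1], t[2])
    return cfg


def ace_matches(cfg, ace, obj_name, port):
    """Does an active permit ACE allow tcp/port to the given network object (real IP)?"""
    if ace["action"] != "permit" or ace["inactive"]:
        return False
    if ace["dst"] not in (("any", None), ("object", obj_name)):
        return False
    if ace["svc"]:
        return cfg.services.get(ace["svc"]) == ("tcp", port)
    return ace["proto"] == "ip" or (ace["proto"] == "tcp" and ace["port"] in (None, port))


def check_publish(cfg, server_ip, port, outside_if):
    """Walk object -> ACL -> access-group -> object NAT for one published TCP service.
    Returns a list of findings; an empty list means the chain is consistent."""
    findings = []
    objs = [n for n, ip in cfg.hosts.items() if ip == server_ip]
    if not objs:
        return [f"no network object with host {server_ip}"]
    obj = objs[0]
    group = cfg.access_groups.get(outside_if)
    if not group or group[1] != "in":
        findings.append(f"no inbound access-group on interface {outside_if}")
    elif not any(ace_matches(cfg, a, obj, port) for a in cfg.aces.get(group[0], [])):
        findings.append(f"ACL {group[0]} has no active permit for tcp/{port} to {obj} (real IP, as 8.3+ requires)")
    nat = cfg.object_nats.get(obj)
    if not nat:
        findings.append(f"no static object NAT for {obj}")
    elif nat[1] is not None and (nat[1], nat[2]) != ("tcp", port):
        findings.append(f"object NAT for {obj} translates {nat[1]}/{nat[2]}, not tcp/{port}")
    else:
        # Reviewer's added check: a one-to-one static entry that shares the mapped
        # address can claim the packet ahead of a port-specific entry in the same section.
        for other, v in cfg.object_nats.items():
            if other != obj and v[0] == nat[0] and v[1] is None:
                findings.append(f"mapped address {nat[0]} is also used by the one-to-one static NAT of {other}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ip in ("192.168.10.253", "192.168.10.199"):
        result = check_publish(cfg, ip, 3389, "IDNET")
        print(ip, "OK" if not result else result)
```

Run against the excerpt, the chain for 192.168.10.253 comes back clean, which is exactly why the next step in a case like this is to capture on both interfaces and in the ASP drop buffer rather than to keep re-reading the NAT and ACL lines; for 192.168.10.199 the script reports that the only ACE is the inactive telnet one, showing what a genuine ACL gap looks like.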
10-03-2013 12:00 AM
Hello Douglas,
So you have the right NAT configured, the right ACL, and the access-group correctly applied.
I can see the RDP server is directly connected to the inside interface.
What happens if you RDP locally? Does it work?
Do the following:
cap capin interface inside match tcp any host 192.168.10.253 eq 3389
cap capout interface IDNET match tcp any host OUTSIDE_IP eq 3389
cap asp type asp-drop all circular-buffer
Then try to connect only once and finally share the following output:
show cap capin
show cap capout
show cap asp | include 192.168.10.253
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura