
Remote Desktop not working via ASA

mahesh18
Level 6

 

Hi Everyone,

ASA has 2 interfaces inside and sales.

There is an ACL on interface sales that allows RDP on TCP port 3389 from sales to inside subnet 10.0.0.15.

Interface sales is attached to switch.

I did test from switch


2950A#telnet 10.0.0.15 3389
Trying 10.0.0.15, 3389 ...
% Connection refused by remote host


2950A#ping 10.0.0.15

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
2950A#

 

logs on firewall show

May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)

May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I


Where 10.0.0.15 is PC and this PC is configured to allow Remote desktop connection coming in.

Any ideas what I can check?

 

Regards

MAhesh

2 Accepted Solutions


Are you able to telnet to port 3389 from the machine itself?

eg: from 10.0.0.15 machine, see if you can telnet 10.0.0.15 3389

That explains why it's not working.

If you tried to telnet on port 3389 from the machine itself, and it doesn't connect, that means that the RDP server either hasn't been enabled, or the firewall port on the machine hasn't been enabled.


Jennifer Halim
Cisco Employee

Is the internal IP 10.0.0.15 configured to allow RDP access?

Sometimes a firewall is enabled on the machine that prevents access.

Yes, it is configured to allow RDP access and the PC firewall is off.

When I check from PC

telnet 10.12.12.2 3389

firewall shows

 

May 18 2014 20:01:23: %ASA-6-302013: Built outbound TCP connection 318059 for sales:10.12.12.2/3389 (10.12.12.2/3389) to inside:10.0.0.15/49249 (10.0.0.15/49249)
May 18 2014 20:01:24: %ASA-6-302014: Teardown TCP connection 318059 for sales:10.12.12.2/3389 to inside:10.0.0.15/49249 duration 0:00:00 bytes 0 TCP Reset-O

 

Regards

Mahesh

The firewall logs are showing that it initiates the TCP connection, and is receiving a Reset.

Does the internal PC have the route back to the Sales PC going back via the ASA inside interface?

What security level is configured on inside and sales, and also is there any NAT configured?

 

Hi Jennifer,

I tested the RDP in both directions, no luck.

Sales has security level

interface Vlan3
 nameif sales
 security-level 50
 ip address 10.12.12.1 255.255.255.0

 

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

 

Ping works fine in both directions, meaning from switch to PC and PC to switch, so this should rule out routing, right?

Seems NAT is not configured between inside and sales.

Regards

MAhesh

Are you able to telnet to port 3389 from the machine itself?

eg: from 10.0.0.15 machine, see if you can telnet 10.0.0.15 3389

 

Hi Jennifer,

I tested from PC:

C:\Users\manveer>telnet 10.0.0.15 3389
Connecting To 10.0.0.15...Could not open connection to the host, on port 3389: C
onnect failed

C:\Users\manveer>

That explains why it's not working.

If you tried to telnet on port 3389 from the machine itself, and it doesn't connect, that means that the RDP server either hasn't been enabled, or the firewall port on the machine hasn't been enabled.
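
An added example, not part of the original thread: a short Python script that pairs the ASA 302013/302014 lines quoted above by connection ID and reports which endpoint sent the reset on a zero-byte connection. It assumes the lower-security endpoint is printed first, and that Reset-I means the reset came from the higher-security side and Reset-O from the lower-security side; `refused_connections` and the result keys are names made up for this example.

```python
import re

# Constructed sample: the four ASA syslog lines quoted in this thread.
SAMPLE = """\
May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)
May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I
May 18 2014 20:01:23: %ASA-6-302013: Built outbound TCP connection 318059 for sales:10.12.12.2/3389 (10.12.12.2/3389) to inside:10.0.0.15/49249 (10.0.0.15/49249)
May 18 2014 20:01:24: %ASA-6-302014: Teardown TCP connection 318059 for sales:10.12.12.2/3389 to inside:10.0.0.15/49249 duration 0:00:00 bytes 0 TCP Reset-O
"""

BUILT = re.compile(r"%ASA-6-302013: Built (inbound|outbound) TCP connection (\d+) "
                   r"for (\S+?):(\S+?)/(\d+) \(.*?\) to (\S+?):(\S+?)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) .*? "
                      r"duration (\S+) bytes (\d+) (.*)$")

def refused_connections(log_text):
    """Return zero-byte connections that ended in a TCP reset, with the sender."""
    built, findings = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            low = (m.group(3), m.group(4), int(m.group(5)))    # printed first
            high = (m.group(6), m.group(7), int(m.group(8)))   # printed second
            built[m.group(2)] = (m.group(1), low, high)
            continue
        m = TEARDOWN.search(line)
        if not m or m.group(1) not in built:
            continue
        direction, low, high = built.pop(m.group(1))
        nbytes, reason = int(m.group(3)), m.group(4).strip()
        if nbytes != 0 or reason not in ("TCP Reset-I", "TCP Reset-O"):
            continue
        # inbound: the first endpoint opened the connection; outbound: the second
        client, server = (low, high) if direction == "inbound" else (high, low)
        # Assumption: Reset-I = higher-security side, Reset-O = lower-security side
        reset_by = high if reason == "TCP Reset-I" else low
        findings.append({"conn": m.group(1), "client": client[1],
                         "server": f"{server[1]}:{server[2]}",
                         "reset_by": reset_by[1],
                         "server_refused": reset_by == server})
    return findings

if __name__ == "__main__":
    for f in refused_connections(SAMPLE):
        print(f)
```

When `server_refused` is true the ASA built the connection and the target host itself answered with a reset, so the next check is the listener or host firewall on that machine rather than the ASA ACL.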

 

Hi Jennifer,

I did some searching on the internet and found that I have to modify some registry settings for RDP to work. Once I did that, here is the output:

2950A#telnet 10.0.0.15 3389
Trying 10.0.0.15, 3389 ... Open

 


Best regards

MAhesh

Great stuff, thanks for sharing.

mahesh18! Hi!
What changes did you make? Which registry did you modify?