New Member

Remote Desktop not working via ASA

 

Hi Everyone,

ASA has 2 interfaces, inside and sales.

There is an ACL on interface sales that allows RDP on TCP port 3389 from sales to inside subnet 10.0.0.15.

Interface sales is attached to a switch.

I did a test from the switch:


2950A#telnet 10.0.0.15 3389
Trying 10.0.0.15, 3389 ...
% Connection refused by remote host


2950A#ping 10.0.0.15

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
2950A#

 

Logs on the firewall show:

May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)

May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I


Where 10.0.0.15 is a PC, and this PC is configured to allow incoming Remote Desktop connections.

Any ideas what I can check?

 

Regards

MAhesh

9 REPLIES
Cisco Employee

Is the internal IP 10.0.0.15 configured to allow RDP access?

Sometimes a firewall enabled on the machine prevents access.

New Member

Yes, it is configured to allow RDP access and the PC firewall is off.

When I check from the PC

telnet 10.12.12.2 3389

the firewall shows

 

May 18 2014 20:01:23: %ASA-6-302013: Built outbound TCP connection 318059 for sales:10.12.12.2/3389 (10.12.12.2/3389) to inside:10.0.0.15/49249 (10.0.0.15/49249)
May 18 2014 20:01:24: %ASA-6-302014: Teardown TCP connection 318059 for sales:10.12.12.2/3389 to inside:10.0.0.15/49249 duration 0:00:00 bytes 0 TCP Reset-O

 

Regards

Mahesh

Cisco Employee

The firewall logs are showing that it initiates the TCP connection, and is receiving a Reset.

Does the internal PC have the route back to the Sales PC going back via the ASA inside interface?

What security level is configured on inside and sales, and also is there any NAT configured?

New Member

Hi Jennifer,

I tested RDP in both directions, no luck.

Sales has security level:

interface Vlan3
 nameif sales
 security-level 50
 ip address 10.12.12.1 255.255.255.0

 

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

 

Ping works fine in both directions, meaning from switch to PC and PC to switch, so this should rule out routing, right?

Seems NAT is not configured between inside and sales.

Regards

MAhesh

Cisco Employee

Are you able to telnet to port 3389 from the machine itself?

E.g., from the 10.0.0.15 machine, see if you can telnet 10.0.0.15 3389

New Member

Hi Jennifer,

I tested from the PC:

C:\Users\manveer>telnet 10.0.0.15 3389
Connecting To 10.0.0.15...Could not open connection to the host, on port 3389: Connect failed

C:\Users\manveer>

Cisco Employee

That explains why it's not working.

If you tried to telnet on port 3389 from the machine itself, and it doesn't connect, that means that the RDP server either hasn't been enabled, or the firewall port on the machine hasn't been enabled.

New Member

Hi Jennifer,

I did some searching on the internet and found that I have to modify some registry settings for RDP to work. Once I did that, here is the output:

2950A#telnet 10.0.0.15 3389
Trying 10.0.0.15, 3389 ... Open

 


Best regards

MAhesh

Cisco Employee

Great stuff, thanks for sharing.
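
The two 302013/302014 log pairs quoted in this thread can be read mechanically. The following Python is an added example, not part of any poster's reply: it pairs the build and teardown records and reports which host sent the reset on a zero-byte connection. It assumes the layout seen in the thread's logs (lower-security interface printed first) and that Reset-I / Reset-O mean a reset from the higher- / lower-security side; the name refused_connections is hypothetical.

```python
import re

# Constructed sample: the four ASA syslog lines quoted in the thread above.
SAMPLE = """\
May 18 2014 18:50:34: %ASA-6-302013: Built inbound TCP connection 313812 for sales:10.12.12.2/24066 (10.12.12.2/24066) to inside:10.0.0.15/3389 (10.0.0.15/3389)
May 18 2014 18:50:34: %ASA-6-302014: Teardown TCP connection 313812 for sales:10.12.12.2/24066 to inside:10.0.0.15/3389 duration 0:00:00 bytes 0 TCP Reset-I
May 18 2014 20:01:23: %ASA-6-302013: Built outbound TCP connection 318059 for sales:10.12.12.2/3389 (10.12.12.2/3389) to inside:10.0.0.15/49249 (10.0.0.15/49249)
May 18 2014 20:01:24: %ASA-6-302014: Teardown TCP connection 318059 for sales:10.12.12.2/3389 to inside:10.0.0.15/49249 duration 0:00:00 bytes 0 TCP Reset-O
"""

BUILT = re.compile(r"%ASA-6-302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"(\w+):([\d.]+)/(\d+) \([^)]*\) to (\w+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) .* bytes (\d+) (.+)$")

def refused_connections(log_text):
    """Pair 302013/302014 records and report zero-byte connections ended by a reset."""
    built, findings = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            direction, conn_id, if_a, ip_a, port_a, if_b, ip_b, port_b = m.groups()
            # Assumption from the thread's logs: the lower-security interface is
            # printed first. Inbound: it is the client. Outbound: it is the server.
            lower, higher = (if_a, ip_a, int(port_a)), (if_b, ip_b, int(port_b))
            server = higher if direction == "inbound" else lower
            built[conn_id] = {"lower": lower, "higher": higher, "server": server}
            continue
        m = TEARDOWN.search(line)
        if not m or m.group(1) not in built:
            continue
        conn_id, nbytes, reason = m.group(1), int(m.group(2)), m.group(3).strip()
        conn = built.pop(conn_id)
        # Reset-I: RST came from the higher-security side; Reset-O: from the lower one.
        side = {"TCP Reset-I": "higher", "TCP Reset-O": "lower"}.get(reason)
        if side and nbytes == 0:
            findings.append({"conn": conn_id, "reset_from": conn[side][:2],
                             "server": conn["server"],
                             "refused_by_server": conn[side] == conn["server"]})
    return findings

if __name__ == "__main__":
    for finding in refused_connections(SAMPLE):
        print(finding)
```

In both pairs the reset comes from the host that was asked to accept the connection on port 3389, so the ASA built the connection and the refusal happened at the endpoint.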
