
New Member

PAT Issue with RDP.

I've got a 501 with v6.3.1. I've got a static IP host on the inside that I'm trying to RDP to from the outside interface. See the attachment for my configuration. What am I missing, as I'm unable to get this to work? I've got an outside int at 192.168.2.250 and an inside host at 192.168.0.2. I'm unable to get PAT working for this host for RDP port 3389.

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxencrypted

passwd xxxxencrypted

hostname pix501

domain-name ciscopix.com

fixup protocol ftp strict 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list outside_in permit tcp any host 192.168.2.250 eq 3389

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.250 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.2 255.255.255.255 inside

pdm location 192.168.0.0 255.255.255.255 outside

pdm location 192.168.2.0 255.255.255.255 outside

pdm history enable

arp timeout 14400

global (outside) 1 192.x.x.253-192.168.2.254 netmask 255.255.255.255

global (outside) 1 192.x.x.252 netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.2.250 192.168.0.2 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.1 255.255.255.255 192.168.0.1 1

route inside 192.168.0.2 255.255.255.255 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

pix501(config)#

17 REPLIES
Silver

Re: PAT Issue with RDP.

Hi,

Try not to use interface address in your statics.

Try this:

Change "access-list outside_in permit tcp any host 192.168.2.250 eq 3389" to "access-list outside_in permit tcp any host 192.168.2.249 eq 3389"

Change "static (inside,outside) 192.168.2.250 192.168.0.2 netmask 255.255.255.255 0 0" to "static (inside,outside) 192.168.2.249 192.168.0.2 netmask 255.255.255.255 0 0"

Then RDP to 2.249

Let us know if this makes a difference.

John

New Member

Re: PAT Issue with RDP.

Hi,

As an alternative (if you prefer keeping .250 as the outside address for RDP) you may want to try the following in order to translate only TCP port 3389 instead of the entire external IP of your PIX. Remove your static statement and replace it with the following:

static (inside,outside) tcp 192.168.2.250 tcp 192.168.0.2 netmask 255.255.255.255

Regards,

Simon Laurin

Gold

Re: PAT Issue with RDP.

the static statement should be:

static (inside,outside) tcp 192.168.2.250 3389 192.168.0.2 3389 netmask 255.255.255.255

clear xlate

New Member

Re: PAT Issue with RDP.

I tried Jackko's suggestion as it seemed to make the most sense. I still don't have port 3389 listening on the outside int 192.168.2.250. I can connect the host up to a different network or plug a wireless card into it and start an RDP session with no problems. When I'm on the inside segment of the PIX I can browse the web fine. I can't believe I can't get this extremely simple config working. Below is the current config. Thanks for everyone's help.

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 0EPE8Qz3//rg2f5a encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pix501

domain-name ciscopix.com

fixup protocol ftp strict 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list rdp_in permit tcp any host 192.168.2.250 eq 3389

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.250 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.0.2 255.255.255.255 inside

pdm location 192.168.0.0 255.255.255.255 outside

pdm location 192.168.2.0 255.255.255.255 outside

pdm history enable

arp timeout 14400

global (outside) 1 192.168.2.253-192.168.2.254 netmask 255.255.255.255

global (outside) 1 192.168.2.252 netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 192.168.2.250 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0

access-group rdp_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.1 255.255.255.255 192.168.0.1 1

route inside 192.168.0.2 255.255.255.255 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:f1413a4c4fe3aeae98b69ef535692ccf

: end

[OK]

Gold

Re: PAT Issue with RDP.

verify the inbound acl by "sh access-l".

verify the translation by "sh xlate".

Totally agree that this should be a simple task, and yet I can't identify any error with the config. I had issues with v6.3.1 before related to NAT/PAT, so I would suggest you upgrade the OS to v6.3.4 or v6.3.5.
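To make the checks from this reply mechanical (is the ACL bound to the outside interface, does a static actually match the requested address and port), here is an added Python helper that is not from the thread or from Cisco: it parses a constructed excerpt of the config posted above and traces an inbound TCP request through the bound ACL and the static port translations, also flagging the reuse of the interface address that John raised.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted above (only the lines the
# checks need); the checker itself is an added illustration, not a Cisco tool.
PIX_CONFIG = """
ip address outside 192.168.2.250 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
access-list rdp_in permit tcp any host 192.168.2.250 eq 3389
static (inside,outside) tcp 192.168.2.250 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0
access-group rdp_in in interface outside
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) (any|host \S+) (any|host \S+)(?: eq (\d+))?$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse_config(text):
    """Pull interface addresses, ACL entries, static PAT entries and
    access-group bindings out of a PIX 6.x style running-config."""
    cfg = {"ifaces": {}, "acls": {}, "statics": [], "groups": {}}
    for line in text.strip().splitlines():
        if m := IFACE_RE.match(line):
            cfg["ifaces"][m[1]] = m[2]                      # iface -> address
        elif m := ACL_RE.match(line):                        # (proto, src, dst, port)
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := STATIC_RE.match(line):                     # (outside_if, mapped, port, real, port)
            cfg["statics"].append((m[2], m[3], int(m[4]), m[5], int(m[6])))
        elif m := GROUP_RE.match(line):
            cfg["groups"][m[2]] = m[1]                      # iface -> ACL name
    return cfg

def check_inbound_tcp(cfg, iface, dst_ip, dst_port):
    """Trace an inbound TCP SYN arriving on `iface` through the bound ACL and
    the static port translations; returns (real_destination, warnings)."""
    warnings = []
    acl = cfg["acls"].get(cfg["groups"].get(iface), [])
    if not any(proto == "tcp" and dst in ("any", f"host {dst_ip}")
               and port in (None, str(dst_port)) for proto, _src, dst, port in acl):
        warnings.append(f"no ACL bound to {iface} permits tcp/{dst_port} to {dst_ip}")
    real = next(((r_ip, r_port) for o_if, m_ip, m_port, r_ip, r_port in cfg["statics"]
                 if (o_if, m_ip, m_port) == (iface, dst_ip, dst_port)), None)
    if real is None:
        warnings.append(f"no static maps {dst_ip}:{dst_port} to an inside host")
    elif dst_ip == cfg["ifaces"].get(iface):
        warnings.append(f"static reuses the {iface} interface address; "
                        "try a spare address as suggested above")
    return real, warnings
```

Run `check_inbound_tcp(parse_config(PIX_CONFIG), "outside", "192.168.2.250", 3389)` to see the posted config resolve to 192.168.0.2:3389 with only the interface-address warning; the same call for 192.168.2.249 shows what a missing ACL entry and missing static look like.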

New Member

Re: PAT Issue with RDP.

Well, I upgraded the IOS to 6.3.4 and still have the same problem. I even changed the access-list to permit tcp any any and made sure I bound it to the outside int, inbound. I turned on console logging and in each case the outside int was rejecting the request. Even tried it from different clients. Here's the error output.

710005: TCP request discarded from 192.168.2.4/4548 to outside:192.168.2.250/3389

710005: TCP request discarded from 192.168.2.4/4548 to outside:192.168.2.250/3389

710005: TCP request discarded from 192.168.2.4/4552 to outside:192.168.2.250/3389

710005: TCP request discarded from 192.168.2.4/4552 to outside:192.168.2.250/3389

710005: TCP request discarded from 192.168.2.5/4594 to outside:192.168.2.250/3389

710005: TCP request discarded from 192.168.2.5/4595 to outside:192.168.2.250/3389

710005: TCP request discarded from 192.168.2.5/4595 to outside:192.168.2.250/3389

Oh yeah, I made sure I cleared the xlate as well.

New Member

Re: PAT Issue with RDP.

Ok, I'm going to assume the ASA is dropping the RDP packets, as I've created an access-list that permits tcp any any, applied to the outside interface. When I send packets at the interface they are getting dropped, but the hit count on the ACL never increments. Again, this is a 501 with v6.3.4. See below with console logging turned on.

pix501(config)# access-list rdp_in permit tcp any any

pix501(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list rdp_in; 1 elements

access-list rdp_in line 1 permit tcp any any (hitcnt=0)

pix501(config)# access-group rdp_in in int outside

pix501(config)# sh access-g

access-group rdp_in in interface outside

pix501(config)# wr m

Building configuration...

Cryptochecksum: babc73d6 7918b71d 75d23838 f22c7ea9

[OK]

pix501(config)# logging on

pix501(config)# 111008: User 'enable_15' executed the 'logging on' command.

pix501(config)# 710005: TCP request discarded from 192.168.2.4/3955 to outside:192.168.2.250/3389

710005: TCP request discarded from 192.168.2.4/3955 to outside:192.168.2.250/3389

pix501(config)# no logging on

pix501(config)# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list rdp_in; 1 elements

access-list rdp_in line 1 permit tcp any any (hitcnt=0)

New Member

Re: PAT Issue with RDP.

you're right. Sorry for the typo, must have been sleeping when I wrote that...

New Member

Re: PAT Issue with RDP.

That being said, I suggest you verify your route statements. You have

1) route inside 192.168.0.1/32 through 192.168.0.1

2) route inside 192.168.0.2/32 through 192.168.0.1

and you are trying to translate host 192.168.0.2.

I suggest you try removing these two route statements.

Regards, and sorry again for the previous typo.

Simon Laurin

New Member

Re: PAT Issue with RDP.

Ok, I've changed that. This is my current config; it's still not working. I can ping hosts on either the outside or the inside from the console.

PIX Version 6.3(4)

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxxx

hostname pix501

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list rdp-in permit tcp any any eq 3389

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.250 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

static (inside,outside) tcp 192.168.2.250 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0

access-group rdp-in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

route inside 192.168.0.1 255.255.255.255 192.168.0.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:xxxxx

: end

[OK]

pix501(config)# ping 192.168.2.1

192.168.2.1 response received -- 10ms

192.168.2.1 response received -- 0ms

192.168.2.1 response received -- 0ms

pix501(config)# ping 192.168.0.2

192.168.0.2 response received -- 0ms

192.168.0.2 response received -- 0ms

192.168.0.2 response received -- 0ms

pix501(config)#

New Member

Re: PAT Issue with RDP.

Hi,

Could you please take out the other route statement as well:

"route inside 192.168.0.1 255.255.255.255 192.168.0.2 1"

muchas gracias,

Simon Laurin

Gold

Re: PAT Issue with RDP.

Let's get back to the beginning and troubleshoot the issue by pinging, in order to test the connectivity between the outside host and the inside host.

on the pix,

access-list rdp-in permit tcp any any eq 3389

access-list rdp-in permit icmp any any

debug ic t

and then ping from 192.168.2.4 to 192.168.2.250. The output of the debug command would isolate the connectivity and the translation issue.

New Member

Re: PAT Issue with RDP.

Ok here it is, thanks for your help again.

This is the ping output to the outside int.

pix501(config)# 1: ICMP echo request (len 32 id 2 seq 26625) 192.168.2.4 > 192.168.2.250

2: ICMP echo reply (len 32 id 2 seq 26625) 192.168.2.250 > 192.168.2.4

3: ICMP echo request (len 32 id 2 seq 26881) 192.168.2.4 > 192.168.2.250

4: ICMP echo reply (len 32 id 2 seq 26881) 192.168.2.250 > 192.168.2.4

5: ICMP echo request (len 32 id 2 seq 27137) 192.168.2.4 > 192.168.2.250

6: ICMP echo reply (len 32 id 2 seq 27137) 192.168.2.250 > 192.168.2.4

7: ICMP echo request (len 32 id 2 seq 27393) 192.168.2.4 > 192.168.2.250

8: ICMP echo reply (len 32 id 2 seq 27393) 192.168.2.250 > 192.168.2.4

9: ICMP echo-request from outside:192.168.2.4 to 192.168.0.1 ID=512 seq=29185 length=40

Then I also pinged to 192.168.0.1 and 2

10: ICMP echo-request from outside:192.168.2.4 to 192.168.0.1 ID=512 seq=29441 length=40

11: ICMP echo-request from outside:192.168.2.4 to 192.168.0.1 ID=512 seq=29697 length=40

12: ICMP echo-request from outside:192.168.2.4 to 192.168.0.1 ID=512 seq=29953 length=40

13: ICMP echo-request from outside:192.168.2.4 to 192.168.0.2 ID=512 seq=30209 length=40

14: ICMP echo-request from outside:192.168.2.4 to 192.168.0.2 ID=512 seq=30465 length=40

15: ICMP echo-request from outside:192.168.2.4 to 192.168.0.2 ID=512 seq=30721 length=40

16: ICMP echo-request from outside:192.168.2.4 to 192.168.0.2 ID=512 seq=30977 length=40

Then I pinged 192.168.0.2 from the console

pix501(config)# ping 192.168.0.2

192.168.0.2 response received -- 0ms

192.168.0.2 response received -- 0ms

192.168.0.2 response received -- 0ms

Here's the config

pix501(config)# sh access-l

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)

alert-interval 300

access-list rdp_in; 2 elements

access-list rdp_in line 1 permit tcp any any eq 3389 (hitcnt=0)

access-list rdp_in line 2 permit icmp any any (hitcnt=8)

pix501(config)# sh access-g

access-group rdp_in in interface outside

pix501(config)# sh static

static (inside,outside) tcp 192.168.2.250 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0

Gold

Re: PAT Issue with RDP.

Please excuse me for my stupidity.

The "debug ic t" output doesn't prove anything, since it's also the PIX outside interface.

Try "telnet 192.168.2.250 3389" from 192.168.2.4. Further, you may try disabling the proxy ARP. Sometimes the PIX may act funny with this enabled.

New Member

Re: PAT Issue with RDP.

I was pinging from an external host inbound; it's the only thing that made any sense to try. I tried to telnet to the outside int on port 3389 and I've been using a port scanner on it as well. So far port 3389 on the outside int is completely stealthed. The hit count on the access-list isn't incrementing either. I did issue the sysopt noproxyarp command; port 3389 on the outside int is still not in a listening state and requests are still being refused by, I'm assuming, the ASA.

New Member

Re: PAT Issue with RDP.

Not that it makes a hill of beans of difference, but I have got the same problem, although I am running 6.5.

I have tried everything I could possibly think of, so H E Lp!!!

Does someone know?

New Member

Re: PAT Issue with RDP.

I've had this working on this same piece of hardware before. The only thing I can think of is that I'm currently testing this behind another cheapo firewall. It's a netgear fvs318. I think I'll try configuring it to my modem directly on the wan circuit.
