Solved

Cisco ASA 5505 Access Rule Help

Posted on 2007-10-16
768 Views
Last Modified: 2008-01-09
We are trying to learn how to use the Cisco ASA 5505 and I cannot figure out what I am doing wrong.
Trying to get an inbound RDP access rule set up and I can't.
We have two external IP addresses, 69.39.155.236/237. Our internal IP subnet is 192.168.13.0/24.

The goal is to get RDP (port 3389) set up to work on the external IP 69.39.155.237 to 192.168.13.2.

Here is the config:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XYZ/xI encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
interface Vlan2
 no forward interface Vlan1
 nameif outside
 security-level 0
 ip address 69.39.155.236 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp host 69.39.155.237 host 192.168.13.2 eq 3389 log debugging
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 74.93.242.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.13.2-192.168.13.33 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d6910fba04e3cdefd4988d33ffc8dda
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
Question by:bytecafe
LVL 79

Expert Comment

by:lrmoore
ID: 20088507
Remove the acl entry. It is incorrect.

no access-list outside_access_in extended permit tcp host 69.39.155.237 host 192.168.13.2 eq 3389

Replace it with this:
 access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389

Remove the acl from the inside interface. It is not needed and is hurting you.
  no access-group inside_access_out out interface inside

Add this:
 static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255



Author Comment

by:bytecafe
ID: 20088596
Okay, thanks, will try this in just a minute.
Another question that I had is this.

If a customer only has one IP address available, from the ISP or wherever, can we still set up the same access rules?

As we are getting more familiar with these devices we are trying to figure out what the limits are.
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 20088652
Sure. If you only have one IP address, then use "interface" as in this example:

access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq smtp

And the statics can be to different internal servers:
static (inside,outside) tcp interface www 192.168.11.11 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.11.11 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.11.22 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.11.33 3389 netmask 255.255.255.255

About the only thing you can't do is forward the same public IP to multiple different internal hosts on the same ports.
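The two expert posts above describe the same pattern twice: every inbound port forward on a 7.2-era ASA needs a `static` that maps the public address (or the outside interface address) and port to an internal host, plus an ACE on the outside access-list that permits the *mapped* address, never the private one; and one public address:port can be claimed by only one internal host. The following Python script is an added example written for this page, not code from the thread's participants or from Cisco. It parses the `static` and `access-list` lines in the syntax used in this thread and reports three things: a public port claimed by two hosts, a static with no permitting ACE, and an ACE that permits a destination no static translates (the original question's mistake). The `PORT_NAMES` table, the regular expressions and the sample line marked constructed are assumptions of the example; the other sample lines are copied from the thread.

```python
import re

# Port keywords the ASA accepts in place of numbers. Only the names used in this
# thread are mapped (assumption of this example; extend as needed).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}

# static (real_if,mapped_if) tcp <mapped_addr|interface> <mapped_port> <real_addr> <real_port> netmask <mask>
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_addr>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_addr>\S+) (?P<real_port>\S+) netmask \S+"
)

# access-list <name> [extended] permit tcp <any|host X> <host Y|interface Z> eq <port>
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?permit tcp "
    r"(?P<src>any|host \S+) (?:host (?P<host>\S+)|interface (?P<iface>\w+)) eq (?P<port>\S+)"
)


def port_number(token):
    """Resolve a numeric port or one of the ASA port keywords."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port keyword {token!r}")


def parse_config(lines):
    """Pull tcp statics and inbound tcp permit ACEs out of config lines.

    The mapped side is normalised to ('interface', port) when the 'interface'
    keyword is used, so a static and an ACE can be compared directly.
    """
    statics, aces = [], []
    for raw in lines:
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append({
                "mapped": (m["mapped_addr"], port_number(m["mapped_port"])),
                "real": (m["real_addr"], port_number(m["real_port"])),
            })
            continue
        m = ACE_RE.match(line)
        if m:
            target = "interface" if m["iface"] else m["host"]
            aces.append({"acl": m["name"], "mapped": (target, port_number(m["port"]))})
    return statics, aces


def check_port_forwards(lines):
    """Cross-check statics against ACEs and flag the one thing PAT cannot do."""
    statics, aces = parse_config(lines)
    forwards = {}   # (mapped_addr, mapped_port) -> (real_addr, real_port), first wins
    conflicts = []  # same public address:port claimed for two different hosts
    for s in statics:
        first = forwards.setdefault(s["mapped"], s["real"])
        if first != s["real"]:
            conflicts.append((s["mapped"], first, s["real"]))
    static_keys = set(forwards)
    ace_keys = {a["mapped"] for a in aces}
    return {
        "conflicts": conflicts,
        # a static nobody outside can reach: no ACE permits the mapped address
        "unreachable_statics": sorted(static_keys - ace_keys),
        # an ACE permitting a destination no static translates (e.g. a private address)
        "dangling_aces": sorted(ace_keys - static_keys),
    }


# Copied from the thread: the single-public-IP layout described above.
SINGLE_IP_EXAMPLE = [
    "access-list outside_access_in permit tcp any interface outside eq www",
    "access-list outside_access_in permit tcp any interface outside eq https",
    "access-list outside_access_in permit tcp any interface outside eq 3389",
    "access-list outside_access_in permit tcp any interface outside eq smtp",
    "static (inside,outside) tcp interface www 192.168.11.11 www netmask 255.255.255.255",
    "static (inside,outside) tcp interface https 192.168.11.11 https netmask 255.255.255.255",
    "static (inside,outside) tcp interface smtp 192.168.11.22 smtp netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3389 192.168.11.33 3389 netmask 255.255.255.255",
]

# Constructed for this example: a second host claiming the same public port.
CONFLICTING_STATIC = "static (inside,outside) tcp interface 3389 192.168.11.44 3389 netmask 255.255.255.255"

# Copied from the first config in the question: the ACE names the private
# address and there is no static at all.
ORIGINAL_QUESTION = [
    "access-list outside_access_in extended permit tcp host 69.39.155.237 host 192.168.13.2 eq 3389 log debugging",
]

if __name__ == "__main__":
    for label, cfg in [("single IP", SINGLE_IP_EXAMPLE),
                       ("single IP + conflict", SINGLE_IP_EXAMPLE + [CONFLICTING_STATIC]),
                       ("original question", ORIGINAL_QUESTION)]:
        print(label, check_port_forwards(cfg))
```

The check is meant as a pre-flight review of a planned change set: a `dangling_aces` entry naming a 192.168.x address is exactly the symptom in the first config posted, and a `conflicts` entry is the "same public IP, same port, two hosts" case the last sentence above rules out.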

Author Comment

by:bytecafe
ID: 20088840
Okay, the above changes didn't work. Here is an updated config.

I also have the ASDM opened up and can extend access if needed... (: As this is only a test router.

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xyz/xI encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.13.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 no forward interface Vlan1
 nameif outside
 security-level 0
 ip address 69.39.155.236 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389 log debugging
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.39.155.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.50-192.168.13.60 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a292ce7dec8b1254de4446ec0b91559c
: end
asdm image disk0:/asdm-522.bin
no asdm history enable


Author Comment

by:bytecafe
ID: 20088869
Great information above on using a single IP.

What would be easier going forward? Learn how to use a single IP or multiple? We are trying to learn what we can so we can support these for our small shops as a replacement to the Watchguard SOHO devices.
LVL 79

Expert Comment

by:lrmoore
ID: 20088942
Check the default gateway setting on the server and make sure remote desktop is enabled.
The default gateway must be the ASA's inside IP

Author Comment

by:bytecafe
ID: 20089076
The gateway is set up correctly:
IP Address. . . . . . . . . . . . : 192.168.13.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.13.1
DNS Servers . . . . . . . . . . . : 192.168.13.2
Primary WINS Server . . . . . . . : 192.168.13.2

And we can RDP to this server on the LAN.
LVL 79

Expert Comment

by:lrmoore
ID: 20089119
Do you get any hitcounters on the access-list?
 show access-list

Else, try using just the interface ip:

no static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp interface 3389 192.168.13.2 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 3389

Author Comment

by:bytecafe
ID: 20089146
ciscoasa#   show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=2) 0x7
1af81e1
access-list outside_access_in line 2 extended permit tcp any host 74.93.242.237
eq 3389 (hitcnt=0) 0x21be1230
access-list inside_access_out; 2 elements
access-list inside_access_out line 1 extended permit icmp any any (hitcnt=6) 0x4
416cbd7
access-list inside_access_out line 2 extended permit tcp any any (hitcnt=0) 0x5e
231c28

Author Comment

by:bytecafe
ID: 20089152
If you want telnet access I can enable it. This is a testing environment. Email me at rick.cass@bytecafe.net and I can counter with my phone number.

Author Comment

by:bytecafe
ID: 20089196
Here is an updated config and show access-list output.

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XYZ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.13.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 no forward interface Vlan1
 nameif outside
 security-level 0
 ip address 69.39.155.236 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.13.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.39.155.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.50-192.168.13.60 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a292ce7dec8b1254de4446ec0b91559c
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=2) 0x7
1af81e1
access-list outside_access_in line 2 extended permit tcp any host 69.39.155.237
eq 3389 (hitcnt=0) 0x21be1230
access-list outside_access_in line 3 extended permit tcp any interface outside e
q 3389 (hitcnt=0) 0xdbdd6542
access-list inside_access_out; 2 elements
access-list inside_access_out line 1 extended permit icmp any any (hitcnt=6) 0x4
416cbd7
access-list inside_access_out line 2 extended permit tcp any any (hitcnt=0) 0x5e
231c28
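The hit counters in the two `show access-list` pastes above are the diagnostic the expert asked for, and both show `hitcnt=0` on every 3389 entry. As an added example for this page (not code from the thread's participants or from Cisco), the Python script below parses that output into records and lists the ACEs that have never matched. The sample text is copied from the output posted directly above, including the hard wrap that a console applies when the output is copied from a terminal; the assumption that the wrap width is 80 columns is the example's own, as are the function names.

```python
import re

# One ACE line as printed by `show access-list` on ASA 7.2:
#   access-list <name> line <n> <rule text> (hitcnt=<n>) 0x<hash>
ACE_LINE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-fA-F]+)$"
)


def rejoin_wrapped(lines, width=80):
    """Undo the hard wrap a terminal applies at `width` columns.

    A line that does not start a new access-list record is glued onto the
    previous one. If the previous line is a full `width` characters the wrap
    fell inside a token ('0x7' + '1af81e1'), so nothing is inserted; otherwise
    the wrap fell on a space that the paste dropped, so one space is put back.
    """
    joined = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if not joined or line.startswith("access-list"):
            joined.append(line)
            continue
        prev = joined[-1]
        if len(prev) >= width:
            joined[-1] = prev + line
        else:
            joined[-1] = prev + " " + line.lstrip()
    return joined


def parse_show_access_list(output, width=80):
    """Return one record per ACE, in display order, with its hit counter."""
    records = []
    for line in rejoin_wrapped(output.splitlines(), width):
        m = ACE_LINE.match(line)
        if m:
            records.append({
                "acl": m["acl"], "line": int(m["line"]), "rule": m["rule"],
                "hitcnt": int(m["hits"]), "hash": m["hash"],
            })
    return records


def never_hit(records):
    """ACEs with hitcnt=0: no packet has been evaluated against them yet."""
    return [r for r in records if r["hitcnt"] == 0]


def hits_for(records, acl, needle):
    """Hit counter of the first ACE in `acl` whose rule text contains `needle`, or None."""
    for r in records:
        if r["acl"] == acl and needle in r["rule"]:
            return r["hitcnt"]
    return None


# Copied from the thread, exactly as pasted (console-wrapped at 80 columns).
SAMPLE_OUTPUT = """\
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=2) 0x7
1af81e1
access-list outside_access_in line 2 extended permit tcp any host 69.39.155.237
eq 3389 (hitcnt=0) 0x21be1230
access-list outside_access_in line 3 extended permit tcp any interface outside e
q 3389 (hitcnt=0) 0xdbdd6542
access-list inside_access_out; 2 elements
access-list inside_access_out line 1 extended permit icmp any any (hitcnt=6) 0x4
416cbd7
access-list inside_access_out line 2 extended permit tcp any any (hitcnt=0) 0x5e
231c28
"""

if __name__ == "__main__":
    recs = parse_show_access_list(SAMPLE_OUTPUT)
    for r in never_hit(recs):
        print(f"{r['acl']} line {r['line']}: never matched -> {r['rule']}")
    print("3389 hits:", hits_for(recs, "outside_access_in", "eq 3389"))
```

A counter that stays at 0 on the 3389 ACE while connection attempts are being made from outside shows those packets never reached that entry, which is why the follow-up questions move away from the ACL wording and towards the server's gateway, the translation, and whether traffic is actually arriving on the outside interface at all.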
LVL 79

Expert Comment

by:lrmoore
ID: 20089258
Can this server browse the Internet OK?
Can you do a tracert from the server to 198.6.1.2?
Send me an email: my username at experts-exchange dot com.