bytecafe
asked on
Cisco ASA 5505 Access Rule Help
We are trying to learn how to use the Cisco ASA 5505 and I can not figure out what I am doing wrong.
Trying to get a Inbound RDP access rule setup and I can't.
We have two external IP addresses, 69.39.155.236/237. Our internal IP subnet is 192.168.13.0/24.
The goal is to get RDP (port 3389) setup to work on the external IP 69.39.155.237 to 192.168.13.2.
Here is the config:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XYZ/xI encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 69.39.155.236 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp host 69.39.155.237 host 192.168.13.2 eq 3389 log debugging
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 74.93.242.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.13.2-192.168.13.33
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d6910fba04
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
Trying to get a Inbound RDP access rule setup and I can't.
We have two external IP addresses, 69.39.155.236/237. Our internal IP subnet is 192.168.13.0/24.
The goal is to get RDP (port 3389) setup to work on the external IP 69.39.155.237 to 192.168.13.2.
Here is the config:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XYZ/xI encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 69.39.155.236 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp host 69.39.155.237 host 192.168.13.2 eq 3389 log debugging
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 74.93.242.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.13.2-192.168.13.33
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d6910fba04
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
ASKER
Okay, thanks will try this in just a minute.
Another question that I had is this.
If a customer only has one IP address available, from the ISP or wherever, can we still setup the same access rules?
As we are getting more familuar with these devices we are trying to figure out what the limits are.
Another question that I had is this.
If a customer only has one IP address available, from the ISP or wherever, can we still setup the same access rules?
As we are getting more familuar with these devices we are trying to figure out what the limits are.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Okay, the above changes didn't work. Here is an updated config.
I also have the ASDM opened up and can extend access if needed... (: As this is only a test router.
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xyz/xI encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
ospf cost 10
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 69.39.155.236 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389 log debugging
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.39.155.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.50-192.168.13.6
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a292ce7dec8
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
I also have the ASDM opened up and can extend access if needed... (: As this is only a test router.
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xyz/xI encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
ospf cost 10
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 69.39.155.236 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389 log debugging
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.39.155.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.50-192.168.13.6
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a292ce7dec8
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
ASKER
Gret information above on using a single IP.
What would be easier going forward? Learn how to use single IP or multiple? We are trying to learn what we can so we can support these for our small shops as a replacement to the Watchguard SOHO devices.
What would be easier going forward? Learn how to use single IP or multiple? We are trying to learn what we can so we can support these for our small shops as a replacement to the Watchguard SOHO devices.
Check the default gateway setting on the server and make sure remote desktop is enabled.
The default gateway must be the ASA's inside IP
The default gateway must be the ASA's inside IP
ASKER
The gateway is setup correct:
IP Address. . . . . . . . . . . . : 192.168.13.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.13.1
DNS Servers . . . . . . . . . . . : 192.168.13.2
Primary WINS Server . . . . . . . : 192.168.13.2
And we can RDP to this server on the LAN.
IP Address. . . . . . . . . . . . : 192.168.13.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.13.1
DNS Servers . . . . . . . . . . . : 192.168.13.2
Primary WINS Server . . . . . . . : 192.168.13.2
And we can RDP to this server on the LAN.
Do you get any hitcounters on the access-list?
show access-list
Else, try using just the interface ip:
no static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp interface 3389 192.168.13.2 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 3389
show access-list
Else, try using just the interface ip:
no static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp interface 3389 192.168.13.2 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 3389
ASKER
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=2) 0x7
1af81e1
access-list outside_access_in line 2 extended permit tcp any host 74.93.242.237
eq 3389 (hitcnt=0) 0x21be1230
access-list inside_access_out; 2 elements
access-list inside_access_out line 1 extended permit icmp any any (hitcnt=6) 0x4
416cbd7
access-list inside_access_out line 2 extended permit tcp any any (hitcnt=0) 0x5e
231c28
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=2) 0x7
1af81e1
access-list outside_access_in line 2 extended permit tcp any host 74.93.242.237
eq 3389 (hitcnt=0) 0x21be1230
access-list inside_access_out; 2 elements
access-list inside_access_out line 1 extended permit icmp any any (hitcnt=6) 0x4
416cbd7
access-list inside_access_out line 2 extended permit tcp any any (hitcnt=0) 0x5e
231c28
ASKER
If you want telnet access I can enable. This is a testing environment. Email me at rick.cass@bytecafe.net and I can counter with my phone number.
ASKER
Here is an updated config and show access list
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XYZ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
ospf cost 10
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 69.39.155.236 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.13.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.39.155.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.50-192.168.13.6
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a292ce7dec8
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=2) 0x7
1af81e1
access-list outside_access_in line 2 extended permit tcp any host 69.39.155.237
eq 3389 (hitcnt=0) 0x21be1230
access-list outside_access_in line 3 extended permit tcp any interface outside e
q 3389 (hitcnt=0) 0xdbdd6542
access-list inside_access_out; 2 elements
access-list inside_access_out line 1 extended permit icmp any any (hitcnt=6) 0x4
416cbd7
access-list inside_access_out line 2 extended permit tcp any any (hitcnt=0) 0x5e
231c28
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XYZ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.13.1 255.255.255.0
ospf cost 10
!
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 69.39.155.236 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.13.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.39.155.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.13.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.13.50-192.168.13.6
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a292ce7dec8
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit icmp any any (hitcnt=2) 0x7
1af81e1
access-list outside_access_in line 2 extended permit tcp any host 69.39.155.237
eq 3389 (hitcnt=0) 0x21be1230
access-list outside_access_in line 3 extended permit tcp any interface outside e
q 3389 (hitcnt=0) 0xdbdd6542
access-list inside_access_out; 2 elements
access-list inside_access_out line 1 extended permit icmp any any (hitcnt=6) 0x4
416cbd7
access-list inside_access_out line 2 extended permit tcp any any (hitcnt=0) 0x5e
231c28
Can this server browse the Internet OK?
Can you do a tracert from the server to 198.6.1.2 ?
Send me an email. my username at experts-exchange dot com
Can you do a tracert from the server to 198.6.1.2 ?
Send me an email. my username at experts-exchange dot com
no access-list outside_access_in extended permit tcp host 69.39.155.237 host 192.168.13.2 eq 3389
Replace it with this:
access-list outside_access_in extended permit tcp any host 69.39.155.237 eq 3389
Remove the acl from the inside interface. It is not needed and is hurting you.
no access-group inside_access_out out interface inside
Add this:
static (inside,outside) tcp 69.39.155.237 3389 192.168.13.2 3389 netmask 255.255.255.255