?
Solved

ASA 5510 NAT Access Rule help for RDP protocol

Posted on 2008-01-28
5
Medium Priority
?
816 Views
Last Modified: 2013-11-16
Hey all. New to the ASA 5510. I set these up on my PIX 515e for years. And I did this fine the first time on the 5510 before I went back to factory default and flashed the latest 8.03 software. I somehow figured it out fine in the 7.2 software before.

I am just setting up a new office location and its LAN. I have the PAT setup and internet up and running. I simply need to setup a static NAT from the Public IP to the internal for a particular server, then allow RDP traffic coming from the outside interface to port 3389.

On my PIX and old ASA software, it would have the Source Port then the Destination Port. I would set the Source as "= any" and the Destination as 3389 and everything worked fine. Anyone see what I am missing in my config below? Thanks and sorry for my stupidity.

And yes, there is a tunnel setup wth our current office in the config.

Thanks in advance!

User Access Verification

Password:
Type help or '?' for a list of available commands.
WZ-ASA1> en
Password: *********
WZ-ASA1# sh config
: Saved
: Written by enable_15 at 11:38:12.239 EST Mon Jan 28 2008
!
ASA Version 8.0(3)
!
hostname WZ-ASA1
domain-name ************.com
enable password I************************ encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address ************255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 99
 ip address 10.100.100.1 255.255.240.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd I************ encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ************.com
object-group service RemoteDesktop tcp
 port-object eq 3389
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit icmp 10.100.200.0 255.255.255.0 10
.100.96.0 255.255.240.0
access-list management_nat0_outbound extended permit ip 10.100.96.0 255.255.240.
0 10.100.200.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 10.100.96.0 255.255.240.0 10.
100.200.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.96.0 255.255.240.0 10
.100.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location 10.100.200.0 255.255.255.0 management
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
static (Inside,Outside) tcp ************ 3389 10.100.101.1 3389 netmask 255.255
.255.255
static (Outside,Inside) 10.100.101.1 ************netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 70.150.66.223 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.100.96.0 255.255.240.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer ************
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet 10.100.96.0 255.255.240.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group ************type ipsec-l2l
tunnel-group ************ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cdf9b6aeeaa97b579970b2054197ec86
WZ-ASA1#
0
Comment
Question by:miconis
  • 3
  • 2
5 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20762034
  If you are using the public ip that assigned to ASA's outside interface, then do the following modification

no static (Inside,Outside) tcp ************ 3389 10.100.101.1 3389 netmask 255.255
.255.255
no static (Outside,Inside) 10.100.101.1 ************netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 10.100.101.1 3389 netmask 255.255
.255.255
access-list Outside_access_in permit tcp any interface outside eq 3389

Regards
0
 

Author Comment

by:miconis
ID: 20762707
Sorry, maybe I didn't explain it correctly.

I need to add another public IP, not the IP for the outside interface of the ASA. So I need a static NAT for the new Public IP to the Internal IP of this particular server, then a basic Access Rule to allow 3389 traffic from ANY outside source to 3389 of this server.
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 2000 total points
ID: 20763052
Then...

static (Inside,Outside) tcp x.x.x.x 3389 10.100.101.1 3389 netmask 255.255
.255.255
no static (Outside,Inside) 10.100.101.1 x.x.x.x netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 10.100.101.1 3389 netmask 255.255
.255.255
access-list Outside_access_in permit tcp any host x.x.x.x eq 3389
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20763309
btw, also do the following modification, forgot to mention
no static (Inside,Outside) tcp interface 3389 10.100.101.1 3389 netmask 255.255
.255.255
0
 

Author Comment

by:miconis
ID: 20763424
Thanks, I saw that stray one before I accepted and cleared it up too.

Thanks!

The part I was missing in the ASDM was I was still doing a NAT, but you have to select PAT at the bottom of the rule windows, and set the translation and destination ports, which I got AFTER your CLI commands and I could see it in the ASDM.

Thanks again
0

Featured Post

KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question