amforem
asked on
CISCO ASA 5505 and RDP out
I have an ASA 5505 at one of our field offices. I am able to connect to it through Cisco ASDM (v6). The users need to go through the firewall and do an RDP session to a server on the Internet. I know you need to open a port (I believe 3389) but cannot figure out how to open a port through ASDM. Everything I have read only discusses how to open the ASA for incoming RDP sessions, but none for outgoing. Plus, everyone wants you to use the command line, which I have no problem with, but I was hoping to use the ASDM interface.
Any help will be appreciated.
ASKER
The users in the field office are behind the firewall on an inside network. The last time I worked on a Cisco was a 2600 about 7 years ago, and I have never been trained on the ASDM, but from what I see the level is 100.
I have no idea about the remote location except that they do have other users from other offices able to access the RDP server.
Can you produce a show run? Log into the firewall CLI and, in priv mode, enter the show run command. Copy that in here. I can check your configuration for you. If everything adds up, then permissions are incorrect for remote desktop accessibility for your users, or an upstream device or firewall is blocking the port inbound.
ASKER
Thanks for your help. Hopefully the below will help.
Result of the command: "show run"
: Saved
:
ASA Version 8.0(3)
!
hostname Oak-Ridge
domain-name ntlan1.local
enable password uhWqqZ.b7kayfoam encrypted
names
name 10.3.1.10 Corporate1
name 10.3.1.7 Corporate5
name 205.152.37.23 BellSouth_DNS1
name 205.152.132.23 BellSouth_DNS2
name 10.11.2.0 BranchTN description Branch LAN
name xxx.xxx.xxx.xxx Corporate_ISP
name 70.148.202.7 Branch_ISP
name 10.3.1.0 Corporate
!
interface Vlan1
nameif LAN
security-level 100
ip address 10.11.1.1 255.255.255.0
!
interface Vlan2
nameif WAN
security-level 0
pppoe client vpdn group OAKRIDGE-PPOE
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec *****************************************************
banner exec * * * * W A R N I N G * * * *
banner exec * * * * THIS CONNECTION IS BEING LOGGED * * * *
banner exec * * * * UNAUTHORIZED ACCESS IS PROHIBITED * * * *
banner exec *****************************************************
boot system disk0:/asa803.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup LAN
dns server-group DefaultDNS
name-server BellSouth_DNS1
name-server BellSouth_DNS2
domain-name ntlan1.local
object-group service DATAMover
service-object gre
service-object tcp eq pptp
access-list LAN_nat0_outbound extended permit ip 10.11.1.0 255.255.255.0 Corporate 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 10.11.1.0 255.255.255.0 BranchTN 255.255.255.0
access-list WAN_nat0_outbound extended permit ip any Corporate 255.255.255.0
access-list VPNClient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list WAN_cryptomap_1 extended permit ip 10.11.1.0 255.255.255.0 Corporate 255.255.255.0
access-list WAN_2_cryptomap extended permit ip 10.11.1.0 255.255.255.0 BranchTN 255.255.255.0
access-list LAN_access_in extended permit ip any any
access-list Trackit extended permit tcp Corporate 255.255.255.0 10.11.1.0 255.255.255.0
pager lines 24
logging enable
logging list Logs level notifications
logging asdm informational
logging class auth trap notifications
logging class bridge trap notifications
logging class config trap notifications
logging class sys trap notifications
logging class vpdn trap notifications
logging class vpn trap notifications
logging class webfo trap notifications
logging class webvpn trap notifications
logging class ca trap notifications
logging class email trap notifications
logging class eap trap notifications
logging class svc trap notifications
logging class csd trap notifications
logging class ssl trap notifications
logging class dap trap notifications
mtu LAN 1500
mtu WAN 1500
ip local pool VPNPOOL 192.168.1.200-192.168.1.210 mask 255.255.255.0
ip verify reverse-path interface LAN
ip verify reverse-path interface WAN
ip audit name IPInfo info action alarm drop
ip audit name IPAttack attack action alarm drop
ip audit interface LAN IPInfo
ip audit interface LAN IPAttack
ip audit interface WAN IPInfo
ip audit interface WAN IPAttack
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm603.bin
asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
nat (WAN) 0 access-list WAN_nat0_outbound
access-group LAN_access_in in interface LAN
route WAN 0.0.0.0 0.0.0.0 68.208.254.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.11.1.0 255.255.255.0 LAN
http Corporate 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 match address WAN_cryptomap_1
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer Corporate_ISP
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_map 1 set phase1-mode aggressive
crypto map WAN_map 1 set reverse-route
crypto map WAN_map 2 match address WAN_2_cryptomap
crypto map WAN_map 2 set pfs
crypto map WAN_map 2 set peer Branch_ISP
crypto map WAN_map 2 set transform-set ESP-3DES-SHA
crypto map WAN_map 2 set reverse-route
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.11.1.0 255.255.255.0 LAN
telnet timeout 5
ssh Corporate 255.255.255.0 LAN
ssh Corporate_ISP 255.255.255.255 WAN
ssh timeout 5
console timeout 0
management-access LAN
vpdn group OAKRIDGE-PPOE request dialout pppoe
vpdn group OAKRIDGE-PPOE localname americanforest@bellsouth.net
vpdn group OAKRIDGE-PPOE ppp authentication pap
vpdn username americanforest@bellsouth.net password ********* store-local
dhcpd dns Corporate1
dhcpd domain ntlan1.local
!
dhcpd address 10.11.1.50-10.11.1.70 LAN
!
vpnclient server 71.75.196.246
vpnclient mode client-mode
vpnclient vpngroup TestGroup password ********
vpnclient username UserTest password ********
vpnclient management tunnel 192.168.1.0 255.255.255.0
threat-detection basic-threat
threat-detection statistics
ntp server 10.11.1.5 source LAN prefer
webvpn
enable WAN
csd image disk0:/SD_asa-3.3.0.188-k9.pkg
csd enable
svc image disk0:/sslclient-win-2.2.0133-k9.pkg 1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy WebVPNAdminPolicy internal
group-policy WebVPNAdminPolicy attributes
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value ntlan1.local
webvpn
customization value DfltCustomization
group-policy AFMVPNTunnel internal
group-policy AFMVPNTunnel attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
username XXXXXXXXXX password .OGfR0JjwOsrQE90 encrypted privilege 15
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy AFMVPNTunnel
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group AFMVPNClient type remote-access
tunnel-group AFMVPNClient general-attributes
dhcp-server 192.168.1.2
authorization-required
tunnel-group AFMWebAdmin type remote-access
tunnel-group AFMWebAdmin general-attributes
address-pool VPNPOOL
default-group-policy WebVPNAdminPolicy
tunnel-group 70.148.202.7 type ipsec-l2l
tunnel-group 70.148.202.7 general-attributes
default-group-policy AFMVPNTunnel
tunnel-group 70.148.202.7 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6e3b279ad4a46341175643da3f8c5292
: end
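Reading the posted configuration, outbound RDP does not need a new rule: the access-list LAN_access_in (permit ip any any) is applied inbound on the LAN interface, and nat (LAN) 1 0.0.0.0 0.0.0.0 together with global (WAN) 1 interface PATs every inside host out of the WAN address, so TCP/3389 from a LAN client to an Internet server is already permitted and translated. The commands below are an added example of how to confirm that on the ASA CLI; they are not part of the original thread. 10.11.1.64 is the client address the asker quotes later in the thread, and 203.0.113.10 is a placeholder for the Internet RDP server, not an address from the page.

```cisco
! Added example (not from the thread): confirm that the posted
! configuration already permits outbound RDP. Run from privileged EXEC.
!
! 1. The ACL bound inbound on LAN allows everything, and interface PAT
!    covers every inside host, so no explicit 3389 rule is required.
show running-config access-group
show running-config access-list LAN_access_in
show running-config nat
show running-config global
!
! 2. Simulate an inside client (10.11.1.64, from the asker's later error
!    message) opening TCP/3389 to an Internet RDP server.
!    203.0.113.10 is a placeholder address, not one from the page.
!    Every phase should report "Action: ALLOW", and the NAT phase should
!    translate the source to the WAN interface address.
packet-tracer input LAN tcp 10.11.1.64 1025 203.0.113.10 3389 detailed
!
! 3. While a user attempts the connection, confirm a connection and a
!    translation exist. A SYN that is sent but never answered points at
!    the far end (or an upstream filter), not at this ASA.
show conn address 10.11.1.64 port 3389
show xlate local 10.11.1.64
!
! 4. If sessions still fail, keep a buffered log and look for the attempt:
!    an ACL deny is logged as a 106xxx message, a NAT failure as 305006.
configure terminal
logging buffered informational
end
show logging | include 3389
```

If packet-tracer allows the flow and show conn shows the connection in SYN-sent state with no return traffic, the firewall is not the problem and the question moves to the remote site, as the expert's last comment suggests.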
SOLUTION
ASKER
I have no idea. All I know is that the user clicks on the RDP client icon on their desktop, it sends them to an IP address on the web where they should be able to login to the server.
SOLUTION
ASKER
Let me say first that I screwed up and have wasted your time. It seems that I did not know about one step. The user has to do a VPN connection to the external site and then do the RDP. It is the VPN connection that is messing up. When he tries to connect through the VPN he is getting: Error Message 305006: regular translation creation failed for protocol 47 src LAN: 10.11.1.64 dst 10.11.1.64 dst WAN: 69.85.230.4
What I have found so far is for the PIX firewall, so I do not want to use it unless I am sure it will work for the ASA 5505.
Thanks and sorry again
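Syslog 305006 for protocol 47 means the ASA could not create a PAT translation for GRE, the data channel that PPTP opens alongside its TCP/1723 control connection. GRE has no port numbers, so the interface PAT in the posted config (nat (LAN) 1 with global (WAN) 1 interface) can only carry it when PPTP inspection is enabled: the inspection engine watches the call setup on TCP/1723 and builds the matching GRE connection and translation. The posted global_policy inspects dns, ftp, h323, rsh, rtsp, esmtp, sqlnet, skinny, sunrpc, xdmcp, sip, netbios and tftp but not pptp, and the DATAMover object-group that lists gre and pptp is defined but never referenced. The accepted answer on this thread is not visible here; the following is an added example of enabling and verifying that inspection on this 8.0(3) configuration, not the thread's own solution. 10.11.1.64 and 69.85.230.4 are the addresses from the asker's error message.

```cisco
! Added example (not the thread's accepted answer, which is hidden):
! enable PPTP inspection so interface PAT can translate the GRE
! (IP protocol 47) data channel that PPTP sets up next to TCP/1723.
!
! Before: the TCP/1723 control channel gets a PAT entry, the GRE that
! follows does not, and the ASA logs %ASA-3-305006 for protocol 47.
configure terminal
policy-map global_policy
 class inspection_default
  inspect pptp
end
write memory
!
! Verify: the inspection must show up in the global service policy.
show service-policy | include pptp
!
! Verify: the control channel should be allowed and translated
! (addresses are the ones from the asker's log line).
packet-tracer input LAN tcp 10.11.1.64 1025 69.85.230.4 1723
!
! Verify while the user is actually connecting: after the call setup has
! been inspected, a connection to the PPTP server and a GRE translation
! for the client should appear. Before the call is placed there is nothing
! to see, so a clean "show xlate" taken beforehand proves nothing.
show conn address 69.85.230.4
show xlate local 10.11.1.64
```

The class inspection_default already matches default-inspection-traffic, which includes TCP/1723, so the single inspect pptp line is enough; no new class-map or ACL is needed, and the unused DATAMover object-group can stay as it is.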
ASKER CERTIFIED SOLUTION
Is there a firewall at the remote location? Is it allowing Port 3389 inbound?