Solved

Cisco ASA 5505 RDP

Posted on 2009-02-15
18
Medium Priority
929 Views
Last Modified: 2013-11-29
Hi,

I have recently purchased an ASA 5505 and I am trying to permit RDP on the outside interface to a host on the inside (10.15.1.50). I am also trying to NAT a DHCP range on the outside to my inside interface. The DHCP range is 192.168.2.128/27.

Any help would be much appreciated.

hostname PIX
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.1 External
name 192.168.2.128 Client_DHCP
!
interface Vlan1
nameif inside
security-level 100
ip address 10.15.3.254 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address External 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Outside_IN extended permit tcp any eq 3389 host 10.15.1.50 log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
asdm location External 255.255.255.255 inside
asdm location 192.168.100.2 255.255.255.255 inside
asdm location Client_DHCP 255.255.255.224 inside
no asdm history enable
arp timeout 14400
global (inside) 1 interface
nat (outside) 1 Client_DHCP 255.255.255.224 outside
access-group Outside_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.15.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.15.0.0 255.255.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:373120c7d52d738318bd920989538288
Question by:keithclayton
17 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23644558
Close but make these changes:

conf t
no access-list Outside_IN extended permit tcp any eq 3389 host 10.15.1.50 log
no global (inside) 1 interface
no nat (outside) 1 Client_DHCP 255.255.255.224 outside

global (outside) 1 interface
nat (inside) 1 Client_DHCP 255.255.255.224
static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255
access-list Outside_IN extended permit tcp any any eq 3389
access-group Outside_IN in interface outside

x.x.x.x is the real/private IP of the RDP server.
 

Author Comment

by:keithclayton
ID: 23644813
Hi,

The DHCP range is the external network which I am looking to NAT. I want the Client DHCP range to be able to NAT/PAT to the inside network.
nat (inside) 1 Client_DHCP 255.255.255.224
 

Author Comment

by:keithclayton
ID: 23644970
hi,
Looks like the problem lies with no NAT on the outside interface:

No translation group found for tcp src outside:192.168.2.131/3479 dst inside:10.15.1.50/3389
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 23646480
So, you added this, right:

static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
access-list Outside_IN extended permit tcp any any eq 3389
access-group Outside_IN in interface outside

You don't need to NAT the outside to the inside but rather inside/out which the static statement above covers for the RDP server.  I don't see a default route on the ASA:

route outside 0.0.0.0 0.0.0.0 192.168.100.2

The 192.168.100.2 router has a route to the 10.15.0.0/16 subnet via 192.168.100.1, right?

The 10.15.1.50 server has a default gateway of this ASA (10.15.3.254)?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23646482
Forget the route on the outside to 10.15.0.0/16 since the RDP server will appear as 192.168.100.1 to the outside.
 

Author Comment

by:keithclayton
ID: 23649482
hi,

I have made changes and the Inside network will be coming from 192.168.2.128/27 to outside (10.15.1.50)

I checked the logs via the ASDM: Routing failed to locate hop for TCP from outside: 10.15.1.50/3389 to inside:192.168.2.131/1501

ciscoasa# sh config
: Saved
: Written by enable_15 at 12:50:30.023 UTC Mon Feb 16 2009
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.1 Inside
name 10.15.3.254 Outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Inside 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 100
 ip address Outside 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list Outside_IN extended permit tcp any any eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.128 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
access-group Outside_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.15.0.0 255.255.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1119e0cca59c08cbba0721cbb7049969
ciscoasa#


 
LVL 43

Expert Comment

by:JFrederick29
ID: 23649525
Okay, it is a routing issue now.

Add this route:

conf t
route inside 192.168.2.128 255.255.255.224 192.168.100.2
 

Author Comment

by:keithclayton
ID: 23649624
All client connections will be initiated from the 192.168.2.x network (the IP addresses are allocated via the VPN DHCP range).
I want to connect to the destination IP address 10.15.1.50, which is the actual address of the RDP server, rather than the inside (192.168.100.1) interface, and NAT the traffic through.
I am starting with a single IP address and will be adding more addresses in the 10.15.x.x subnet.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23649681
So, is 192.168.100.2 the VPN device?  Did you add the route?  You don't need to connect to the inside interface, connect to the real IP address (10.15.x.x). The 192.168.100.2 device also needs a route to 10.15.0.0/16 via 192.168.100.1 (this ASA).
 

Author Comment

by:keithclayton
ID: 23652324
OK, the 192.168.100.2 is the VPN device. I have made the config changes and now I am able to connect to the RDP server inside the LAN by pointing to the real IP 10.15.x.x. I have also added a static route to the servers on the 172.x.x.x subnet, which is also working. However, I have since removed all the ACLs and the traffic is still getting through. I need to be able to filter the traffic?

hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.1 Inside
name 10.15.3.254 Outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Inside 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 100
 ip address Outside 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.17.2.68 3389 netmask 255.255.255.255
route inside 192.168.2.128 255.255.255.224 192.168.100.2 1
route outside 172.17.2.68 255.255.255.255 Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.15.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.15.0.0 255.255.0.0 outside
telnet timeout 5
ssh 10.15.0.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:91c877ab17abae243bb11398bb066ebb
: end
ciscoasa# sh access
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
ciscoasa#
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23652398
Yeah, all traffic is allowed by default from the inside to outside but you can use an access-list to restrict traffic.

conf t
access-list inside_access_in extended permit tcp any host 10.15.1.50 eq 3389

access-group inside_access_in in interface inside

You need to allow other traffic.  The above will only allow RDP to 10.15.1.50 and deny everything else.  Simply add additional rules to the inside_access_in access-list to allow other traffic.
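The points JFrederick29 makes across the thread (a static PAT on the outside interface exposes TCP/3389 to whatever can reach that interface; an access-list does nothing until it is bound with access-group; with both interfaces at the same security level and inter-interface traffic permitted there is no policy boundary left; and the final dump also opens telnet, ssh and http on the interface named "outside") can be checked mechanically before the next config is pasted into a forum. The following is an added example, not code from the thread or from Cisco: parse_asa and audit are this example's own, the two sample configs are constructed (one trimmed to the shape of the final sh config above, one a hypothetical hardened counterpart), and the rule that the interface named "outside", or whichever sits at the lowest security level, counts as untrusted is an assumption of the script.

```python
import re

# Constructed sample in the shape of the final "sh config" posted above (trimmed, not
# a verbatim copy): both VLANs at level 100, inter-interface traffic permitted, no ACL
# bound, telnet/ssh/http management opened on the interface named "outside".
WEAK_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 100
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.17.2.68 3389 netmask 255.255.255.255
http server enable
http 10.15.0.0 255.255.0.0 outside
telnet 10.15.0.0 255.255.0.0 outside
ssh 10.15.0.0 255.255.0.0 outside
"""

# Hypothetical hardened counterpart: distinct levels, an ACL bound per interface, SSH only.
HARDENED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside_access_in extended permit tcp any host 10.15.1.50 eq 3389
access-list outside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
ssh 10.15.0.0 255.255.0.0 inside
"""

def parse_asa(text):
    """Pull out the ASA 7.x/8.0 statements the audit needs (indentation-agnostic)."""
    cfg = {"ifaces": {}, "acls": {}, "bound": {}, "mgmt": [], "statics": [],
           "same_security": False}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[0] == "interface":
            cur = cfg["ifaces"].setdefault(w[1], {})
        elif w[0] in ("nameif", "security-level") and cur is not None:
            cur[w[0]] = int(w[1]) if w[0] == "security-level" else w[1]
        elif w[0] == "access-list" and len(w) > 3:
            cfg["acls"].setdefault(w[1], []).append(line)
        elif w[0] == "access-group" and len(w) == 5:   # access-group ACL in interface IF
            cfg["bound"][w[4]] = w[1]
        elif w[0] in ("telnet", "ssh", "http") and len(w) == 4:
            cfg["mgmt"].append(tuple(w))                # (svc, net, mask, iface)
        elif w[0] == "static" and "tcp" in w:
            cfg["statics"].append(line)
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_security"] = True
    return cfg

def audit(cfg):
    """Return (kind, detail) findings; an empty list means nothing was flagged."""
    f = []
    levels = {i["nameif"]: i["security-level"] for i in cfg["ifaces"].values()
              if "nameif" in i and "security-level" in i}
    # Assumption: "outside", or whatever sits at the lowest level, is the untrusted side.
    untrusted = {n for n, l in levels.items() if n == "outside" or l == min(levels.values(), default=0)}
    if cfg["same_security"] and len(set(levels.values())) < len(levels):
        f.append(("no-boundary", "interfaces share a security level and inter-interface traffic is permitted"))
    for n in levels:
        if n not in cfg["bound"]:
            f.append(("no-acl", f"no access-group on {n}; only the implicit level policy applies"))
    for acl in cfg["acls"]:
        if acl not in cfg["bound"].values():
            f.append(("unbound-acl", f"access-list {acl} is defined but never applied"))
    for svc, net, mask, iface in cfg["mgmt"]:
        if svc == "telnet":
            f.append(("cleartext-mgmt", f"telnet from {net} {mask} on {iface}"))
        if iface in untrusted:
            f.append(("mgmt-from-untrusted", f"{svc} from {net} {mask} on {iface}"))
    for s in cfg["statics"]:
        m = re.search(r"tcp (\S+) (\d+) (\S+) (\d+)", s)
        if m and m.group(2) == "3389":
            f.append(("exposed-rdp", f"static PAT {m.group(1)}:3389 -> {m.group(3)}:{m.group(4)}"))
    for iface, acl in cfg["bound"].items():
        if iface in untrusted:   # permit-from-any on the untrusted side's ACL
            f += [("any-source", ace) for ace in cfg["acls"].get(acl, [])
                  if re.search(r" permit \S+ any ", ace)]
    return f

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}")
        for kind, detail in audit(parse_asa(text)):
            print(f"  [{kind}] {detail}")
```

Run against the weak sample it reports eight findings (no boundary, no ACL on either interface, cleartext telnet, three management services reachable from the untrusted side, and the 3389 static PAT); the hardened sample reports none. Feed it a real `sh config` instead of the embedded strings and extend the `mgmt`/`statics` rules as needed; the parser deliberately ignores everything it does not recognise.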
 

Author Comment

by:keithclayton
ID: 23653013
Yeah dude, that worked, thanks.
Just one more question: what does the following command do? Does this affect RDP to other servers, i.e. 172.17.x.x?

 static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23653022
You don't need this anymore since you switched the inside and outside.

conf t
no static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23653073
Looks like you are closing the question instead of accepting one of my comments as the answer.  Can you cancel the close request and accept an answer.  It's faster/cleaner and less work for the moderators. Thanks.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23661368
I'm not sure why I would only be assigned 70 points out of the 500.  I believe the asker was satisfied with the solution but perhaps wasn't quite sure on how to accept an answer and close the question properly.   Can you please assist?  Thanks!
 

Author Closing Comment

by:keithclayton
ID: 31547076
JFrederick, sorry about that, I was not quite sure how to close.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23684626
No problem at all.  Thanks!
