We help IT Professionals succeed at work.

Cisco ASA 5505 RDP

Medium Priority
965 Views
Last Modified: 2013-11-29
Hi,

I have recently purchased a asa 5505 and I am trying permit rdp on the outside interface to a host on the inside (10.15.1.50) I am also trying Nat a dhcp range on the outside to my inside interface. THe dhcp range 192.168.2.128/27

Any help would be much-appreciatied  

hostname PIX
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.1 External
name 192.168.2.128 Client_DHCP
!
interface Vlan1
nameif inside
security-level 100
ip address 10.15.3.254 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address External 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Outside_IN extended permit tcp any eq 3389 host 10.15.1.50 log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
asdm location External 255.255.255.255 inside
asdm location 192.168.100.2 255.255.255.255 inside
asdm location Client_DHCP 255.255.255.224 inside
no asdm history enable
arp timeout 14400
global (inside) 1 interface
nat (outside) 1 Client_DHCP 255.255.255.224 outside
access-group Outside_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.15.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.15.0.0 255.255.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:373120c7d52d738318bd920989538288
Comment
Watch Question

Top Expert 2009

Commented:
Close but make these changes:

conf t
no access-list Outside_IN extended permit tcp any eq 3389 host 10.15.1.50 log
no global (inside) 1 interface
no nat (outside) 1 Client_DHCP 255.255.255.224 outside

global (outside) 1 interface
nat (inside) 1 Client_DHCP 255.255.255.224
static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255
access-list Outside_IN extended permit tcp any any eq 3389
access-group Outside_IN in interface outside

x.x.x.x is the real/private IP of the RDP server.

Author

Commented:
Hi,

The DHCP Range is the external network which I am look to NAT.  I want the Client DHCP Range to be able to NAT/PAT to the inside network.
nat (inside) 1 Client_DHCP 255.255.255.224

Author

Commented:
hi,
Looks like the problem lie with no NAT on the outside interface

No translation group found for tcp src outside:192.168.2.131/3479 dst inside:10.15.1.50/3389
Top Expert 2009
Commented:
So, you added this, right:

static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
access-list Outside_IN extended permit tcp any any eq 3389
access-group Outside_IN in interface outside

You don't need to NAT the outside to the inside but rather inside/out which the static statement above covers for the RDP server.  I don't see a default route on the ASA:

route outside 0.0.0.0 0.0.0.0 192.168.100.2

The 192.168.100.2 router has a route to the 10.15.0.0/16 subnet via 192.168.100.1, right?

The 10.15.1.50 server has a default gateway of this ASA (10.15.3.254)?

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Top Expert 2009

Commented:
Forget the route on the outside to 10.15.0.0/16 since the RDP server will appear as 192.168.100.1 to the outside.

Author

Commented:
hi,

I have made changes and the Inside network will be coming from 192.168.2.128/27 to outside (10.15.1.50)

I checked the logs via the asdm  Routing failed to locate hop for TCP from outside: 10.15.1.50/3389 to inside:192.168.2.131/1501

ciscoasa# sh config
: Saved
: Written by enable_15 at 12:50:30.023 UTC Mon Feb 16 2009
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.1 Inside
name 10.15.3.254 Outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Inside 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 100
 ip address Outside 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list Outside_IN extended permit tcp any any eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.128 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
access-group Outside_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.15.0.0 255.255.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1119e0cca59c08cbba0721cbb7049969
ciscoasa#


Top Expert 2009

Commented:
Okay, it is a routing issue now.

Add this route:

conf t
route inside 192.168.2.128 255.255.255.224 192.168.100.2

Author

Commented:
All client connections will be initiated from 192.168.2.x network (the IP addresses are allocated via vpn dhcp range)
I want to connect to a destination address IP 10.15.1.50 this is actual address of the rdp server, rather than the inside (192.168.100.1) interface and natd the traffic through.
I am starting with a single IP address and will be adding more addresses in the 10.15.x.x subnet.
Top Expert 2009

Commented:
So, is 192.168.100.2 the VPN device?  Did you add the route?  You don't need to connect to the inside interface, connect to the real IP address (10.15.x.x).The 192.168.100.2 device also needs a route to 10.15.0.0/16 via 192.168.100.1 (this ASA).

Author

Commented:
OK the 192.168.100.2 is the vpn device, I  have made the config changes and now I am able to connect rdp server inside the lan by point to the real IP 10.15.x.x, I have also added a ststic route to the servers on the 172.x.x.x subnet which is also working. However I have sinced remove all the acl and the traffic is still getting through.  I need to be able to filter the traffic ?

hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.100.1 Inside
name 10.15.3.254 Outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address Inside 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 100
 ip address Outside 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.17.2.68 3389 netmask 255.255.255.
255
route inside 192.168.2.128 255.255.255.224 192.168.100.2 1
route outside 172.17.2.68 255.255.255.255 Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.15.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.15.0.0 255.255.0.0 outside
telnet timeout 5
ssh 10.15.0.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:91c877ab17abae243bb11398bb066ebb
: end
ciscoasa# sh access
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
ciscoasa#
















Top Expert 2009

Commented:
Yeah, all traffic is allowed by default from the inside to outside but you can use an access-list to restrict traffic.

conf t
access-list inside_access_in extended permit tcp any host 10.15.1.50 eq 3389

access-group inside_access_in in interface inside

You need to allow other traffic.  The above will only allow RDP to 10.15.1.50 and deny everything else.  Simply add additional rules to the inside_access_in access-list to allow other traffic.

Author

Commented:
Yea Dude that work thanks
Just one more question what the following command do ? Does this affect rdp to other servers i.e. 172.17.x.x

 static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
Top Expert 2009

Commented:
You don't need this anymore since you switched the inside and outside.

conf t
no  static (inside,outside) tcp interface 3389 10.15.1.50 3389 netmask 255.255.255.255
Top Expert 2009

Commented:
Looks like you are closing the question instead of accepting one of my comments as the answer.  Can you cancel the close request and accept an answer.  It's faster/cleaner and less work for the moderators. Thanks.
Top Expert 2009

Commented:
I'm not sure why I would only be assigned 70 points out of the 500.  I believe the asker was satisfied with the solution but perhaps wasn't quite sure on how to accept an answer and close the question properly.   Can you please assist?  Thanks!

Author

Commented:
JFrederick, sorry about  that I was not quite sure how to close
Top Expert 2009

Commented:
No problem at all.  Thanks!
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.