
RDP through ASA 5510 not working

I am having an issue getting RDP to work through an ASA 5510.

Inbound IP address is **.**.**.65, forwarded to 192.168.0.218.

I am getting the log entries below:

2      Feb 16 2009      12:20:42      106001      **.**.**.128      **.**.**.65       Inbound TCP connection denied from **.**.**.128/4831 to **.**.**.75/3389 flags SYN  on interface wan
fw1# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname fw1
names
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
 management-only
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif wan
 security-level 0
 ip address ***.***.***.70 255.255.255.192
 ospf cost 10
!
interface Redundant2
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 nameif Lan
 security-level 90
 ip address 192.168.0.1 255.255.255.0
 ospf cost 10
!
interface Redundant2.10
 vlan 10
 nameif Conf_Wireless
 security-level 90
 ip address 192.168.249.1 255.255.255.224
!
interface Redundant2.101
 vlan 101
 nameif Vlan101
 security-level 90
 ip address 192.168.250.17 255.255.255.240
!
interface Redundant2.103
 vlan 103
 nameif Vlan103
 security-level 90
 ip address 192.168.250.49 255.255.255.240
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Lan
dns domain-lookup Vlan101
dns domain-lookup Vlan103
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
access-list wan_access_in extended permit udp any range 1 65535 host **.**.**.76 eq 3389
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.76 eq 3389
access-list wan_access_in extended permit udp any range 1 65535 host **.**.**.122 eq snmp
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.122 eq 9100
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.122 eq www
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.122 eq 445
access-list wan_access_in extended permit icmp any host **.**.**.122 echo
access-list wan_access_in extended permit ip any host 192.168.0.108
access-list wan_access_in extended permit ip any host **.**.**.123
access-list wan_access_in extended permit icmp any host **.**.**.123 echo
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.123 eq 445
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.123 eq www
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.123 eq 9100
access-list wan_access_in extended permit udp any range 1 65535 host **.**.**.123 eq snmp
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.75 eq www
access-list Cyexx_Support_splitTunnelAcl standard permit any
access-list management_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.224
access-list management_nat0_outbound extended permit ip any 192.168.2.32 255.255.255.224
access-list Cyexx_Support_splitTunnelAcl_1 standard permit any
access-list RDP extended permit tcp any host 192.168.0.218 eq 3389 log
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host management 192.168.2.10 17/1514
logging debug-trace
logging permit-hostdown
mtu management 1500
mtu wan 1500
mtu Lan 1500
mtu Conf_Wireless 1500
mtu Vlan101 1500
mtu Vlan103 1500
ip local pool Support 192.168.2.40-192.168.2.50 mask 255.255.255.0
ip verify reverse-path interface wan
ip verify reverse-path interface Lan
ip verify reverse-path interface Vlan101
ip verify reverse-path interface Vlan103
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any wan
icmp permit any Lan
icmp permit any Vlan101
asdm image disk0:/asdm-602.bin
asdm history enable
arp Lan 192.168.0.199 001e.c92c.6223
arp Lan 192.168.0.78 001e.c92c.eb54
arp Lan 192.168.0.108 0000.7489.9fbc
arp Lan 192.168.0.145 0000.7487.f130
arp Lan 192.168.0.127 0013.72f8.93a3
arp timeout 14400
global (wan) 101 interface
nat (management) 0 access-list management_nat0_outbound
nat (Lan) 101 192.168.0.0 255.255.255.0
nat (Vlan101) 101 192.168.250.16 255.255.255.240
nat (Vlan103) 101 192.168.250.48 255.255.255.240
static (Lan,wan) tcp **.**.**.75 www 192.168.0.199 www netmask 255.255.255.255
static (Lan,wan) tcp **.**.**.76 3398 192.168.0.218 3389 netmask 255.255.255.255
static (Lan,wan) udp **.**.**.76 3389 192.168.0.218 3389 netmask 255.255.255.255
static (Lan,wan) **.**.**.122 192.168.0.108 netmask 255.255.255.255
static (Lan,wan) **.**.**.123 192.168.0.145 netmask 255.255.255.255
access-group wan_access_in in interface wan
!
router rip
 version 1
!
route wan 0.0.0.0 0.0.0.0 **.**.**.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.2.0 255.255.255.0 management
no snmp-server location
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
ssh 192.168.2.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.50-192.168.0.252 Lan
dhcpd dns 208.67.222.222 192.228.79.201 interface Lan
dhcpd domain ceocenters.com interface Lan
dhcpd enable Lan
!
dhcpd address 192.168.249.10-192.168.249.30 Conf_Wireless
dhcpd dns 208.67.222.222 208.67.220.220 interface Conf_Wireless
dhcpd ping_timeout 100 interface Conf_Wireless
dhcpd domain ceocenters.com interface Conf_Wireless
dhcpd enable Conf_Wireless
!
dhcpd address 192.168.250.19-192.168.250.29 Vlan101
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan101
dhcpd domain ceocenters.com interface Vlan101
dhcpd enable Vlan101
!
dhcpd address 192.168.250.50-192.168.250.60 Vlan103
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan103
dhcpd domain ceocenters.com interface Vlan103
dhcpd enable Vlan103
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map type inspect im match-all MSN
 match protocol msn-im
class-map type inspect im match-all Yahoo
 match protocol yahoo-im
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect ftp FTP_Map
 parameters
  mask-banner
  mask-syst-reply
policy-map type inspect esmtp PreSet_ESMTP_Map
 parameters
  no mask-banner
 match sender-address length gt 320
  log
 match MIME filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
policy-map type inspect im Instant-Message-Inspection
 parameters
 class MSN
  log
 class Yahoo
  log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect im Instant-Message-Inspection
policy-map type inspect h323 h323_Map
 parameters
policy-map type inspect netbios NetBios_Map
 parameters
  protocol-violation action drop log
policy-map type inspect http Http_Inspect_Map
 description Http Inspect Map
 parameters
  protocol-violation action drop-connection
!
service-policy global_policy global
ntp server 74.53.198.146 source wan
ntp server 209.132.176.4 source wan
ntp server 24.20.30.232 source wan
group-policy Cyexx_Support internal
group-policy Cyexx_Support attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 default-domain value ceocenters.com
 address-pool Support
 default-group-policy Cyexx_Support
 pre-shared-key *
smtp-server 192.168.0.128
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
: end
fw1#

1 Solution
 
JFrederick29 commented:
You set up the static NAT with the **.**.**.76 IP address. You should be connecting to **.**.**.76 (not **.**.**.75).
 
cyexx (Author) commented:
These are the lines that I am having an issue with; sorry, I fat-fingered it when I was masking out.

access-list wan_access_in extended permit udp any range 1 65535 host **.**.**.76 eq 3389
access-list wan_access_in extended permit tcp any range 1 65535 host **.**.**.76 eq 3389


static (Lan,wan) tcp **.**.**.76 3398 192.168.0.218 3389 netmask 255.255.255.255
static (Lan,wan) udp **.**.**.76 3389 192.168.0.218 3389 netmask 255.255.255.255


Log:

2      Feb 16 2009      13:16:24      106001      **.**.**.128      **.**.**.76       Inbound TCP connection denied from **.**.**.128/3707 to **.**.**.76/3389 flags SYN  on interface wan
 
JFrederick29 commented:
Okay, looks like another typo :)

conf t
no static (Lan,wan) tcp **.**.**.76 3398 192.168.0.218 3389 netmask 255.255.255.255
static (Lan,wan) tcp **.**.**.76 3389 192.168.0.218 3389 netmask 255.255.255.255

 
JFrederick29 commented:
3398 instead of 3389...
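The typo above is the kind of thing a config cross-check catches before anyone reads syslog: on ASA 8.0 the inbound ACL references the global address and port, so an ACL entry that permits a global ip/port no `static` translates is dead, and inbound SYNs to it are dropped. The following Python is an added example, not from the thread or from Cisco; it parses the `static` and `access-list` syntax used in this running-config and reports such entries. The 203.0.113.x addresses are constructed placeholders for the masked **.**.**.x values, and `find_mismatches` and the other names are mine.

```python
import re

PORT_NAMES = {"www": 80, "snmp": 161}  # ASA port names that appear in the posted config
# static (in,out) tcp|udp GLOBAL_IP GLOBAL_PORT LOCAL_IP LOCAL_PORT netmask ...
STATIC_PORT_RE = re.compile(r"^static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# static (in,out) GLOBAL_IP LOCAL_IP netmask ...   (one-to-one, covers every port)
STATIC_HOST_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask")
# access-list NAME extended permit tcp|udp any [range a b] host IP eq PORT
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any "
                    r"(?:range \d+ \d+ )?host (\S+) eq (\S+)")

def port_num(tok):
    """Resolve an ASA port token such as 'www' or '3389' to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_statics(lines):
    """Port statics as {(proto, gip, gport): (lip, lport)} plus the global IPs
    that one-to-one statics translate in full."""
    ports, hosts = {}, set()
    for line in lines:
        if m := STATIC_PORT_RE.match(line.strip()):
            proto, gip, gport, lip, lport = m.groups()
            ports[(proto, gip, port_num(gport))] = (lip, port_num(lport))
        elif m := STATIC_HOST_RE.match(line.strip()):
            hosts.add(m.group(1))
    return ports, hosts

def find_mismatches(lines, acl_name="wan_access_in"):
    """(proto, global_ip, port) triples the ACL permits but no static translates;
    inbound connections to these are dropped, which is the symptom in the thread."""
    ports, hosts = parse_statics(lines)
    bad = []
    for line in lines:
        if (m := ACL_RE.match(line.strip())) and m.group(1) == acl_name:
            triple = (m.group(2), m.group(3), port_num(m.group(4)))
            if triple not in ports and triple[1] not in hosts:
                bad.append(triple)
    return bad

# Constructed sample: the thread's relevant lines, 203.0.113.x standing in for **.**.**.x.
SAMPLE = """
access-list wan_access_in extended permit udp any range 1 65535 host 203.0.113.76 eq 3389
access-list wan_access_in extended permit tcp any range 1 65535 host 203.0.113.76 eq 3389
access-list wan_access_in extended permit tcp any range 1 65535 host 203.0.113.122 eq www
access-list wan_access_in extended permit tcp any range 1 65535 host 203.0.113.75 eq www
static (Lan,wan) tcp 203.0.113.75 www 192.168.0.199 www netmask 255.255.255.255
static (Lan,wan) tcp 203.0.113.76 3398 192.168.0.218 3389 netmask 255.255.255.255
static (Lan,wan) udp 203.0.113.76 3389 192.168.0.218 3389 netmask 255.255.255.255
static (Lan,wan) 203.0.113.122 192.168.0.108 netmask 255.255.255.255
""".strip().splitlines()
```

Running `find_mismatches(SAMPLE)` returns only the tcp 203.0.113.76:3389 entry, and the result is empty once the static's 3398 is corrected to 3389.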
 
cyexx (Author) commented:
Looks like that was it.

Long day, just needed a fresh pair of eyes. Thanks for the help.
 
cyexx (Author) commented:
Always good to have a fresh set of eyes, thanks.
 
Donboo commented:
Remember to clear xlates if you reconfigure NAT statements that have been in use.
