Solved

Can't get outside connectivity using RDP through ASA5510

Posted on 2009-07-08
596 Views
Last Modified: 2012-05-07
Hello all,
I am trying to allow an outside user (xx.33.254.149) connection using remote desktop to a server in our DMZ (named OPTI on the config: xx.xx.42.99). I'm having no luck at the moment and would greatly appreciate any comments/help on the below config.
Many thanks
ASA# sh ru
ASA Version 7.0(8)
!
hostname ASA
domain-name asa.org.uk
enable password xxx encrypted
passwd xxx encrypted
names
name 192.168.99.36 TRUSTHQDATA
name 192.168.99.35 OPTI
name 192.168.99.9 SFTP
name 192.168.99.10 WEBMAIL
name 192.168.0.66 CYH
name 192.168.3.251 EXMS1
name 192.168.3.254 DCHQ1
name 192.168.0.71 TRUSTPROXY
name 192.168.3.228 DUDDLES
name 192.168.0.65 OPTITEST
name 192.168.3.217 DANNY
dns-guard
!
interface Ethernet0/0
 description Link to 10Mb Entanet Router
 nameif Outside
 security-level 0
 ip address xx.xx.42.98 255.255.255.224
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.99.33 255.255.255.224
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.0.43 255.255.252.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
banner motd &
#############################################################################
ftp mode passive
object-group network OUTLOOK_WEB_ACCESS
 network-object EXMS1 255.255.255.255
 network-object 192.168.3.252 255.255.255.255
 network-object DCHQ1 255.255.255.255
access-list DMZ_ACCESS_IN extended permit tcp any any eq www
access-list DMZ_ACCESS_IN extended permit tcp any eq 3389 any
access-list DMZ_ACCESS_IN extended permit tcp any eq 2179 any
access-list DMZ_ACCESS_IN extended permit icmp any any
access-list DMZ_ACCESS_IN extended permit icmp any any echo-reply
access-list DMZ_ACCESS_IN extended permit tcp any any eq https
access-list DMZ_ACCESS_IN extended permit udp host OPTI gt 1024 any
access-list DMZ_ACCESS_IN extended permit tcp host OPTI gt 1024 any
access-list DMZ_ACCESS_IN extended permit udp host OPTI eq netbios-dgm any
access-list DMZ_ACCESS_IN extended permit udp host OPTI eq netbios-ns any
access-list Inside_nat0_inbound extended permit ip any 192.168.0.52 255.255.255.252
access-list Inside_nat0_inbound_V1 extended permit ip any 192.168.0.48 255.255.255.248
access-list INSIDE_ACCESS_OUT extended permit tcp any eq www any
access-list INSIDE_ACCESS_OUT extended permit ip 192.168.99.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list INSIDE_ACCESS_OUT extended permit tcp any eq https any
access-list INSIDE_ACCESS_OUT extended permit icmp any any
access-list INSIDE_ACCESS_OUT extended permit icmp any any echo-reply
access-list INSIDE_ACCESS_OUT extended permit tcp host EXMS1 any eq smtp
access-list INSIDE_ACCESS_OUT extended permit ip host DUDDLES host 81.137.188.161
access-list INSIDE_ACCESS_OUT extended permit gre host DANNY host 81.137.188.161
access-list INSIDE_ACCESS_OUT extended permit gre any any
access-list INSIDE_ACCESS_OUT extended permit tcp any any eq ftp-data
access-list INSIDE_ACCESS_OUT extended permit tcp any any eq 3389
access-list INSIDE_ACCESS_OUT extended permit udp any any eq 21
access-list OUTSIDE_ACCESS_IN extended permit tcp any host xx.xx.42.100 eq www
access-list OUTSIDE_ACCESS_IN extended permit tcp any host xx.xx.42.100 eq https
access-list OUTSIDE_ACCESS_IN extended permit tcp any host xx.xx.42.101 eq smtp
access-list OUTSIDE_ACCESS_IN extended permit gre host 81.137.188.161 any
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.33.42.107 eq ftp-data
access-list OUTSIDE_ACCESS_IN extended permit tcp host xx.33.254.149 host xx.xx.42.108 eq 3389
access-list OUTSIDE_ACCESS_IN extended permit tcp host xx.132.136.215 host xx.xx.xx.107 eq 3389
access-list OUTSIDE_ACCESS_IN extended permit tcp host xx.33.254.149 host xx.xx.42.99 eq 3389
access-list INSIDE_OUTBOUND_NAT0_ACL extended permit ip 192.168.0.0 255.255.0.0 192.168.0.96 255.255.255.252
access-list OUTBOUND_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.52 255.255.255.252
pager lines 50
logging enable
logging asdm debugging
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_Pool 192.168.0.51-192.168.0.54
no failover
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 101 interface
nat (DMZ) 2 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_inbound_V1 outside
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.252.0
static (Inside,Outside) xx.xx.42.100 CYH netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.101 EXMS1 netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.102 DCHQ1 netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.103 WEBMAIL netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.104 TRUSTPROXY netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.105 SFTP netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.106 DUDDLES netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.107 DANNY netmask 255.255.255.255
static (Inside,Outside) xx.xx.42.99 OPTI netmask 255.255.255.255
access-group OUTSIDE_ACCESS_IN in interface Outside
access-group DMZ_ACCESS_IN in interface DMZ
access-group INSIDE_ACCESS_OUT out interface Inside
route Outside 0.0.0.0 0.0.0.0 xx.xx.42.97 1
route Inside 192.168.0.0 255.255.0.0 192.198.0.1 1
!
router ospf 1
 network 192.168.99.32 255.255.255.224 area 0
 network 192.168.0.0 255.255.0.0 area 0
 network 0.0.0.0 0.0.0.0 area 0
 area 0
 log-adj-changes
 default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (Inside) host 192.168.3.230
 timeout 5
 key xx
group-policy VPN_1 internal
group-policy VPN_1 attributes
 wins-server value 192.138.3.254 192.138.3.244
 dns-server value 192.138.3.254 192.138.3.244
 default-domain value asa.org.uk
 webvpn
group-policy VPN internal
http server enable
http 192.168.0.0 255.255.252.0 Inside
http 192.168.99.64 255.255.255.224 management
snmp-server host Inside 192.168.0.100 community public
snmp-server host Inside 192.168.3.219 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map management_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map management_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map management_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
isakmp enable Outside
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPN_Pool
 authentication-server-group RADIUS2
 default-group-policy VPN_1
tunnel-group VPN ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.252.0 Inside
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
webvpn
 enable Outside
Cryptochecksum:4cf8084aa4ea38265fc3ca7c4f6f4d67
: end

Question by:DBRushton
2 Comments
Accepted Solution

by:
3nerds earned 250 total points
ID: 24803509
If OPTI is in your DMZ you need to add a NAT translation for it. I currently see no static translations for the DMZ for server .42.99. You have an Inside,Outside one for it, but if this server is truly in your DMZ then this translation:
static (Inside,Outside) xx.xx.42.99 OPTI netmask 255.255.255.255

needs to become this:

static (DMZ,outside) xx.xx.42.99 OPTI netmask 255.255.255.255

You already have the ACL in place so fix the Static nat and it should work.

Regards,

3nerds
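The accepted answer boils down to one consistency rule: the real (unmapped) side of a `static` must be the interface the ASA actually reaches that host through, and OPTI's 192.168.99.x address lives on the DMZ interface, not Inside. As an added example that is not part of this thread and not a Cisco tool, here is a small Python checker that parses the `name`, `nameif`/`ip address`, `route` and `static` lines from an ASA 7.x-style config, resolves each static's real host to the interface that would forward to it (longest-prefix match over connected subnets and static routes, which matters here because the `route Inside 192.168.0.0/16` entry also covers the DMZ subnet), and reports any static declared on a different interface pair. The embedded config is constructed, modelled on the question's config with 203.0.113.0/24 standing in for the masked public range; the function names are my own.

```python
import ipaddress
import re

# Constructed sample in ASA 7.x syntax, modelled on the thread's config with
# documentation addresses (203.0.113.0/24) in place of the masked public range.
# It reproduces the mistake from the question: OPTI sits in the DMZ subnet but
# its static is declared on the (Inside,Outside) interface pair.
SAMPLE_CONFIG = """\
name 192.168.99.35 OPTI
name 192.168.0.66 CYH
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.98 255.255.255.224
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.99.33 255.255.255.224
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.0.43 255.255.252.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
!
static (Inside,Outside) 203.0.113.100 CYH netmask 255.255.255.255
static (Inside,Outside) 203.0.113.99 OPTI netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 203.0.113.97 1
route Inside 192.168.0.0 255.255.0.0 192.168.0.1 1
"""

# ASA 7.x form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")


def parse_config(text):
    """Return (name aliases, connected subnet per nameif, static routes, statics).
    Interface names are lower-cased so 'Outside' and 'outside' compare equal,
    as ASA nameif references are not case-sensitive."""
    names, connected, routes, statics = {}, {}, [], []
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m.group(2)] = m.group(1)          # alias -> IP
        elif line.startswith("interface "):
            current_if = None                       # new interface block
        elif m := re.match(r"nameif (\S+)$", line):
            current_if = m.group(1).lower()
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and current_if:
            # 'no ip address' does not match, so shutdown/unnumbered interfaces are skipped
            connected[current_if] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := ROUTE_RE.match(line):
            routes.append((m.group(1).lower(),
                           ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)))
        elif m := STATIC_RE.match(line):
            statics.append({"real_if": m.group(1).lower(), "mapped_if": m.group(2).lower(),
                            "mapped": m.group(3), "real": m.group(4)})
    return names, connected, routes, statics


def egress_interface(ip, connected, routes):
    """Longest-prefix match over connected subnets and static routes: the
    interface the firewall would forward to this host on, or None."""
    candidates = [(net.prefixlen, ifname) for ifname, net in connected.items() if ip in net]
    candidates += [(net.prefixlen, ifname) for ifname, net in routes if ip in net]
    return max(candidates)[1] if candidates else None


def check_statics(text):
    """Return (mapped_ip, real_host, declared_real_if, actual_if) for every
    static whose real host is not reached through the interface it names."""
    names, connected, routes, statics = parse_config(text)
    findings = []
    for st in statics:
        real_ip = ipaddress.ip_address(names.get(st["real"], st["real"]))
        actual = egress_interface(real_ip, connected, routes)
        if actual != st["real_if"]:
            findings.append((st["mapped"], st["real"], st["real_if"], actual))
    return findings


if __name__ == "__main__":
    for mapped, real, declared, actual in check_statics(SAMPLE_CONFIG):
        print(f"static for {real} ({mapped}) declared on '{declared}' "
              f"but {real} is reached via '{actual}'")
    # Applying the thread's fix clears the finding.
    fixed = SAMPLE_CONFIG.replace("static (Inside,Outside) 203.0.113.99 OPTI",
                                  "static (DMZ,Outside) 203.0.113.99 OPTI")
    print("after fix:", check_statics(fixed))
```

Run it as a script to see the single finding for OPTI and an empty list once the static is moved to the (DMZ,Outside) pair; CYH passes because 192.168.0.66 is inside the Inside interface's /22, which out-prefixes the /16 route. The checker only covers the pre-8.3 `static` syntax shown in the thread and ignores PAT and policy NAT lines.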
Author Closing Comment

by:DBRushton
ID: 31601060
Well spotted - schoolboy error! Many thanks