Link to home
Start Free TrialLog in
Avatar of chezbrgrs
chezbrgrsFlag for United States of America

asked on

RDP between interfaces on a Cisco ASA 5510

Hello Experts!

I apologize that this is sort of a duplicate post but my initial question has gone dormant.  I need immediate assistance so please throw out any guesses or ideas!

I have a Cisco ASA 5510 firewall with several interfaces (outside, inside, classrooms_inside, dmz, wireless).  The outside interface is security-level 0, the inside interface is security-level 100 and the classrooms_inside is security-level 50).  From the inside interface, I can ping clients successfully on the classrooms_inside interface; however, I cannot rdp to any of them.  It is not a software firewall issue - I can rdp to them while on the classrooms_inside interface and while traversing a site-to-site tunnel (from my home).  I just can't get any traffic (besides icmp) to flow between the inside and the classrooms_inside interfaces.  Pertinent configuration information is below.  Please help!

More info:
classroom_administration is on 192.168.19.x/24 subnet and is on the classrooms_inside interface.
business_network is on 10.98.0.0/20 subnet and is on the inside interface.

If you need anything else, please let me know.  Thank you in advance for any help you can provide!

chezbrgrs



access-list classrooms_inside_nat0_outbound extended permit ip classroom_administration 255.255.255.0 business_network 255.255.240.0

access-list inside_nat0_outbound extended permit ip business_network 255.255.240.0 classroom_administration 255.255.255.0

global (outside) 1 interface
global (classrooms_inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (classrooms_inside) 0 access-list classrooms_inside_nat0_outbound
nat (classrooms_inside) 1 0.0.0.0 0.0.0.0

Open in new window

Avatar of chezbrgrs
chezbrgrs
Flag of United States of America image

ASKER

This is the error I'm getting in the asdm log:

6      Apr 24 2011      01:29:07            10.98.8.21      53435      192.168.19.253      3389      Deny TCP (no connection) from 10.98.8.21/53435 to 192.168.19.253/3389 flags RST  on interface inside
Avatar of QuietFrank
QuietFrank

Is the asa the gateway for those networks? Where are your ACL's to these networks? Post those here.

Are you seeing any of these errors? %PIX-6-302014: ~~~~TCP Reset-I or-O's?

Collect the log filtered to your IP and post here.

Quoted from random webpage:
Notice that the first of the messages was RST ACK: that implies that
 the other end sent a RST. The PIX closed the connection then, and
 the RST ACK sent by the inside host is being logged. Then the inside
 host closes the connection from its end, generating a RST of its own.

Frank
The ICMP(stateless) traffic is working fine, but RDP(statefull) is not working.
This might be an asymetric routing issue. Does the classroom_administration and the business_network have the asa as their gateway or is there any other route they can utilize to reach each other.

Let me know which software version you are running on the ASA and also paste  the output of 'show run policy-map'
Are there any access-lists on classroom_administration and business_network that might interfere with the RDP traffic?

Is it necessary to do NAT between both inside interfaces? It is much simpler if you allow the traffic to traverse without address translation, for example:

static (business_network, classroom_administration) 10.98.0.0 10.98.0.0 netmask 255.255.240.0    

It will be easier to assist you if you place the entire config file here (remove all public addresses and passwords first)  
Thanks so much for the help!  

@QuietFrank:  The ASA is the gateway for those networks.  The running config is below which has all the ACLs.  The only error that I am seeing is the one I posted.  Would it help to enable some other logging other than ASDM?

@Mystique_87:  The ASA is running 8.2(3).  I attached a partial config to a 3560G Catalyst switch which has some default routes on it.  Here is the output from 'sho run policy-map':

!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect ip-options
  inspect icmp
!

@spaperov:  I don't think it's necessary to do NAT between both inside interfaces but I'm reasonably new to this ASA world.  I tried the static command and it didn't seem to make a difference.  The censored running config of the ASA is attached.  

Thanks again.  Let me know if you need anything else.
ASA Version 8.2(3) 
!
hostname firewall
domain-name example.com
enable password password encrypted
passwd password encrypted
names
name 10.98.0.0 business_network
name 10.98.17.0 dmz
name 192.168.11.0 classroom_1
name 192.168.12.0 classroom_2
name 192.168.13.0 classroom_3
name 192.168.14.0 classroom_4
name 192.168.15.0 classroom_5
name 192.168.16.0 classroom_6
name 192.168.17.0 classroom_7
name 192.168.18.0 classroom_8
name 192.168.19.0 classroom_administration
name 192.168.32.0 home_network
name 192.168.99.0 classroom_wireless
dns-guard
!
interface Ethernet0/0
 no nameif    
 no security-level
 no ip address
!
interface Ethernet0/0.1
 vlan 1000
 nameif outside
 security-level 0
 ip address w.x.y.z 255.255.255.224 
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.1
 vlan 10
 nameif inside
 security-level 100
 ip address 10.98.4.1 255.255.240.0 
!
interface Ethernet0/1.2
 vlan 19
 nameif classrooms_inside
 security-level 50
 ip address 192.168.19.254 255.255.255.0 
!
interface Ethernet0/1.3
 vlan 99
 nameif wireless
 security-level 50
 ip address 192.168.99.254 255.255.255.0 
!
interface Ethernet0/1.4
 vlan 9
 nameif dmz
 security-level 25
 ip address 10.98.17.1 255.255.255.248 
!
interface Ethernet0/2
 description failover interface
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name example.com
same-security-traffic permit intra-interface
object-group network classrooms
 network-object classroom_1 255.255.255.0
 network-object classroom_2 255.255.255.0
 network-object classroom_3 255.255.255.0
 network-object classroom_4 255.255.255.0
 network-object classroom_5 255.255.255.0
 network-object classroom_6 255.255.255.0
 network-object classroom_7 255.255.255.0
 network-object classroom_8 255.255.255.0
object-group service rdp tcp
 port-object eq 3389
object-group service ultravnc tcp
 port-object eq 5900
 port-object eq 5901
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object business_network 255.255.240.0
 network-object classroom_administration 255.255.255.0
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any host w.x.y.b object-group ultravnc 
access-list classrooms_inside_nat0_outbound extended permit ip classroom_administration 255.255.255.0 business_network 255.255.240.0 
access-list classrooms_inside_nat0_outbound extended permit ip classroom_administration 255.255.255.0 home_network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip business_network 255.255.240.0 home_network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip business_network 255.255.240.0 classroom_administration 255.255.255.0 
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 home_network 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu classrooms_inside 1500
mtu wireless 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (classrooms_inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (classrooms_inside) 0 access-list classrooms_inside_nat0_outbound
nat (classrooms_inside) 1 0.0.0.0 0.0.0.0
nat (wireless) 1 0.0.0.0 0.0.0.0
static (classrooms_inside,classrooms_inside) w.x.y.b 192.168.19.245 netmask 255.255.255.255 
static (classrooms_inside,outside) w.x.y.b 192.168.19.245 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.c 1
route classrooms_inside classroom_1 255.255.255.0 192.168.19.250 1
route classrooms_inside classroom_2 255.255.255.0 192.168.19.250 1
route classrooms_inside classroom_3 255.255.255.0 192.168.19.250 1
route classrooms_inside classroom_4 255.255.255.0 192.168.19.250 1
route classrooms_inside classroom_5 255.255.255.0 192.168.19.250 1
route classrooms_inside classroom_6 255.255.255.0 192.168.19.250 1
route classrooms_inside classroom_7 255.255.255.0 192.168.19.250 1
route classrooms_inside classroom_8 255.255.255.0 192.168.19.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http business_network 255.255.240.0 inside
http home_network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer a.b.c.d 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh business_network 255.255.240.0 inside
ssh home_network 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 216.136.95.2 64.132.94.250
!
dhcpd address 192.168.99.1-192.168.99.200 wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username username password password encrypted privilege 15
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b2ee793a5aa8a6ae372d019acd5fbcdd
: end


Current configuration : 9866 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch
!
enable secret 5 password
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip telnet quiet
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!

interface GigabitEthernet0/9
 description classroom_administration vlan 19 feed
 switchport access vlan 19
 switchport mode access
!
interface GigabitEthernet0/14
 description business_network switch 1 vlan 10 feed
 switchport access vlan 10
 switchport mode access
!
interface Vlan10
 description business_network vlan 10
 ip address 10.98.1.2 255.255.240.0
!
interface Vlan19
 description classroom_administration vlan 19
 ip address 192.168.19.251 255.255.255.0
 ip access-group vlan19_filter in
 standby 19 ip 192.168.19.250
 standby 19 timers 5 15
 standby 19 preempt
!
ip default-gateway 10.98.4.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.19.254
no ip http server
!
ip access-list extended vlan19_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.8.0 0.0.0.255
 permit ip any 10.98.17.0 0.0.0.255
 permit ip any 192.168.11.0 0.0.0.255
 permit ip any 192.168.12.0 0.0.0.255
 permit ip any 192.168.13.0 0.0.0.255
 permit ip any 192.168.14.0 0.0.0.255
 permit ip any 192.168.15.0 0.0.0.255
 permit ip any 192.168.16.0 0.0.0.255
 permit ip any 192.168.17.0 0.0.0.255
 permit ip any 192.168.18.0 0.0.0.255
 permit ip any any

Open in new window

I hate the way ASDM configures the firewall, it does that by the most complex way.

OK, the way that I suggest is more CLI oriented, but you can get the idea and try to perform the same with ASDM. If you are more familiar with ASDM stay with it; generally it is no a god idea to mix ADSM and CLI configuration methods but you could do that too. Personally, I use CLI for the basic configurations and ACL, and ASDM for more complex stuff as VPN.

Having sad that:
First you need to remote nat-control command – it enforces NAT from inside to low security interfaces. Then, remote global (classrooms_inside) 1 interface too and apply the static command.

So, it should be something like:
no nat-control
no global (classrooms_inside) 1 interface
static (inside, classroom_administration) 10.98.4.0 10.98.4.0 netmask 255.255.240.0

Open in new window


This will break the configuration done by ASDM but it should work. The error you have points a problem with NAT.

Please, let me know the result of the above command with the related debug messages from ASDM.  
Thanks spaperov!  I put the global (classrooms_inside) 1 interface command in there to allow hairpinning for the ip address in the command static (classrooms_inside,classrooms_inside) w.x.y.b 192.168.19.245 netmask 255.255.255.255.  Is there a different way to do that?

Also, when I tried to enter static (inside,classrooms_inside) 10.98.4.0 10.98.4.0 netmask 255.255.240.0, I get the error 'global address overlaps with mask'.
My mistake sorry. It should be 10.98.0.0 10.98.0.0

You don't need the global command: your static should be:  static (classrooms_inside,outside) w.x.y.b 192.168.19.245 netmask 255.255.255.255.
Same results:

6      Apr 24 2011      12:37:54            10.98.8.21      50715      192.168.19.253      3389      Deny TCP (no connection) from 10.98.8.21/50715 to 192.168.19.253/3389 flags RST  on interface inside


%ASA-6-106015: Deny TCP (no connection) from IP_address/port to
IP_address/port flags tcp_flags on interface interface_name.

Thanks for your persistence.
I did a small research on the error you have and found the following explanation:
The security appliance discarded a TCP packet that has no associated connection in the security appliance connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
Recommended Action:   None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

Source: http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html

On different post I found a solution for similar problem: add the following command to Cisco ASA configuration:sysopt connection timewait
sysopt connection timewait: Force each TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final normal TCP close-down sequence.
The sysopt connection timewait command is necessary for end host applications whose default TCP terminating sequence is a simultaneous close instead of the normal shutdown sequence (see RFC 793). In a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed to the normal sequence where one end closes and the other end acknowledges prior to initiating its own closing sequence.
Source: http://www.cisco.com/en/US/docs/security/pix/pix61/command/reference/s.html#wp1026942

I hope this will help. It seams the problem is not with the configuration of Cisco ASA.
Thanks spaperov.  I really appreciate all the time you've put into this problem.  For the last six or so questions I've asked on Experts-Exchange, I've gotten very little response and most have gone unanswered.  So thank you for renewing my faith in this service.

Unfortunately, the sysopt connection timewait command didn't help.  Could it be an asymmetric routing issue as Mystique_87 mentioned above?  As I mentioned, I am not a Cisco expert by any means and when I tried to connect to 192.168.19.253 from 10.98.8.21, I fat fingered it and typed 192.168.18.253 and it worked!  192.168.18.253 is also an address of the server with IP address 192.168.19.253 (it's multihomed and hands out DHCP addresses to all of the different VLANs).

Here's how traffic flows on the classrooms_inside interface:

VLANs 11-18 - PC with DG of 192.168.(11-18).254 to Cisco 3560 switch with VLAN IP addresses of 192.168.(11-18).254
VLAN 19 - PC with DG of 192.168.19.250 to Cisco 3560 switch with VLAN IP address of 192.168.19.250

The route on the Cisco 3560 switch is ip route 0.0.0.0 0.0.0.0 192.168.19.254 (the classrooms_inside interface) but the ip default-gateway is 10.98.4.1 (the inside interface).

Lastly, the route on the ASA are below:

route outside 0.0.0.0 0.0.0.0 w.x.y.c 1
route classrooms_inside 192.168.11.0 255.255.255.0 192.168.19.250 1
route classrooms_inside 192.168.12.0 255.255.255.0 192.168.19.250 1
route classrooms_inside 192.168.13.0 255.255.255.0 192.168.19.250 1
route classrooms_inside 192.168.14.0 255.255.255.0 192.168.19.250 1
route classrooms_inside 192.168.15.0 255.255.255.0 192.168.19.250 1
route classrooms_inside 192.168.16.0 255.255.255.0 192.168.19.250 1
route classrooms_inside 192.168.17.0 255.255.255.0 192.168.19.250 1
route classrooms_inside 192.168.18.0 255.255.255.0 192.168.19.250 1

All of the classrooms point back to the VLAN IP address of VLAN 19.  I don't know if this is a best practice approach.

Anyhow, I can connect to one of the servers on the 192.168.19.x/24 subnet but I really need to connect to several which aren't multihomed.  Does any of this make a difference?

Thanks again for all your help.
One more piece of information that may be good to know...

I can ping 192.168.19.x/24 from 10.98.0.0/20 and receive a response.  I do not, however, receive a reply if I ping 10.98.0.0/20 from 192.168.19.x/24.
The ping command behaves exactly as it should: when the traffic in initiated from a higher security interface to a lower one the connection is made; on other hand when it is initiated from a lower to a higher, you need explicit access-list to allow it.

I didn’t pay enough attention to the switch configuration. Both networks go through the switch and you have a trunk between the switch and the firewall, right? I am not sure that ip default-gateway and ip route 0.0.0.0 0.0.0.0 could cause a problem. Try to remove ip default-gateway.

Can you run show ip route on the router?

Yes, your setup is not something simple, I can tell that. I think I will have to see both physical and logical network diagrams of the connections between the switch and the firewall in order to understand it.
I removed the default-gateway reference and it didn't seem to make a difference on the network.  The sho route results from both devices are below.

sho route from ASA:

S    classroom_2 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
S    classroom_3 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
S    classroom_4 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
S    classroom_5 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
C    x.y.z.z 255.255.255.224 is directly connected, outside
S    classroom_1 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
C    classroom_wireless 255.255.255.0 is directly connected, wireless
C    business_network 255.255.240.0 is directly connected, inside
C    dmz 255.255.255.248 is directly connected, dmz
S    classroom_7 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
S    classroom_6 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
C    classroom_administration 255.255.255.0
           is directly connected, classrooms_inside
S    classroom_8 255.255.255.0 [1/0] via 192.168.19.250, classrooms_inside
S*   0.0.0.0 0.0.0.0 [1/0] via x.y.z.a, outside

sho ip route from switch:

C    192.168.12.0/24 is directly connected, Vlan12
C    192.168.13.0/24 is directly connected, Vlan13
C    192.168.14.0/24 is directly connected, Vlan14
C    192.168.15.0/24 is directly connected, Vlan15
C    192.168.11.0/24 is directly connected, Vlan11
     10.0.0.0/20 is subnetted, 1 subnets
C       10.98.0.0 is directly connected, Vlan10
C    192.168.17.0/24 is directly connected, Vlan17
     192.168.16.0/29 is subnetted, 1 subnets
C       192.168.16.0 is directly connected, Vlan16
C    192.168.19.0/24 is directly connected, Vlan19
C    192.168.18.0/24 is directly connected, Vlan18
S*   0.0.0.0/0 [1/0] via 192.168.19.254

ASKER CERTIFIED SOLUTION
Avatar of Mystique_87
Mystique_87

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Sorry mate, I think you have a design problem somewhere.

You could try one last thing on the firewall: same-security-traffic permit intra-interface this allows traffic to enter and exit on the same interface.

If it doesn’t work you could set the security-level of classrooms_inside interface to 100, add same-security-traffic permit inter-interface to disable the firewall functions between the inside and classrooms_inside interfaces and review the design.
It worked!  It worked!  Please let me know how I can figure out the asymmetric routing issue.  

Thanks very much Mystique_87!



Thanks to you too spaperov for all your help.  I really appreciate all your time.
I am glad it worked :)

Asymetric routing is a issue where the request and the return traffic are not following the same path.

We need to carefully trace the path the hosts in both the networks are taking. Try tracerouting from a PC on one network to a PC on another network and check what are the devices it traverses.

The traffic from the classroom_administration to the business_network should reach the classrooms_inside interface or a hop before it.
The traffic from the business_network to the classroom_administration should reach the inside interface or a hop before it.

Also please try the following commands and paste the output:
1) packet tracer in inside tcp <ip address of host in the business_network> 5555 <ip address of host in classroom_administration> <rdp port number>
2)  packet tracer in inside tcp ip address of host in classroom_administration> <rdp port number> <ip address of host in the business_network> 5555
This will help us figure out if it is a config issue on the ASA or the network that we would need to take a look at
Trace route from the business_network to classroom_administration was one hop.
Trace route from classroom_administration to business_network looked like this...

  1    <1 ms    <1 ms    <1 ms  192.168.19.252
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *     ^C  (obviously a problem!)

packet in inside tcp 10.98.8.21 5555 192.168.19.253 3389:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   classroom_administration 255.255.255.0   classrooms_inside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip inside business_network 255.255.240.0 classrooms_inside classroom_administration 255.255.255.0
    NAT exempt
    translate_hits = 67, untranslate_hits = 0
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any classrooms_inside any
    dynamic translation to pool 1 (192.168.19.254 [Interface PAT])
    translate_hits = 34, untranslate_hits = 0
Additional Information:

Phase: 6
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any outside any
    dynamic translation to pool 1 (censored external public address [Interface PAT])
    translate_hits = 10391, untranslate_hits = 3964
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (classrooms_inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip classrooms_inside any outside any
    dynamic translation to pool 1 (censored external public address [Interface PAT])
    translate_hits = 6177, untranslate_hits = 2326
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1673926, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: classrooms_inside
output-status: up
output-line-status: up
Action: allow

packet in inside tcp 192.168.19.253 3389 10.98.8.21 5555:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   business_network 255.255.240.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
             
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
nat-control
  match ip inside business_network 255.255.240.0 inside classroom_administration 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Sorry about the previous command:
packet-tracer in classroom_inside tcp 192.168.19.253 3389 10.98.8.21 5555

However the outputs show that the ASA is pointing out to the right interfaces for the traffic destined the the Route Lookup step.

We should take a look at the network to see where things are going wrong
The config on the ASA looks good.
The only other piece of equipment that is involved is a Cisco switch.  The full configuration is below.

Is it odd that I don't have a trunk port to the classrooms_inside interface on the firewall?


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch
!
enable secret 5 password
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
ip telnet quiet
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 description classroom_1 vlan 11 feed
 switchport access vlan 11
 switchport mode access
!
interface GigabitEthernet0/2
 description classroom_2 vlan 12 feed
 switchport access vlan 12
 switchport mode access
!
interface GigabitEthernet0/3
 description classroom_3 vlan 13 feed
 switchport access vlan 13
 switchport mode access
!
interface GigabitEthernet0/4
 description classroom_4 vlan 14 feed
 switchport access vlan 14
 switchport mode access
!
interface GigabitEthernet0/5
 description classroom_5 vlan 15 feed
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet0/6
 description classroom_6 vlan 16 feed
 switchport access vlan 16
 switchport mode access
!
interface GigabitEthernet0/7
 description classroom_7 vlan 17 feed
 switchport access vlan 17
 switchport mode access
!
interface GigabitEthernet0/8
 description classroom_8 vlan 18 feed
 switchport access vlan 18
 switchport mode access
!
interface GigabitEthernet0/9
 description classroom_administration vlan 19 feed
 switchport access vlan 19
 switchport mode access
!
interface GigabitEthernet0/10
 description classroom_wireless vlan 99 feed
 switchport access vlan 99
 switchport mode access
!
interface GigabitEthernet0/11
 description dmz vlan 9 feed
 switchport access vlan 9
 switchport mode access
!
interface GigabitEthernet0/12
 description dmz vlan 9 feed
 switchport access vlan 9
 switchport mode access
!
interface GigabitEthernet0/13
 description dmz vlan 9 feed
 switchport access vlan 9
 switchport mode access
!
interface GigabitEthernet0/14
 description business_network switch 1 vlan 10 feed
 switchport access vlan 10
 switchport mode access
!         
interface GigabitEthernet0/15
 description business_network switch 2 vlan 10 feed
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/16
 description business_network switch 3 vlan 10 feed
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/17
 description business_servers switch 1 vlan 10 feed
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/18
 switchport mode access
!
interface GigabitEthernet0/19
 description isp pass-through vlan 1000 feed
 switchport access vlan 1000
 switchport mode access
 bandwidth 16384
!
interface GigabitEthernet0/20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11-18
 switchport mode trunk
!
interface GigabitEthernet0/21
 description isp pass-through vlan 1000 feed
 switchport access vlan 1000
 switchport mode access
!
interface GigabitEthernet0/22
 description trunk to firewall outside interface
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/23
 description trunk to firewall inside interface
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree link-type point-to-point
!         
interface GigabitEthernet0/25
 switchport mode access
!
interface GigabitEthernet0/26
 switchport mode access
!
interface GigabitEthernet0/27
 switchport mode access
!
interface GigabitEthernet0/28
 switchport mode access
!
interface Vlan1
 no ip address
!
interface Vlan10
 description business_network vlan 10
 ip address 10.98.1.1 255.255.240.0
!
interface Vlan11
 description classroom_1 vlan 11
 ip address 192.168.11.252 255.255.255.0
 ip access-group vlan11_filter in
 standby 11 ip 192.168.11.254
 standby 11 timers 5 15
 standby 11 preempt
!
interface Vlan12
 description classroom_2 vlan 12
 ip address 192.168.12.252 255.255.255.0
 ip access-group vlan12_filter in
 standby 12 ip 192.168.12.254
 standby 12 timers 5 15
 standby 12 preempt
!
interface Vlan13
 description classroom_3 vlan 13
 ip address 192.168.13.252 255.255.255.0
 ip access-group vlan13_filter in
 standby 13 ip 192.168.13.254
 standby 13 timers 5 15
 standby 13 preempt
!
interface Vlan14
 description classroom_4 vlan 14
 ip address 192.168.14.252 255.255.255.0
 ip access-group vlan14_filter in
 standby 14 ip 192.168.14.254
 standby 14 timers 5 15
 standby 14 preempt
!
interface Vlan15
 description classroom_5 vlan 15
 ip address 192.168.15.252 255.255.255.0
 ip access-group vlan15_filter in
 standby 15 ip 192.168.15.254
 standby 15 timers 5 15
 standby 15 preempt
!
interface Vlan16
 description classroom_6 vlan 16
 ip address 192.168.16.3 255.255.255.248
 ip access-group vlan16_filter in
 standby 16 ip 192.168.16.1
 standby 16 timers 5 15
 standby 16 preempt
!
interface Vlan17
 description classroom_7 vlan 17
 ip address 192.168.17.252 255.255.255.0
 ip access-group vlan17-18_filter in
 standby 17 ip 192.168.17.254
 standby 17 timers 5 15
 standby 17 preempt
!
interface Vlan18
 description classroom_8 vlan 18
 ip address 192.168.18.252 255.255.255.0
 ip access-group vlan17-18_filter in
 standby 18 ip 192.168.18.254
 standby 18 timers 5 15
 standby 18 preempt
!
interface Vlan19
 description classroom_administration vlan 19
 ip address 192.168.19.252 255.255.255.0
 standby 19 ip 192.168.19.250
 standby 19 timers 5 15
 standby 19 preempt
!
interface Vlan99
 description classroom_wireless vlan 99
 no ip address
 ip access-group vlan99_filter in
!
ip default-gateway 10.98.4.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.19.254
no ip http server
!
ip access-list extended vlan11_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.17.0 0.0.0.255
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip any 192.168.13.0 0.0.0.255
 deny   ip any 192.168.14.0 0.0.0.255
 deny   ip any 192.168.15.0 0.0.0.255
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.18.0 0.0.0.255
 permit ip any 192.168.19.0 0.0.0.255
 permit ip any any
ip access-list extended vlan12_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.17.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.13.0 0.0.0.255
 deny   ip any 192.168.14.0 0.0.0.255
 deny   ip any 192.168.15.0 0.0.0.255
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.18.0 0.0.0.255
 permit ip any 192.168.19.0 0.0.0.255
 permit ip any any
ip access-list extended vlan13_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.17.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip any 192.168.14.0 0.0.0.255
 deny   ip any 192.168.15.0 0.0.0.255
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.18.0 0.0.0.255
 permit ip any 192.168.19.0 0.0.0.255
 permit ip any any
ip access-list extended vlan14_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.17.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip any 192.168.13.0 0.0.0.255
 deny   ip any 192.168.15.0 0.0.0.255
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.18.0 0.0.0.255
 permit ip any 192.168.19.0 0.0.0.255
 permit ip any any
ip access-list extended vlan15_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.17.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip any 192.168.13.0 0.0.0.255
 deny   ip any 192.168.14.0 0.0.0.255
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.18.0 0.0.0.255
 permit ip any 192.168.19.0 0.0.0.255
 permit ip any any
ip access-list extended vlan16_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.17.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip any 192.168.13.0 0.0.0.255
 deny   ip any 192.168.14.0 0.0.0.255
 deny   ip any 192.168.15.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.18.0 0.0.0.255
 permit ip any 192.168.19.0 0.0.0.255
 permit ip any any
ip access-list extended vlan17-18_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.17.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip any 192.168.13.0 0.0.0.255
 deny   ip any 192.168.14.0 0.0.0.255
 deny   ip any 192.168.15.0 0.0.0.255
 deny   ip any 192.168.16.0 0.0.0.255
 permit ip any 192.168.19.0 0.0.0.255
 permit ip any any
ip access-list extended vlan19_filter
 permit ip any host 10.98.5.198
 permit ip any 10.98.8.0 0.0.0.255
 permit ip any 10.98.17.0 0.0.0.255
 permit ip any 192.168.11.0 0.0.0.255
 permit ip any 192.168.12.0 0.0.0.255
 permit ip any 192.168.13.0 0.0.0.255
 permit ip any 192.168.14.0 0.0.0.255
 permit ip any 192.168.15.0 0.0.0.255
 permit ip any 192.168.16.0 0.0.0.255
 permit ip any 192.168.17.0 0.0.0.255
 permit ip any 192.168.18.0 0.0.0.255
 permit ip any any
ip access-list extended vlan99_filter
 deny   ip any 10.98.0.0 0.0.255.255
 deny   ip any 192.168.11.0 0.0.0.255
 deny   ip any 192.168.12.0 0.0.0.255
 deny   ip any 192.168.13.0 0.0.0.255
 deny   ip any 192.168.14.0 0.0.0.255
 deny   ip any 192.168.15.0 0.0.0.255
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.18.0 0.0.0.255
 permit ip any any
!
!
control-plane
!
!
line con 0
 exec-timeout 30 0
 password 7 password
 logging synchronous
 login
line vty 0 4
 password 7 password
 login
line vty 5 15
 password 7 password
 login
!
end

Open in new window

Here's the result from the other packet-tracer command:


packet-tracer in classrooms_inside tcp 192.168.19.253 3389 10.98.8.21 5555

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   business_network 255.255.240.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
             
Result:
input-interface: classrooms_inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks so much Mystique_87 (and the others who provided ideas for solving this issue).  It was an asymmetric routing issue.  It turns out the default gateway on the server was incorrect and all traffic was bouncing off the switch and then going to the classrooms_inside interface of the ASA.  That extra step wasn't necessary.