• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1365
  • Last Modified:

Remote Desktop through Cisco ASA

I have a Cisco ASA5505 setup and I need to use remote desktop to access a server behind the firewall.    The IP of the internal server is 192.168.31.235.  I have tried several differnt ways to get this wokring and I am obviously missing something.   Below is the current configuration of the firewall.   Any suggestions as to what I have done wrong would be appreciated.

: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name MyCoService
enable password oiugfdydtyfyhfhj4 encrypted
passwd odsifjadsopfjds encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.31.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.101 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name MyCoService
object network obj-192.168.31.0
 subnet 192.168.31.0 255.255.255.0
object network NETWORK_OBJ_192.168.32.0_26
 subnet 192.168.32.0 255.255.255.192
object network 192.168.31.235
 host 192.168.31.235
object service rdp
 service tcp source eq 3389 destination eq 3389
object network 192.168.1.101
 host 192.168.1.101
access-list outside_int extended permit tcp any host 192.168.31.235 eq 3389
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host inside 192.168.31.235
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.32.1-192.168.32.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.32.0_26 NETWORK_OBJ_192.168.32.0_26
nat (outside,inside) source static any any destination static 192.168.31.235 192.168.1.101 service rdp rdp
!
object network obj-192.168.31.0
 nat (inside,outside) dynamic interface
object network 192.168.1.101
 nat (any,any) static 192.168.31.235
access-group outside_int in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy MyCoVPN internal
group-policy MyCoVPN attributes
 vpn-tunnel-protocol ikev1
 default-domain value MyCoService
username vpnlogin1 password wuXKtdwWsM7jiiL6 encrypted privilege 0
username vpnlogin1 attributes
 vpn-group-policy MyCoVPN
tunnel-group MyCoVPN type remote-access
tunnel-group MyCoVPN general-attributes
 address-pool VPNPool
 default-group-policy MyCoVPN
tunnel-group MyCoVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context

: end
asdm image disk0:/asdm-645-106.bin
no asdm history enable
0
qvfps
Asked:
qvfps
  • 4
  • 4
1 Solution
 
khairilCommented:
Hi,

Not so familiar with PIX, but I think you need to allow rdp on natted address of 192.168.31.235
which is 192.168.1.101.
0
 
Ernie BeekCommented:
Let's see.
First remove:
nat (outside,inside) source static any any destination static 192.168.31.235 192.168.1.101 service rdp rdp

Then add:

object network obj-192.168.31.235
host 192.168.31.235
nat (inside,outside) static 192.168.1.101 service tcp 3389 3389
clear xlate

Then see if that works for you.
0
 
qvfpsAuthor Commented:
I get the following error on the NAT command.

Result of the command: "nat (inside,outside) static 192.168.1.101 service tcp 3389 3389"

ERROR: Address 192.168.1.101 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
qvfpsAuthor Commented:
Internal Interface 192.168.31.1
External Interface 192.168.1.101
IP of server I need to RDP into  192.168.31.235
0
 
Ernie BeekCommented:
Ok, then try:

object network obj-192.168.31.235
host 192.168.31.235
nat (inside,outside) static interface service tcp 3389 3389
clear xlate
0
 
qvfpsAuthor Commented:
I tried the example above and I see the following lines in the log when I try to connect.

2      Oct 11 2011      12:06:38            192.168.1.7      49171      192.168.31.235      3389      Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN  on interface outside
2      Oct 11 2011      12:06:32            192.168.1.7      49171      192.168.31.235      3389      Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN  on interface outside
2      Oct 11 2011      12:06:29            192.168.1.7      49171      192.168.31.235      3389      Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN  on interface outside
0
 
Ernie BeekCommented:
Mmm, first thing that comes to mind is that the access list isn't bound to the interface (anymore). could you check?
0
 
qvfpsAuthor Commented:
I think that did it thanks.
0
 
Ernie BeekCommented:
You're welcome :)
Just let me know if there is anything else.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now