qvfps
asked on
Remote Desktop through Cisco ASA
I have a Cisco ASA5505 setup and I need to use remote desktop to access a server behind the firewall. The IP of the internal server is 192.168.31.235. I have tried several different ways to get this working and I am obviously missing something. Below is the current configuration of the firewall. Any suggestions as to what I have done wrong would be appreciated.
: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name MyCoService
enable password oiugfdydtyfyhfhj4 encrypted
passwd odsifjadsopfjds encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.31.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.101 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name MyCoService
object network obj-192.168.31.0
subnet 192.168.31.0 255.255.255.0
object network NETWORK_OBJ_192.168.32.0_26
subnet 192.168.32.0 255.255.255.192
object network 192.168.31.235
host 192.168.31.235
object service rdp
service tcp source eq 3389 destination eq 3389
object network 192.168.1.101
host 192.168.1.101
access-list outside_int extended permit tcp any host 192.168.31.235 eq 3389
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host inside 192.168.31.235
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.32.1-192.168.32.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.32.0_26 NETWORK_OBJ_192.168.32.0_26
nat (outside,inside) source static any any destination static 192.168.31.235 192.168.1.101 service rdp rdp
!
object network obj-192.168.31.0
nat (inside,outside) dynamic interface
object network 192.168.1.101
nat (any,any) static 192.168.31.235
access-group outside_int in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.31.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy MyCoVPN internal
group-policy MyCoVPN attributes
vpn-tunnel-protocol ikev1
default-domain value MyCoService
username vpnlogin1 password wuXKtdwWsM7jiiL6 encrypted privilege 0
username vpnlogin1 attributes
vpn-group-policy MyCoVPN
tunnel-group MyCoVPN type remote-access
tunnel-group MyCoVPN general-attributes
address-pool VPNPool
default-group-policy MyCoVPN
tunnel-group MyCoVPN ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
: end
asdm image disk0:/asdm-645-106.bin
no asdm history enable
Let's see.
First remove:
nat (outside,inside) source static any any destination static 192.168.31.235 192.168.1.101 service rdp rdp
Then add:
object network obj-192.168.31.235
host 192.168.31.235
nat (inside,outside) static 192.168.1.101 service tcp 3389 3389
clear xlate
Then see if that works for you.
ASKER
I get the following error on the NAT command.
Result of the command: "nat (inside,outside) static 192.168.1.101 service tcp 3389 3389"
ERROR: Address 192.168.1.101 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
ASKER
Internal Interface 192.168.31.1
External Interface 192.168.1.101
IP of server I need to RDP into 192.168.31.235
ASKER
I tried the example above and I see the following lines in the log when I try to connect.
2 Oct 11 2011 12:06:38 192.168.1.7 49171 192.168.31.235 3389 Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN on interface outside
2 Oct 11 2011 12:06:32 192.168.1.7 49171 192.168.31.235 3389 Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN on interface outside
2 Oct 11 2011 12:06:29 192.168.1.7 49171 192.168.31.235 3389 Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN on interface outside
Mmm, first thing that comes to mind is that the access list isn't bound to the interface (anymore). Could you check?
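As an added example (not part of the thread), a small parser for the "Inbound TCP connection denied" lines quoted above: it groups denials by source, destination and port so that a burst of SYN retries against a published service, the symptom of an inbound ACL that is missing or not bound to the interface, stands out in a larger log. The sample lines are constructed from the format shown in the thread; the "Built outbound" line is a constructed non-denial message used only to show that unrelated entries are skipped.

```python
import re
from collections import Counter, defaultdict

# Body of the ASA "connection denied" syslog message as quoted in the thread.
# The ASDM viewer columns in front of it (severity, timestamp, addresses) are
# tolerated because search() ignores whatever precedes the match.
DENIED_RE = re.compile(
    r"Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

# Constructed sample log: three lines in the format posted above plus one
# unrelated "Built outbound" line that the parser must ignore.
SAMPLE_LOG = """\
2 Oct 11 2011 12:06:38 192.168.1.7 49171 192.168.31.235 3389 Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN on interface outside
2 Oct 11 2011 12:06:32 192.168.1.7 49171 192.168.31.235 3389 Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN on interface outside
2 Oct 11 2011 12:06:29 192.168.1.7 49171 192.168.31.235 3389 Inbound TCP connection denied from 192.168.1.7/49171 to 192.168.31.235/3389 flags SYN on interface outside
6 Oct 11 2011 12:06:40 192.168.31.20 52100 192.168.1.5 80 Built outbound TCP connection 1234 for outside:192.168.1.5/80 to inside:192.168.31.20/52100
"""


def parse_denials(text):
    """Yield one dict per 'connection denied' line; other messages are skipped."""
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def summarize(text, watch_port=3389, threshold=2):
    """Count denials per (src, dst, dport) and report watched ports that were
    denied at least `threshold` times, i.e. a client retrying its SYN."""
    counts = Counter()
    ifaces = defaultdict(set)
    for d in parse_denials(text):
        key = (d["src"], d["dst"], d["dport"])
        counts[key] += 1
        ifaces[key].add(d["iface"])
    findings = [
        f"{n}x {src} -> {dst}:{dport} denied on {','.join(sorted(ifaces[(src, dst, dport)]))}"
        for (src, dst, dport), n in counts.most_common()
        if dport == watch_port and n >= threshold
    ]
    return dict(counts), findings


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG)[1]:
        print(line)
```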
ASKER
I think that did it thanks.
You're welcome :)
Just let me know if there is anything else.
Not so familiar with PIX, but I think you need to allow RDP on the NATted address of 192.168.31.235, which is 192.168.1.101.