ASA5505 and RDP Not Working

sscottinandrews
Experts:
I have an issue that has gotten me puzzled. I have an ASA5505, I have the outside IP address of 99.99.99.99 and an inside server with the IP of 192.168.1.4.
I have the access-list allowing it in on 3389/RDP
I have the static as PUBLIC IP to Server
I have it applied to the outside interface

This was working great up until a week ago, and I am just not sure what changed. Can someone help me out and point me in the right direction, please?

I have attached my current config and just need RDP into the server IP listed above.

Thank you!!!
current-config.txt
Garry Glendown, Consulting and Network/Security Specialist
Commented:
Assuming really nothing was changed, have you tried turning it off and on? (standard fixes might actually work ...)

Checking the config, this line takes care of permitting the incoming access:

access-list outside_access_in extended permit tcp host Server host 99.61.x.x eq 3389

This looks wrong ... This allows the INTERNAL IP 192.168.1.4 on the OUTSIDE interface to get to some NAT address ... if the ".x.x" is the NAT address of the RDP destination, it makes even less sense ...

Instead of "Server", this ought to be some outside machine(s) that are allowed to access the server (at which point the line would be correct and working in conjunction with the static nat)
A suitably sanitised copy of the configuration would be useful.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012
Commented:
Agree with Garry.

access-list outside_access_in extended permit tcp host Server host 99.61.x.x eq 3389

Will not allow RDP traffic from the outside.

access-list outside_access_in extended permit tcp any host 99.61.x.x eq 3389
Should do it, or
access-list outside_access_in extended permit tcp any interface outside eq 3389
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
If you want to limit the outside access you can always change the any to certain hosts or ranges.
What version of ASA software are you running?
Garry Glendown, Consulting and Network/Security Specialist

Commented:
According to the config, 8.2(1) ...

Author

Commented:
Garry, well, all:
Thank you for the replies!

Are you saying this line is incorrect:
static (inside,outside) 99.61.x.x Server netmask 255.255.255.255

and that I should reverse the IPs? 99.61.x.x is the public IP within the range that we are allotted, that I give the end user to RDP to, which should then NAT to 192.168.1.4 (Server). I can remove the name Server from the ASA, but the ASA equates Server to 192.168.1.4.

Let me know and thank you all!!


Oh and to Arne -- There is a running config attached. Sorry that you don't see it!
Garry Glendown, Consulting and Network/Security Specialist

Commented:
No, the static NAT is fine ...
The access list is wrong ...

access-list outside_access_in extended permit tcp <Some_IP_or_Network_or_any> host 99.61.x.x eq 3389

So, if you want any arbitrary IP from external to get through to the server's RDP, change the line to:

access-list outside_access_in extended permit tcp any host 99.61.x.x eq 3389
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Like Garry (and myself ;) posted: the static is good, you need to only adjust the access list as we pointed out to you.

The name command is only to show names instead of IPs in the configuration of the ASA itself, only there. Some people turn that on because they find it more convenient to use names instead of IPs. I prefer IP addresses.
So you can remove the names or leave them there, just as you like it.

Author

Commented:
Sorry Erniebeek:
You are correct, I did have that stated just the opposite, I added

access-list outside_access_in line 1 extended permit tcp host Server host 99.61.146.X eq 3389

Took out the other one, and still does not work. Any other thoughts...???

Thank you!!

Author

Commented:
I did actually try both statements, I left the one that I listed above in the ASA. Also there are no hit counts on the counter for that either, although I have tried it numerous times.

Thank you!!
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
So now you have:
access-list outside_access_in line 1 extended permit tcp host Server host 99.61.146.X eq 3389 ?

That's the wrong one, it should be:
access-list outside_access_in extended permit tcp any host 99.61.x.x eq 3389

Also check if: access-group outside_access_in in interface outside is still there. If you first removed the access list, that one might be gone too.

Author

Commented:
I actually added your suggestion, then removed what I had :)

This is my current access-list:
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 99.61.x.x eq 3389 (hitcnt=0) 0xfa4c6f20
access-list MPConInc_splitTunnelAcl; 1 elements; name hash: 0xba71ee91
access-list MPConInc_splitTunnelAcl line 1 standard permit 192.168.1.0 255.255.255.0 (hitcnt=0) 0xb04ca848
access-list inside_nat0_outbound; 2 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.128 (hitcnt=0) 0x84db8f36
access-list inside_nat0_outbound line 2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0xcaaa4637
access-list outside_1_cryptomap; 1 elements; name hash: 0xcf826bcb
access-list outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=2) 0xd15bde0d

Thank you!!
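The two things the experts keep coming back to are the direction of the ACE (source must be the outside party, destination the public IP) and the hitcnt on that ACE (zero means no packet ever reached the ACL). As an added example, not code from the thread or from Cisco, this small Python parser reads "show access-list" output in the format pasted above and reports whether the tcp/3389 ACE is present, reversed, or missing, along with its hit count; the sample ACE lines and the inside-name set are constructed here, and "Server"/"99.61.x.x" are the thread's own placeholders.

```python
import re

# One ACE line of ASA "show access-list" output, in the format pasted in the thread, e.g.
# access-list outside_access_in line 1 extended permit tcp any host 99.61.x.x eq 3389 (hitcnt=0) 0xfa4c6f20
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
                    r"(?P<proto>\S+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)")

def endpoint(toks):
    """Consume one endpoint ('any', 'host X' or 'NET MASK') from the token list."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]

def parse_show_access_list(text):
    """Return one dict per extended ACE: acl, line, action, proto, src, dst, port, hits."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        ace = m.groupdict()
        toks = ace.pop("rest").split()
        if "eq" in toks:                       # trailing 'eq PORT' on the destination
            ace["port"], toks = toks[-1], toks[:-2]
        else:
            ace["port"] = None
        ace["src"], toks = endpoint(toks)
        ace["dst"], _ = endpoint(toks)
        ace["line"], ace["hits"] = int(ace["line"]), int(ace["hits"])
        aces.append(ace)
    return aces

def check_inbound_rdp(text, acl, public_ip, inside_names):
    """Find the ACE in acl that publishes tcp/3389 on public_ip. Returns (status, hitcnt):
    'ok' = outside source permitted to the public IP; 'reversed' = source is an inside
    host/name (the thread's mistake: it can never match an inbound packet); 'missing' = no ACE."""
    for a in parse_show_access_list(text):
        if (a["acl"], a["action"], a["proto"], a["port"], a["dst"]) == (acl, "permit", "tcp", "3389", public_ip):
            return ("reversed" if a["src"] in inside_names else "ok"), a["hits"]
    return "missing", None

# Constructed samples: the wrong ACE from early in the thread, and the corrected one.
WRONG = "access-list outside_access_in line 1 extended permit tcp host Server host 99.61.x.x eq 3389 (hitcnt=0) 0xfa4c6f20"
RIGHT = "access-list outside_access_in line 1 extended permit tcp any host 99.61.x.x eq 3389 (hitcnt=0) 0xfa4c6f20"
INSIDE = {"Server", "192.168.1.4"}   # names/addresses that only make sense as an inside source
```

A result of ('ok', 0) after repeated connection attempts is the situation the thread ends up in: the ACL is right but no packet ever reaches the outside interface, which points upstream of the ASA.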
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Mmm, ok. Just to make sure:

In
static (inside,outside) 99.61.x.x Server netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 99.61.x.x eq 3389


The address 99.61.x.x is the same, correct?

But how about the address in:

interface Vlan2
 nameif outside
 security-level 0
 ip address 99.61.x.x 255.255.255.248


Is that also the same public?
Garry Glendown, Consulting and Network/Security Specialist

Commented:
You could also go through Packet Tracer (easiest in ASDM) and simulate whether connections from the outside would come through ... select outside interface, source some random IP (1.2.3.4), destination the outside IP 99.61.x.y of the RDP server, some random port incoming (1234) and 3389 as destination port ... then run and see whether the packet is correctly transported through the different stages on the ASA ...
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
That's also a good idea. And even just looking at the (ASDM) logs might give you a clue.

But I'm still curious about the publics though.

Author

Commented:
No, the IPs are different. I have a /29, so I have the typical outside interface addressed with one IP and then use another for the RDP session.

I'm not sure I can do that, Garry, not sure my knowledge is good enough to simulate that. I guess I could make an RDP request and view if the request is even hitting the outside interface?
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Just to make sure, the RDP server (still) has the ASA as the default gateway? No firewall running there? Terminal services running?
Sometimes Windows Update might mess things up.

Author

Commented:
I verified that it does -- RDP has the ASA as the gateway 192.168.1.1, and the firewall is turned off, and remote/terminal access is running and is enabled. I can access the server through RDP on the inside, just not Outside In.

Author

Commented:
When I make the request, I do not see anything come across the ASDM Syslog messages area either???

Author

Commented:
The issue was that the modem MAC address had not been updated in the ATT router, so it would allow Internet access, but the packets got lost on the way to my outside interface for anything that wasn't an inbound request initiated from the inside to begin with.

Thank you for all the help!!!
