sscottinandrews
asked on
ASA5505 and RDP Not Working
Experts:
I have an issue that has gotten me puzzled. I have an ASA5505, I have the outside IP address of 99.99.99.99 and an inside server with the IP of 192.168.1.4.
I have the access-list allowing it in on 3389/RDP
I have the static as PUBLIC IP to Server
I have it applied to the outside interface
This was working great up until a week ago, and I am just not sure what changed. Can someone help me out and point me in the right direction, please?
I have attached my current config and just need RDP into the server IP listed above.
Thank you!!!
current-config.txt
a suitably sanitised copy of the configuration would be useful
If you want to limit the outside access you can always change the any to certain hosts or ranges.
What version of ASA software are you running ?
According to the config, 8.2(1) ...
ASKER
Garry: well all:
Thank you for the replies!
Are you saying this line is incorrect:
static (inside,outside) 99.61.x.x Server netmask 255.255.255.255
should reverse the IPs. 99.61.x.x is the Public IP within the range that we are allotted, that I give the end user to RDP to, which should then NAT to 192.168.1.4 (Server). I can remove the name of Server from the ASA, but the ASA eq Server to 192.168.1.4.
Let me know and thank you all!!
Oh and to Arne -- There is a running config attached. Sorry that you don't see it!
no, the static nat is fine ...
the access list is wrong ...
access-list outside_access_in extended permit tcp <Some_IP_or_Network_or_any > host 99.61.x.x eq 3389
So, if you want any arbitrary IP from external to get through to the server's RDP, change the line to:
access-list outside_access_in extended permit tcp any host 99.61.x.x eq 3389
Like Garry (and myself ;) posted: the static is good, you need to only adjust the access list as we pointed out to you.
The name command is only to show names instead of IPs in the configuration of the ASA itself, only there. Some people turn that on because they find it more convenient to use names instead of IPs. I prefer IP addresses.
So you can remove the names or leave them there, just as you like it.
ASKER
Sorry Erniebeek:
You are correct, I did have that stated just the opposite, I added
access-list outside_access_in line 1 extended permit tcp host Server host 99.61.146.X eq 3389
Took out the other one, and still does not work. Any other thoughts...???
Thank you!!
ASKER
I did actually try both statements; I left the one that I listed above in the ASA. Also there are no hit counts on the counter for that either, although I have tried it numerous times.
Thank you!!
So now you have:
access-list outside_access_in line 1 extended permit tcp host Server host 99.61.146.X eq 3389 ?
That's the wrong one, it should be:
access-list outside_access_in extended permit tcp any host 99.61.x.x eq 3389
Also check if: access-group outside_access_in in interface outside is still there. If you first removed the access list, that one might be gone too.
ASKER
I actually added your suggestion, then removed what I had :)
This is my current access-list:
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 99.61.x.x eq 3389 (hitcnt=0) 0xfa4c6f20
access-list MPConInc_splitTunnelAcl; 1 elements; name hash: 0xba71ee91
access-list MPConInc_splitTunnelAcl line 1 standard permit 192.168.1.0 255.255.255.0 (hitcnt=0) 0xb04ca848
access-list inside_nat0_outbound; 2 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.128 (hitcnt=0) 0x84db8f36
access-list inside_nat0_outbound line 2 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0xcaaa4637
access-list outside_1_cryptomap; 1 elements; name hash: 0xcf826bcb
access-list outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=2) 0xd15bde0d
Thank you!!
Mmm, ok. Just to make sure:
In
static (inside,outside) 99.61.x.x Server netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 99.61.x.x eq 3389
The address 99.61.x.x is the same, correct?
But how about the address in:
interface Vlan2
nameif outside
security-level 0
ip address 99.61.x.x 255.255.255.248
Is that also the same public?
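An added consistency check, not from this thread and not Cisco's code, that applies the three tests the replies converge on to an 8.2-style config: the inbound ACL must reference the mapped (public) address from the static rather than the real inside address, the mapped address should be a spare address inside the outside interface's /29, and the ACL must actually be bound with access-group. The sample config is constructed for illustration with placeholder public addresses (the page masks them as 99.61.x.x).

```python
import ipaddress
import re

# Constructed ASA 8.2-style config modelled on the thread; the public
# addresses are placeholders (the page masks them as 99.61.x.x).
SAMPLE_CONFIG = """\
name 192.168.1.4 Server
interface Vlan2
 nameif outside
 ip address 99.61.146.10 255.255.255.248
static (inside,outside) 99.61.146.11 Server netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 99.61.146.11 eq 3389
access-group outside_access_in in interface outside
"""

def check_rdp_publish(config, port="3389"):
    """Return the problems found in the static + inbound ACL pair (empty list = consistent)."""
    # 'name <ip> <label>' only swaps labels for IPs in the displayed config.
    names = {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)", config, re.M)}

    def to_ip(tok):  # resolve a label or literal; None for 'any' or unknown tokens
        try:
            return ipaddress.ip_address(names.get(tok, tok))
        except ValueError:
            return None
    m = re.search(r"nameif outside\n(?: .*\n)*? ip address (\S+) (\S+)", config)
    s = re.search(r"^static \(inside,outside\) (\S+) (\S+) netmask", config, re.M)
    if not m or not s:
        return ["outside interface address or static (inside,outside) missing"]
    outside_ip = ipaddress.ip_address(m.group(1))
    outside_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    mapped, real = to_ip(s.group(1)), to_ip(s.group(2))  # public, inside
    problems = []
    if mapped not in outside_net or mapped == outside_ip:
        problems.append(f"mapped address {mapped} must be a spare address in {outside_net}")
    # Pre-8.3 rule: the inbound ACL matches the mapped (public) address, not the real one.
    rules = re.findall(rf"^access-list (\S+) (?:line \d+ )?extended permit tcp (.+?) host (\S+) eq {port}\s*$", config, re.M)
    good = []
    for name, src, dst in rules:
        if to_ip(dst) == real:
            problems.append(f"ACL {name} permits to the real address {real}; use the mapped {mapped}")
        elif src.startswith("host ") and to_ip(src[5:]) == real:
            problems.append(f"ACL {name} has the inside server as source; outside clients never match it")
        elif to_ip(dst) == mapped:
            good.append(name)
    if not good:
        problems.append(f"no ACL permits tcp/{port} from outside to {mapped}")
    applied = re.findall(r"^access-group (\S+) in interface outside", config, re.M)
    problems += [f"ACL {n} is not applied inbound on outside (access-group missing)" for n in good if n not in applied]
    return problems
```

Run it against `show running-config` output saved to a file; an empty list means the static, ACL and access-group agree and the next place to look is upstream of the outside interface.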
You could also go through Packet Tracer (easiest in ASDM) and simulate whether connections from the outside would come through ... select outside interface, source some random IP (1.2.3.4), destination the outside IP 99.61.x.y of the RDP server, some random port incoming (1234) and 3389 as destination port ... then run and see whether the packet is correctly transported through the different stages on the ASA ...
That's also a good idea. And even just looking at the (ASDM) logs might give you a clue.
But I'm still curious about the publics though.
ASKER
No, the IPs are different. I have a /29, so I have the typical outside interface addressed with one IP and then use another for the RDP session.
I'm not sure I can do that, Garry; not sure my knowledge is good enough to simulate that. I guess I could make an RDP request and view whether the request is even hitting the Outside Interface?
Just to make sure, the RDP server (still) has the ASA as the default gateway? No firewall running there? Terminal services running?
Sometimes windowsupdate might mess things up.
ASKER
I verified that it does -- RDP has the ASA as the gateway 192.168.1.1, and the firewall is turned off, and remote/terminal access is running and is enabled. I can access the server through RDP on the inside, just not Outside In.
ASKER
When I make the request, I do not see anything come across the ASDM Syslog messages area either???
ASKER
The issue was that the Modem MAC address had not been updated in the ATT Router, so it would allow Internet Access, but the packets got lost on the way to my outside interface for anything that wasn't an inbound request initiated from the inside to begin with.

Thank you for all the help!!!