Solved

ASA 5505 won't pass remote desktop connections

Posted on 2012-09-17
1,123 Views
Last Modified: 2012-09-20
I have tried everything and can't get remote desktop to work through my firewall.  I have attached the current config.  Please help.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.17 16:01:46 =~=~=~=~=~=~=~=~=~=~=~=
wr t
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password gPmtuWCfb8uToFuQ encrypted
passwd gPmtuWCfb8uToFuQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
access-list outside_access_in extended permit tcp any any eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.110-192.168.1.140 inside
dhcpd dns 64.81.45.2 216.231.41.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

!
!
prompt hostname context
Cryptochecksum:bc94fc38154d314f36e72c368bb272e8
: end
[OK]

ciscoasa#
Question by:dhuff2012
4 Comments
 
LVL 6

Accepted Solution

by:
itnetworkn earned 2000 total points
ID: 38407698
I assume that this is the running config, right? I am also assuming that you have tested port 3389 using nmap to verify that the port is not open on the firewall, right? If not, it could be open on the firewall, but you could be blocking it from the workstation.

Look at this example below from this link http://www.petri.co.il/forums/showthread.php?t=22724 . I'm not sure your posted config with "static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255" is correct.

"static (inside,outside) tcp 1.1.1.1 3389 10.0.0.2 3389
access-list inbound_on_outside permit tcp any host 1.1.1.1 eq 3389
access-group inbound_on_outside in interface outside"
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38408992
What is the IP address of the PC you are trying to access? How do you access it, using vpn or what?
 

Author Comment

by:dhuff2012
ID: 38410115
The PC we are trying to RDP to from the Internet is 192.168.1.104. It is statically PAT'd to the outside interface. Static PAT using the interface requires the use of the 'interface' keyword. I have recreated the static and the access-list. It is pasted below. How can I debug the RDP connection attempts?

ASA Version 8.2(1)
!
hostname ciscoasa
enable password gPmtuWCfb8uToFuQ encrypted
passwd gPmtuWCfb8uToFuQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.17.112.127 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
access-list outside_in extended permit tcp any host 69.17.112.127 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.17.112.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.110-192.168.1.140 inside
dhcpd dns 64.81.45.2 216.231.41.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username dhuff password qY7wvpZHFcTVydy1 encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:afbf1d382897abd4bf4f04e69c1919a9
: end
[OK]

ciscoasa#
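The accepted solution doubts the `static (inside,outside) tcp interface 3389 ...` line, and the author's reposted config above is the second attempt at making the static, the access-list and the access-group agree. The following is an added example, not code from this thread or from Cisco: a small Python audit that parses those statements in the exact syntax forms used above and checks the one rule that matters on 8.2 (pre-8.3) code, namely that the ACL bound inbound on the outside interface permits the mapped port to the mapped (outside) address, not the real inside address. It also flags a point a reviewer would raise about this config: `ssh 0.0.0.0 0.0.0.0 outside` opens management to any source on the security-level-0 interface. The sample config is a trimmed copy of the one posted above; the function names and the data layout are the example's own.

```python
"""Audit ASA 8.2 static PAT rules against the inbound ACL (added example, not from the thread)."""

# Trimmed copy of the second config posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.17.112.127 255.255.255.0
access-list outside_in extended permit tcp any host 69.17.112.127 eq 3389
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
access-group outside_in in interface outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""


def _addr(tok, i):
    """Consume one ACL address spec starting at tok[i]; return (spec, next_index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2          # "network mask" form


def parse_config(text):
    """Pull interfaces, statics, extended ACLs, access-groups and ssh/telnet lines."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "access_groups": {}, "mgmt": []}
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {}                                 # filled in by the indented lines
        elif raw.startswith(" ") and cur is not None:
            if tok[0] == "nameif":
                cfg["interfaces"][tok[1]] = cur
            elif tok[0] == "security-level":
                cur["security"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur["ip"] = tok[2]
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            cfg["statics"].append({"real_if": real_if, "mapped_if": mapped_if, "proto": tok[2],
                                   "mapped": tok[3], "mport": int(tok[4]),
                                   "real": tok[5], "rport": int(tok[6])})
        elif tok[0] == "access-list" and len(tok) > 5 and tok[2] == "extended":
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            cfg["acls"].setdefault(tok[1], []).append(
                {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "port": port})
        elif tok[0] == "access-group" and tok[2] == "in":
            cfg["access_groups"][tok[4]] = tok[1]    # interface -> ACL name
        elif tok[0] in ("ssh", "telnet") and tok[1:3] == ["0.0.0.0", "0.0.0.0"]:
            cfg["mgmt"].append((tok[0], tok[3]))
    return cfg


def acl_decision(entries, proto, dst_ip, port):
    """First-match lookup as the ASA does it: True=permit, False=deny, None=implicit deny."""
    for e in entries:
        if e["proto"] not in (proto, "ip"):
            continue
        if e["dst"] not in ("any", dst_ip):
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        return e["action"] == "permit"
    return None


def audit(text):
    """Return (level, message) findings for every static in the config."""
    cfg = parse_config(text)
    findings = []
    for st in cfg["statics"]:
        mapped_if = st["mapped_if"]
        # The 'interface' keyword means the mapped address is that interface's own IP.
        mapped_ip = cfg["interfaces"].get(mapped_if, {}).get("ip") if st["mapped"] == "interface" else st["mapped"]
        target = "%s %s/%d -> %s:%d" % (mapped_if, st["proto"], st["mport"], st["real"], st["rport"])
        acl_name = cfg["access_groups"].get(mapped_if)
        if acl_name is None:
            findings.append(("FAIL", "no access-group inbound on %s; %s hits the implicit deny" % (mapped_if, target)))
            continue
        if acl_decision(cfg["acls"].get(acl_name, []), st["proto"], mapped_ip, st["mport"]):
            findings.append(("OK", "%s permits %s" % (acl_name, target)))
        else:
            findings.append(("FAIL", "%s does not permit %s (8.2 ACLs match the mapped address %s)"
                             % (acl_name, target, mapped_ip)))
    for proto, ifname in cfg["mgmt"]:
        if cfg["interfaces"].get(ifname, {}).get("security", 100) == 0:
            findings.append(("WARN", "%s from 0.0.0.0/0 is allowed on %s (security-level 0); restrict it to admin sources"
                             % (proto, ifname)))
    return findings


if __name__ == "__main__":
    for level, msg in audit(SAMPLE_CONFIG):
        print(level, msg)
```

Run against the posted config it reports OK for the 3389 forward, which is consistent with the author's later hit counts, and a WARN for the world-open SSH on outside. The parser only understands the statement shapes seen in this thread (one static per line, `extended permit|deny proto src dst [eq port]`), so a config using object-groups or 8.3-style `nat` would need a different parser.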
 

Author Comment

by:dhuff2012
ID: 38411926
Update: the show access-list command confirms that the outside-in traffic is hitting the firewall.
 
ciscoasa# show run static
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 2 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any host 69.17.112.x eq 3389 (hitcnt=7) 0x40e6ccd0
access-list outside_in line 2 extended permit ip any any (hitcnt=0) 0xc3dd4303
ciscoasa#
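The `hitcnt=7` above is the useful data point, and the repeatable way to use it is to snapshot `show access-list`, make exactly one RDP attempt from outside, snapshot again and see which ACE moved. The following is an added example, not from the thread: a parser for the `show access-list` output format shown above, a diff of the per-line counters between two captures, and a small interpretation of the result from a troubleshooting standpoint. The two captures are constructed from the author's output (one attempt between them); the function names are the example's own, and the `show xlate` / `show conn` follow-up it suggests are standard ASA commands the thread itself does not mention.

```python
"""Diff ASA 'show access-list' hit counters around one test connection (added example)."""
import re

# One ACE line, e.g.
# access-list outside_in line 1 extended permit tcp any host 69.17.112.127 eq 3389 (hitcnt=7) 0x40e6ccd0
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.*?) \(hitcnt=(?P<hits>\d+)\)")

# Constructed capture modelled on the thread's output, taken before a single
# RDP attempt from the Internet.
BEFORE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 2 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any host 69.17.112.127 eq 3389 (hitcnt=7) 0x40e6ccd0
access-list outside_in line 2 extended permit ip any any (hitcnt=0) 0xc3dd4303
"""
# Same capture just after the attempt: only the 3389 line has moved.
AFTER = BEFORE.replace("(hitcnt=7)", "(hitcnt=8)")


def parse_hitcounts(text):
    """Return {(acl, line_no): (rule_text, hits)} for every ACE in a dump."""
    counts = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            counts[(m["acl"], int(m["line"]))] = (m["rule"], int(m["hits"]))
    return counts


def diff_hitcounts(before, after):
    """List (acl, line_no, rule_text, delta) for ACEs whose counter changed."""
    a, b = parse_hitcounts(before), parse_hitcounts(after)
    deltas = []
    for key in sorted(b):
        rule, hits_after = b[key]
        hits_before = a.get(key, (None, 0))[1]
        if hits_after != hits_before:
            deltas.append((key[0], key[1], rule, hits_after - hits_before))
    return deltas


def interpret(deltas, port):
    """Map the counter diff for one service port to the next place to look."""
    moved = [d for d in deltas if ("eq %d" % port) in d[2] and d[3] > 0]
    if not moved:
        return ("no ACE for port %d incremented: the SYN never reached the outside ACL, "
                "so check the upstream path (client side, ISP, the public IP being used)" % port)
    acl, line, _, delta = moved[0]
    return ("ACE %s line %d permitted %d packet(s): the ACL is fine, so check the "
            "translation next (show xlate, show conn) and then the host itself "
            "(RDP enabled, host firewall, something listening on %d)" % (acl, line, delta, port))


if __name__ == "__main__":
    changes = diff_hitcounts(BEFORE, AFTER)
    for acl, line, rule, delta in changes:
        print("%s line %d +%d  %s" % (acl, line, delta, rule))
    print(interpret(changes, 3389))
```

With the author's numbers the permit line increments and nothing else does, which is why the sensible next step is below the ACL: the xlate/conn tables on the ASA and then the Windows host at 192.168.1.104. A counter that does not move at all points the other way, towards the path before the firewall.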
