ASA 5505 won't pass remote desktop connections

I have tried everything and can't get remote desktop to work through my firewall.  I have attached the current config.  Please help.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.17 16:01:46 =~=~=~=~=~=~=~=~=~=~=~=
wr t
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password gPmtuWCfb8uToFuQ encrypted
passwd gPmtuWCfb8uToFuQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
access-list outside_access_in extended permit tcp any any eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.110-192.168.1.140 inside
dhcpd dns 64.81.45.2 216.231.41.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

!
!
prompt hostname context
Cryptochecksum:bc94fc38154d314f36e72c368bb272e8
: end
[OK]

ciscoasa#
dhuff2012Asked:
itnetworknCommented:
I assume that this is the running config, right? I am also assuming that you have tested port 3389 using netmap to verify that the port is not open on the firewall, right? If not, it could be open on the firewall, but you could be blocking it from the workstation.

Look at the example below, from http://www.petri.co.il/forums/showthread.php?t=22724. I'm not sure your posted config with "static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255" is correct.

"static (inside,outside) tcp 1.1.1.1 3389 10.0.0.2 3389
access-list inbound_on_outside permit tcp any host 1.1.1.1 eq 3389
access-group inbound_on_outside in interface outside"
0
 
fgasimzadeCommented:
What is the IP address of the PC you are trying to access? How do you access it, using vpn or what?
0
 
dhuff2012Author Commented:
The PC we are trying to RDP to from the Internet is 192.168.1.104. It is statically PAT'd to the outside interface. Static PAT using the interface requires the use of the 'interface' keyword. I have recreated the static and the access-list. It is pasted below. How can I debug the RDP connection attempts?

ASA Version 8.2(1)
!
hostname ciscoasa
enable password gPmtuWCfb8uToFuQ encrypted
passwd gPmtuWCfb8uToFuQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.17.112.127 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
access-list outside_in extended permit tcp any host 69.17.112.127 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.17.112.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.110-192.168.1.140 inside
dhcpd dns 64.81.45.2 216.231.41.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username dhuff password qY7wvpZHFcTVydy1 encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:afbf1d382897abd4bf4f04e69c1919a9
: end
[OK]

ciscoasa#
0
 
dhuff2012Author Commented:
Update: the show access-list command confirms that the outside-in traffic is hitting the firewall.
 
ciscoasa# show run static
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 2 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit tcp any host 69.17.112.x eq 3389     (hitcnt=7) 0x40e6ccd0
access-list outside_in line 2 extended permit ip any any (hitcnt=0) 0xc3dd4303
ciscoasa#
0
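As an added example (not code from the thread or from Cisco), here is a small Python checker for the ASA 8.2 pre-NAT ACL semantics that itnetworkn's comment turns on: the inbound ACL must permit the global (outside) address used by the static, so the 'interface' keyword has to be resolved to the outside interface IP before comparing. The sample config lines are copied from the second posted config; the function names and the finding messages are my own.

```python
import re

# Constructed sample: the lines that matter from the second config in the thread.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 69.17.112.127 255.255.255.0
access-list outside_in extended permit tcp any host 69.17.112.127 eq 3389
static (inside,outside) tcp interface 3389 192.168.1.104 3389 netmask 255.255.255.255
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp (?:any|host \S+) (any|host \S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def interface_ips(config):
    """Map nameif -> IP address so the 'interface' keyword in a static can be resolved."""
    ips, name = {}, None
    for line in config.splitlines():
        if line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            ips[name] = line.split()[2]
    return ips

def check_static_pat(config, port=3389):
    """Return findings explaining why inbound tcp/<port> would fail; an empty list
    means the static PAT, the inbound ACL and the access-group binding agree."""
    ips, statics, acls, groups = interface_ips(config), [], {}, {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            outside, glob, gport = m.group(1), m.group(2), int(m.group(3))
            # 8.2 ACLs match the global (outside) address: resolve 'interface' to the outside IP.
            statics.append((outside, ips.get(outside, glob) if glob == "interface" else glob, gport))
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), int(m.group(3))))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    findings = []
    matching = [s for s in statics if s[2] == port]
    if not matching:
        findings.append(f"no static PAT for tcp/{port}")
    for outside, glob, _ in matching:
        acl = groups.get(outside)
        if acl is None:
            findings.append(f"no access-group applied inbound on {outside}")
        elif not any(p == port and d in ("any", f"host {glob}") for d, p in acls.get(acl, [])):
            findings.append(f"ACL {acl} does not permit tcp any host {glob} eq {port}")
    return findings
```

When the checker returns nothing and `show access-list` still reports a non-zero hitcnt on the permit line, as in the author's last update, the firewall is passing the traffic and the blocker is beyond it (the host not listening on 3389 or a workstation firewall, as itnetworkn suggested).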