jgrammer42 asked:

ASA config not allowing an RDP session

For several years I have allowed an RDP connection to a specific server in my network through the ASA.  It has worked just fine.

Recently, I added a second account to the configuration and the second account is not working.  The first still works fine.  It is only the new one I added that is not allowing an RDP connection through the ASA firewall.

Can anyone find the error in my configuration below?  I am sure I am just missing something.

Here is the config snippet.

object network 74.13.72.173
 host 74.13.72.173
 description This RDP account works

object network 172.14.35.146
 host 172.14.35.146
 description This RDP account does not work

object-group network DM_INLINE_NETWORK_2
 network-object object 74.13.72.173
 network-object object 172.14.35.146

access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host 192.168.250.61 eq 3389

Thank you for any help,
Jeff
bamsi

Hi Jeff,

The access rule looks fine. Can you also share how NAT is done for this access?
jgrammer42

ASKER

Bamsi,

Yes, as soon as I get it... I will post it here.

bamsi,
Here is the config with the NAT statements.

object network obj-dmz
 host 192.168.250.61
object network obj-dmz1-1
 host 192.168.250.61
object network obj-dmz1-2
 host 192.168.250.61
object network obj-dmz1-3
 host 192.168.250.61
object network 74.13.72.173
 host 74.13.72.173
 description Ben's home IP

object network 172.14.35.146
 host 172.14.35.146
 description Jeff's home IP

object-group network DM_INLINE_NETWORK_2
 network-object 218.126.142.128 255.255.255.240
 network-object object 74.13.72.173
 network-object object 172.14.35.146

access-list outside_access_in extended permit tcp any4 host 192.168.250.61 eq https
access-list outside_access_in extended permit tcp host 205.132.83.29 host 192.168.250.61 eq 61617 log disable
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host 192.168.250.61 eq 3389

object network obj-dmz
 nat (dmz,outside) dynamic interface
object network obj-dmz1-1
 nat (dmz,outside) static interface service tcp https https
object network obj-dmz1-2
 nat (dmz,outside) static interface service tcp 3389 3389
object network obj-dmz1-3
 nat (dmz,outside) static interface service tcp 61617 61617
access-group outside_access_in in interface outside
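
The ACL part of this config can be checked offline, which separates an access-list fault from a NAT or routing one. The Python below is an added example, not code from the thread or from Cisco: it parses the statement forms Jeff's config uses (object network / host, object-group network / network-object, extended ACEs), resolves the group references and evaluates the ACL first-match for a given source, destination and port. It uses only the standard library, handles numeric ports only, ignores the NAT lines, and the embedded config text is a constructed excerpt of the post above.

```python
import ipaddress
ASA_CONFIG = """\
object network 74.13.72.173
 host 74.13.72.173
object network 172.14.35.146
 host 172.14.35.146
object-group network DM_INLINE_NETWORK_2
 network-object 218.126.142.128 255.255.255.240
 network-object object 74.13.72.173
 network-object object 172.14.35.146
access-list outside_access_in extended permit tcp host 205.132.83.29 host 192.168.250.61 eq 61617 log disable
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host 192.168.250.61 eq 3389
"""
def parse_config(text):
    # Map ('object'|'object-group', name) -> members; collect extended ACEs in order.
    names, aces, cur = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if tok and line[0] != " ":                              # top-level statement
            if tok[0] in ("object", "object-group") and tok[1] == "network":
                cur = names.setdefault((tok[0], tok[2]), [])
            elif tok[0] == "access-list" and tok[2] == "extended":
                aces.append(tok[3:])                            # action proto src dst [eq port] ...
        elif tok and tok[0] == "host":                          # inside 'object network'
            cur.append(ipaddress.ip_network(tok[1]))
        elif tok and tok[0] == "network-object":                # inside 'object-group network'
            cur.append(("object", tok[2]) if tok[1] == "object"
                       else ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
    return names, aces
def contains(spec, ip, names):
    # True if ip lies inside an ACE address spec, following object / object-group references.
    if spec[0] in ("any", "any4"):
        return True
    if spec[0] in ("object", "object-group"):
        return any(contains(m, ip, names) if isinstance(m, tuple) else ip in m for m in names[spec])
    return ip in ipaddress.ip_network(spec[1] if spec[0] == "host" else f"{spec[0]}/{spec[1]}")
def permitted(config, src, dst, dport, proto="tcp"):
    # First-match evaluation of the ACL; the ASA's implicit deny applies when nothing matches.
    names, aces = parse_config(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        action, proto_, specs, rest = ace[0], ace[1], [], ace[2:]
        for _ in range(2):                                      # source spec, then destination spec
            n = 1 if rest[0] in ("any", "any4") else 2
            specs.append(tuple(rest[:n])); rest = rest[n:]
        port = int(rest[1]) if rest[:1] == ["eq"] else None     # numeric 'eq' ports only
        if (proto_ in (proto, "ip") and contains(specs[0], src, names)
                and contains(specs[1], dst, names) and port in (None, dport)):
            return action == "permit"
    return False
```

Both home IPs come out permitted for 3389, which agrees with bamsi's reading that the access-list is not the fault; on the box itself, `packet-tracer input outside tcp <src-ip> 12345 <outside-interface-ip> 3389` (placeholders for the real addresses) runs the same lookup and also walks the NAT and route steps this script leaves out.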

The config looks OK, it should work. Have you checked if there are routes that are causing the connection to be dropped inside your network?

Have you checked the ASA logs whenever you attempt an RDP connection? Is traffic properly received?
Bamsi

My apologies for not responding sooner.

I have been looking at logs.  Not seeing much.

Quick question.

Could the issue be having those nat statements inside of object ones?

I HATE Cisco's new object IOS config.  It really sucks.
Any other suggestions?
Hi,

The NAT statements should be fine, but they can be cleaned up to avoid too many lines, like below.

nat (dmz,outside) source static obj-dmz interface

By saying "not seeing much" on the logs, does that mean you are not seeing any connection attempts?

Although the new IOS is kinda confusing, it actually makes more logic once you get the hang of it. Well, that's my personal opinion though.
ASKER CERTIFIED SOLUTION
jgrammer42

used different solution