topic Re: Cisco ASA ACL and NAT for RDP through subinterface allow any in Network Security

Cisco ASA ACL and NAT for RDP through subinterface allow any

GoldTipu — Wed, 10 Jul 2024 23:11:33 GMT

Hello Team,

Need help to create first ACL and NAT for our LAB testing .

I have connected my subinterface with internet using PPPoE -

I wanted to create ACL and NAT to allow everyone from internet to connect to the RDP on my inside host through my Subinterface_outside .

Currenlty we are testing so allow all is fine for me and rest i will configure myself.

Could you please send me the command lines please ?

Regards,

Gold

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

ccieexpert — Thu, 11 Jul 2024 01:03:20 GMT

take a look at this:

https://www.petenetlive.com/KB/Article/0001680

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

MHM Cisco World — Thu, 11 Jul 2024 01:06:58 GMT

One issue here pppoe interface get IP from SP so it IP is change always

How outer cleint can know the new IP?

Ypu need to ask SP to provide one additional public IP and this IP not change and use it for NAT.

MHM

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

ccieexpert — Thu, 11 Jul 2024 01:24:05 GMT

use DDNS to find new ip 🙂 I think its a lab test..

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

MHM Cisco World — Thu, 11 Jul 2024 02:09:19 GMT

I think ASA not support DDNS for pppoe

MHM

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

ccieexpert — Thu, 11 Jul 2024 02:00:59 GMT

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/configuration/general/asa-915-general-config/basic-dhcp-ddns.html#task_176A466D16D7497694EEE7F1E01D39CC It has for a long while

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

MHM Cisco World — Thu, 11 Jul 2024 02:17:39 GMT

If you sure guide him to run ddns in asa

Goodluck

MHM

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

GoldTipu — Thu, 11 Jul 2024 07:50:45 GMT

We have a static IP assigned by the ISP, and every time, we get the same static IP on Subinterface via PPPoE

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

GoldTipu — Thu, 11 Jul 2024 07:51:14 GMT

We have a static IP assigned by the ISP, and every time, we get the same static IP on Subinterface via PPPoE

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

ccieexpert — Thu, 11 Jul 2024 07:57:00 GMT

Please try the sample here:

https://www.petenetlive.com/KB/Article/0001680

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

GoldTipu — Thu, 11 Jul 2024 15:38:56 GMT

I have ASDM -
Can we have either CLI commands or ASDM KB for this please ?

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

MHM Cisco World — Thu, 11 Jul 2024 17:22:10 GMT

https://www.packet-forwarding.net/posts/asa-lessons-static-pat/

Check this link' ypu need to config

Object service for ports and object network for host (real server IP)

Then use PAT to interface with using object service'

This allow ypu to use interface and specific port in PAT

MHM

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

GoldTipu — Thu, 11 Jul 2024 21:01:59 GMT

After spending several hours on it and we are stuck.

Unfortunately, I am unable to connect remotely (RDP) from outside, and I cannot see any traffic being terminated from the sub-interface to the inside host.

Point # 1

I don't understand why I'm not seeing any hits on the ACL for the outside subinterface for RDP and HTTP,

here is the NAT ACL

5 (inside) to (SubInterface_OutSide) source static inside_host_05 interface service any RDP
translate_hits = 90, untranslate_hits = 90

access-list SubInterface_OutSide_access_in extended permit object RDP any any
access-list SubInterface_OutSide_access_in extended deny ip any any

access-list outside_acl extended permit tcp any any eq www
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit tcp any any eq 3389
access-list outside_acl extended deny ip any any

NAT

Could you please guide me if i am doing something wrong ? we need assistance to get this resolved as we are unable to access inside network .

Best Regards,

Gold

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

MHM Cisco World — Thu, 11 Jul 2024 21:47:28 GMT

5 (inside) to (SubInterface_OutSide) source static inside_host_05 interface service RDP RDP<<- this must be RDP RDP

access-list SubInterface_OutSide_access_in extended permit object RDP any any <<- how you config object RDP which you use in ACL?
this need to be
access-list SubInterface_OutSide_access_in extended permit tcp any any eq rdp

MHM

Re: Cisco ASA ACL and NAT for RDP through subinterface allow any

GoldTipu — Fri, 12 Jul 2024 21:17:13 GMT

This worked for me 🙂

object service RDP
service tcp destination eq 3389
description RDP-Service
object service RDP-Service
service tcp source eq 3389
nat (inside,SubInterface_OutSide) source static inside_host_05 interface service RDP RDP-Service
access-list SubInterface_OutSide_access_in extended permit object RDP any any

Able to RDP now .

Thank you 🙂 So much for helping me .
@MHM Cisco World