topic The ip very seldom changes in Network Security

Beyond frustration - ASA5506-x ACL for RDP access

BartTecter — Tue, 12 Mar 2019 06:25:28 GMT

Sorry to post here with what is likely a really stupid question. BUT, I've been banging my head against the wall for the past two weeks. I've read everything I can find and watched several online lessons (almost everything retaining to the 5505)

I think I have everything setup properly (I'm using the ASDM interface but have also looked at the CLI output) but I am still not able to get through the firewall with an RDP connection to a server. I can connect to the sever from inside so I know that is not the issue. I have attached the sh run output. Could someone please have a look and tell me what I have missed?

Objective: Is to connect from any outside computer to a server who's inside ip is 192.168.10.2. I have defined this as a network object call Server-RDP, I have setup a service called RDP with the correct ports, Nat and ACL entries. The ASA is working fine for all outgoing traffic. ASA inside IP is 192.168.10.1

Thanks, Bart

Bart-The ACL is wrong. You

Collin Clark — Thu, 13 Aug 2015 17:24:04 GMT

Bart-

The ACL is wrong. You can remove

access-list outside_access_in_1 extended permit object RDP any object Server-RDP

and then add

access-list outside_access_in_1 extended permit tcp any object Server-RDP eq 3389

Hope it helps.

Thanks Colin,I have made the

BartTecter — Thu, 13 Aug 2015 19:44:00 GMT

Thanks Colin,

I have made the change you have suggested, (see attached file) but still no luck. any other suggestions?

Bart

Try switching the interfaces

Collin Clark — Thu, 13 Aug 2015 19:44:01 GMT

Try switching the interfaces in your NAT statement-

nat (outside,inside) static interface service tcp 3389 3389

nat (inside,outside) static interface service tcp 3389 3389

Still no luck. On one level

BartTecter — Thu, 13 Aug 2015 20:32:40 GMT

Still no luck. On one level this seems all so simple but then .... It is very frustrating.

Thanks again Collin. I really appreciate your help with this.

Bart

Hmm. Can you post the results

Collin Clark — Thu, 13 Aug 2015 20:32:41 GMT

Hmm. Can you post the results of this command?

packet-tracer input outside tcp 5.6.7.8 8912 192.168.10.2 3389 detail

Sorry this is a screen grab

BartTecter — Thu, 13 Aug 2015 23:04:03 GMT

Sorry this is a screen grab but the command line interface within asdm will not let me cut and paste text.

Can you post a "sh nat" from

Jon Marshall — Thu, 13 Aug 2015 23:04:04 GMT

Can you post a "sh nat" from the firewall.

Jon

Sorry, once again a screen

BartTecter — Fri, 14 Aug 2015 12:24:01 GMT

Sorry, once again a screen capture. But here is the result of the sh nat

There are no hits on your

Jon Marshall — Fri, 14 Aug 2015 12:24:02 GMT

There are no hits on your static translation which is odd because even though they are both in the same section static should take precedence over dynamic.

I notice your outside interface uses DHCP so how do you know which IP address to use when trying to connect to your server ?

Assuming you do know the public IP of your outside interface can you post -

"packet-tracer input outside tcp 8.8.8.8 12345 <public IP> 3389"

Jon

The ip very seldom changes

BartTecter — Fri, 14 Aug 2015 12:58:04 GMT

The ip very seldom changes but I have no guarantee of a static IP. This one hasn't changed in the year.

According to the packet

Jon Marshall — Fri, 14 Aug 2015 12:58:05 GMT

According to the packet-tracer output your firewall is configured correctly ie. the packet is allowed.

Just out of interest can you run "sh nat" again and see if there are any hits next to the static rules, no need to post the output.

If there are, as I say, your configuration looks correct now after the changes suggested by Collin.

Is the default gateway of your server set to the ASA inside interface IP ?

Jon

The server does have internet

Collin Clark — Fri, 14 Aug 2015 13:24:40 GMT

The server does have internet access correct (web surfing)? Can you type 'clear xlate' and try access again?

Collin,Yes, the server does

BartTecter — Fri, 14 Aug 2015 15:23:20 GMT

Collin,

Yes, the server does have internet access and can browse google for ex. with no issues. I can connect to the server with RDP internally and have checked that the server firewall will allow outside connections. If I remove the ASA5506 and use a router with port forwarding it works fine.

But, even after all the changes suggested in this thread I can still not connect through the ASA unit.

When I do a packet trace it always drops on the rpf-check and references the nat network object entry.

Bart

Jon,The sh nat shows 0

BartTecter — Fri, 14 Aug 2015 15:27:31 GMT

Jon,

The sh nat shows 0 translated hits and 4 untranslated hits for the 3389 port as well as 6K translated and 300 untranslated hit for the dynamic obj_any interface.

Still not working..

Bart-I just tested and I am

Collin Clark — Fri, 14 Aug 2015 15:31:47 GMT

Bart-

I just tested and I am able to telnet to your IP on 3389. How are you testing it?

Collin

When I do a packet trace it

Jon Marshall — Fri, 14 Aug 2015 15:39:33 GMT

When I do a packet trace it always drops on the rpf-check and references the nat network object entry.

It does if you use the private IP of the server which is the wrong IP to use.

When you used the public IP of the server the RPF check was passed and the firewall allowed the packet.

Jon

CollinI'm using RDP on a

BartTecter — Fri, 14 Aug 2015 16:16:09 GMT

Collin

I'm using RDP on a windows workstation. Both ws and server are using 3389 (I know that is not secure and will change the ports but for now wanted to keep everything simple until I can get it working.

Bart

Jon, I'm not sure I

BartTecter — Fri, 14 Aug 2015 16:19:27 GMT

Jon, I'm not sure I understand your comment. With RDP from outside my lan I can only use the public IP connected to the ASA Outside port. The server itself does not have a separate public IP.

Bart

What I meant was when you

Jon Marshall — Fri, 14 Aug 2015 16:35:32 GMT

What I meant was when you test a packet coming from outside to the public IP on port 3389 your ASA is correctly translating the destination IP to the real server IP and it allows the packet.

You can see that from the packet-tracer output I asked you to run ie. there is no RPF failure.

In terms of testing is your workstation on the outside of the ASA ie. if your workstation is on the same network as the server then this won't work.

Jon