topic Can we check now ?? . I need in Network Security

asa explicit rule blocking the traffic.

Saji Thomas — Tue, 12 Mar 2019 04:31:05 GMT

Hello All,

On ASA 5515 version 8.6, I am trying to create a NAT and access list to allow RDP from outside public to inside private network.

I was able to create it using the ASDM as I am comfortable with it and not a expert with CLI.

When I tested it, it does not work no matter what. I tried to see the packet tracer and it said that the traffic was blocked by implicit rule.

I tried to create an ACL and it said the ACL exists. However, it does not work as the packets are dropped.

Any assistance or ideas is very much appreciated.

Thanks!

Saji

Hi Share me your asa show

SANTHOSHKUMAR SARAVANAN — Tue, 22 Jul 2014 16:42:41 GMT

Share me your asa show runn configuration .

HTH

Sandy

Can I email it to you? I am

Saji Thomas — Tue, 22 Jul 2014 18:13:46 GMT

Can I email it to you? I am little hesitant to post the complete run config on the blog.

I can also send you some screenshot of Packet tracer that shows that the packets are dropped at the inside interface because of a implicit rule. I think I have to create an access rule on the inside interface also which I do not see but I am worried to break something.

Thanks Sandy!

Hi Sandy, Please take a look

Saji Thomas — Tue, 22 Jul 2014 18:33:27 GMT

Hi Sandy, Please take a look at the picture.

Thanks!

Hi , What is your ASA code

SANTHOSHKUMAR SARAVANAN — Wed, 23 Jul 2014 04:20:30 GMT

Hi ,

What is your ASA code version ??

share me following output alone

1) show runn access-list

2) show runn access-group

3) show runn static

HTH

Sandy

ASA Code is 8.6(1).I think

Saji Thomas — Wed, 23 Jul 2014 12:15:58 GMT

ASA Code is 8.6(1).

I think the issue is we do not have any access list on the internal interface. Bit I am worried to change it because it is a implicit rule to allow everything from less secure networks.

Result of the command: "show run access-list"

access-list 102 extended permit tcp any host 67.208.160.156 eq www
access-list 102 extended permit tcp any host 67.208.160.156 eq 3389
access-list 102 extended permit icmp any any echo-reply
access-list 102 extended permit icmp any any source-quench
access-list 102 extended permit icmp any any unreachable
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit ip any host 67.208.160.155
access-list 102 extended permit tcp any host 67.208.160.158 eq www
access-list 102 extended permit udp any host 67.208.160.158 eq netbios-ns inactive
access-list 102 extended permit udp any host 67.208.160.158 eq netbios-dgm inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq netbios-ssn inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq 445
access-list 102 extended permit tcp any host 67.208.160.158 eq ftp inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq https
access-list 102 extended permit tcp any host 67.208.160.158 eq rtsp inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq domain inactive
access-list 102 extended permit udp any host 67.208.160.158 eq domain inactive
access-list 102 extended permit udp any host 67.208.160.158 eq ntp
access-list 102 extended permit tcp any host 67.208.160.158 eq smtp inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq ldap inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq ldaps inactive
access-list 102 extended permit tcp any host 67.208.160.158 eq ssh inactive
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 445
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 554
access-list 102 extended permit tcp any host 67.208.160.158 object-group DM_INLINE_TCP_1
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 4743
access-list 102 extended permit tcp any host 67.208.160.157 eq www
access-list 102 extended permit tcp any host 67.208.160.159 eq 2011
access-list 102 extended permit udp any host 67.208.160.159 eq 2011
access-list 102 extended permit tcp any host 67.208.160.159 eq 6001
access-list 102 extended permit udp any host 67.208.160.159 eq 6001
access-list 102 extended permit tcp any host 67.208.160.159 eq 22609
access-list 102 extended permit udp any host 67.208.160.159 eq 22609
access-list 102 extended permit tcp any host 67.208.160.160 eq 2011
access-list 102 extended permit udp any host 67.208.160.160 eq 2011
access-list 102 extended permit tcp any host 67.208.160.160 eq 6001
access-list 102 extended permit udp any host 67.208.160.160 eq 6001
access-list aaa standard permit host 0.0.0.0

Result of the command: "show runn access-group"

access-group 102 in interface outside

Result of the command: "show runn static"

show runn static
^
ERROR: % Invalid input detected at '^' marker.

Can we check now ?? . I need

SANTHOSHKUMAR SARAVANAN — Wed, 23 Jul 2014 16:13:15 GMT

Can we check now ?? . I need to check few things

1) NAT

join below webex

https://meetings.webex.com/collabs/meetings/join?uuid=M7EXGIM8ID8WZKIJFTFXAJM5BK-512H

HTH

Sandy

Yes.

Saji Thomas — Wed, 23 Jul 2014 16:13:16 GMT

Yes.

Join Below meetinghttps:/

SANTHOSHKUMAR SARAVANAN — Wed, 23 Jul 2014 16:39:18 GMT

Join Below meeting

https://meetings.webex.com/collabs/meetings/join?uuid=M7EXGIM8ID8WZKIJFTFXAJM5BK-512H

Hi ,Join this webex meeting

SANTHOSHKUMAR SARAVANAN — Wed, 23 Jul 2014 16:40:26 GMT

Hi ,

Join this webex meeting

https://meetings.webex.com/collabs/meetings/join?uuid=M5G5MMW7PC5GDNDV05Z9VB1N6J-512H

On Remote session below

SANTHOSHKUMAR SARAVANAN — Wed, 23 Jul 2014 18:44:08 GMT

On Remote session below configuration is updated on your ASA device

1) mismatch on your ACL

no access-list 102 extended permit tcp any host 67.208.x.x eq www
no access-list 102 extended permit tcp any host 67.208.x.x.x eq 3389

access-list 102 extended permit tcp any host 10.90.230.xe q 3389

2) Mismatch on your NAT config

object network rdp_server

host 10.90.230.x

nat (inside,outside) static 67.208.x.x service tcp 3389 3389

HTH

Sandy