topic Port redirection - ASA (cli) for RDP - Remote Desktop Protocol in Network Security

Port redirection - ASA (cli) for RDP - Remote Desktop Protocol

walldiv01 — Tue, 12 Mar 2019 03:52:59 GMT

Hello and thank you for reading & helping out!

I have a customer that we are trying to remotely monitor and manage their servers. We have a management server and I can setup the ACL's to have any/any port:3389 open and accessible, but we are trying to strengthen the inbound simply by having a port redirection. Below is my code, which seems to be right according to all the other sites i have looked over trying to find out how to redirect ports on an ASA, as well NAT in general with cisco's CLI. I dont have ASDM capable, using SSH (putty) and remoting into the firewall. when i try to switch the ports access to 3390 with a port redirection (as shown below) I am not able to connect (nor will Portquery.exe show it as listening, rather it comes back "filtered").

I think that I am doing the NAT in the wrong location, but if I try to do a global NAT with the other statements outside fo the network object, I cant seem to get the ports to go through ( ' nat (inside,outside) source static any any service tcp 3390 3389 ' ) it says the port 3389 is 'invalid input'. I for one am lost lol, please help!

***ALL other code attempts work fine with 3389 in the acl/object-nat segments****

object network GLF-VCENTER

host 172.30.25.254

nat (inside,outside) static interface service tcp 3390 3389

access-list outside_access_in extended permit tcp any any eq 3390

Port redirection - ASA (cli) for RDP - Remote Desktop Protocol

Itzcoatl Espinosa — Mon, 03 Mar 2014 23:11:58 GMT

Hello Dan,

Is port 3390 the real port of your server or the one you are using the connect?

Have you tried swapping the ports on the nat configuration? The first one is that real port and the second one should be the mapped port you type in order to connect.

object network GLF-VCENTER

host 172.30.25.254

nat (inside,outside) static interface service tcp 3389 3390

I hope it helps

regards,

Itzcoatl

Port redirection - ASA (cli) for RDP - Remote Desktop Protocol

walldiv01 — Tue, 04 Mar 2014 13:51:49 GMT

@ Itzcoatl,

Yes i've done both commands (below) neither work and i understand the order of mapped/real ports, i know i had it backwards in my original statement (sorry)

HAVE TRIED BOTH:
nat (inside,outside) static interface service tcp 3389 3390
nat (inside,outside) static interface service tcp 3390 3389

~Dan

Port redirection - ASA (cli) for RDP - Remote Desktop Protocol

Julio Carvajal — Tue, 04 Mar 2014 15:32:40 GMT

Hello Dan,

Have you also tried the ACL for port 3389

Please share the exact configuration you have (using the right port-mapping)

and also this

packet-tracer input outside tcp 4.2.2.2 1025 interface_ip 3389

Then enable this capture

cap capout interface outside match tcp any host x.x.x.x (Interface_IP) eq 3389

cap capin interface inside match tcp any host x.x.x (Internal server IP) eq 3389

Afterwards try to connect Just Once and finally provide

show cap capout

show cap capin

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com