RDP access through ASA

DOUGLAS DRURY — Tue, 12 Mar 2019 02:46:35 GMT

I'm trying to allow remote users RDP access to a server throough the ASA 5505. I was able to do this with the old Billion router but i can't seem to get it to work curretly on the ASA. Users will use the microsoft RDP client useing a public IP Address. I can see the ACL counter going up in ASDM but users are saying that it can't connect. Could somebody please have a look at my config give me an idea where i'm going wrong.

Thanks

Doug

FYI i've removed my public IP from the config and replaced them with (Public IP Removed)

: Saved
: Written by drurydd1 at 07:29:25.198 GMT Thu Oct 3 2013
!
ASA Version 8.4(5)
!
hostname Thames-House
domain-name idrury
enable password JCdTyvBk.ia9GKSj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 15
!
interface Vlan2
nameif IDNET
security-level 0
pppoe client vpdn group ppp
ip address (Public IP Removed) 255.255.255.255 pppoe setroute
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan15
description Used for LAB access and misc
no forward interface Vlan10
nameif DMZ
security-level 50
ip address 192.168.15.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.10.201
name-server 8.8.8.8
domain-name idrury
object network obj_Inside
subnet 192.168.10.0 255.255.255.0
object network obj-Embankment
host 192.168.10.199
object service RDP
service tcp destination eq 3389
object network NETWORK_OBJ_192.168.20.0_27
subnet 192.168.20.0 255.255.255.224
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-Stratford
host 192.168.10.253
access-list IDNET_access_in extended permit tcp any object obj-Embankment eq telnet inactive
access-list IDNET_access_in remark Permits HTTPS access to ESX host
access-list IDNET_access_in extended permit object RDP any object obj-Stratford
access-list Home_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.10.0_24 any
pager lines 24
logging asdm informational
mtu IDNET 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPN-POLL 192.168.20.1-192.168.20.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,IDNET) source static any any destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
nat (inside,IDNET) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27 no-proxy-arp route-lookup
!
object network obj-Embankment
nat (inside,IDNET) static (Public IP Removed)
object network obj-Stratford
nat (inside,IDNET) static (Public IP Removed) service tcp 3389 3389
!
nat (inside,IDNET) after-auto source dynamic any interface
access-group IDNET_access_in in interface IDNET
access-group inside_access_in in interface inside
!
router eigrp 10
network 192.168.10.0 255.255.255.0
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 IDNET
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IDNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IDNET_map interface IDNET
crypto ikev1 enable IDNET
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 IDNET
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ppp request dialout pppoe
vpdn group ppp localname 01771622598@idnet.gw6
vpdn group ppp ppp authentication chap
vpdn username 01771622598@idnet.gw6 password 0baf1fc1 store-local

dhcpd auto_config IDNET
!
dhcpd address 192.168.10.20-192.168.10.100 inside
dhcpd dns 192.168.10.201 8.8.8.8 interface inside
dhcpd lease 43200 interface inside
dhcpd domain idrury interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable IDNET
anyconnect-essentials
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
wins-server none
dns-server value 192.168.10.201 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value idrury
group-policy Home internal
group-policy Home attributes
dns-server value 192.168.10.201 8.8.8.8
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Home_splitTunnelAcl
default-domain value idrury
username drurydd1 password NvNqxNowycPPpt.J encrypted privilege 15
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
address-pool VPN-POLL
default-group-policy GroupPolicy_AnyConnect
tunnel-group AnyConnect webvpn-attributes
group-alias AnyConnect enable
tunnel-group Home type remote-access
tunnel-group Home general-attributes
address-pool VPN-POLL
default-group-policy Home
tunnel-group Home ipsec-attributes
ikev1 pre-shared-key Rockets2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
   message-length maximum client auto
   message-length maximum 512
policy-map global_policy
class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
   inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d8c2899f95569c47761739595fce9c02
: end

RDP access through ASA

Julio Carvajal — Thu, 03 Oct 2013 07:00:34 GMT

Hello Douglas,

So you have the right NAT configured,

The right ACL

the access-group correctly

I can see the RDP server is directly connected to the Inside interface,

What happens if you RDP locally? does it work?

Do the following

cap capin interface inside match tcp any host 192.168.10.253 eq 3389

cap capout interface outside match tcp any host OUTSIDE_IP eq 3389

cap asp type asp-drop all circular-buffer

Then try to connect only once and finally share the following output

show cap capin

show cap capout

show cap asp | include 192.168.10.253

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

topic RDP access through ASA in Network Security

RDP access through ASA

RDP access through ASA