topic Nat RDP machine, outside to inside in Network Security

Nat RDP machine, outside to inside

danielluz — Tue, 12 Mar 2019 00:39:10 GMT

hi i have the next configuration.

inside 192.168.90.1

outside 10.13.7.188

rdp-host 192.168.90.45

rdp-host-outside 10.13.7.187

ASA Version 8.4(1)

hostname ciscoasa

enable password -----

passwd ----

names

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

nameif outside

security-level 100

ip address 10.13.7.188 255.255.255.192

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa841-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network intra-rdp

host 10.13.7.187

object network rdp-host

host 192.168.90.45

object service rdp_service

service tcp source eq 3389

object-group network Network-A

description Red Network A

network-object 192.168.90.0 255.255.255.0

object-group network INTRANET

description Intranet de Intranet Network

network-object 10.13.0.0 255.255.0.0

object-group icmp-type ping

description Ping Group

icmp-object echo

icmp-object echo-reply

icmp-object time-exceeded

icmp-object traceroute

icmp-object source-quench

icmp-object unreachable

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit icmp any any object-group ping

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit tcp any host 192.168.90.45 eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (outside,inside) source static any any destination static interface rdp-host service rdp_service rdp_service

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.13.7.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.13.0.0 255.255.0.0 outside

http 192.168.1.0 255.255.255.0 management

http 192.168.90.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.90.0 255.255.255.0 inside

ssh 10.13.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username tr password ------ encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e9bfbb5a2a86ba432761431229c9c613

: end

and it is my packet-tracer

ciscoasa(config)# packet-tracer input outside tcp 10.13.7.165 3389 192.168.90.$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.90.0 255.255.255.0 inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (outside,inside) source static any any destination static interface rdp-host service rdp_service rdp_service

Additional Information:

Static translate 10.13.7.165/3389 to 10.13.7.165/3389

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source dynamic any interface

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1056, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Aparentli it work fine, but when i use mi laptop (10.13.7.165) to conect for rdp to 10.13.7.187 it not work.

Sorry my inglish it very bad....

Nat RDP machine, outside to inside

Jouni Forss — Wed, 19 Dec 2012 20:50:13 GMT

Hi,

Can you try do one of the following changes to your configurations (revert back if it doesnt help for you)

Remove the old NAT configuration

no nat (outside,inside) source static any any destination static interface rdp-host service rdp_service rdp_service

NOTICE! The below configuration are 2 different options. You only need to configure one of them depending on your need.

The first NAT configuration will NAT the LAN host to its own NAT IP.
the seconda NAT configuration will ONLY forward the port TCP/3389 to the LAN host when you connect to the "outside" interface IP address with the port TCP/3389

New NAT configuration - Static NAT

object network STATIC

host 192.168.90.45

nat (inside,outside) static 10.13.7.187

access-list outside_access_in permit tcp any object STATIC eq 3389

New NAT configuration - Port Forward using "outside" interface IP address

object network PORTFORWARD-RDP

host 192.168.90.45

nat (inside,outside) static interface service tcp 3389 3389

access-list outside_access_in permit tcp any object PORTFORWARD-RDP eq 3389

Please let me know if I missunderstood something about what you were after.

Also please rate if you found the information helpfull to solve your problem.

- Jouni

Nat RDP machine, outside to inside

danielluz — Wed, 19 Dec 2012 21:02:24 GMT

ok,

firts option.

Reconfigure ASA, use rdp client to connect 10.13.7.188 and 187 but it not work, the rdp client only show me its cannot connect to windows base computer.

Second option:

Reconfigura ASA,

use rdp client to connect 10.13.7.188 and 187 but it not work, the rdp client tynking.......

Thanks.

Re: Nat RDP machine, outside to inside

Jouni Forss — Wed, 19 Dec 2012 21:09:34 GMT

Hi,

Could you take some "packet-tracer" output when you are using either of the above NAT configurations and copy/paste the output here.

For Static NAT

packet-tracer input outside tcp 10.13.7.187 3389

For Port Forward NAT

packet-tracer input outside tcp 10.13.7.188 3389

EDIT: Are you certain that possibility for RDP connections is enabled on the computer where you are trying to connect to?

- Jouni

Nat RDP machine, outside to inside

danielluz — Wed, 19 Dec 2012 21:19:47 GMT

Hi,

For Static NAT

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC

nat (inside,outside) static 10.13.7.187

Additional Information:

NAT divert to egress interface inside

Untranslate 10.13.7.187/3389 to 192.168.90.45/3389

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source dynamic any interface

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1157, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

For Port Forward NAT

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.13.7.128 255.255.255.192 outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1164, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

In both cases its aparentli work, but with rdp client don't.

Thanks

Re: Nat RDP machine, outside to inside

Jouni Forss — Wed, 19 Dec 2012 21:29:38 GMT

Hi,

Atleast the Static NAT output looks right to me.

For the Port Forward the output doesnt seem correct. Both the input and output interface are the same and I dont see any mention of the traffic from "packet-tracer" command hitting the Port Forward NAT configuration.

I would make sure that the RDP service on the computer is configured and working. Possible firewall software might be worth checking too. Can you connect to that computer with RDP from another computer in the network 192.168.90.0/24. This should confirm if the problem is with the actual computer or the firewall.

Also you could try looking through the ASDM monitor while trying to RDP connection to see what happens to the connection attempt. We would be interested in the log message that has the "Teardown" message.

Also I would try to change this NAT rule also

no nat (inside,outside) source dynamic any interface

and use

nat (inside,outside) after-auto source dynamic any interface

You could also try using "clear xlate" after this to clear all the NAT translations from the firewall before you test anything else. EDIT: Notice that "clear xlate" will also terminate connections going through the firewall but NOT the actual connection you have to the actual firewall.

- Jouni

Re: Nat RDP machine, outside to inside

danielluz — Thu, 20 Dec 2012 00:37:43 GMT

Test the computer back to back with same network and work right.

i change the nat instructions, clear xlate.

on the static NAT.

RDP cliente show me error message and try reconncting to the window pc.

the syslog message don't show any.

Port Forward NAT log

This firewall its fron test configuration when it working right send configuration to productive sistem.

This the configuration working

ciscoasa# sh ru

: Saved

ASA Version 8.4(1)

hostname ciscoasa

enable password -- encrypted

passwd -- encrypted

names

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

nameif outside

security-level 100

ip address 10.13.7.188 255.255.255.192

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa841-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network intra-rdp

host 10.13.7.187

object network rdp-host

host 192.168.90.45

object service rdp_service

service tcp source eq 3389

object network STATIC

host 192.168.90.45

object-group network net-a

description Red a

network-object 192.168.90.0 255.255.255.0

object-group network INTRANET

description Intranet

network-object 10.13.0.0 255.255.0.0

object-group icmp-type ping

description Ping Group

icmp-object echo

icmp-object echo-reply

icmp-object time-exceeded

icmp-object traceroute

icmp-object source-quench

icmp-object unreachable

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit icmp any any object-group ping

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit tcp any object STATIC eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

object network STATIC

nat (inside,outside) static 10.13.7.187

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.13.7.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.13.0.0 255.255.0.0 outside

http 192.168.1.0 255.255.255.0 management

http 192.168.90.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.90.0 255.255.255.0 inside

ssh 10.13.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username 9JL83 password hOSugQuHRmysWJ/d encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:25e72e430d5c89305fba85c82f178b18

: end

ciscoasa#

And this the packer traker from this configuration.

ciscoasa# packet-tracer input outside tcp 10.13.7.165 62644 10.13.7.187 3389

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC

nat (inside,outside) static 10.13.7.187

Additional Information:

NAT divert to egress interface inside

Untranslate 10.13.7.187/3389 to 192.168.90.45/3389

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network STATIC

nat (inside,outside) static 10.13.7.187

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1432, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Thanks

Nat RDP machine, outside to inside

Jouni Forss — Thu, 20 Dec 2012 08:04:52 GMT

Hey,

The log message screen capture you posted seems to indicate that the host 192.168.90.45 doesnt simply reply when the remote host is trying to establish the TCP connection.

Have you made sure that the LAN server has the correct default gateway configured? The ASA interface IP address of 192.168.90.1?

The log messages dont indicate any kind of problem with your firewall configurations.

- Jouni

Re: Nat RDP machine, outside to inside

danielluz — Thu, 20 Dec 2012 17:43:12 GMT

Hi,

RDP Network config

i have to test rdp-host with client in the same network and it work fine.

in the rdp-host send ping to 10.13.7.x (other machine in intranet network) and its work fine.

this problem has me desperate and can not find solution.

Thanks

Re: Nat RDP machine, outside to inside

Jouni Forss — Thu, 20 Dec 2012 18:02:41 GMT

Hi,

The packet-tracer already seemed to point out that the connection attempt should work with regards to the firewall.

Do you have any other service running on the RDP computer you could test from the other side of the firewall?

For example, could you install UltraVNC (another remote desktop connection) on the same server and on the host attempting the connection and try to connect using that and see if the result is the same? (Would naturally need to open ports for UltraVNC also, think they are TCP/5900 and TCP/5901 as default)

Can any host behind the firewall (from behind interface "outside") PING the computer 10.13.7.187?

Are you positively sure that there is not some setting that might prevent this connection on the actual computer (even though the host on the connected network can access it).

- Jouni

Nat RDP machine, outside to inside

danielluz — Thu, 20 Dec 2012 20:26:20 GMT

Hi, the problem in te rdp server it's tha fu..... antivirus..... i don't know its include an other firewall an it only accep conection from the connected network.

I test RDP-VNC services an it working fine,

Thanks and rate

Nat RDP machine, outside to inside

Jouni Forss — Thu, 20 Dec 2012 20:30:38 GMT

Hi,

Glad it got sorted out. and thank you for the rating.

I would have been really baffled if it wasnt something related to the actual computer you were trying to connect to.

- Jouni