topic I need helping!!! configuring RDP access to my local server from in Network Security

I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

plogooman — Mon, 11 Mar 2019 23:17:52 GMT

I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.

I need to allow the following IP addresses to have RDP access to my server:

66.237.238.193-66.237.238.222

69.195.249.177-69.195.249.190

69.65.80.240-69.65.80.249

My external WAN server info is - 99.89.69.333

The internal IP address of my server is - 192.168.6.2

The other server shows up as 99.89.69.334 but is working fine.

I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.

THE FOLLOWING IS MY CONFIGURATION FILE

Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course

Also the bolded lines are the modifications I made but that arent working.

ASA Version 7.2(4)

hostname ciscoasa

domain-name default.domain.invalid

enable password DowJbZ7jrm5Nkm5B encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.6.254 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 99.89.69.233 255.255.255.248

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group network EMRMC

network-object 10.1.2.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

network-object 192.168.11.0 255.255.255.0

network-object 172.16.0.0 255.255.0.0

network-object 192.168.9.0 255.255.255.0

object-group service RDP tcp

description RDP

port-object eq 3389

object-group service GMED tcp

description GMED

port-object eq 3390

object-group service MarsAccess tcp

description MarsAccess

port-object range pcanywhere-data 5632

object-group service MarsFTP tcp

description MarsFTP

port-object range ftp-data ftp

object-group service MarsSupportAppls tcp

description MarsSupportAppls

port-object eq 1972

object-group service MarsUpdatePort tcp

description MarsUpdatePort

port-object eq 7835

object-group service NM1503 tcp

description NM1503

port-object eq 1503

object-group service NM1720 tcp

description NM1720

port-object eq h323

object-group service NM1731 tcp

description NM1731

port-object eq 1731

object-group service NM389 tcp

description NM389

port-object eq ldap

object-group service NM522 tcp

description NM522

port-object eq 522

object-group service SSL tcp

description SSL

port-object eq https

object-group service rdp tcp

port-object eq 3389

access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC

access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data

access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731

access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333

access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp

access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp

access-list out_in extended permit tcp any host 192.168.6.2 eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 99.89.69.338 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.6.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 68.156.148.5

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

tunnel-group 68.156.148.5 type ipsec-l2l

tunnel-group 68.156.148.5 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d

: end

ciscoasa(config-network)#

I need helping!!! configuring RDP access to my local server from

abinjola — Mon, 11 Jun 2012 23:43:04 GMT

The config looks good, try the following:

A-reload or clear arp-cache on outside/gateway/upstream router of ASA.

B-Take packet capture on inside interface of ASA to see if packet leaves ASA and if it see return packet from server

set the following captures

access-list cap1 permit ip

capture cpi acess-l cap1 interface inside

x.x.x.x---is the ip of test machine on the outside world

y.y.y.y--rela ip of server on inside

I need helping!!! configuring RDP access to my local server from

plogooman — Tue, 12 Jun 2012 00:05:25 GMT

Well here is the problem. When I attempt to put i:

static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255

It says that I have an error and that I need to configure nat or something. Its just odd to me because I already have a similar command to map port forwarding for the other internal server to its external ip address. For some reason it wont let me put in the exact same command for the new server. I assume its because there is something wrong for my code.

So I essentially opened up that ports for the ip address I think but I need to link it (port forward). Everything I have tried thus far doesnt work.

I need helping!!! configuring RDP access to my local server from

plogooman — Tue, 12 Jun 2012 01:12:51 GMT

I feel it has something to do with nat and or im not applying it correctly.

I need helping!!! configuring RDP access to my local server from

plogooman — Tue, 12 Jun 2012 01:27:22 GMT

Also I just noticed this but my outside interface vlan 2 (wan ip) is set for 99.89.69.233 and thats the ip I was trying to add a static route for RDP access to my server. Would it not let me port forward it to the internal ip address if it was set for the VLAN 2?

I need helping!!! configuring RDP access to my local server from

mikull.kiznozki — Tue, 12 Jun 2012 04:09:55 GMT

did u vlan your outside interface?

I need helping!!! configuring RDP access to my local server from

gouravbathla — Tue, 12 Jun 2012 10:56:49 GMT

Hi Davis

I want to add

"Well here is the problem. When I attempt to put i:

static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255

99.89.69.333 is not a valid IP address.

I need helping!!! configuring RDP access to my local server from

plogooman — Tue, 12 Jun 2012 11:25:39 GMT

"99.89.69.333 is not a valid IP address."

As I stated before, I did not put my actual IP address. That is just a fake one that I posted.

I need helping!!! configuring RDP access to my local server from

Thomas Gronke — Wed, 13 Jun 2012 00:04:22 GMT

Unclear what did not work. In your original post you include said some commands were added but don't work:

static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255

and later you state you add another command that gets an error:

static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255

You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.

The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.

Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389.