https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913025#M458411 <HTML><HEAD></HEAD><BODY><P>Brandon,</P><P></P><P>It may help us if you could post your configuration.&nbsp; It will help to see all the access-lists and such that could be denying this connection.</P><P></P><P>Thanks,</P><P></P><P>Kimberly</P></BODY></HTML> Wed, 07 Mar 2012 19:05:48 GMT Kimberly Adams 2012-03-07T19:05:48Z https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913024#M458409 <P>Hello,</P><P></P><P>&nbsp;&nbsp;&nbsp; Just started using our ASA 5505 v8.2 (1)</P><P></P><P>Trying to configure the ASA applaince to allow access into an internal resource (i.e want to be able to RDP into a system behind the ASA from the internet).</P><P></P><P>I have used a static NAT:</P><P>static (inside,outside) 100.100.100.2 192.168.1.28 netmask 255.255.255.255</P><P></P><P>access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389</P><P></P><P>When I view the logs it is reporting the following:</P><P>Inbound TCP connection denied from 206.100.100.1 <STRONG>(external IP) </STRONG>to 100.100.100.2 /3389 flags SYN on interface outside.</P><P></P><P>Been pulling my hair out with this one as I believe I have everything configured correctly. New to the world of ASA’s so be nice <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>ZT</P> Mon, 11 Mar 2019 22:39:17 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913024#M458409 ZoeTaite48 2019-03-11T22:39:17Z https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913025#M458411 <HTML><HEAD></HEAD><BODY><P>Brandon,</P><P></P><P>It may help us if you could post your configuration.&nbsp; It will help to see all the access-lists and such that could be denying this connection.</P><P></P><P>Thanks,</P><P></P><P>Kimberly</P></BODY></HTML> Wed, 07 Mar 2012 19:05:48 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913025#M458411 Kimberly Adams 2012-03-07T19:05:48Z https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913026#M458413 <HTML><HEAD></HEAD><BODY><P> Kimberly,</P><P></P><P>&nbsp;&nbsp; Here it is:</P><P></P><P>ASA Version 8.2(1)<BR />!<BR />hostname Burlington-FW<BR />enable password Adl1Gmm8UmMZT0CS encrypted<BR />passwd U7QyKVyA28TBRwD. encrypted<BR />names<BR />!<BR />interface Vlan1<BR /> no nameif<BR /> no security-level<BR /> no ip address<BR />!<BR />interface Vlan2<BR /> nameif outside<BR /> security-level 0<BR /> ip address 100.100.100.3 255.255.255.224<BR />!<BR />interface Vlan3<BR /> nameif inside<BR /> security-level 100<BR /> ip address 192.168.1.1 255.255.255.0<BR />!<BR />interface Vlan4<BR /> nameif server<BR /> security-level 100<BR /> ip address 192.168.2.1 255.255.255.0<BR />!<BR />interface Ethernet0/0<BR /> description outside<BR /> switchport access vlan 2<BR /> speed 100<BR /> duplex full<BR />!<BR />interface Ethernet0/1<BR /> description inside<BR /> switchport access vlan 3<BR /> speed 100<BR /> duplex full<BR />!<BR />interface Ethernet0/2<BR /> description server<BR /> switchport access vlan 4<BR /> speed 100<BR /> duplex full<BR />!<BR />interface Ethernet0/3<BR />!<BR />interface Ethernet0/4<BR />!<BR />interface Ethernet0/5<BR />!<BR />interface Ethernet0/6<BR />!<BR />interface Ethernet0/7<BR />!<BR />banner motd<BR />banner motd Disconnect IMMEDIATELY if you are not an authorized user!<BR />banner motd<BR />banner motd This system is for the use of Company authorized users only.<BR />banner motd Individuals using this computer system without authority, or in excess of<BR />banner motd their authority, are subject to having all of their activities on this<BR />banner motd system monitored and recorded by system personnel.<BR />banner motd<BR />banner motd Anyone using this system expressly consents to such monitoring and is<BR />banner motd advised that if such monitoring reveals possible evidence of criminal<BR />banner motd activity or conduct, Company system personnel may provide the evidence<BR />banner motd of such monitoring to law enforcement officials.<BR />banner motd<BR />banner motd Users should NOT be using this device to launch denial of service<BR />banner motd attacks or connect unauthorized external networks and systems.<BR />ftp mode passive</P><P>clock timezone EST -5<BR />clock summer-time EDT recurring<BR />same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq 3389</P><P>access-list OUTSIDE extended permit tcp any host 100.100.100.2 eq ssh<BR />pager lines 24<BR />logging enable<BR />logging monitor alerts<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside 1500<BR />mtu server 1500<BR />no failover<BR />icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any inside<BR />asdm image disk0:/asdm-621.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />nat-control<BR />global (outside) 1 interface<BR />nat (inside) 1 192.168.2.0 255.255.255.0<BR />nat (inside) 1 0.0.0.0 0.0.0.0<BR />static (inside,outside) 100.100.100.2 192.168.2.70 netmask 255.255.255.255 dns tcp 1000 100<BR />route outside 0.0.0.0 0.0.0.0 100.100.100.1 1<BR />timeout xlate 3:00:00<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />aaa authentication ssh console LOCAL<BR />http server enable<BR />http 192.168.2.0 255.255.255.0 inside<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart<BR />crypto ipsec security-association lifetime seconds 28800<BR />crypto ipsec security-association lifetime kilobytes 4608000<BR />telnet 192.168.2.0 255.255.255.0 inside<BR />telnet timeout 5<BR />ssh X.X.X.X 255.255.255.255 outside<BR />ssh Y.Y.Y.Y 255.255.255.255 outside<BR />ssh timeout 10<BR />console timeout 0<BR />dhcpd dns 167.69.184.199 167.69.184.107<BR />!<BR />dhcpd address 192.168.2.10-192.168.2.100 inside<BR />dhcpd enable inside<BR />!</P><P>threat-detection basic-threat<BR />threat-detection statistics port<BR />threat-detection statistics protocol<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />webvpn<BR />username dvvc110 password 6lx6srLwcBTxdQZs encrypted<BR />!<BR />!<BR />prompt hostname context<BR />Cryptochecksum:43ebf72f29f9f85a8c21ad2c38d6a84b<BR />: end</P></BODY></HTML> Wed, 07 Mar 2012 19:43:16 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913026#M458413 ZoeTaite48 2012-03-07T19:43:16Z https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913027#M458414 <HTML><HEAD></HEAD><BODY><P>try out by only using the following line.</P><P></P><P>static (inside,outside) 100.100.100.2 192.168.2.70 netmask 255.255.255.255</P><P></P><P>remove the DNS keyword and the tcp 1000 100.</P><P></P><P>chk and reply back.</P></BODY></HTML> Wed, 07 Mar 2012 19:52:53 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913027#M458414 jack samuel 2012-03-07T19:52:53Z https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913028#M458416 <HTML><HEAD></HEAD><BODY><P> Jack,</P><P></P><P>&nbsp;&nbsp; Just updated the config. Received the same result when trying to RDP to 100.100.100.2</P><P></P><P>ZT</P></BODY></HTML> Wed, 07 Mar 2012 19:59:05 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913028#M458416 ZoeTaite48 2012-03-07T19:59:05Z https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913029#M458418 <HTML><HEAD></HEAD><BODY><P>Hello Brandon,</P><P></P><P>try out the follwing line </P><P></P><P>static (inside,outside) tcp 100.100.100.2 3389 192.168.2.70 3389 netmask&nbsp;&nbsp;&nbsp; 255.255.255.255.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 07 Mar 2012 20:42:43 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-rule-to-connect-to-a-system-using-rdp/m-p/1913029#M458418 jack samuel 2012-03-07T20:42:43Z