topic ASA5510 and RDP in Network Security

ASA5510 and RDP

todd — Mon, 11 Mar 2019 21:19:28 GMT

Hello all,

Recently implemented an ASA5510 and as a total noob on this device I cannot setup RDP access. I've browsed these and other forums and tried all the suggestions that I've been able to find and still no luck. Any help from those of you with more experience would greatly be appreciated.

Below is my running config. I have a spare external static ip that i can use 24.xx.xx.57, but would prefer to use the IP of the outside1 interface 24.xx.xx.53. I need access to 3 different machines and was thinking of using ports 3388, 3389 and 3390.

Thanks!!

Result of the command: "show running-config"

: Saved

ASA Version 8.2(1)

hostname ASA5510

enable password xxx encrypted

passwd xxx encrypted

names

interface Ethernet0/0

nameif outside1

security-level 0

ip address 24.xx.xx.53 255.255.255.240

interface Ethernet0/1

speed 100

duplex full

nameif outside2

security-level 100

ip address 172.xx.xx.1 255.255.255.240

interface Ethernet0/2

nameif inside1

security-level 100

ip address 192.168.30.10 255.255.255.0

interface Ethernet0/3

speed 100

duplex full

nameif inside2

security-level 100

ip address 192.168.40.2 255.255.255.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network LV_SERVERS

network-object host 8.xx.xx.30

network-object host 8.xx.xx.32

network-object host 8.xx.xx.33

network-object host 8.xx.xx.37

network-object host 8.xx.xx.39

object-group network SQPEZZ_NETWORK

network-object 192.168.40.0 255.255.255.0

access-list inside2_access_out extended permit ip any any

access-list inside2_access_out extended permit icmp any any

access-list inside2_access_out extended permit tcp any any

access-list outside1_access_out extended permit ip any any

access-list inside2_access_in extended permit ip any any

access-list inside2_access_in extended permit icmp any any

access-list inside2_access_in extended permit tcp any any

access-list inside1_access_in extended permit ip any any

access-list inside1_access_in extended permit icmp any any

access-list inside1_access_in extended permit tcp any any

access-list outside2_access_in extended permit ip any any

access-list inside1_access_out extended permit ip any any

access-list inside1_access_out extended permit icmp any any

access-list inside1_access_out extended permit tcp any any

access-list VPN-TO-LV extended permit ip object-group SQPEZZ_NETWORK object-group LV_SERVERS

access-list IPSEC-TO-LV extended permit ip host 24.xx.xx.56 object-group LV_SERVERS

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside1 1500

mtu inside2 1500

mtu outside2 1500

mtu outside1 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside2) 1 interface

global (outside1) 1 interface

global (outside1) 2 24.xx.xx.56

nat (inside1) 1 192.168.30.0 255.255.255.0

nat (inside2) 2 access-list VPN-TO-LV

nat (inside2) 1 192.168.40.0 255.255.255.0

static (inside1,inside2) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

static (inside2,inside1) 192.168.40.0 192.168.40.0 netmask 255.255.255.0

access-group inside1_access_in in interface inside1

access-group inside1_access_out out interface inside1

access-group inside2_access_in in interface inside2

access-group inside2_access_out out interface inside2

access-group outside2_access_in in interface outside2

access-group outside1_access_out out interface outside1

route outside1 0.0.0.0 0.0.0.0 24.xx.xx.49 1

route outside2 10.xx.xx.0 255.255.255.0 172.xx.xx.2 1

route outside2 172.xx.xx.0 255.255.255.0 172.xx.xx.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.30.0 255.255.255.0 inside1

http 192.168.40.0 255.255.255.0 inside2

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map VPN_MAP 1 match address IPSEC-TO-LV

crypto map VPN_MAP 1 set peer 4.xx.xx.48

crypto map VPN_MAP 1 set transform-set ESP-AES-256-SHA

crypto map VPN_MAP 1 set security-association lifetime seconds 86400

crypto map VPN_MAP 1 set security-association lifetime kilobytes 10000

crypto map VPN_MAP interface outside1

crypto isakmp enable outside1

crypto isakmp policy 5

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet 192.168.40.0 255.255.255.0 inside2

telnet timeout 5

ssh 192.168.40.0 255.255.255.0 inside2

ssh timeout 5

ssh version 2

console timeout 0

dhcpd address 192.168.1.2-192.168.1.5 management

dhcpd enable management

dhcpd address 192.168.30.30-192.168.30.120 inside1

dhcpd dns 10.xx.xx.170 10.xx.xx.170 interface inside1

dhcpd enable inside1

dhcpd address 192.168.40.15-192.168.40.100 inside2

dhcpd dns 10.xx.xx.170 10.xx.xx.170 interface inside2

dhcpd enable inside2

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username xxx password xxx encrypted privilege 15

tunnel-group 4.xx.xx.48 type ipsec-l2l

tunnel-group 4.xx.xx.48 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

ASA5510 and RDP

Maykol Rojas — Wed, 31 Aug 2011 23:53:22 GMT

Have you tried this?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

Mike

ASA5510 and RDP

todd — Thu, 01 Sep 2011 00:16:37 GMT

Mike,

I've reviewed that documentation, but can't make heads or tails of it.

I understand the 20.1.1.10 external ip address and the 172.16.11.10 internal ip but I get lost with the 209.165.200.10

I have only an external ip address 24.xx.xx.53 and a couple internal ip's 192.168.30.xx's

I'd appreciate any clarification that you might be able to offer.

Thanks.

ASA5510 and RDP

todd — Thu, 01 Sep 2011 00:34:51 GMT

I've added the following to the config, but it still doesn't work.

object-group service RDP tcp

port-object eq 3389

access-list outside1_access_in extended permit tcp any any object-group RDP

static (inside1,outside1) tcp interface 3389 192.168.30.210 3389 netmask 255.255.255.255

ASA5510 and RDP

Maykol Rojas — Thu, 01 Sep 2011 00:38:03 GMT

Ohh,

But that 20.1.1.10 is the host on the internet that is trying to access your RDP server, it is just an access list to restrict the guys who are going to access your RDP server, for example here,

This is the access list, this says that only host 20.1.1.10 on the internet will be able to talk to the RDP server on the RDP server port

access-list outside_access_in extended permit tcp host 20.1.1.10 host 209.165.200.10 eq 3389

This is the NAT so the outside users can reach the server

static (inside,outside) 209.165.200.10 172.16.11.10 netmask 255.255.255.255

And this is the access list applied to the interface where the packet is coming from

access-group outside_access_in in interface outside

If you have nay further questions let me know.

Mike

ASA5510 and RDP

Maykol Rojas — Thu, 01 Sep 2011 00:39:47 GMT

You need to apply the access-group

access-group outside1_access_in in interface outside1

Mike

ASA5510 and RDP

todd — Thu, 01 Sep 2011 01:26:15 GMT

Mike,

So I have now applied the following:

object-group service RDP tcp

port-object eq 3389

access-list outside1_access_in extended permit tcp any any object-group RDP

static (inside1,outside1) tcp interface 3389 192.168.30.210 3389 netmask 255.255.255.255

access-group outside1_access_in in interface outside1

and clear xlate but still no success.

ASA5510 and RDP

Maykol Rojas — Thu, 01 Sep 2011 01:51:46 GMT

Ok,

Try this,

packet-tracer input outside1 tcp 4.2.2.2 1025 24.x.x.53 3389

Change the x for the outside1 IP... That would simulate a packet coming through the ASA with port 3389. I want to check if the firewall would allow it or deny it.

Mike

Re: ASA5510 and RDP

todd — Thu, 01 Sep 2011 01:54:59 GMT

Results:

Result of the command: "packet-tracer input outside1 tcp 4.2.2.2 1025 24.x.x.53 3389"

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside1,outside1) tcp interface 3389 192.168.30.210 3389 netmask 255.255.255.255

match tcp inside1 host 192.168.30.210 eq 3389 outside1 any

static translation to 24.x.x.53/3389

translate_hits = 0, untranslate_hits = 3

Additional Information:

NAT divert to egress interface inside1

Untranslate 24.x.x.53/3389 to 192.168.30.210/3389 using netmask 255.255.255.255

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside1_access_in in interface outside1

access-list outside1_access_in extended permit tcp any any object-group RDP

object-group service RDP tcp

port-object eq 3389

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside1_access_out out interface inside1

access-list inside1_access_out extended permit ip any any

Additional Information:

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside1,outside1) tcp interface 3389 192.168.30.210 3389 netmask 255.255.255.255

match tcp inside1 host 192.168.30.210 eq 3389 outside1 any

static translation to 24.x.x.53/3389

translate_hits = 0, untranslate_hits = 3

Additional Information:

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside1,inside2) 192.168.30.0 192.168.30.0 netmask 255.255.255.0

match ip inside1 192.168.30.0 255.255.255.0 inside2 any

static translation to 192.168.30.0

translate_hits = 1869, untranslate_hits = 9376

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 5408732, packet dispatched to next module

Result:

input-interface: outside1

input-status: up

input-line-status: up

output-interface: inside1

output-status: up

output-line-status: up

Action: allow

ASA5510 and RDP

Maykol Rojas — Thu, 01 Sep 2011 02:08:03 GMT

Certainly seems like is not the ASA which is dropping them

Do you have time for some capturing? I'll be online for a couple of hours so I can check them....

do the following:

capture out interface outside1 match tcp any any eq 3389

capture in interface inside1 match tcp any any eq 3389

Try to connect via RDP, once it fails, go ahead and do the following:

show cap out

show cap in

Copy the output and paste it here, feel free to mask the IPs.

Mike...

Re: ASA5510 and RDP

todd — Thu, 01 Sep 2011 02:12:43 GMT

Result of the command: "show cap out"

0 packet captured

0 packet shown

Result of the command: "show cap in"

9 packets captured

1: 19:04:55.283341 192.168.30.200.3389 > 192.168.40.5.64885: P 2811343421:2811343538(117) ack 3776020312 win 258

2: 19:04:55.490529 192.168.40.5.64885 > 192.168.30.200.3389: . ack 2811343538 win 253

3: 19:05:06.450660 192.168.30.200.3389 > 192.168.40.5.64885: P 2811343538:2811343591(53) ack 3776020312 win 258

4: 19:05:06.650006 192.168.40.5.64885 > 192.168.30.200.3389: . ack 2811343591 win 253

5: 19:05:09.872910 192.168.40.5.64885 > 192.168.30.200.3389: P 3776020312:3776020365(53) ack 2811343591 win 253

6: 19:05:09.873917 192.168.30.200.3389 > 192.168.40.5.64885: P 2811343591:2811343660(69) ack 3776020365 win 258

7: 19:05:10.079005 192.168.40.5.64885 > 192.168.30.200.3389: . ack 2811343660 win 253

8: 19:05:26.468527 192.168.30.200.3389 > 192.168.40.5.64885: P 2811343660:2811343713(53) ack 3776020365 win 258

9: 19:05:26.670497 192.168.40.5.64885 > 192.168.30.200.3389: . ack 2811343713 win 258

9 packets shown

Not sure what's up with the 192.168.30.200 since I configured for 192.168.30.210

ASA5510 and RDP

Maykol Rojas — Thu, 01 Sep 2011 02:19:38 GMT

I dont see the packets arriving to the outside interface... when you do the RDP you are doing it to the 24 not the 192 address right?

Mike

Re: ASA5510 and RDP

todd — Thu, 01 Sep 2011 02:39:02 GMT

Yes I was, but I was trying to log in from an internal machine with the external IP address.

Once I tried from an off network machine it worked correctly and I was able to quickly configure the natting for a couple additional external ports and internal ip's

Apparently using the external ip address from an internal machine requires additional configurations that we don't really need to explore since it's not a necessary function.

I appreciate all your help with this!!

ASA5510 and RDP

Maykol Rojas — Thu, 01 Sep 2011 02:42:21 GMT

Hi,

Exactly, if you try to access the RDP from inside using the public IP, it will actually give you an error, that is what is called U-Turning or Hairpinning which as you suggested requires additional configuration.

If you want to configure that in the future just come back to this forum, I will help you out with that.

For now I think that it would be it.

Glad it worked.

Mike