topic Re: Can't Remote Desktop in Network Security

Can't Remote Desktop

mengxi zhang — Fri, 21 Feb 2020 17:19:02 GMT

ASA5520 running in 8.4(4)1

A win2012R2 server can be reached by windows remote desktop in Lan. Using Static NAT it outside and permit port in ACL. Telnet can access the server RD port at 3389 but windows RD doesn't work from internet. What's wrong with it? Who can kindly help me? Thanks!

Re: Can't Remote Desktop

balaji.bandi — Thu, 18 Jul 2019 17:50:38 GMT

Since we do not see the Logs what is wrong to confirm,

can you post the Logs while you connecting from outside to inside RDP Server.

post configuraiton also.

here is the snippet to work.

==========================

object service RDP

service tcp source eq 3389

object network inside-host

host x.x.x.x

nat (inside,outside) source static inside-host interface service RDP RDP

Re: Can't Remote Desktop

Francesco Molino — Thu, 18 Jul 2019 18:10:29 GMT

Hi

Can you share your config please?
Your issue is to access your RDP over Internet? If so can you run the following command and share the output:
packet-tracer input INTERNET tcp 8.8.8.8 12345 RDP-SRV-PUB 3389

Replace INTERNET with the real name of your outside interface and RDP-SRV-PUB with your public IP you're trying to access your RDP server,

Re: Can't Remote Desktop

mengxi zhang — Fri, 19 Jul 2019 06:06:11 GMT

yes, it is same as you. object network new host 192.168.0.250 object network new nat (inside,outside) static *.*.*.*(a public IP) Telnet can access ports 3389 or 8082 of the NAT server from Internet. Exploers can also access the WEB service at 8082. But windows RD can't work.

Re: Can't Remote Desktop

mengxi zhang — Fri, 19 Jul 2019 06:21:10 GMT

Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: object network new2 nat (inside,outside) static 219.143.34.200 Additional Information: NAT divert to egress interface inside Untranslate 219.143.34.200/1234 to 192.168.0.250/1234 Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group in in interface outside access-list in extended permit tcp any any Additional Information: Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 5 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 6 Type: NAT Subtype: rpf-check Result: ALLOW Config: object network new2 nat (inside,outside) static 219.143.34.200 Additional Information: Phase: 7 Type: USER-STATISTICS Subtype: user-statistics Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: USER-STATISTICS Subtype: user-statistics Result: ALLOW Config: Additional Information: Phase: 10 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 10189590, packet dispatched to next module Result: input-interface: outside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: allow By the way, the server RD port has been changed to 1234.

Re: Can't Remote Desktop

balaji.bandi — Fri, 19 Jul 2019 07:00:20 GMT

just confirm, is the RDP works Locally ?

Re: Can't Remote Desktop

mengxi zhang — Fri, 19 Jul 2019 13:03:07 GMT

RD is working well in the LAN

Re: Can't Remote Desktop

Francesco Molino — Fri, 19 Jul 2019 15:00:48 GMT

I'm sorry the output is not readable, if you can paste it use the reply button instead of quick reply or put the output into a text file it would be helpful.

It looks like everything is ok. Can you share your config and can you run the command using the real RDP port please?