topic Re: ASA 5510 + RDP issues in Network Security

ASA 5510 + RDP issues

Bert Kelchtermans — Mon, 11 Mar 2019 19:45:14 GMT

Hi all

A while back I had a problem with using active ftp trough our ASA 5510.

Thanks to he help on this forum, the problem got solved.

Topic: https://supportforums.cisco.com/thread/2053280

Now active ftp works fine, but now we are not able to use RDP to clients/server to other subnets.

If anyone has an idea, please let me know.

Regards

Bert

Re: ASA 5510 + RDP issues

Jennifer Halim — Sat, 05 Feb 2011 10:36:07 GMT

Can you please advise where you are trying to RDP to and from? If you can share the subnets that you are trying to RDP to and from, we can check the configuration to make sure whether it is config error or it might be something else. Thanks.

Re: ASA 5510 + RDP issues

Bert Kelchtermans — Sat, 05 Feb 2011 10:50:09 GMT

Ok, It happens we try to use RD between the 192.0.0.0, 192.0.2.0, 192.0.4.0, 192.0.6.0 subnets.

Regards, Bert

Re: ASA 5510 + RDP issues

Jennifer Halim — Sat, 05 Feb 2011 11:06:57 GMT

All those subnets are actually behind the ASA, and it doesn't pass through the ASA at all therefore, RDP between the subnets should works.

I would check if personal firewall is enabled on the RDP server as that is one of the issue that blocks inbound RDP access. Please turn off the firewall and test the connectivity again. Further to that, please also check if RDP service has been enabled.

Re: ASA 5510 + RDP issues

Bert Kelchtermans — Sat, 05 Feb 2011 11:55:35 GMT

Ok, let me explain, RDP always worked as desired until I changed the settings to allow active ftp

as suggsted in this topic: https://supportforums.cisco.com/thread/2053280

Now active FTP works, RDP doesn't.

When I configure:

class class-default
set connection advanced-options tcp-state-bypass
inspect ftp

RDP works, connecting to a FTPserver with active FTP fails.

The configuration of the servers, and their firewalls haven't changed.

Thanks, Bert

Re: ASA 5510 + RDP issues

Jennifer Halim — Sat, 05 Feb 2011 12:12:54 GMT

Looks like default gateway for the 192.0.0.0/24 subnet might have been the ASA and by configuring "set connection advanced-options tcp-state-bypass", RDP will work. You can configure "set connection advanced-options tcp-state-bypass" but don't configure "inspect ftp" as you have configured previously, ie: just re-add "set connection advanced-options tcp-state-bypass" into the class class-default, however, don't worry about the "inspect ftp".

that should resolve the issue.

Re: ASA 5510 + RDP issues

Bert Kelchtermans — Wed, 09 Feb 2011 08:40:47 GMT

I configured the ASA as suggested, but active ftp still doesn't work.

If you have anymore idea's please let me know.

Thanks

Re: ASA 5510 + RDP issues

Jennifer Halim — Wed, 09 Feb 2011 10:16:08 GMT

Can you please add the following:

policy-map global_policy
class inspection_default

inspect ftp

Is the RDP working now?

Re: ASA 5510 + RDP issues

Bert Kelchtermans — Wed, 09 Feb 2011 10:26:23 GMT

RDP is working even without

policy-map global_policy
class inspection_default

inspect ftp

Now my previous problem of the active FTP has returned.

With the asa 5510 as default gateway, we are unable to use active ftp.

Regards

Re: ASA 5510 + RDP issues

Jennifer Halim — Wed, 09 Feb 2011 10:34:06 GMT

How did the active FTP issue get resolved last time? I checked the forum: https://supportforums.cisco.com/thread/2053280 however, I don't see any confirmation nor what has resolved the issue of active FTP.

As KS has suggested, did removing the following resolve the issue:

I am not sure what this below section is doing in the config. I'd remove it.
class class-default
set connection advanced-options tcp-state-bypass
inspect ftp

policy-map global_policy
class class-default
no set connection advanced-options tcp-state-bypass
no inspect ftp

exit

no class class-default

There is no inspection for RDP, so RDP should have worked despite any changes to the FTP configuration because they are running on different ports.

Re: ASA 5510 + RDP issues

Bert Kelchtermans — Wed, 09 Feb 2011 11:05:14 GMT

When i remove those lines RDP from the 192.0.0.0 subnet to the 192.0.2.0, 192.0.4.0, 192.0.6.0 is not possible.

Regards, Bert

Re: ASA 5510 + RDP issues

Jennifer Halim — Thu, 10 Feb 2011 04:41:52 GMT

It should work just fine if you change the default gateway for hosts in the 192.0.0.0/24 subnet from 192.0.0.40 to 192.0.0.187.

And on the 192.0.0.187 router, configure its default gateway to be 192.0.0.40.

Re: ASA 5510 + RDP issues

Bert Kelchtermans — Thu, 10 Feb 2011 07:34:16 GMT

The router with the address 192.0.0.187, isn't used in our internal network, it is a router

placed by one of out manufacturers to monitor some machines.

We do not control it, and do not use it, I just had to forward some ports to it.

The internal network uses the 192.0.0.40 as default gateway.

Regards

Re: ASA 5510 + RDP issues

Jennifer Halim — Thu, 10 Feb 2011 07:40:15 GMT

Actually, sorry, i was wrong earlier, you should change the default gateway to 192.0.0.25 instead. This will be the correct router as all the192.0.2.0/24, 192.0.4.0/24 and 192.0.6.0/24 are being forwarded to 192.0.0.25 as follows on the firewall:

route inside 192.0.2.0 255.255.255.0 192.0.0.25 1
route inside 192.0.4.0 255.255.255.0 192.0.0.25 1
route inside 192.0.6.0 255.255.255.0 192.0.0.25 1