Allowing external access to a secure server via RDP

Group IT
Level 1

Would anyone be able to shed some light on my small problem? It's probably a really simple thing I have overlooked.

I am trying to allow a 3rd party to RDP to one of our servers using a custom port.

I have set up an access rule on our ASA 5515-X using the ASDM (I cannot do CLI).

Rule is as follows:

Source Criteria - Permit - Any

Destination Criteria - internal.server.local - (Service) RDP

Then I have applied a NAT rule as follows:

Match

Source Interface - Internet - Source Address - Any

Destination Interface - LAN - Destination Address - 1.2.3.4 (Our public IP) - Service - Custom RDP

Action

Source NAT Type - Static - Source Address - Original - Destination Address - internal.server.local - Service - RDP

This rule seems to be working, and the logs show that the connection attempt is made, but then it looks like the Windows server on the other end is refusing the connection.

6 Dec 21 2015 11:41:20 302014 4.3.2.1 49927 10.11.200.25 3389 Teardown TCP connection 20126175 for Internet:1.2.3.4/49927 to LAN:10.11.200.25/3389 duration 0:00:30 bytes 0 SYN Timeout

I have double-checked the server: the firewall is off, there is also an exception rule in place to allow RDP connections anyway, and RDP is enabled.

Have I missed something really obvious? Thank you for your time.

5 Replies

Shivapramod M
Level 1

Hi,

This looks like a SYN timeout. I believe the firewall is forwarding the SYN packet to 10.11.200.25 on port 3389 but not getting any response back from the server.

You may have to check the server configuration itself. Does it have a default route configured?

Does RDP work if you try to connect from the same subnet?

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Thank you so much for replying!

Yes, if I connect locally it works with no problems, and I guess the routing on the server is configured correctly, as I can connect out to the internet from it.

Do you know what I should be checking on the server?

I also posted another error message that I have seen this morning, just below my original question. This may help some more.

Group IT
Level 1

This morning I have also noticed the following error:

5 Dec 22 2015 07:34:08 305013 4.3.2.1 49345 10.11.200.25 3389 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src BTnet:1.2.3.4/49345 dst LAN:10.11.200.25/3389 denied due to NAT reverse path failure

Could this be the actual reason it is failing? Can anyone help? Please?

Hi,

Yes, this could be the reason, since the traffic is hitting a different NAT rule in the reverse direction.

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html#pgfId-4771046

You can run packet-tracer on the ASA and check which NAT rule the ASA is considering for out-to-in and for inside-to-outside:

packet-tracer input outside tcp <internet IP> 1234 <mapped IP> <mapped port> detail

Thanks,
Shivapramod M

Can you please post the output of "show nat"? That would show the order in which your NAT rules are being applied.
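The two log lines quoted in this thread (the 302014 "SYN Timeout" teardown and the 305013 "NAT reverse path failure" denial) are the kind of messages an admin ends up grepping out of an ASDM log export. The block below is an added example, not code from this thread or from Cisco: it parses lines in the ASDM real-time log viewer format the poster pasted and maps those two message IDs to the next check each one calls for. The two sample lines are constructed from the thread's own messages (placeholder addresses, not real hosts), and the diagnosis wording is this example's reading of the Cisco syslog guide linked above, not ASA output.

```python
"""Classify Cisco ASA log lines exported from ASDM, for the two message IDs in this thread.

Added example for the thread above, not Cisco's code. Sample lines are constructed
from the messages the poster quoted; diagnosis text is this example's interpretation
of syslog IDs 302014 and 305013, not text the ASA itself emits.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the two lines quoted in the thread.
SAMPLE_LOGS = [
    "6 Dec 21 2015 11:41:20 302014 4.3.2.1 49927 10.11.200.25 3389 Teardown TCP connection "
    "20126175 for Internet:1.2.3.4/49927 to LAN:10.11.200.25/3389 duration 0:00:30 bytes 0 SYN Timeout",
    "5 Dec 22 2015 07:34:08 305013 4.3.2.1 49345 10.11.200.25 3389 Asymmetric NAT rules matched "
    "for forward and reverse flows; Connection for tcp src BTnet:1.2.3.4/49345 dst LAN:10.11.200.25/3389 "
    "denied due to NAT reverse path failure",
]

# ASDM log viewer export layout, as seen in the thread:
# <severity> <Mon> <DD> <YYYY> <HH:MM:SS> <msgid> <src> <sport> <dst> <dport> <message text>
ASDM_LINE = re.compile(
    r"^(?P<severity>\d)\s+(?P<month>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<msgid>\d{6}) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+) (?P<text>.*)$"
)

# Tail of a 302014 teardown: "... duration 0:00:30 bytes 0 SYN Timeout"
TEARDOWN_TAIL = re.compile(r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$")


@dataclass
class AsaEvent:
    msgid: str
    src: str
    sport: int
    dst: str
    dport: int
    text: str
    reason: Optional[str] = None   # teardown reason for 302014, fixed label for 305013
    bytes: Optional[int] = None    # bytes transferred before teardown (302014 only)
    diagnosis: str = ""


def diagnose(ev: AsaEvent) -> str:
    """Map the two message IDs discussed in the thread to the next thing to check."""
    if ev.msgid == "302014" and ev.reason == "SYN Timeout" and ev.bytes == 0:
        # The ASA built the connection and forwarded the SYN, but the handshake never
        # completed: no SYN/ACK came back through the firewall within the duration.
        return (
            f"forward-path: SYN was forwarded to {ev.dst}:{ev.dport} but no SYN/ACK was seen; "
            "check host reachability, the host firewall and the server's return route"
        )
    if ev.msgid == "305013":
        # Outside-to-inside matched one NAT rule, the reverse (inside-to-outside) lookup
        # matched a different one, so the ASA dropped the connection.
        return (
            "nat-asymmetry: forward and reverse flows matched different NAT rules; "
            "compare 'show nat' ordering and run packet-tracer in both directions"
        )
    return "unclassified"


def parse_asdm_line(line: str) -> AsaEvent:
    """Parse one ASDM-exported log line into an AsaEvent with a diagnosis attached."""
    m = ASDM_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASDM log line: {line!r}")
    ev = AsaEvent(
        msgid=m["msgid"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), text=m["text"],
    )
    if ev.msgid == "302014":
        tail = TEARDOWN_TAIL.search(ev.text)
        if tail:
            ev.reason = tail["reason"]
            ev.bytes = int(tail["bytes"])
    elif ev.msgid == "305013":
        ev.reason = "NAT reverse path failure"
    ev.diagnosis = diagnose(ev)
    return ev


def classify_all(lines=SAMPLE_LOGS):
    """Parse every line and return the events; unparseable lines are skipped."""
    events = []
    for line in lines:
        try:
            events.append(parse_asdm_line(line))
        except ValueError:
            continue
    return events


if __name__ == "__main__":
    for ev in classify_all():
        print(f"{ev.msgid} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}  {ev.diagnosis}")
```

Run it against an ASDM log export (one line per event) and the 305013 events point at the NAT ordering question raised in the last reply, while 302014 "SYN Timeout" events with zero bytes point at the server side, which is the distinction the thread works through.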
