Solved: Re: ASA 443 Port Forwarding Issues

Skawilly1 · ‎04-29-2018

Hello. I have a weird issue. I am attempting to RDP from my mobile device to my computer, however my ISP has blocked very many ports. 443, however, is open. VPN is not an option, even for SSL at the moment. I can see traffic hitting the firewall using my RDP through 443 <WAN-IP:443>. The real time log viewer is saying an ACL is blocking the connection. I have tried everything, Including an access list to let any any in interface OUTSIDE and the error is identical. "TCP access denied by ACL from to OUTSIDE". I set http enable server 4433 and I set http 0 0 OUTSIDE to be sure. I do not have ssl vpn enabled. So 443, to my knowledge, is not being used by the Management-Plain. My goal here is to get RDP working over 443 and not change the RDP port. End result should be; RDP hits the OUTSIDE interface of the ASA at port TCP port 443 and is moved to the OFFICE_PC (A.K.A) 172.16.0.7 at TCP port 3389.

Cisco Adaptive Security Appliance Software Version 9.1(3)

Here is my running config:

ASA-5510(config)# show run
: Saved
:
ASA Version 9.1(3)
!
hostname ASA-5510
domain-name skawilly.local
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 172.16.0.1 255.255.0.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
nameif WIFI
security-level 75
ip address 10.0.2.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
domain-name skawilly.local
object network LAN_172
subnet 172.16.0.0 255.255.0.0
object network LAN_192
subnet 192.168.0.0 255.255.255.0
object network LAN_10
subnet 10.10.10.0 255.255.255.0
object network OFFICE_PC
host 172.16.0.7
object service RDP
service tcp source eq 3389
object service HTTPS
service tcp source eq https
access-list DMZ-to-INTERNAL extended permit tcp 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 445
access-list DMZ-to-INTERNAL extended permit udp 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0 eq domain
access-list DMZ-to-INTERNAL extended permit tcp 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0 eq netbios-ssn
access-list DMZ-to-INTERNAL extended deny tcp 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list DMZ-to-INTERNAL extended deny udp 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list DMZ-to-INTERNAL extended permit tcp any any
access-list DMZ-to-INTERNAL extended permit udp any any
access-list DMZ-to-INTERNAL extended permit icmp any any
access-list WIFI-to-LAN extended permit tcp any any
access-list WIFI-to-LAN extended permit icmp any any
access-list WIFI-to-LAN extended permit udp any any
access-list OUT-to-IN extended permit tcp any host 172.16.0.7 eq https
access-list OUT-to-IN extended permit tcp any host 172.16.0.7 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu WIFI 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source dynamic LAN_172 interface
nat (WIFI,OUTSIDE) source dynamic LAN_192 interface
nat (DMZ,OUTSIDE) source dynamic LAN_10 interface
nat (OUTSIDE,INSIDE) source static OFFICE_PC interface destination static interface OFFICE_PC service RDP HTTPS
!
object network OFFICE_PC
nat (INSIDE,OUTSIDE) static interface service tcp 3389 https
access-group OUT-to-IN in interface OUTSIDE
access-group DMZ-to-INTERNAL in interface DMZ
access-group WIFI-to-LAN in interface WIFI
route WIFI 192.168.0.0 255.255.255.0 10.0.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable 4433
http 0.0.0.0 0.0.0.0 INSIDE
http 0.0.0.0 0.0.0.0 OUTSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 INSIDE
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 172.16.0.3 8.8.8.8
dhcpd domain skawilly.com
!
dhcpd address 172.16.0.50-172.16.0.199 INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 69.164.198.192
username will password qOxvBl8VK/1ZfBiB encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a6121f271b1cd1f5de6caa581153af1d
: end

Karsten Iwen · ‎04-29-2018

First you take two actions:

Update your ASA to the latest interims-release of 9.1(7)
correct the NAT. Your statements are in the wrong order:

no nat (INSIDE,OUTSIDE) source dynamic LAN_172 interface
no nat (WIFI,OUTSIDE) source dynamic LAN_192 interface
no nat (DMZ,OUTSIDE) source dynamic LAN_10 interface
no nat (OUTSIDE,INSIDE) source static OFFICE_PC interface destination static interface OFFICE_PC service RDP HTTPS
!
nat (INSIDE,OUTSIDE) after-auto source dynamic LAN_172 interface
nat (WIFI,OUTSIDE) after-auto source dynamic LAN_192 interface
nat (DMZ,OUTSIDE) after-auto source dynamic LAN_10 interface

View solution in original post

Karsten Iwen · ‎04-29-2018

First you take two actions:

Update your ASA to the latest interims-release of 9.1(7)
correct the NAT. Your statements are in the wrong order:

no nat (INSIDE,OUTSIDE) source dynamic LAN_172 interface
no nat (WIFI,OUTSIDE) source dynamic LAN_192 interface
no nat (DMZ,OUTSIDE) source dynamic LAN_10 interface
no nat (OUTSIDE,INSIDE) source static OFFICE_PC interface destination static interface OFFICE_PC service RDP HTTPS
!
nat (INSIDE,OUTSIDE) after-auto source dynamic LAN_172 interface
nat (WIFI,OUTSIDE) after-auto source dynamic LAN_192 interface
nat (DMZ,OUTSIDE) after-auto source dynamic LAN_10 interface

Skawilly1 · ‎04-30-2018

You fixed my issue in like 2 minutes. This is great news.

I have 3 questions for you before I mark it as resolved.

1) My device is not currently supported/no support account. Is there a way I can still update the 'interim'?

2) What caught your eye on the NAT statements that tipped you off? This would very much be helpful to me.

3) I thought ACLs hit first, before NAT statements. Why would my NAT statement order be causing an ACL error?

Thanks again, I spent many hours on the ACLs and never got this going. Your help was invaluable.

Karsten Iwen · ‎04-30-2018

> 1) My device is not currently supported/no support account. Is there a way I can still update the 'interim'?

Yes, you can open a support case by phone and reference the security-Advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa2

> 2) What caught your eye on the NAT statements that tipped you off? This would very much be helpful to me.

The dynamic NAT entries always (or at least in 99,999%) have to be at the end of the NAT rules.

> 3) I thought ACLs hit first, before NAT statements. Why would my NAT statement order be causing an ACL error?

For a working traffic-flow, the connection has to first land on the right NAT- and then on the right access-control entry. With the dynamic NAT at the beginning, this will always match the wrong NAT and as a consequence the Access-control will not work.

Skawilly1 · ‎04-30-2018

Dynamic at the end.

Beautiful work sir.