ASA 5505 public server rules - worked then stopped working

davidcampitelli (Level 1)

I have an ASA 5505 running in a live environment.

In the past an RDP 3389 port forward was in place to allow external users to access the Terminal Server.

We then experienced a DDoS on RDP and instead of just deactivating the rules, they were removed.

Now we need to re-enable the remote access but no matter what I do, connections from the outside do not make it inside.

Packet Trace of the Access Rule from outside to the internal Terminal Server succeeds.

Packet Trace of the NAT Rules in both directions passes.

but Packet Trace on Service Policy Rules does not:

Type - ACCESS-LIST   Action - DROP

I am connecting through ASDM and trying to troubleshoot the problem, and I am having a difficult time finding where I can modify the access list to allow 3389 through.

10 Replies

Jouni Forss (VIP Alumni)

Hi,

The ACL / access-list is configured in the following place in ASDM:

Configuration (top bar) --> Firewall (bottom left) --> Access Rules (middle left)

This should open the view for all the ACLs on the ASA.

Do you only use ASDM? Not the CLI at all?

- Jouni

I have access to the command line but I must admit that I have inherited this device and am not trained in the CLI.

I am doing research on the Cisco website to identify commands and syntax that will help; I am posting to get some advice on the next steps.

Hi,

The rule you are making would seem to me to be the correct one.

I guess you are using objects for both the host behind the firewall and the service.

As long as the service under the object RDP is tcp/3389 then I guess there should be no problem. Have you inserted the ACL rule and tried the connect again yet?

If you want to take a look at some information related to the new NAT configuration format of software 8.3 (and newer) then have a look at a document on these forums I recently made.

https://supportforums.cisco.com/docs/DOC-31116

Though the document only has examples of the CLI format configurations.

- Jouni

Alternatively you can give us the CLI format configurations of the ASA at the moment and we can look through them and suggest which commands you need to insert to correct the ASA configurations.

- Jouni

enable
configure terminal
show running-config

: Saved
:
ASA Version 8.4(3)
!
hostname ASA-1
domain-name something.local
enable password My2iOgBs/OUwK6OX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 description Connected to Linksys G49
 switchport access vlan 10
 switchport trunk allowed vlan 1,10,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 110
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport trunk allowed vlan 1,10,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,10,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif MGMT
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 backup interface Vlan110
 nameif outside
 security-level 0
 ip address 24.43.86.26 255.255.255.248
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan100
 nameif VoIP
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan110
 nameif BACKUP_ISP
 security-level 0
 ip address 69.163.53.50 255.255.255.240
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name Schecter.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside
 subnet 10.0.0.0 255.255.255.0
object network Linksys
 host 192.168.1.15
object network VoIP
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_25
 subnet 192.168.10.0 255.255.255.128
object network CAS2K8
 host 10.0.0.3
 description CAS2K8
object network 192.168.1.53
 host 192.168.1.53
object service RDP
 service tcp source eq 3389 destination eq 3389
object network Terminal
 host 10.0.0.8
object network A_24.43.86.25
 host 24.43.86.25
access-list outside_access extended permit object RDP 24.43.86.24 255.255.255.248 object Terminal
access-list SchecterVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list SchecterVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SchecterVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list Schecter_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu MGMT 1500
mtu outside 1500
mtu inside 1500
mtu VoIP 1500
mtu BACKUP_ISP 1500
ip local pool VLAN_10 192.168.10.10-192.168.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_192.168.10.0_25 NETWORK_OBJ_192.168.10.0_25 no-proxy-arp route-lookup
!
object network Inside
 nat (any,outside) dynamic pat-pool interface
object network VoIP
 nat (any,outside) dynamic pat-pool interface
object network Terminal
 nat (inside,outside) static 24.43.86.24
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 24.43.86.25 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
...


Hi,

Change the ACL to:

access-list outside_access extended permit tcp any host 10.0.0.8 eq 3389

Hope this helps.

-Akshay

Unfortunately it does not.

The packet trace on that access rule passes,

but it will still not allow external access to the Terminal Server.

Hi,

Provided that the internal IP address of 10.0.0.8 and the public IP address 24.43.86.24

Then your Static NAT configurations seem correct.

The original ACL was wrong as it only allowed traffic from source port TCP/3389 to destination port TCP/3389

The above ACL line suggested by Akshay is the correct option.

I would next attempt the actual connection and see what the TCP connection teardown message says. If it says SYN Timeout then the server just ain't responding to TCP connection forming at all.

- Jouni

The gateway is 24.43.86.25.

The first usable address (and the interface labeled "outside") is 24.43.86.26.

Hi,

You have the following Static NAT configuration (although the ASA CLI configuration format shows it separately)

object network Terminal

host 10.0.0.8

nat (inside,outside) static 24.43.86.24

Which does Static NAT for 10.0.0.8 to the public IP address 24.43.86.24

So it seems to me that you have the wrong public IP address configured in the Static NAT command then? Since your network is 24.43.86.24/29

- Jouni
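To make the two findings from this thread checkable rather than eyeballed, here is an added example (my own code, not part of the thread and not Cisco tooling) that audits a constructed excerpt of the posted configuration. It flags the RDP service object that pins the client's source port to 3389, which Jouni identified as the reason the original ACL never matched live traffic, and the static NAT to 24.43.86.24, which is the network address of the 24.43.86.24/29 outside subnet. It also emits the replacement ACL entry in the form Akshay gave. The parser, function names and the keyword-based block grouping are assumptions of this example; the excerpt deliberately has its indentation stripped, as in the post.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread, with the
# child-line indentation dropped as it was in the post.
ASA_CONFIG = """\
interface Vlan2
nameif outside
security-level 0
ip address 24.43.86.26 255.255.255.248
object service RDP
service tcp source eq 3389 destination eq 3389
object network Terminal
host 10.0.0.8
access-list outside_access extended permit object RDP 24.43.86.24 255.255.255.248 object Terminal
object network Terminal
nat (inside,outside) static 24.43.86.24
access-group outside_access in interface outside
"""

# First words of lines that belong to the preceding interface/object block.
CHILD_KEYWORDS = {"nameif", "security-level", "ip", "host", "subnet",
                  "service", "nat", "description"}


def parse_config(text):
    """Group child lines under their parent block.  ASA indents children by
    one space but pasted configs often lose it, so key on the first word."""
    cfg = {"interfaces": {}, "objects": {}, "acl": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        words = line.split()
        if words[0] == "interface":
            current = cfg["interfaces"].setdefault(words[1], {})
        elif words[0] == "object" and len(words) >= 3:
            # 'object network X' appears twice (host, then nat): merge them.
            current = cfg["objects"].setdefault(words[2], {"type": words[1]})
        elif words[0] == "access-list":
            cfg["acl"].append(line)
            current = None
        elif current is not None and words[0] in CHILD_KEYWORDS:
            current.setdefault(words[0], []).append(line)
        else:
            current = None
    return cfg


def source_port_findings(cfg):
    """Service objects that restrict the SOURCE port, with the ACL entries
    using them.  Real clients use an ephemeral source port, so such an entry
    never matches a live session; packet-tracer can still pass when the
    trace is run with source port 3389."""
    pinned = {}
    for name, obj in cfg["objects"].items():
        for svc in obj.get("service", []):
            m = re.search(r"\bsource eq (\S+)", svc)
            if m:
                pinned[name] = m.group(1)
    return [(name, port, entry) for entry in cfg["acl"]
            for name, port in pinned.items() if f" object {name} " in entry]


def outside_subnet(cfg, nameif="outside"):
    """IPv4Network of the interface carrying the given nameif, or None."""
    for iface in cfg["interfaces"].values():
        names = [n.split()[1] for n in iface.get("nameif", [])]
        if nameif in names and iface.get("ip"):
            _, _, addr, mask = iface["ip"][0].split()
            return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return None


def static_nat_findings(cfg):
    """Static NAT mapped addresses equal to the network or broadcast address
    of the outside subnet: neither is usable as a host address."""
    subnet = outside_subnet(cfg)
    findings = []
    if subnet is None:
        return findings
    for name, obj in cfg["objects"].items():
        for nat in obj.get("nat", []):
            m = re.search(r"\bstatic (\d+\.\d+\.\d+\.\d+)\b", nat)
            if not m:
                continue
            mapped = ipaddress.IPv4Address(m.group(1))
            if mapped in (subnet.network_address, subnet.broadcast_address):
                findings.append((name, str(mapped), str(subnet)))
    return findings


def suggested_acl(cfg, obj_name, acl_name="outside_access", port=3389):
    """Replacement entry in the form Akshay gave: real (inside) address as
    destination, destination port only, client source port unrestricted."""
    real_ip = cfg["objects"][obj_name]["host"][0].split()[1]
    return f"access-list {acl_name} extended permit tcp any host {real_ip} eq {port}"


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    for name, port, entry in source_port_findings(cfg):
        print(f"service object {name} pins source port {port}; used by: {entry}")
        print("  suggested:", suggested_acl(cfg, "Terminal"))
    for name, mapped, subnet in static_nat_findings(cfg):
        print(f"object {name}: static NAT to {mapped} is the network/broadcast "
              f"address of {subnet}; use a usable host address instead")
```

Running it on the excerpt reports the RDP object and the 24.43.86.24 mapping; on a corrected configuration (a `permit tcp any host 10.0.0.8 eq 3389` entry and a static NAT to a usable address in the /29) both finding lists come back empty, which is the state to verify before re-running the packet trace.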
