04-08-2013 11:56 AM - edited 03-11-2019 06:25 PM
I have an ASA 5505 running in a live environment
in the past an RDP 3389 port forward was in place to allow external users to access the Terminal Server
We then experienced a DDOS on RDP and instead of just deactivating the rules, they were removed.
Now we need to re-enable the remote access but no matter what I do, connections from the outside do not make it inside
Packet Trace of the Access Rule from outside to the internal Terminal Server succeeds
Packet Trace of the NAT Rules both directions passes
but Packet Trace on Service Policy Rules does not
Type-ACCESS-LIST Action -DROP
I am connecting through ASDM and trying to troubleshoot the problem and I am having a difficult time finding where I can modify the access list to allow 3389 through
04-08-2013 12:01 PM
Hi,
The ACL / access-list are configured under the following place in ASDM
Configuration (top bar) --> Firewall (bottom left) --> Access Rules (middle left)
This should open the view for all the ACL on the ASA
Do you only use ASDM? Not the CLI at all?
- Jouni
04-08-2013 12:07 PM
I have access to the command line but I must admit that I have inherited this device and not trained in the CLI
I am doing research on the CISCO web site to identify commands and syntax that will help, I am posting to get some advice on the next steps
04-08-2013 12:13 PM
Hi,
The rule you are making would seem to me to be the correct one.
I guess you are using object for both the host behind the firewall and the service
As long as the service under the object RDP is tcp/3389 then I guess there should be no problem. Have you inserted the ACL rule and tried the connect again yet?
If you want to take a look at some information related to the new NAT configuration format of software 8.3 (and newer) then have a look at a document on these forums I recently made.
https://supportforums.cisco.com/docs/DOC-31116
Though the document only has examples of the CLI format configurations.
- Jouni
04-08-2013 12:15 PM
Alternatively you can give us the CLI format configurations of the ASA at the moment and we can look through them and suggest which commands you need to insert to correct the ASA configurations.
- Jouni
04-10-2013 02:06 PM
enable
configure terminal
show running-config
: Saved
:
ASA Version 8.4(3)
!
hostname ASA-1
domain-name something.local
enable password My2iOgBs/OUwK6OX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
 description Connected to Linksys G49
 switchport access vlan 10
 switchport trunk allowed vlan 1,10,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 110
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport trunk allowed vlan 1,10,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,10,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif MGMT
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 backup interface Vlan110
 nameif outside
 security-level 0
 ip address 24.43.86.26 255.255.255.248
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan100
 nameif VoIP
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan110
 nameif BACKUP_ISP
 security-level 0
 ip address 69.163.53.50 255.255.255.240
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name Schecter.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Inside
 subnet 10.0.0.0 255.255.255.0
object network Linksys
 host 192.168.1.15
object network VoIP
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_24
 subnet 10.0.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_25
 subnet 192.168.10.0 255.255.255.128
object network CAS2K8
 host 10.0.0.3
 description CAS2K8
object network 192.168.1.53
 host 192.168.1.53
object service RDP
 service tcp source eq 3389 destination eq 3389
object network Terminal
 host 10.0.0.8
object network A_24.43.86.25
 host 24.43.86.25
access-list outside_access extended permit object RDP 24.43.86.24 255.255.255.248 object Terminal
access-list SchecterVPN_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list SchecterVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list SchecterVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list Schecter_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu MGMT 1500
mtu outside 1500
mtu inside 1500
mtu VoIP 1500
mtu BACKUP_ISP 1500
ip local pool VLAN_10 192.168.10.10-192.168.10.100 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_192.168.10.0_25 NETWORK_OBJ_192.168.10.0_25 no-proxy-arp route-lookup
!
object network Inside
 nat (any,outside) dynamic pat-pool interface
object network VoIP
 nat (any,outside) dynamic pat-pool interface
object network Terminal
 nat (inside,outside) static 24.43.86.24
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 24.43.86.25 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes ...
04-10-2013 11:51 PM
Hi,
Change the ACL to:
access-list outside_access extended permit tcp any host 10.0.0.8 eq 3389
Hope this helps.
-Akshay
04-11-2013 12:14 PM
unfortunately it does not
the packet trace on that access rules passes
but it will still not allow external access to the Terminal server
04-11-2013 12:27 PM
Hi,
Provided that the internal IP address of 10.0.0.8 and the public IP address 24.43.86.24
Then your Static NAT configuration seems correct.
The original ACL was wrong as it only allowed traffic from source port TCP/3389 to destination port TCP/3389
The above ACL line suggested by Akshay is the correct option.
I would next attempt the actual connection and see what the TCP connection Teardown message says. If it says SYN Timeout then the server just ain't responding to TCP connection forming at all.
- Jouni
04-11-2013 12:43 PM
the gateway is 24.43.86.25
the first usable ( and interface labeled "outside") is 24.43.86.26
04-11-2013 12:59 PM
Hi,
You have the following Static NAT configuration (although the ASA CLI configuration format shows it separately)
object network Terminal
host 10.0.0.8
nat (inside,outside) static 24.43.86.24
Which does Static NAT for 10.0.0.8 to the public IP address 24.43.86.24
So it seems to me that you have the wrong public IP address configured in the Static NAT command then? Since your network is 24.43.86.24/29
- Jouni
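The two defects the thread converges on (the RDP service object that pins the client's source port, and a static NAT mapped to 24.43.86.24, which is the network address of the outside /29) can both be caught mechanically. The script below is an added example written for this thread, not Cisco code or anything the posters ran; it parses a constructed excerpt of the posted running-config and reports both findings.

```python
import ipaddress

# Constructed excerpt of the running-config posted in the thread: only the
# lines the two checks need (outside interface, RDP service, Terminal NAT).
ASA_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 24.43.86.26 255.255.255.248
object service RDP
 service tcp source eq 3389 destination eq 3389
object network Terminal
 host 10.0.0.8
 nat (inside,outside) static 24.43.86.24
"""

def parse(config):
    """Collect outside subnet, static NAT mapped IPs, source-port services."""
    f = {"net": None, "nat": [], "srcport": []}
    in_outside, svc = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_outside = False
        elif line == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            f["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("object "):
            svc = line.split()[2] if line.startswith("object service ") else None
        elif svc and line.startswith("service ") and " source eq " in line:
            f["srcport"].append(svc)
        elif line.startswith("nat (") and " static " in line:
            f["nat"].append(ipaddress.ip_address(line.split()[-1]))
    return f

def audit(config):
    """Return (kind, detail) findings; an empty list means both checks pass."""
    f, findings = parse(config), []
    for svc in f["srcport"]:
        # Clients use an ephemeral source port, so an ACL on this object never matches.
        findings.append(("source-port-pinned", svc))
    for mapped in f["nat"]:
        if mapped not in f["net"]:
            findings.append(("nat-outside-subnet", str(mapped)))
        elif mapped in (f["net"].network_address, f["net"].broadcast_address):
            # .24 is the network address of 24.43.86.24/29: no SYN ever arrives.
            findings.append(("nat-unusable-address", str(mapped)))
    return findings
```

Swapping the service line for "service tcp destination eq 3389" and the NAT target for a usable host in the /29 makes audit() return an empty list.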