08-17-2015 01:47 PM - edited 03-11-2019 11:26 PM
Hi
I have an HA pair of firewalls with a single public IP. On the inside I just have a directly connected network with a /24 subnet. I host a few management applications on the internal network and a Windows Server.
I want to RDP into my Windows Server from the Outside, from which I will then be able to access my management applications.
So my Windows server's IP is 10.10.10.1, and say my external IP is x.x.x.x.
I have the following config on the ASA, but still cannot RDP into my server; it tries connecting, then fails after a short while.
object network ManagementServer
host 10.10.10.1
nat (inside,outside) static interface service tcp 3389 3389
access-list Outside_In extended permit tcp any object ManagementServer eq 3389
access-group Outside_In in interface Outside
When I do show commands, I can see the access-list gets a hit every time I try to RDP, and the NAT count for untranslate_hits goes up; not sure if it should be the translate_hits that should increment.
Not sure if the config is the issue or if the issue is elsewhere. Thanks
08-17-2015 01:51 PM
Is the default gateway of the server the ASA ?
If so can you post the output of -
"packet-tracer input outside tcp 8.8.8.8 12345 <public IP> 3389"
Jon
08-17-2015 02:46 PM
Hi Jon
Yes, the gateway of the server is on the ASA inside interface, so it's a directly connected network.
I cannot access the ASA at this moment as it's locked down to only allow access from the office using the office external IP. I will however apply that command tomorrow when I'm in the office.
Thanks
08-18-2015 01:08 AM
Hi Jon, here is the output
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Mgmt_Server
nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 91.226.181.136/3389 to 10.57.254.1/3389
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 91.226.181.136 3389
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Mgmt_Server
nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/3389 to 10.10.10.1/3389
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
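A small parser for packet-tracer output of the shape posted above, added here as an example and not part of the thread or of any Cisco tooling. It pulls out the phase that dropped the flow, whether that phase hit the implicit deny (meaning no explicit entry in the interface ACL matched), and the UN-NAT mapping, so the result can be checked automatically instead of by eye. The sample text and its addresses (203.0.113.10, 10.10.10.1) are constructed to mirror the post.

```python
import re

# Constructed sample mirroring the thread's packet-tracer output (placeholder addresses).
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Mgmt_Server
nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 203.0.113.10/3389 to 10.10.10.1/3389
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split output into per-phase dicts plus the final Action/Drop-reason summary."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "type": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line.startswith("Drop-reason:") or line.startswith("Action:"):
            key = line.split(":", 1)[0].lower().replace("-", "_")
            summary[key] = line.split(":", 1)[1].strip()
        elif cur is None:
            continue                      # lines of the trailing summary block
        elif line.startswith("Type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if value:
                cur["result"] = value
            else:
                cur = None                # bare "Result:" opens the summary block
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line)
    return phases, summary

def diagnose(text):
    """Report where the flow was dropped and what the UN-NAT phase translated."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    unnat = next((p for p in phases if p["type"] == "UN-NAT"), None)
    m = re.search(r"Untranslate (\S+) to (\S+)", " ".join(unnat["info"])) if unnat else None
    return {"dropped_at": (drop["phase"], drop["type"]) if drop else None,
            "implicit_rule": bool(drop and "Implicit Rule" in drop["config"]),
            "untranslate": (m.group(1), m.group(2)) if m else None,
            "drop_reason": summary.get("drop_reason")}
```

Note that packet-tracer only simulates the ASA's own pipeline; an allowed verdict still says nothing about whether the host behind it accepts the connection, which is where this thread ended up.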
08-18-2015 03:59 AM
Can you post ASA configuration ?
Jon
08-23-2015 02:26 PM
The access rules and NATs were actually correct, as I tested by allowing all traffic and RDP was still dropping. It turned out that the actual Windows server did not accept RDP connections; once I enabled the rule on the server I managed to RDP to it.
Thanks for the help