ASA Cannot connect to internal server

Mokhalil82
Level 4

Hi

I have an HA pair of firewalls with a single public IP. On the inside I just have a directly connected network with a /24 subnet. I host a few management applications on the internal network and a Windows Server.

I want to RDP into my Windows Server from the outside, from which I will then be able to access my management applications.

So my Windows server's IP is 10.10.10.1, and say my external IP is x.x.x.x.

I have the following config on the ASA, but still cannot RDP into my server; it tries to connect, then fails after a short while.

object network ManagementServer
 host 10.10.10.1
 nat (inside,outside) static interface service tcp 3389 3389

access-list Outside_In extended permit tcp any object ManagementServer eq 3389

access-group Outside_In in interface outside

When I run the show commands, I can see the access-list gets a hit every time I try to RDP, and the NAT count for untranslate_hits goes up; I'm not sure if it should be the translate_hits that increments instead.

Not sure if the config is the issue or the issue is elsewhere. Thanks

5 Replies

Jon Marshall
Hall of Fame

Is the default gateway of the server the ASA?

If so, can you post the output of -

"packet-tracer input outside tcp 8.8.8.8 12345 <public IP> 3389"

Jon

Hi Jon

Yes, the gateway of the server is on the ASA inside interface, so it's a directly connected network.

I cannot access the ASA at this moment as it's locked down to only allow access from the office using the office external IP. I will however apply that command tomorrow when I'm in the office.

Thanks

Hi Jon, here is the output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Mgmt_Server
 nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 91.226.181.136/3389 to 10.57.254.1/3389

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa# packet-tracer input outside tcp 8.8.8.8 1234 91.226.181.136 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Mgmt_Server
 nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/3389 to 10.10.10.1/3389

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
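As an added example (not from the thread, and not a Cisco tool), a small Python triage helper for packet-tracer output like the one above: it splits the trace into phases, reports which phase dropped the flow and on which rule, and checks that the UN-NAT phase mapped the public socket to the inside host:port the NAT was meant to reach. The sample trace is the redacted output from this thread, abridged; the expected inside socket 10.10.10.1/3389 is taken from the original post.

```python
import re
# Constructed sample: the redacted packet-tracer output posted in this thread, abridged.
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network Mgmt_Server
 nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
Untranslate x.x.x.x/3389 to 10.10.10.1/3389

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
KEYS = {"Type", "Subtype", "Result", "Config", "Additional Information"}
def parse_phases(trace):
    # One dict per "Phase: N" block: labelled lines become keys, unlabelled lines
    # (config text, NAT details) go under "Body". A bare "Result:" ends the phases.
    phases, cur = [], None
    for line in trace.splitlines():
        key, _, val = line.partition(":")
        if key == "Phase":
            phases.append(cur := {"Phase": int(val), "Body": []})
        elif line.strip() == "Result:":
            cur = None
        elif cur is not None and line.strip():
            if key in KEYS:
                cur[key] = val.strip()
            else:
                cur["Body"].append(line.strip())
    return phases

def triage(trace, expected_inside):
    # Where did the flow die, on which rule, and did UN-NAT map to the host we expect?
    phases = parse_phases(trace)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    unnat = " ".join(b for p in phases if p.get("Type") == "UN-NAT" for b in p["Body"])
    target = re.search(r"Untranslate \S+ to (\S+)", unnat)
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    return {"nat_ok": bool(target) and target.group(1) == expected_inside,
            "drop_phase": drop["Type"] if drop else None,
            "drop_config": drop["Body"][0] if drop and drop["Body"] else None,
            "drop_reason": reason.group(1) if reason else None}
```

Read together, nat_ok being True with a DROP in the ACCESS-LIST phase on "Implicit Rule" says the translation is right and the configured access-list did not match the traced flow, which narrows the search to the ACL, its object reference and the interface it is applied to.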

Can you post the ASA configuration?

Jon

The access rules and NATs were actually correct, as I tested by allowing all traffic and RDP was still dropping. It turned out that the actual Windows server did not accept RDP connections; once I enabled the rule on the server I managed to RDP to it.

Thanks for the help
