Julio,

Thank you for your reply. I don't understand what you mean. Kindly please give me an example of your suggestion based on the RDP section of my configuration file.

Hello Michael,

The configuration its fine, the only problem I could see is the Object service configuration, instead of using :

service tcp destination eq 3389

USE

service tcp source eq 3389

Regards,

Please rate helpful posts

Julio

Julio,

I have applied your suggested change:

object service RDP

service tcp source eq 3389

I then copied running config to startup config, cleared xlate and reloaded. Port forwarding is still not working.

I can ping the outside interface, I have remote access by vpn client but no port forwarding pleasure.

Any other suggestions?

Regards,

I look forward to fully rating a helpful post.

Michael

Hello Michael,

Here is what you need to have on the configuration, until you have this, the connections coming from the outside to port 3389  on  the outside IP address are not going to work:

object network SBS-RDP

host 192.168.23.18

object service RDP

service tcp source eq 3389

no nat (outside,inside) source static any any destination static interface SBS-RDP service RDP RDP

nat (inside,outside) 1 source static SBS-RDP interface service  RDP  RDP

192.168.5.0/24

Regards,

Julio

Thanks for your timely reply Julio,

I have enthusiastically applied your suggested changes but no happy ending . Here is a sample of the config file with your suggestions in bold itialics:

object network NETWORK_OBJ_192.168.23.0_24

subnet 192.168.23.0 255.255.255.0

object network NETWORK_OBJ_10.10.10.0_24

subnet 10.10.10.0 255.255.255.0

description IPSec VPN 

object network SBS-SMTP

host 192.168.23.18

object service RDP

service tcp source eq 3389

object service SMTP

service tcp destination eq smtp

object service 987

service tcp destination eq 987

object service HTTPS444

service tcp destination eq 444

object network SBS-RDP

host 192.168.23.18

object network SBS-HTTPS444

host 192.168.23.18

object network SBS-987

host 192.168.23.18

access-list SPS-Remote_SplitTunnelAcl standard permit 192.168.23.0 255.255.255.0

access-list SPS-Remote_SplitTunnelAcl standard permit 10.10.10.0 255.255.255.0

access-list outside_access_in extended permit tcp any object SBS-SMTP eq smtp

access-list outside_access_in extended permit tcp any object SBS-RDP eq 3389

access-list outside_access_in extended permit tcp any object SBS-HTTPS444 eq 444

access-list outside_access_in extended permit tcp any object SBS-987 eq 987

access-list outside_Nat0_outbound extended permit ip any 192.168.23.0 255.255.255.0

access-list inside_Nat0_outbound extended permit ip any 192.168.23.0 255.255.255.0

access-list inside_Nat0_outbound_1 extended permit ip 192.168.23.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 192.168.23.0 255.255.255.0

access-list inside_access_in remark Allow VPN traffic inside

access-list inside_access_in extended permit ip 192.168.23.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_access_in_1 extended permit ip object NETWORK_OBJ_10.10.10.0_24 192.168.23.0 255.255.255.0

access-list outside_access_in_2 extended permit object RDP any any log alerts

access-list outside_access_in_2 extended permit object SMTP any any

access-list outside_access_in_2 extended permit object 987 any any

access-list outside_access_in_2 extended permit object HTTPS444 any any

access-list outside_access_in_2 extended permit ip object NETWORK_OBJ_10.10.10.0_24 object NETWORK_OBJ_192.168.23.0_24

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN-Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

asdm history enable

arp timeout 14400

nat (inside,outside) source static SBS-RDP interface service RDP RDP

nat (any,any) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static NETWORK_OBJ_192.168.23.0_24 NETWORK_OBJ_192.168.23.0_24

nat (outside,inside) source static any any destination static interface SBS-SMTP service SMTP SMTP

nat (outside,inside) source static any any destination static interface SBS-HTTPS444 service HTTPS444 HTTPS444

nat (outside,inside) source static any any destination static interface SBS-987 service 987 987

nat (inside,outside) source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in_2 in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

What could possibly be missing or in need of changing? The ASDM Syslog shows internal and vpn connected activity. How do I configure ASDM to show me the dropped packets from tcp/3389 outside traffic?

Regards,

Michael

Hello Michael,

Is there a way that we could use another IP address instead of the Outside ip address on the Nat.

This traffic is not being sourced from a VPN tunnel right, it is regular traffic comming from the internet.

Now lets do a capture to see what is going on because this should be up and running, in the access-list the xxx is the outside IP address.

access-list capin permit tcp host 76.185.77.99 host 192.168.23.18

access-list capin permit tcp host 192.168.23.18 host 76.185.77.99

access-list capout permit tcp host 76.185.77.99 host xxxxxx

access-list capout permit tcp host xxxx host 76.185.77.99

capture capin access-list capin interface inside

capture capout access-list capout interface outside

capture asp type asp-drop all

Provide the following outputs.

show capture capin

show capture capout

show capture asp

Regards,

Julio

Julio, this traffic is not being sourced from a VPN tunnel. It is regular traffic traversing the internet. There are some other IP addresses provided by my ISP. I could try another if you think the one I'm using is defective. I do not have the luxury of a different public network however.

I have applied your suggested changes (making sure to replace the XXX's with the ISP provided public outside address and here are the results:

Result of the command: "show capture capin"

0 packet captured

0 packet shown

Result of the command: "show capture capout"

0 packet captured

0 packet shown

Result of the command: "show capture asp"

413 packets captured

   1: 18:47:26.728798 9afd.43ad.b4c9 1503.0100.1630 0x80e9 27:  Drop-reason: (np-socket-closed) Dropped pending packets in a closed socket

   2: 18:47:26.729469 802.1Q vlan#1 P0 192.168.23.5.4438 > 192.168.23.3.443: F 2125777054:2125777054(0) ack 2832524426 win 64836 Drop-reason: (tcp-not-syn) First TCP packet not SYN

etcetera, etcetera 

  72: 18:49:25.494954 802.1Q vlan#1 P0 192.168.23.5.137 > 192.168.23.255.137:  udp 50

  73: 18:49:26.244677 802.1Q vlan#1 P0 192.168.23.5.137 > 192.168.23.255.137:  udp 50

Regards,

Michael

Hello Michael,

As you can see on the capture: capin and capout there are no packets, that means the rdp requests are not getting into your ASA.

That is the problem, there is something outhere blocking those packets.

Regards,

Please rate helpful posts.

Julio

Hello Julio,

That something out there blocking the packets happens to be the ASA5505! I can ping the outside address  of the ASA as well as connect to it using the Cisco VPN and SSL client  but 3389 wont pass.

I changed the outside address of the ASA to each of  the other available addresses in the range provided by my ISP with the  same negative result.

I configured a Checkpoint router to forward tcp 3389  with the outside address that had been originally assigned to the ASA  and it successfully forwards the service and continues to do so when  configured with any of the other public addresses provided by my ISP.

If the configuration file is correct then something is wrong with either the ASA5505 or the ASA software.

Your thoughts?

Hello Michael,

You got to focus on this, you are saying the ASA is the one dropping the packets but on the packet we could saw there are no packets going to the outside interface on port 3389. so witch packets are being dropped by the ASA.

Do you see my point???

Regards,

Julio

Hello Julio,

That is exactly what I am saying: The ASA5505 is dropping the packets going to outside interface on port 3389. When I connect a Checkpoint, or DLink, or Juniper, or Netgear or Sonicwall router configured to forward port 3389 I have success. When I connect the ASA5505 I have failure.

So yes, only the ASA5505 and no other brand of router of mine is dropping the packets going to the outside interface on port 3389.

What do I need to do to make this work?

Regards,

Michael

Hello Michael,

I think you do not understand my point, how is the ASA going to drop this packets if those packets are not arriving to the outside interface,

If the ASA were dropping the packets we should be able to see the  packets on the outside interface but none on the inside interface, and this is not the case, we are not seeing packets on any of the ASA interfaces.

Can you do a show capture asp | include xx.xx.xx (xx.xx.xx. is the source ip address of the connection)

This is going to show us the packets being dropped by the asa regarding that particular IP address.

Can you attached the updated and complete configuration file.

Regards,

Julio

Thank you for your patience Julio,

Attached is the updated running config and the results of my capture.

ciscoasa# show capture asp | include 76.185.77.99

   54: 13:14:06.303542 802.1Q vlan#2 P0 76.185.77.99.2274 >  69.15.25.70.3389: S 3941159061:3941159061(0) win 8192

  55: 13:14:09.277909 802.1Q  vlan#2 P0 76.185.77.99.2274 > 69.15.25.70.3389: S  3941159061:3941159061(0) win 8192

  56: 13:14:15.261400 802.1Q vlan#2 P0  76.185.77.99.2274 > 69.15.25.70.3389: S 3941159061:3941159061(0) win  8192

332: 13:20:58.395334 802.1Q  vlan#2 P0 76.185.77.99.1276 > 69.15.25.70.3389: S  2667809503:2667809503(0) win 8192

334: 13:21:01.387553 802.1Q vlan#2 P0  76.185.77.99.1276 > 69.15.25.70.3389: S 2667809503:2667809503(0) win  8192

335:  13:21:07.377711 802.1Q vlan#2 P0 76.185.77.99.1276 >  69.15.25.70.3389: S 2667809503:2667809503(0) win 8192

Regards,

Michael