ASA5505 8.4.2 nat (outside,inside) black hole

mellison
Level 1

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.

The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. Would someone please take a look at my config file and tell me what I'm doing wrong and what I need to change in order to make it work?

Attached is the RDP packet trace and the config file. Thanks in advance for your help.

19 Replies

Hello Michael,

Please take out the attached file (your configuration) in order to provide security to your company.

The configuration seems to me to be the one required; have you tried to do RDP from another PC on the outside?

On the ASP drop we are able to see that the ASA is the one dropping the connections. Can you enable logging, then try to make the connections and see the logs being generated by this connection?

logging enable

logging monitor 7

and then show logging | include xxxx (IP address of the outside interface)

I think there is something that is not expected or secure enough for the ASA on that particular connection.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Here is the log report from my ISP connection and that of someone else on a different ISP connection:

4    Nov 29 2011    14:44:07        64.46.169.26    2715    192.168.23.18    3389    Deny tcp src outside:64.46.169.26/2715 dst inside:192.168.23.18/3389 by access-group "outside_access_in_2" [0x0, 0x0]

4    Nov 29 2011    14:44:01        76.185.77.99    1845    192.168.23.18    3389    Deny tcp src outside:76.185.77.99/1845 dst inside:192.168.23.18/3389 by access-group "outside_access_in_2" [0x0, 0x0]

Regards,

Michael
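The two log rows above are enough to locate the blocking rule by hand, but on a busier ASA the same check is easier done over the whole log dump. The following Python script is an added example and is not part of this thread or of any Cisco tool: it assumes the ASDM log-viewer row layout shown above (severity, date, time, source IP and port, destination IP and port, message), pulls out the access-group deny messages, counts them per ACL and destination, and renders the kind of host-to-host permit ACE a practitioner would then add. The third sample row (a "Built inbound" connection) is constructed here only to show that non-deny rows are skipped.

```python
import re
from collections import Counter

# Constructed sample in the ASDM log-viewer row layout seen in this thread
# (severity, date, time, src ip, src port, dst ip, dst port, message).
# The two Deny rows are the ones posted above; the Built row is made up
# here so the parser has a non-deny line to ignore.
SAMPLE_LOG = """\
4    Nov 29 2011    14:44:07    64.46.169.26    2715    192.168.23.18    3389    Deny tcp src outside:64.46.169.26/2715 dst inside:192.168.23.18/3389 by access-group "outside_access_in_2" [0x0, 0x0]
4    Nov 29 2011    14:44:01    76.185.77.99    1845    192.168.23.18    3389    Deny tcp src outside:76.185.77.99/1845 dst inside:192.168.23.18/3389 by access-group "outside_access_in_2" [0x0, 0x0]
6    Nov 29 2011    14:43:55    76.185.77.99    1844    192.168.23.18    25    Built inbound TCP connection 4711 for outside:76.185.77.99/1844 to inside:192.168.23.18/25
"""

# Matches the body of an ASA access-group deny message (the 106023-style
# "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..." text).
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Return the fields of an access-group deny line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d


def summarize(text):
    """Count denies per (acl, proto, dst_ip, dst_port) so the blocking ACL stands out."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_deny(line)
        if d:
            counts[(d["acl"], d["proto"], d["dst_ip"], d["dst_port"])] += 1
    return counts


def suggest_ace(deny):
    """Render a permit ACE for one deny, inserted at line 1 of the named ACL.

    Scoped to the single observed source host rather than 'any', which keeps
    the exposure of the inside host to the one peer that actually needs it.
    """
    return (
        f'access-list {deny["acl"]} line 1 permit {deny["proto"]} '
        f'host {deny["src_ip"]} host {deny["dst_ip"]} eq {deny["dst_port"]}'
    )


if __name__ == "__main__":
    for (acl, proto, ip, port), n in summarize(SAMPLE_LOG).most_common():
        print(f'{n} deny(s) by access-group "{acl}" for {proto} {ip}/{port}')
    for line in SAMPLE_LOG.splitlines():
        d = parse_deny(line)
        if d:
            print(suggest_ace(d))
```

Feed it the output of `show logging` (or an ASDM log export) and the most_common() ordering puts the ACL and destination responsible for the bulk of the drops first; the rendered ACE is a starting point to review, not something to paste blindly, since each permitted source should be one you actually expect to reach that host.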

Hello Michael,

Logs never lie; it seems like the access-group is dropping the packets.

Please create the following line:

access-list outside_access_in_2 line 1 permit tcp host 76.185.77.99 host 192.168.23.18 eq 3389

Try this ASAP and let me know the result.

I will be waiting in order to help.

Regards,

Julio


Julio,

Success! Thank you very much. I greatly appreciate your efforts. 5 stars for you!

Regards,

Michael

Hello Michael,

Great to hear that now everything is working; finally we got to the bottom of the issue.

Hope you have a good one.

Julio
