08-08-2011 09:05 AM - edited 03-11-2019 02:08 PM
Hey guys, I am using an ASA5510 for internal firewalling in my QA environment. How do I allow RDP from one subnet to those protected by the firewall? Preferably using the ASDM. Thanks!!
Solved! Go to Solution.
08-08-2011 11:26 AM
I guess we might have nailed it, you would need to add this acl:
access-list 48_access_out extended permit ip any any
in your config, it is inactive at the moment and that is why the traffic is dropping.
Let me know if we are going in right direction, otherwise another output of packet-tracer
Thanks,
Varun
08-08-2011 12:02 PM
Here's another output. So far no worky. Thanks!
Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.48.170 3389 detailed"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.16.48.0 255.255.255.0 48
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66fe6c8, priority=12, domain=permit, deny=false
hits=2, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true
hits=3053, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any 48 any
dynamic translation to pool 101 (10.16.48.1 [Interface PAT])
translate_hits = 3, untranslate_hits = 0
Additional Information:
Dynamic translate 10.30.0.23/2345 to 10.16.48.1/48931 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xd6c179c0, priority=1, domain=nat, deny=false
hits=3, user_data=0xd67b8f60, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6b5b340, priority=1, domain=host, deny=false
hits=1639, user_data=0xd6b5b020, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 48_access_out out interface 48
access-list 48_access_out extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd6b93850, priority=12, domain=permit, deny=false
hits=1, user_data=0xd6b93810, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd6c0fe10, priority=0, domain=permit-ip-option, deny=true
hits=4974, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11525, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.16.48.170 using egress ifc 48
adjacency Active
next-hop mac address 0050.569d.2bfd hits 0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: 48
output-status: up
output-line-status: up
Action: allow
08-09-2011 08:11 AM
Hello. Success on part of it! I can now remote into a 10.16.48.x machine. Now can someone assist me in adding 10.16.100 and 10.16.101?
Here's my config.
Result of the command: "sh run"
: Saved
:
ASA Version 8.0(5)
!
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.0.0.199 255.255.255.0
!
interface Ethernet0/1
nameif 48
security-level 100
ip address 10.16.48.1 255.255.255.0
!
interface Ethernet0/2
nameif 100
security-level 100
ip address 10.16.100.1 255.255.255.0
!
interface Ethernet0/3
nameif 101
security-level 100
ip address 10.16.101.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name daxko
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list 100_access_in extended permit icmp any any
access-list 100_access_in extended permit ip any any
access-list 100_access_in extended permit tcp any any
access-list 100_access_in extended permit udp any any
access-list 48_access_in extended permit icmp any any
access-list 48_access_in extended permit ip any any
access-list 48_access_in extended permit tcp any any
access-list 48_access_in extended permit udp any any
access-list 101_access_in extended permit ip any any
access-list 48_access_out extended permit icmp any any
access-list 48_access_out extended permit ip any any
access-list 48_access_out extended permit tcp any any inactive
access-list 48_access_out extended permit udp any any inactive
access-list 100_access_out extended permit icmp any any
access-list 100_access_out extended permit tcp any any inactive
access-list 100_access_out extended permit udp any any inactive
access-list 100_access_out extended permit ip any any inactive
access-list inside_access_out extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu 48 1500
mtu 100 1500
mtu 101 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (48) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (48,inside) 10.16.48.0 10.16.48.0 netmask 255.255.255.255
static (100,inside) 10.16.100.0 10.16.100.0 netmask 255.255.255.255
static (101,inside) 10.16.101.0 10.16.101.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group 48_access_in in interface 48
access-group 48_access_out out interface 48
access-group 100_access_in in interface 100
access-group 100_access_out out interface 100
access-group 101_access_in in interface 101
route inside 0.0.0.0 0.0.0.0 10.0.0.199 1
route inside 10.2.0.0 255.255.255.0 Gateway 1
route inside 10.10.0.0 255.255.255.0 Gateway 1
route inside 10.30.0.0 255.255.255.0 Gateway 1
route inside 10.31.0.0 255.255.255.0 Gateway 1
route inside 10.32.0.0 255.255.255.0 Gateway 1
route inside 10.33.0.0 255.255.255.0 Gateway 1
route inside 10.34.0.0 255.255.255.0 Gateway 1
route inside 10.252.252.0 255.255.255.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.32.0.0 255.255.255.0 inside
http 10.30.0.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
client-update enable
telnet 10.30.0.0 255.255.255.0 inside
telnet 10.32.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
message-length maximum client auto
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d08113f8d49b927b3a0777acae8c1f45
: end
08-09-2011 08:19 AM
When I do a packet trace, this is what I get.
Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.100.167 3389 detailed"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.16.100.0 255.255.255.0 100
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66fe6c8, priority=12, domain=permit, deny=false
hits=31, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true
hits=4070, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any 100 any
dynamic translation to pool 101 (No matching global)
translate_hits = 4, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6b5cbd0, priority=1, domain=nat, deny=false
hits=4, user_data=0xd68b28c8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: 100
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-09-2011 09:33 AM
Hi Jerry,
Really happy, its worked, you now just need to asdd these:
global (100) 101 interface
global (101) 101 interface
and add these well:
access-list 100_access_out extended permit ip any any
and we should be good.
Let me know if this works.
Thanks,
Varun
08-09-2011 09:39 AM
Thanks for all the help.
It didn't work. Here's the output of the packet tracer from my ip address to one on the 100 subnet.
Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.100.167 3389 detailed"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.16.100.0 255.255.255.0 100
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66fe6c8, priority=12, domain=permit, deny=false
hits=38, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true
hits=4363, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any 100 any
dynamic translation to pool 101 (10.16.100.1 [Interface PAT])
translate_hits = 7, untranslate_hits = 0
Additional Information:
Dynamic translate 10.30.0.23/2345 to 10.16.100.1/58999 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xd6b5cbd0, priority=1, domain=nat, deny=false
hits=7, user_data=0xd68b28c8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 101 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6b5b340, priority=1, domain=host, deny=false
hits=3014, user_data=0xd6b5b020, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100_access_out out interface 100
access-list 100_access_out extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd6882398, priority=12, domain=permit, deny=false
hits=36, user_data=0xd6d2cb90, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd683b890, priority=0, domain=permit-ip-option, deny=true
hits=572, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13981, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.16.100.167 using egress ifc 100
adjacency Active
next-hop mac address 0050.569d.4ea7 hits 0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: 100
output-status: up
output-line-status: up
Action: allow
08-09-2011 10:11 AM
Hi Jerry,
How did the 10.16.48.x subnet work?? We have the same config for the other two as well, right?? can we check if we have the RDP port open on those machines. If this doesn't work we'll take captures on ASA.
-Varun
08-09-2011 10:44 AM
Remote is enabled, ping trace route etc doesn't travel either. I'm totally lost on why one interface works but not another.
08-09-2011 10:53 AM
No issues, don't worry, we'll nail it.
Lets take captures now:
access-list cap permit ip host 10.30.0.23 host 10.16.100.167
access-list cap permit ip host 10.16.100.167 host 10.30.0.23
access-list cap permit ip host 10.16.100.167 host 10.16.100.1
access-list cap permit ip host 10.16.100.1 host 10.16.100.167
cap capin access-list cap interface inside
cap capo access-list cap interface 100
Generate some traffic and then collect the captures by:
show cap capin
show cap capo
Collect the logs as well, when traffic gets denied.
It has to be something. Can you also just paste the config after making the changes.
-Varun
08-10-2011 01:18 PM
Varun I really appreciate all the help I finally figured it out. It was a combination of the things you helped me with and a small routing issue as well. Thanks so much!!
08-11-2011 11:31 AM
Glad I could help you on this
-Varun
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide