cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1142
Views
0
Helpful
1
Replies

Can't connect on RDS

Tim Roelands
Level 1
Level 1

Could someone please explain why I can't contact 97.x.x.218 trough a remote desktop client from a remote WAN? I can't figure out what is wrong with it...

On the LAN the RDS server (192.168.1.20) can be reached, that works fine. It seems the ASA firewall is causing the problem.

ASA Version 8.4(3)
!
hostname cisco-asa
enable password cE8C encrypted
passwd 2KFQnb encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 97.x.x.218 255.255.255.248
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network rds_server
host 192.168.1.20
access-list inbound extended permit tcp any object rds_server eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network rds_server
nat (inside,outside) static interface service tcp 3389 3389
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 97.x.x.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default

           

Thank you very much!

1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

To be honest I can only think of only one scenario where the firewall is causing this with your configuration.

And that is the fact that you have the PAT configuration BEFORE the port forward configuration.

Personally I would configure all the NAT configurations on your firewall in the following way:

PAT

object-group PAT-SOURCE-NETWORKS

description LAN networks

network-object 192.168.1.0 255.255.255.0

nat (inside,outside) after-auto source dynamic PAT-SOURCE-NETWORKS interface

PORT FORWARD

object network SERVER-RDS-PORTFORWARD

description Server Portforward

host 192.168.1.20

nat (inside,outside) static interface service tcp 3389 3389

+ the ACL configuration.

- Jouni

Review Cisco Networking for a $25 gift card