Solved: Cannot open RDP port on FPR1120 from FDM

Rigels002 · ‎03-20-2023

Dear Community,

My client wants to open remote desktop port 3389 on the fpr1120.

I created static nat with port forward from outside to inside to forward incoming request on port 1616 to ip 192.168.**.** on port 3389 windows RDP and an acl to allow the connection from outside.

Configuration are below.

When i do packet tracer connection i being drop by acl.

I cant figure out the problem.

Any help is appreciated.

*********NAT****
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-ne

TCP PAT from outside:0.0.0.0/0 1616-1616 to ether2:192.168.**.** 3389-3389
flags srT idle 0:01:07 timeout 0:00:00

*ether2 port is part of bridge interface*

*****ACL*******

Action : Allow
Intrusion Policy : Source ISE Metadata :Source Zones : outside_zone
Destination Zones : inside_zone
Destination Networks : juli_pc (192.168.**.**)
Source Ports : 1616 (protocol 6, port 1616)
Destination Ports : 3389 (protocol 6, port 3389)
Users
URLs
Logging Configuration
DC : Enabled
Beginning : Enabled
End : Enabled
Files : Enabled
Safe Search : No
Rule Hits : 0
File Policy : Block Malware All
Variable Set : Default-Set

***************
> packet-tracer input outside icmp 80.90.**.** 8 0 192.168.**.**

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.**.** using egress ifc inside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005651f5cc91fa flow (NA)/NA

Sheraz.Salim · ‎03-20-2023

That correct you have to place the static nat rule on top if you have configured a dynmaic rule.

please do not forget to rate.

View solution in original post

Sheraz.Salim · ‎03-20-2023

creat two ACL. the one you already define outside to inside the other ACL you have to define Inside to outside and test again.

could you also share your nat rules please. when you do packet tracer you using outside IP address?

please do not forget to rate.

Rigels002 · ‎03-20-2023

i did that but still not working.

i need only to for remote host port 1616 to connect via remote desktop on port 3389.

Static manual nat is bidirectional so should work both directions.

dont understand why cant figure it out.

Rigels002 · ‎03-20-2023

Sheraz.Salim · ‎03-20-2023

do packet-trace please

packet-tracer interface outside tcp 8.8.8.8 1234 X.X.X.X 3389

x.x.x.x is your FTD outside ip address (are you using public ip or Private IP address?)

please do not forget to rate.

Rigels002 · ‎03-20-2023

yes, x.x.x.x is my FTD outside ip address.

i fixed it, tried everything but just had to change the placement of the NAT - above a specific rule - above inside_outside dynamic nat rule.

Static nat should be place above dynamic nat.

i was able to get hits on acl and connect via rdp.

Attached pics

Thanks

Sheraz.Salim · ‎03-20-2023

That correct you have to place the static nat rule on top if you have configured a dynmaic rule.

please do not forget to rate.