07-10-2024 04:11 PM
Hello Team,
Need help to create my first ACL and NAT for our LAB testing.
I have connected my subinterface to the internet using PPPoE.
I want to create an ACL and NAT to allow everyone from the internet to connect to the RDP on my inside host through my Subinterface_outside.
Currently we are testing, so allow-all is fine for me, and the rest I will configure myself.
Could you please send me the command lines?
Regards,
Gold
07-10-2024 06:03 PM
take a look at this:
07-10-2024 06:06 PM
One issue here: the PPPoE interface gets its IP from the SP, so its IP is always changing.
How can an outer client know the new IP?
You need to ask the SP to provide one additional public IP that does not change, and use it for NAT.
MHM
07-10-2024 06:24 PM
Use DDNS to find the new IP.
07-10-2024 06:27 PM - edited 07-10-2024 07:09 PM
I think the ASA does not support DDNS for PPPoE.
MHM
07-10-2024 07:00 PM
07-10-2024 07:17 PM
If you are sure, guide him to run DDNS on the ASA.
Good luck
MHM
07-11-2024 12:51 AM
We have a static IP assigned by the ISP, and every time we get the same static IP on the subinterface via PPPoE.
07-11-2024 12:57 AM
Please try the sample here:
07-11-2024 08:38 AM
I have ASDM.
Can we have either CLI commands or an ASDM KB for this please?
07-11-2024 10:22 AM
https://www.packet-forwarding.net/posts/asa-lessons-static-pat/
Check this link; you need to config an object service for the ports and an object network for the host (real server IP).
Then use PAT to the interface using the object service.
This allows you to use the interface and a specific port in PAT.
MHM
07-11-2024 02:01 PM
After spending several hours on it, we are stuck.
Unfortunately, I am unable to connect remotely (RDP) from outside, and I cannot see any traffic being terminated from the sub-interface to the inside host.
Point # 1
I don't understand why I'm not seeing any hits on the ACL for the outside subinterface for RDP and HTTP.
Here is the NAT and the ACL:
5 (inside) to (SubInterface_OutSide) source static inside_host_05 interface service any RDP
translate_hits = 90, untranslate_hits = 90
access-list SubInterface_OutSide_access_in extended permit object RDP any any
access-list SubInterface_OutSide_access_in extended deny ip any any
access-list outside_acl extended permit tcp any any eq www
access-list outside_acl extended permit icmp any any
access-list outside_acl extended permit tcp any any eq 3389
access-list outside_acl extended deny ip any any
NAT
Could you please guide me if I am doing something wrong? We need assistance to get this resolved, as we are unable to access the inside network.
Best Regards,
Gold
07-11-2024 02:08 PM - edited 07-11-2024 02:47 PM
5 (inside) to (SubInterface_OutSide) source static inside_host_05 interface service RDP RDP <<- this must be RDP RDP
access-list SubInterface_OutSide_access_in extended permit object RDP any any <<- how did you config the object RDP which you use in the ACL?
This needs to be:
access-list SubInterface_OutSide_access_in extended permit tcp any any eq rdp
MHM
07-12-2024 02:15 PM - edited 07-12-2024 02:17 PM
This worked for me:
object service RDP
service tcp destination eq 3389
description RDP-Service
object service RDP-Service
service tcp source eq 3389
nat (inside,SubInterface_OutSide) source static inside_host_05 interface service RDP RDP-Service
access-list SubInterface_OutSide_access_in extended permit object RDP any any
Able to RDP now.
Thank you
@MHM Cisco World
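The same publication of TCP/3389 on the PPPoE subinterface, written with object NAT instead of the twice NAT used in the thread, as an added example that is not part of any post above. Object NAT names the real and mapped ports directly on the nat line, so no separate service objects are needed. The interface names and the ACL name are taken from the thread; the host address 192.168.10.5, the object names and the permitted source 203.0.113.10 are constructed for this example, and the ACL permits only that one source rather than any, which is the first thing to tighten once testing is done:

```cisco
! Added example (not from the thread): object NAT static PAT for RDP on an ASA.
! Constructed values: host 192.168.10.5, permitted source 203.0.113.10.
! Interface and ACL names are the ones used in the thread.

! Real server behind the "inside" interface; the nat line inside the object
! publishes TCP/3389 on the PPPoE interface address (object NAT, not twice NAT)
object network INSIDE_HOST_05
 host 192.168.10.5
 nat (inside,SubInterface_OutSide) static interface service tcp 3389 3389

! Sources allowed to reach RDP; keep this to known management addresses
object-group network RDP_ALLOWED_SOURCES
 network-object host 203.0.113.10

! Since ASA 8.3 the interface ACL matches the real (untranslated) destination,
! so the rule names the inside object, not the outside interface address
access-list SubInterface_OutSide_access_in extended permit tcp object-group RDP_ALLOWED_SOURCES object INSIDE_HOST_05 eq 3389
access-list SubInterface_OutSide_access_in extended deny ip any any log

! Bind the ACL inbound on the PPPoE subinterface
access-group SubInterface_OutSide_access_in in interface SubInterface_OutSide

! Verification: NAT hit counters, ACL hit counts, and a simulated inbound connection
! (replace <pppoe-interface-ip> with the address shown by "show interface ip brief")
show nat detail
show access-list SubInterface_OutSide_access_in
packet-tracer input SubInterface_OutSide tcp 203.0.113.10 40000 <pppoe-interface-ip> 3389
```

The packet-tracer line is the quickest way to see which of the three stages (NAT, ACL, routing) is dropping the connection: its output shows the untranslated destination after the NAT phase and which ACL entry, if any, matched, which answers the "no hits on the ACL" question from earlier in the thread without waiting for a real client to connect.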