Re: Cisco Asa Port Forwarding using a custom RDP Port

Frederic Garcia · ‎06-20-2018

Hello,

I need to translate a custom RDP Port. I'm a little bit stuck...

Here the rules :

object network RDP-Server
nat (inside,outside) static interface service tcp 3389 33890

access-list outside_access_in extended permit object RDP-Service any object RDP-Server

RDP-Service = 3389

RDP-Service-Ext 33890

Thanks for your help ! :)

Daniele Giordano · ‎06-20-2018

Try to add a permit ip any any in the acl just for test.

If it works try

access-list outside_access_in extended permit tcp any host YOUR SERVER IP eq 3389

Regards.

Frederic Garcia · ‎06-20-2018

Hello Daniele,
Thanks for your help.

Your command has been accepted by my Cisco Asa. I think it was ok because my Hits are ok.

My Asa Version si 9.6(2)22

You will find in attachment a screenshot of my NAT config with the VPN.

Daniele Giordano · ‎06-20-2018

Do you have tested the port forward? I see hits on your screenshot.

Regards.

Frederic Garcia · ‎06-20-2018

What did you mean for tested my port forward ?

I try to connect with a laptop using a 4G, and i have a error. And I'm ok with you, I see the hits on my screenshot after each try.

Daniele Giordano · ‎06-20-2018

1) if you temporarilly add a permit ip any any to acl, are you abel to connect to your server?

If yes, the problem is in the ACL

If no the problem could be in your server

2) Are you able to connect to your server using private IP?

if yes the problem is on the ASA

if no the problme is in the server

Let me know your findings.

Regards.

Frederic Garcia · ‎06-20-2018

ok !

With an internal IP it's OK.

If I use my VPN it's OK.

But, We have a external ressource to help us on the ERP. We prefer a RDP connection than VPN.

Daniele Giordano · ‎06-20-2018

So, the server is configured correctly.

Can you try to modify temporarily the access list and permit all just for test?

If the RDP connection works, the issue is in the ACL.

If it doesn't work the issue is in the NAT.

Regards.

Frederic Garcia · ‎06-20-2018

It's doesn't work.

Here the conf of my all NAT rules.

nat (inside,outside) source static NETWORK-PROGINOV2 NETWORK-PROGINOV2 destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK-PROGINOV NETWORK-PROGINOV destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK-INSIDE NETWORK-INSIDE destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK-BSM NETWORK-BSM destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK-LORIENT NETWORK-LORIENT destination static NETWORK-ANYCONNECT NETWORK-ANYCONNECT no-proxy-arp route-lookup
!
object network NETWORK-INSIDE
nat (inside,outside) dynamic interface
object network Theseus
nat (inside,outside) static interface service tcp 3389 33890
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!