12-18-2013 08:14 AM - edited 03-11-2019 08:20 PM
Hi,
Please help me to resolve my issue with the Cisco ASA 5510 firewall. From outside, port 3389 is blocked but still accessible from the LAN IP NATted with the private IP address. Enclosed is the ASA config file.
Regards,
Saroj Pradhan
01-03-2014 12:20 PM
Hello Saroj,
So to move forward:
You can RDP locally to a server but you cannot from the internet.
What's the NAT you have configured for the server?
Also to get closer to the solution do
packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.x 3389 (Where x.x.x.x is the outside public IP address of the Server)
Provide the entire output
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-04-2014 08:04 PM
Hello Saroj,
So you mean you want to block it even locally???
From where are you trying to RDP using the local IP address?
For the ASA to block it the traffic must traverse the ASA
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-03-2014 04:13 AM
Please specify what is that IP Address
01-04-2014 06:26 PM
The server interface has a private IP address and, for access to the server from the Internet, is NATted with a public IP address. Please help; I want to block RDP port access from the Internet.
01-03-2014 05:06 AM
From outside port 3389 is blocked but still accessible from LAN IP natted with the private IP Address
Your config shows you have permitted RDP from the outside
access-list outside_access_in extended permit tcp any any eq 3389
I am not sure what you mean by "still accessible from LAN IP natted with the private IP address". Could you please clarify this.
--
Please remember to rate and select a correct answer
01-04-2014 06:24 PM
Please find the details.
The server private IP is 172.16.48.83 and is NATted with public IP address 122.168.191.82.
Please find the report.
Netlink-OS-ASA# packet-tracer input outside tcp 4.2.2.2 1025 122.168.191.82 33$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
match ip inside host Timesheet_Inside_Local outside any
static translation to Timesheet_Outside_Public
translate_hits = 35877, untranslate_hits = 2503399
Additional Information:
NAT divert to egress interface inside
Untranslate Timesheet_Outside_Public/0 to Timesheet_Inside_Local/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
match ip inside host Timesheet_Inside_Local outside any
static translation to Timesheet_Outside_Public
translate_hits = 35877, untranslate_hits = 2503421
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) Timesheet_Outside_Public Timesheet_Inside_Local netmask 255.255.255.255
match ip inside host Timesheet_Inside_Local outside any
static translation to Timesheet_Outside_Public
translate_hits = 35877, untranslate_hits = 2503430
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 277395699, packet dispatched to next module
Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop VPN_AccesssL3 using egress ifc inside
adjacency Active
next-hop mac address 001a.a224.73c2 hits 2236
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
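The trace above ends in Action: allow with access-list outside_access_in permitting ip any any, which is exactly what a reader should check first. As an added example (not code from this thread or from Cisco), here is a small Python parser for the packet-tracer output format shown above plus a simplified ACE matcher that reports which access-list lines let the tested port through; SAMPLE_TRACE is a constructed abridgement of the posted output, and the matcher only understands the `permit <proto> <src> <dst> [eq <port>]` form (no object-groups or port ranges).

```python
# Constructed sample, abridged to the shape of the packet-tracer output posted in this thread
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Result:
Action: allow
"""

def parse_packet_tracer(text):
    """Per-phase records (type, subtype, result, config lines) plus the final action."""
    phases, cur, in_config, action = [], None, False, None
    for raw in text.splitlines():
        key, _, val = map(str.strip, raw.strip().partition(":"))
        if key == "Phase" and val.isdigit():
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
        elif key == "Action":
            action = val.lower()
        elif key == "Result" and not val:  # a bare 'Result:' opens the final summary
            cur = None
        elif cur is None:
            continue
        elif key == "Config" and not val:
            in_config = True
        elif key == "Additional Information":
            in_config = False
        elif in_config:
            cur["config"].append(raw.strip())
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
    return {"phases": phases, "action": action}

def ace_permits_port(ace, proto, port):
    """Simplified ACE check: 'permit ip' matches every port; 'permit <proto>' matches with no 'eq' or a matching 'eq'."""
    toks = ace.split()
    if "permit" not in toks:
        return False
    ace_proto = toks[toks.index("permit") + 1]
    return ace_proto == "ip" or (ace_proto == proto and ("eq" not in toks or toks[toks.index("eq") + 1] == str(port)))

def open_aces(trace, proto, port):
    """Access-list lines in ALLOW phases that let this port through: audit these when a port you believe is blocked still ends in Action: allow."""
    return [c for p in trace["phases"] if p["type"] == "ACCESS-LIST" and p["result"] == "ALLOW"
            for c in p["config"] if c.startswith("access-list ") and ace_permits_port(c, proto, port)]
```

Run it against a full trace pasted into SAMPLE_TRACE; an empty list from open_aces(trace, "tcp", 3389) together with Action: drop is what a correctly blocked RDP port looks like from the outside.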
01-05-2014 03:41 AM
For the ASA to block/filter all traffic headed for 3389, all traffic must pass through the ASA. If it is a Windows machine you could use the Windows firewall to permit/deny RDP traffic. If it is not a Windows machine you could install a software firewall on it and use that to regulate traffic.
--
Please remember to rate and select a correct answer