Help! Need ASA help on REAL project. Allow RDP over http through ASA.

Opreccfl76
Level 1

[Image: topology2.PNG]

The goal:

 

Allow RDP sessions from the "outside", represented here by the "Internet_PC" VM with the IP of 192.168.50.100. This PC has to be able to follow the path highlighted in red, using RDP over port 80. There will actually be 5 users coming in from the outside attempting to reach 5 PCs that are living inside the network on the left (under ISP1) using 10.200.10.x IPs. So basically these 5 users will attempt an RDP session from the outside to IPs 10.200.10.230 through .235. The firewall must NAT those IPs (the 10.200.10.x IPs) to their corresponding internal 10.30.8.x IPs. For example, 10.200.10.230 must be NATted to 10.30.8.230, 10.200.10.231 to 10.30.8.231, and so on. Only that RDP traffic is to be allowed through the ASA and nothing else. Those 10.30.8.x PCs do not need to go out to the internet either.

 

The setup:

 

These are 2 different networks (LANs) being separated by their own routers (ASE-R1 and US_Orlando_01). The ASA is being used to allow and secure traffic to 5 specific internal PCs from the LAN on the left, under ISP1. The users from the "outside" (off of router US_Orlando_01's f0/1 interface), represented by the "Internet_PC" VM with the IP of 192.168.50.100, MUST access the internal PCs from ISP1 (the network on the left). Yes, I know if they came in through ASE-R1 this would be much easier, but that's the requirement. There are no routing protocols being used. It's all static routing (at the moment). All the devices here have internet access. XP5 and XP1 have their default gateways pointed to 10.308.240, which is the ASA's inside interface. The ASA's default route points to 10.200.10.1, which is POE switch 1, under ISP2.

 

Whats working:

 

  1. I've configured the NAT on the ASA for the internal IP of 10.30.8.231 (XP5) to its corresponding external IP of 10.200.10.231.
  2. I am able to ping the 10.200.10.231 IP from the LAN on the right, from the core switch (US_Orlando_POE_SW1) having an IP of 10.200.10.1 and from the Server2008R2 box using the IP of 10.113.32.50.
  3. I edited the global service policy on the ASA to allow ICMP inspection.
  4. I created and associated an ACL to the ASA's outside interface to allow ICMP from anywhere IF it's going to the internal IP of 10.30.8.231. The network object "ORGANICS_data_processing_PC2" represents the 10.30.8.231 IP. Here is the ACL: access-list outside_access_in extended permit icmp any object ORGANICS_data_processing_PC2

 

What's NOT working:

  1. I am NOT able to create the RDP session from either of the 2 PCs (the Server2008R2 or the Internet PC) to the internal 10.30.8.x PCs.

What I've tried:

 

  1. As I said, I was able to configure the NAT statement for IP 10.30.8.231 to 10.200.10.231.
  2. I tried allowing TCP port 3389 (Windows RDP port) through the ASA's outside interface from anywhere to the destination IP of 10.200.10.231.
  3. I tried allowing HTTP (port 80) services through the ASA's outside interface from anywhere to the destination IP of 10.200.10.231.

That's it. That's where I'm stuck. I have packet captures and the running configs that I can share. I can't upload them here, so I can email them if anyone would like.

 

If anyone can help, I'd gladly appreciate it. I'm willing to send someone that can help me a few $$$ to treat you to lunch!

 

Thank you all in advance!

 

 

5 Replies

Marvin Rhoads
Hall of Fame

Since you want to use tcp/80 incoming for RDP, you need to do either one of two things:

 

1. Translate the incoming tcp/80 traffic to your internal host to tcp/3389 (default port for RDP), or

2. Configure the destination hosts to listen on tcp/80 for RDP.

 

Which approach are you taking? The necessary firewall configuration will vary according to your answer.

Hello Marvin. Good morning and thank you for responding!

 

I'm going to go with Option 1. Is this now another NAT config?

Yes, it would be, so do a NAT on port 80 (10.200.10.10) to 3389 on the real IP address. Also, allow port 80 on your outside IP addresses from the connection IP to the real IP of the RDP host.

Please remember to rate useful posts, by clicking on the stars below.
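For readers following Option 1 (translate inbound tcp/80 to tcp/3389), here is what that looks like in ASA 8.3+ object NAT. This is an added example and is not a config from any post in this thread; the object name ORGANICS_data_processing_PC2, the interface names inside/outside, and the 10.200.10.x to 10.30.8.x mapping come from the original post, while the second object name (RDP_HOST_232) and the restriction of the source to the Internet_PC address are assumptions made for illustration.

```cisco
! Added example, ASA 8.3+ syntax. Not the poster's running config.
! Object name and interface names follow the thread; the second object
! name and the single permitted source host are assumptions.

! Real host 10.30.8.231 (XP5) is reached from outside as 10.200.10.231:80.
! "service tcp <real_port> <mapped_port>": inside tcp/3389 <-> outside tcp/80.
! A network object holds exactly one nat statement, so this line REPLACES
! any earlier plain 1:1 static for the same object.
object network ORGANICS_data_processing_PC2
 host 10.30.8.231
 nat (inside,outside) static 10.200.10.231 service tcp 3389 80

! Same pattern for the next host; repeat once per PC in the 10.30.8.x range.
object network RDP_HOST_232
 host 10.30.8.232
 nat (inside,outside) static 10.200.10.232 service tcp 3389 80

! Inbound ACL on the outside interface. On ASA 8.3 and later the ACL is
! matched against the REAL (untranslated) destination address and REAL
! port, so permit tcp/3389 to the inside object, not tcp/80 to the mapped
! address. Narrow the source to the actual remote client(s) instead of "any".
access-list outside_access_in extended permit tcp host 192.168.50.100 object ORGANICS_data_processing_PC2 eq 3389
access-list outside_access_in extended permit tcp host 192.168.50.100 object RDP_HOST_232 eq 3389
access-group outside_access_in in interface outside

! Verification from the ASA CLI (run these by hand; the packet-tracer line
! should end in "Action: allow" and show the NAT phase translating the
! destination to 10.30.8.231 port 3389):
! packet-tracer input outside tcp 192.168.50.100 40000 10.200.10.231 80
! show nat detail
! show xlate
```

Two points worth checking against the stated goal. Because the static uses the `service` keyword, only tcp/80 to the mapped address is translated; other ports to 10.200.10.231 have no xlate and are dropped, which matches "only that RDP traffic and nothing else". For the same reason the earlier `permit icmp any object ORGANICS_data_processing_PC2` line used for ping testing should be removed once RDP works, since it widens what reaches the host beyond RDP.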

Can you gentlemen please help me with the config? Or perhaps the steps in ASDM? I've tried this and it didn't work. I've watched videos on YouTube as well and it's just not the same as what I need. I'm sure it's something I'm doing wrong, not the device. What I tried broke my original NATting, but I was able to re-configure that.

 

Please don't take my response above as me being lazy. It's just that, admittedly, I'm a little out of my depth here and I'm just about out of time. After this is done, I'll be creating a full lab video on this and posting it on YouTube to help others who may be, now or in the future, in a similar situation, but for right now I just need to get this done.

I'm also open to a remote session if it helps move this along quicker. Please and thank you.
