Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3674
Views
0
Helpful
8
Replies

I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

plogooman
Level 1
Level 1

‎06-11-2012 11:44 AM - edited ‎03-11-2019 04:17 PM

I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.

I need to allow the following IP addresses to have RDP access to my server:

66.237.238.193-66.237.238.222

69.195.249.177-69.195.249.190

69.65.80.240-69.65.80.249

My external WAN server info is - 99.89.69.333

The internal IP address of my server is - 192.168.6.2

The other server shows up as 99.89.69.334 but is working fine.

I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.

THE FOLLOWING IS MY CONFIGURATION FILE

Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course

Also the bolded lines are the modifications I made but that arent working.

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password DowJbZ7jrm5Nkm5B encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.6.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 99.89.69.233 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

object-group network EMRMC

network-object 10.1.2.0 255.255.255.0

network-object 192.168.10.0 255.255.255.0

network-object 192.168.11.0 255.255.255.0

network-object 172.16.0.0 255.255.0.0

network-object 192.168.9.0 255.255.255.0

object-group service RDP tcp

description RDP

port-object eq 3389

object-group service GMED tcp

description GMED

port-object eq 3390

object-group service MarsAccess tcp

description MarsAccess

port-object range pcanywhere-data 5632

object-group service MarsFTP tcp

description MarsFTP

port-object range ftp-data ftp

object-group service MarsSupportAppls tcp

description MarsSupportAppls

port-object eq 1972

object-group service MarsUpdatePort tcp

description MarsUpdatePort

port-object eq 7835

object-group service NM1503 tcp

description NM1503

port-object eq 1503

object-group service NM1720 tcp

description NM1720

port-object eq h323

object-group service NM1731 tcp

description NM1731

port-object eq 1731

object-group service NM389 tcp

description NM389

port-object eq ldap

object-group service NM522 tcp

description NM522

port-object eq 522

object-group service SSL tcp

description SSL

port-object eq https

object-group service rdp tcp

port-object eq 3389

access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC

access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data

access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522

access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731

access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333

access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp

access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp

access-list out_in extended permit tcp any host 192.168.6.2 eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 99.89.69.338 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.6.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 68.156.148.5

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

tunnel-group 68.156.148.5 type ipsec-l2l

tunnel-group 68.156.148.5 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d

: end

ciscoasa(config-network)#

Labels:
0 Helpful
8 Replies 8

abinjola
Cisco Employee
Cisco Employee

‎06-11-2012 04:43 PM

The config looks good,  try the following:

A-reload or clear arp-cache on outside/gateway/upstream router of ASA.

B-Take packet capture on inside interface of ASA to see if packet leaves ASA and if it see return packet from server

set the following captures

access-list cap1 permit ip

access-list cap1 permit ip

capture cpi acess-l cap1 interface inside

x.x.x.x---is the ip of test machine on the outside world

y.y.y.y--rela ip of server on inside

0 Helpful

plogooman
Level 1
Level 1
In response to abinjola

‎06-11-2012 05:05 PM

Well here is the problem. When I attempt to put i:

static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255

It says that I have an error and that I need to configure nat or something. Its just odd to me because I already have a similar command to map port forwarding for the other internal server to its external ip address. For some reason it wont let me put in the exact same command for the new server. I assume its because there is something wrong for my code.

So I essentially opened up that ports for the ip address I think but I need to link it (port forward). Everything I have tried thus far doesnt work.

0 Helpful

plogooman
Level 1
Level 1
In response to plogooman

‎06-11-2012 06:12 PM

I feel it has something to do with nat and or im not applying it correctly.

0 Helpful

plogooman
Level 1
Level 1
In response to plogooman

‎06-11-2012 06:27 PM

Also I just noticed this but my outside interface vlan 2 (wan ip) is set for 99.89.69.233 and thats the ip I was trying to add a static route for RDP access to my server. Would it not let me port forward it to the internal ip address if it was set for the VLAN 2?

0 Helpful

mikull.kiznozki
Level 1
Level 1
In response to plogooman

‎06-11-2012 09:09 PM

did u vlan your outside interface?

0 Helpful

gouravbathla
Level 1
Level 1
In response to plogooman

‎06-12-2012 03:56 AM

Hi Davis

I want to add

"Well here is the problem. When I attempt to put i:

static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255

It says that I have an error and that I need to configure nat or something. Its just odd to me because I already have a similar command to map port forwarding for the other internal server to its external ip address. For some reason it wont let me put in the exact same command for the new server. I assume its because there is something wrong for my code."

99.89.69.333 is not a valid IP address.

0 Helpful

plogooman
Level 1
Level 1
In response to gouravbathla

‎06-12-2012 04:25 AM

"99.89.69.333 is not a valid IP address."

As I stated before, I did not put my actual IP address. That is just a fake one that I posted.

0 Helpful

Thomas Gronke
Level 1
Level 1
In response to plogooman

‎06-12-2012 05:04 PM

Unclear what did not work.  In your original post you include said some commands were added but don't work:

static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255

and later you state you add another command that gets an error:

static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255

You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.

The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.

Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card