Nat RDP machine, outside to inside

danielluz
Level 1

Hi, I have the following configuration.

inside  192.168.90.1

outside 10.13.7.188

rdp-host 192.168.90.45

rdp-host-outside 10.13.7.187

ASA Version 8.4(1)

!

hostname ciscoasa

enable password -----

passwd ----

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!            

interface Ethernet0/3

nameif outside

security-level 100

ip address 10.13.7.188 255.255.255.192

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa841-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network intra-rdp

host 10.13.7.187

object network rdp-host

host 192.168.90.45

object service rdp_service

service tcp source eq 3389

object-group network Network-A

description Red  Network A

network-object 192.168.90.0 255.255.255.0

object-group network INTRANET

description Intranet de Intranet Network

network-object 10.13.0.0 255.255.0.0

object-group icmp-type ping

description Ping Group

icmp-object echo

icmp-object echo-reply

icmp-object time-exceeded

icmp-object traceroute

icmp-object source-quench

icmp-object unreachable

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit icmp any any object-group ping

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit tcp any host 192.168.90.45 eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (outside,inside) source static any any destination static interface rdp-host service rdp_service rdp_service

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.13.7.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.13.0.0 255.255.0.0 outside

http 192.168.1.0 255.255.255.0 management

http 192.168.90.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.90.0 255.255.255.0 inside

ssh 10.13.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username tr password ------ encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!            

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e9bfbb5a2a86ba432761431229c9c613

: end

and it is my packet-tracer

ciscoasa(config)# packet-tracer input outside tcp 10.13.7.165 3389 192.168.90.$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.90.0    255.255.255.0   inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4     

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (outside,inside) source static any any destination static interface rdp-host service rdp_service rdp_service

Additional Information:

Static translate 10.13.7.165/3389 to 10.13.7.165/3389

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source dynamic any interface

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7     

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1056, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Apparently it works fine, but when I use my laptop (10.13.7.165) to connect via RDP to 10.13.7.187 it does not work.

Sorry, my English is very bad....


Jouni Forss
VIP Alumni

Hi,

Can you try doing one of the following changes to your configuration (revert if it doesn't help for you)?

Remove the old NAT configuration

no nat (outside,inside) source static any any destination static interface rdp-host service rdp_service rdp_service

NOTICE! The configurations below are 2 different options. You only need to configure one of them depending on your need.

  • The first NAT configuration will NAT the LAN host to its own NAT IP.
  • The second NAT configuration will ONLY forward port TCP/3389 to the LAN host when you connect to the "outside" interface IP address on port TCP/3389.

New NAT configuration - Static NAT

object network STATIC

host 192.168.90.45

nat (inside,outside) static 10.13.7.187

access-list outside_access_in permit tcp any object STATIC eq 3389

New NAT configuration - Port Forward using "outside" interface IP address

object network PORTFORWARD-RDP

host 192.168.90.45

nat (inside,outside) static interface service tcp 3389 3389

access-list outside_access_in permit tcp any object PORTFORWARD-RDP eq 3389

Please let me know if I misunderstood something about what you were after.

Also please rate if you found the information helpful to solve your problem.

- Jouni

OK,

First option:

Reconfigured the ASA, used the RDP client to connect to 10.13.7.188 and .187, but it does not work; the RDP client only shows me that it cannot connect to the Windows-based computer.

Second option:

Reconfigured the ASA,

used the RDP client to connect to 10.13.7.188 and .187, but it does not work; the RDP client keeps thinking.......

Thanks.

Hi,

Could you take some "packet-tracer" output when you are using either of the above NAT configurations and copy/paste the output here?

For Static NAT

packet-tracer input outside tcp 10.13.7.187 3389

For Port Forward NAT

packet-tracer input outside tcp 10.13.7.188 3389

EDIT: Are you certain that possibility for RDP connections is enabled on the computer where you are trying to connect to?

- Jouni

Hi,

For Static NAT

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC

nat (inside,outside) static 10.13.7.187

Additional Information:

NAT divert to egress interface inside

Untranslate 10.13.7.187/3389 to 192.168.90.45/3389

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:      

Additional Information:

Phase: 4

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source dynamic any interface

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1157, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

For Port Forward NAT

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.13.7.128     255.255.255.192 outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4     

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1164, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

In both cases it apparently works, but with the RDP client it doesn't.

Thanks

Hi,

At least the Static NAT output looks right to me.

For the Port Forward the output doesn't seem correct. Both the input and output interface are the same, and I don't see any mention of the traffic from the "packet-tracer" command hitting the Port Forward NAT configuration.

I would make sure that the RDP service on the computer is configured and working. Possible firewall software might be worth checking too. Can you connect to that computer with RDP from another computer in the network 192.168.90.0/24? This should confirm if the problem is with the actual computer or the firewall.

Also you could try looking through the ASDM monitor while trying the RDP connection to see what happens to the connection attempt. We would be interested in the log message that has the "Teardown" message.

I would also try to change this NAT rule

no nat (inside,outside) source dynamic any interface

and use

nat (inside,outside) after-auto source dynamic any interface

You could also try using "clear xlate" after this to clear all the NAT translations from the firewall before you test anything else. EDIT: Notice that "clear xlate" will also terminate connections going through the firewall but NOT the actual connection you have to the actual firewall.

- Jouni
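As an added example (not code from the thread or from Cisco), here is a small Python checker that applies the two tests Jouni uses on the traces above to any packet-tracer output: does an UN-NAT phase reference the expected network object, and does the packet leave on a different interface than it entered. The two sample traces are constructed, abbreviated copies of the Static NAT and Port Forward traces posted in this thread; the object names are assumed from the configurations suggested above.

```python
# Constructed samples, abbreviated from the two traces posted in the thread.
STATIC_NAT_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network STATIC
nat (inside,outside) static 10.13.7.187
Additional Information:
Untranslate 10.13.7.187/3389 to 192.168.90.45/3389

Result:
input-interface: outside
output-interface: inside
Action: allow
"""
PORT_FORWARD_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:

Result:
input-interface: outside
output-interface: outside
Action: allow
"""
def parse_packet_tracer(text):
    """Return (phases, summary): per-phase Type/Subtype/Result plus Config lines, and the final block."""
    phases, summary, state = [], {}, "pre"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            phases.append({"type": "", "subtype": "", "result": "", "config": []})
            state = "phase"
        elif line == "Result:":  # a bare "Result:" (no value) opens the final summary
            state = "summary"
        elif state == "summary":
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            state = line  # Config lines are collected; free text after "Additional Information:" is skipped
        elif state == "Config:":
            phases[-1]["config"].append(line)
        elif state == "phase":  # Type: / Subtype: / Result: header lines of the phase
            key, _, val = line.partition(":")
            phases[-1][key.strip().lower()] = val.strip()
    return phases, summary
def diagnose(text, nat_object):
    """Findings for an inbound trace that should hit the NAT defined under network object `nat_object`."""
    phases, summary = parse_packet_tracer(text)
    nat_hit = any(p["type"] == "UN-NAT" and any(nat_object in c for c in p["config"]) for p in phases)
    checks = [
        (summary.get("Action") != "allow", "packet was not allowed by the firewall"),
        (not nat_hit, f"no UN-NAT phase references object {nat_object}"),
        (summary.get("input-interface") == summary.get("output-interface"),
         "input and output interface are the same, nothing was translated"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running `diagnose` on a trace captured from the ASA with `packet-tracer input outside tcp <client> <port> <nat-ip> 3389` gives an empty list when the trace looks like the working Static NAT case and names the missing translation otherwise.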

OK,

I tested the computer back to back on the same network and it works right.

I changed the NAT instructions and cleared xlate.

On the static NAT:

the RDP client shows me an error message and tries reconnecting to the Windows PC.

The syslog messages don't show anything.

Port Forward NAT log

This firewall is for testing the configuration; when it works right I will send the configuration to the production system.

This is the configuration working:

ciscoasa# sh ru

: Saved

:

ASA Version 8.4(1)

!

hostname ciscoasa

enable password -- encrypted

passwd -- encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.90.1 255.255.255.0

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!            

interface Ethernet0/3

nameif outside

security-level 100

ip address 10.13.7.188 255.255.255.192

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa841-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network intra-rdp

host 10.13.7.187

object network rdp-host

host 192.168.90.45

object service rdp_service

service tcp source eq 3389

object network STATIC

host 192.168.90.45

object-group network net-a

description Red a

network-object 192.168.90.0 255.255.255.0

object-group network INTRANET

description Intranet

network-object 10.13.0.0 255.255.0.0

object-group icmp-type ping

description Ping Group

icmp-object echo

icmp-object echo-reply

icmp-object time-exceeded

icmp-object traceroute

icmp-object source-quench

icmp-object unreachable

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit icmp any any object-group ping

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit tcp any object STATIC eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

!

object network STATIC

nat (inside,outside) static 10.13.7.187

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.13.7.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.13.0.0 255.255.0.0 outside

http 192.168.1.0 255.255.255.0 management

http 192.168.90.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 192.168.90.0 255.255.255.0 inside

ssh 10.13.0.0 255.255.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username 9JL83 password hOSugQuHRmysWJ/d encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home    

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:25e72e430d5c89305fba85c82f178b18

: end

ciscoasa#  

And this is the packet-tracer from this configuration.

ciscoasa# packet-tracer input outside tcp 10.13.7.165 62644 10.13.7.187 3389  

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network STATIC

nat (inside,outside) static 10.13.7.187

Additional Information:

NAT divert to egress interface inside

Untranslate 10.13.7.187/3389 to 192.168.90.45/3389

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:      

Additional Information:

Phase: 4

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network STATIC

nat (inside,outside) static 10.13.7.187

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1432, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Thanks

Hey,

The log message screen capture you posted seems to indicate that the host 192.168.90.45 simply doesn't reply when the remote host is trying to establish the TCP connection.

Have you made sure that the LAN server has the correct default gateway configured, i.e. the ASA interface IP address 192.168.90.1?

The log messages don't indicate any kind of problem with your firewall configurations.

- Jouni

Hi,

RDP Network config

I have tested rdp-host with a client on the same network and it works fine.

From the rdp-host I send a ping to 10.13.7.x (another machine on the intranet network) and it works fine.

This problem has me desperate and I cannot find a solution.

Thanks

Hi,

The packet-tracer already seemed to point out that the connection attempt should work with regards to the firewall.

Do you have any other service running on the RDP computer you could test from the other side of the firewall?

For example, could you install UltraVNC (another remote desktop connection) on the same server and on the host attempting the connection and try to connect using that and see if the result is the same? (Would naturally need to open ports for UltraVNC also, think they are TCP/5900 and TCP/5901 as default)

Can any host behind the firewall (from behind interface "outside") PING the computer 10.13.7.187?

Are you positively sure that there is not some setting that might prevent this connection on the actual computer (even though the host on the connected network can access it)?

- Jouni

Hi, the problem on the RDP server is the fu..... antivirus..... I didn't know it includes another firewall, and it only accepts connections from the connected network.

I tested the RDP-VNC services and they are working fine.

Thanks, and rated.

Hi,

Glad it got sorted out, and thank you for the rating.

I would have been really baffled if it wasn't something related to the actual computer you were trying to connect to.

- Jouni
