Port redirection - ASA (cli) for RDP - Remote Desktop Protocol

walldiv01
Level 1

Hello and thank you for reading & helping out! 

I have a customer whose servers we are trying to remotely monitor and manage. We have a management server, and I can set up the ACLs to have any/any port 3389 open and accessible, but we are trying to strengthen the inbound side simply by having a port redirection. Below is my code, which seems to be right according to all the other sites I have looked over trying to find out how to redirect ports on an ASA, as well as NAT in general with Cisco's CLI. I don't have ASDM capability; I am using SSH (PuTTY) and remoting into the firewall. When I try to switch the port access to 3390 with a port redirection (as shown below) I am not able to connect (nor will PortQry.exe show it as listening; rather it comes back "filtered").

I think that I am doing the NAT in the wrong location, but if I try to do a global NAT with the other statements outside of the network object, I can't seem to get the ports to go through ( ' nat (inside,outside) source static any any service tcp 3390 3389 ' ); it says the port 3389 is 'invalid input'. I for one am lost lol, please help!

*** ALL other code attempts work fine with 3389 in the ACL/object-NAT segments ***

object network GLF-VCENTER
 host 172.30.25.254
 nat (inside,outside) static interface service tcp 3390 3389
access-list outside_access_in extended permit tcp any any eq 3390

3 Replies

Itzcoatl Espinosa
Cisco Employee

Hello Dan,

Is port 3390 the real port of your server or the one you are using to connect?

Have you tried swapping the ports in the NAT configuration? The first one is the real port and the second one should be the mapped port you type in order to connect.

object network GLF-VCENTER
 host 172.30.25.254
 nat (inside,outside) static interface service tcp 3389 3390

I hope it helps

regards,

Itzcoatl

@ Itzcoatl,

Yes, I've done both commands (below); neither works, and I understand the order of mapped/real ports. I know I had it backwards in my original statement (sorry).

HAVE TRIED BOTH:
nat (inside,outside) static interface service tcp 3389 3390
nat (inside,outside) static interface service tcp 3390 3389

~Dan

Hello Dan,

Have you also tried the ACL for port 3389?

Please share the exact configuration you have (using the right port-mapping)

and also this

packet-tracer input outside tcp 4.2.2.2 1025 interface_ip 3389

Then enable this capture

cap capout interface outside match tcp any host x.x.x.x (Interface_IP) eq 3389

cap capin interface inside match tcp any host x.x.x.x (Internal server IP) eq 3389

Afterwards, try to connect just once and finally provide:

show cap capout

show cap capin

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
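A worked object-NAT port forward for this setup, added here as an example and not taken from the thread: on ASA 8.3 and later the interface ACL is evaluated against the real (untranslated) host and port, so the ACL must permit 172.30.25.254 on 3389 even though outside clients connect to the interface address on 3390. The management-server address 203.0.113.10 and the <OUTSIDE_IF_IP> placeholder are assumptions, not values from the thread.

```cisco
! Added example, not the poster's or Cisco's own config.
! Object NAT: real port 3389 first, mapped (public) port 3390 second.
object network GLF-VCENTER
 host 172.30.25.254
 nat (inside,outside) static interface service tcp 3389 3390
!
! ASA 8.3+: the inbound ACL matches the REAL destination (host and port),
! not the mapped port 3390. The source is limited to the management server
! (203.0.113.10 is an assumed placeholder) instead of 'any'.
access-list outside_access_in extended permit tcp host 203.0.113.10 host 172.30.25.254 eq 3389
access-group outside_access_in in interface outside
!
! Verify: simulate the management server hitting the MAPPED port on the
! outside interface address. Replace <OUTSIDE_IF_IP> with that address.
packet-tracer input outside tcp 203.0.113.10 1025 <OUTSIDE_IF_IP> 3390
!
! Confirm the translation is installed and, after a test connection, in use.
show nat detail
show xlate
```

If packet-tracer reports the drop in the ACL phase, the ACL is still written against the mapped port or address; if it passes but the capture on the inside interface shows no SYN, look at NAT ordering rather than the ACL.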