Problem configuring RemoteDesktop on ASA5505 8.4.1

tsabsuavyaj
Level 1

Hi,

I am trying to configure RemoteDesktop on a home lab ASA5505 with IOS 8.4.1 and no matter what I tried, I am unable to remote into a local server behind the firewall. I've searched online and found several threads with solutions online, including here at Cisco Support Community forum, and have tried them all, but have had no success. I'm sure it may be something very simple that I've missed.

Here is my Running Config. Any help is appreciated.

ASA Version 8.4(1)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.148.5 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.x.x.75 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 67.x.x.75
 domain-name demo.local
object network inside
 subnet 192.168.148.0 255.255.255.0
object network rdp-server
 host 192.168.148.105
object service rdp
 service tcp source eq 3389
access-list outside_in extended permit tcp any object rdp-server eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static rdp-server interface service rdp rdp
nat (inside,outside) source dynamic inside interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.x.x.75 1

1 Accepted Solution

Hi,

Are you sure your local computer has the correct Gateway IP address configured? Just seeing as you have an unusual interface IP address on the ASA (192.168.148.5).

Though if this was the case it would mean the local computer couldn't access anything outside its subnet at the moment. But this has been the case a few times in the past, so I've learned not to presume everything.

I guess there might even be some setting that is blocking the RDP connections from the remote networks?

All in all it seems that the problem is with the local computer and not the ASA.

- Jouni

7 Replies

Julio Carvajal
VIP Alumni

Hello,

The configuration looks perfect except for the IP address of the RDP server?

object network rdp-server
 host 192.168.1.0

Why is it using the network IP address?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry, I was trying to change the real IP address and have made some errors. The IP has been updated.

So all looks correct to you? If so, somehow I still cannot remote to the local rdp-server from the internet in.

6  Oct 29 2012  19:11:35  67.53.131.93  57231  192.168.148.105  3389  Teardown TCP connection 68 for outside:67.53.131.93/57231 to inside:192.168.148.105/3389 duration 0:00:30 bytes 0 SYN Timeout
6  Oct 29 2012  19:11:05  67.53.131.93  57231  192.168.148.105  3389  Built inbound TCP connection 68 for outside:67.53.131.93/57231 (67.53.131.93/57231) to inside:192.168.148.105/3389 (67.53.14.75/3389)

Personally I would configure the port forward in the following way (with made-up ACL and object names):

object network LAN-HOST-RDP
 host 192.168.148.105
 nat (inside,outside) static interface service tcp 3389 3389

access-list OUTSIDE-IN permit tcp any object LAN-HOST-RDP eq 3389

And remove the NAT you had configured for the RDP.

- Jouni

JuanikForss,

I have a feeling you may be correct on the gateway for the local rdp-server. It is configured for a different gateway, so let me make the change, and will post back with an update.

Hello,

I like the NAT you have already. Both of them should work, so do not worry about changing the NAT statement.

Check the default gateway as Jouni suggested if that is fine.

Then do a capture:

capture capout interface outside match tcp host outside_host_ip host interface_ip eq 3389

capture capin interface inside match tcp host outside-host host 192.168.x.105 eq 3389

Then try to connect and share

show cap capout

show cap capin

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Juani,

That was it. It was the gateway of the local rdp-server. I have two different gateways, one from the ISP modem to a Wireless Router that is connected to a switch and to the local rdp-server and one from the ISP modem to the ASA5505. On the ASA5505, interface Eth0/1 was connected to a Cisco 2950 and interface Eth0/2 was connected to a switch where the local rdp-server is connected. Because I can ping the local rdp-server from the ASA5505, I never realized the problem has to do with the gateway of the rdp-server and kept on pulling my hair out.

You two are truly my heroes.
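
Added example, not part of the original thread: the two syslog lines quoted above already show that the ASA built the inbound connection (ACL and NAT matched) and then tore it down with "SYN Timeout" and 0 bytes, which points at the server's return path rather than the firewall. The sketch below pairs Built and Teardown messages to flag that pattern; the function name is hypothetical and connection 69 in the sample is constructed for contrast.

```python
import re

# Connection 68 is quoted from the thread; connection 69 is a constructed
# healthy session (documentation address 203.0.113.10) for contrast.
SAMPLE_LOG = """\
Built inbound TCP connection 68 for outside:67.53.131.93/57231 (67.53.131.93/57231) to inside:192.168.148.105/3389 (67.53.14.75/3389)
Built inbound TCP connection 69 for outside:203.0.113.10/50000 (203.0.113.10/50000) to inside:192.168.148.105/3389 (67.53.14.75/3389)
Teardown TCP connection 68 for outside:67.53.131.93/57231 to inside:192.168.148.105/3389 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 69 for outside:203.0.113.10/50000 to inside:192.168.148.105/3389 duration 0:05:12 bytes 48213 TCP FINs
"""

BUILT = re.compile(r"Built (inbound|outbound) TCP connection (\d+) for "
                   r"(\w+):([\d.]+)/(\d+) \(.*?\) to (\w+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for .*? "
                      r"duration (\S+) bytes (\d+) (.+?)\s*$")


def find_unanswered_inbound(log_text):
    """Return inbound connections the ASA permitted and translated but that
    never completed the TCP handshake (SYN Timeout with 0 bytes)."""
    built, findings = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            # Remember every built connection by its ASA connection id.
            built[m.group(2)] = {
                "direction": m.group(1),
                "client": f"{m.group(4)}/{m.group(5)}",
                "server": f"{m.group(7)}/{m.group(8)}",
            }
            continue
        m = TEARDOWN.search(line)
        if not m:
            continue
        conn = built.pop(m.group(1), None)
        if conn is None or conn["direction"] != "inbound":
            continue
        # The firewall let the SYN through, yet no data ever flowed:
        # check the server's default gateway and host firewall next.
        if m.group(4) == "SYN Timeout" and int(m.group(3)) == 0:
            findings.append({**conn, "conn_id": m.group(1),
                             "duration": m.group(2)})
    return findings


if __name__ == "__main__":
    for f in find_unanswered_inbound(SAMPLE_LOG):
        print(f"conn {f['conn_id']}: {f['client']} -> {f['server']} "
              f"got no handshake reply within {f['duration']}")
```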
