10-29-2012 12:04 PM - edited 03-11-2019 05:15 PM
Hi,
I am trying to configure Remote Desktop on a home lab ASA5505 with IOS 8.4.1 and no matter what I tried, I am unable to remote into a local server behind the firewall. I've searched online and found several threads with solutions, including here at the Cisco Support Community forum, and have tried them all, but have had no success. I'm sure it may be something very simple that I've missed.
Here is my Running Config. Any help is appreciated.
ASA Version 8.4(1)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.148.5 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.x.x.75 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 67.x.x.75
 domain-name demo.local
object network inside
 subnet 192.168.148.0 255.255.255.0
object network rdp-server
 host 192.168.148.105
object service rdp
 service tcp source eq 3389
access-list outside_in extended permit tcp any object rdp-server eq 3389
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static rdp-server interface service rdp rdp
nat (inside,outside) source dynamic inside interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.x.x.75 1
10-29-2012 12:09 PM
Hello,
The configuration looks perfect except for the IP address of the RDP server?
object network rdp-server
 host 192.168.1.0
Why is it using the network IP address?
Regards,
10-29-2012 12:19 PM
Sorry, I was trying to change the real IP address and made some errors. The IP has been updated.
So all looks correct to you? If so, somehow I still cannot remote to the local rdp-server from the internet in.
6 | Oct 29 2012 | 19:11:35 | 67.53.131.93 | 57231 | 192.168.148.105 | 3389 | Teardown TCP connection 68 for outside:67.53.131.93/57231 to inside:192.168.148.105/3389 duration 0:00:30 bytes 0 SYN Timeout |
6 | Oct 29 2012 | 19:11:05 | 67.53.131.93 | 57231 | 192.168.148.105 | 3389 | Built inbound TCP connection 68 for outside:67.53.131.93/57231 (67.53.131.93/57231) to inside:192.168.148.105/3389 (67.53.14.75/3389) |
10-29-2012 12:25 PM
Hi,
Are you sure your local computer has the correct Gateway IP address configured? Just seeing as you have an unusual interface IP address on the ASA (192.168.148.5).
Though if this was the case it would mean the local computer couldn't access anything outside its subnet at the moment. But this has been the case a few times in the past so I've learned not to presume everything.
I guess there might even be some setting that is blocking the RDP connections from the remote networks?
All in all it seems that the problem is with the local computer and not the ASA.
- Jouni
10-29-2012 12:27 PM
Personally I would configure the port forward in the following way (with made up ACL and object names)
object network LAN-HOST-RDP
 host 192.168.148.105
 nat (inside,outside) static interface service tcp 3389 3389
access-list OUTSIDE-IN permit tcp any object LAN-HOST-RDP eq 3389
And remove the NAT you had configured for the RDP.
- Jouni
10-29-2012 12:36 PM
JuanikForss,
I have a feeling you may be correct on the gateway for the local rdp-server. It is configured for a different gateway, so let me make the change, and will post back with an update.
10-29-2012 12:30 PM
Hello,
I like the NAT you have already. Both of them should work, so do not worry about changing the NAT statement.
Check the default gateway as Jouni suggested if that is fine.
Then do a capture
capture capout interface outside match tcp host outside_host_ip host interface_ip eq 3389
capture capin interface inside match tcp host outside-host host 192.168.x.105 eq 3389
Then try to connect and share
show cap capout
show cap capin
10-29-2012 12:52 PM
Juani,
That was it. It was the gateway of the local rdp-server. I have two different gateways, one from the ISP modem to a Wireless Router that is connected to a switch and to the local rdp-server and one from the ISP modem to the ASA5505. On the ASA5505, interface Eth0/1 was connected to a Cisco 2950 and interface Eth0/2 was connected to a switch where the local rdp-server is connected. Because I can ping the local rdp-server from the ASA5505, I never realized the problem has to do with the gateway of the rdp-server and kept on pulling my hair out.
You two are truly my heroes.
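The two syslog lines posted earlier in the thread show the pattern that separates a firewall problem from a host-side one: the connection is built, so the ACL and NAT already accepted it, and is then torn down after 30 seconds with bytes 0 and SYN Timeout. As an added example that is not part of any post in the thread, this Python script flags that pattern in ASA log text; the sample lines are constructed with documentation addresses, and the function name is hypothetical.

```python
import re

# Constructed sample in the ASDM log-viewer layout shown in the thread
# (documentation addresses, not the poster's; connection 69 is a healthy contrast).
SAMPLE = """\
6 | Oct 29 2012 | 19:11:05 | 203.0.113.9 | 57231 | 192.168.148.105 | 3389 | Built inbound TCP connection 68 for outside:203.0.113.9/57231 (203.0.113.9/57231) to inside:192.168.148.105/3389 (198.51.100.75/3389) |
6 | Oct 29 2012 | 19:11:35 | 203.0.113.9 | 57231 | 192.168.148.105 | 3389 | Teardown TCP connection 68 for outside:203.0.113.9/57231 to inside:192.168.148.105/3389 duration 0:00:30 bytes 0 SYN Timeout |
6 | Oct 29 2012 | 19:12:01 | 203.0.113.9 | 57240 | 192.168.148.20 | 443 | Built inbound TCP connection 69 for outside:203.0.113.9/57240 (203.0.113.9/57240) to inside:192.168.148.20/443 (198.51.100.75/443) |
6 | Oct 29 2012 | 19:12:09 | 203.0.113.9 | 57240 | 192.168.148.20 | 443 | Teardown TCP connection 69 for outside:203.0.113.9/57240 to inside:192.168.148.20/443 duration 0:00:08 bytes 5120 TCP FINs |
"""

BUILT = re.compile(r"Built (inbound|outbound) TCP connection (\d+) for ")
TEARDOWN = re.compile(
    r"Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) "
    r"to (\w+):([\d.]+)/(\d+) duration \S+ bytes (\d+) ([^|]+)")


def unanswered_inbound(log_text):
    """Return inbound connections the ASA forwarded but the inside host never answered."""
    direction = {}   # connection id -> "inbound" or "outbound", taken from the Built line
    findings = []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            direction[m.group(2)] = m.group(1)
            continue
        m = TEARDOWN.search(line)
        if not m:
            continue
        conn_id, _, src_ip, _, dst_if, dst_ip, dst_port, nbytes, reason = m.groups()
        # A Built line means ACL and NAT accepted the flow; zero bytes plus
        # "SYN Timeout" means no SYN-ACK came back through the firewall.
        if (direction.pop(conn_id, None) == "inbound"
                and reason.strip() == "SYN Timeout" and int(nbytes) == 0):
            findings.append({"client": src_ip, "interface": dst_if,
                             "server": f"{dst_ip}:{dst_port}"})
    return findings


if __name__ == "__main__":
    for f in unanswered_inbound(SAMPLE):
        print(f"{f['server']} on {f['interface']}: SYN from {f['client']} got no reply; "
              "check the host's listener, local firewall and default gateway")
```

A hit from this check narrows the search to the inside host and its return path, which is where the captures on both interfaces and the gateway check suggested in the thread pick up.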