RDP Access problem

saroj pradhan
Level 1

Hi ,

I am using a Cisco ASA5510 firewall on my network at the distribution layer. The private IP address is in the network for users and PAT is used.

I have a client who has configured RDP on port 2000. When the users behind the firewall in my network try RDP, it does not work; it shows "configuring remote desktop" only. I am able to telnet to the client's said server on port 2000 but unable to RDP.

Are any changes required on my firewall so that RDP works?

Please advise.

Thanks,

Saroj

8 Replies

jasbryan
Level 6

Saroj,

You most likely want to move your question over to this forum for your answer.

https://supportforums.cisco.com/community/netpro/security/firewall

Thanks,

Jasbryan

Hi Saroj,

Per Jason's suggestion, I have moved your question into the firewall area so you do not need to repost.

Regards,

Cindy Toy

Cisco Small Business Community Manager

for Cisco Small Business Products

www.cisco.com/go/smallbizsupport

twitter: CiscoSBsupport


luisroja
Level 1

Hello Saroj,

Please attach the ASA configuration to the post so I can review it.

Thanks.

Please find the ASA Configuration.

Thanks,

Saroj

Hello,

Here is the packet-tracer we used yesterday to troubleshoot this:

Netlink-OS-ASA# packet-tracer input inside tcp 172.16.48.213 1025 74.94.242.13$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in_1 in interface inside

access-list inside_access_in_1 extended permit ip any any

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: inspect-skinny

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect skinny

service-policy global_policy global

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 Block_FromASA_ThroughUntangle1 255.255.255.192

  match ip inside Block_FromASA_ThroughUntangle1 255.255.255.192 outside any

    dynamic translation to pool 1 (122.168.191.66)

    translate_hits = 59925, untranslate_hits = 345

Additional Information:

Dynamic translate 172.16.48.213/1025 to 122.168.191.66/29284 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 Block_FromASA_ThroughUntangle1 255.255.255.192

  match ip inside Block_FromASA_ThroughUntangle1 255.255.255.192 outside any

    dynamic translation to pool 1 (122.168.191.66)

    translate_hits = 59925, untranslate_hits = 345

Additional Information:

Phase: 9

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_out out interface outside

access-list outside_access_out extended permit ip any any

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 59535332, packet dispatched to next module

Phase: 12

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 122.168.191.65 using egress ifc outside

adjacency Active

next-hop mac address 0019.2f8e.c639 hits 29742

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Please create some captures to check if the RDP server is responding to the client request!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
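The packet-tracer output above is long and easy to misread: what matters is whether every phase says ALLOW, what the NAT phase translated the flow to, and which interface it left on. The following is an added Python example, not code from this thread or from Cisco, that parses such output and reports exactly that. Its first sample is an abridged copy of the trace posted above (phases 1, 7 and 12 plus the Result block); the second is a constructed trace in which an interface ACL denies the flow, so the first failing phase and the drop reason are surfaced. The function names are my own.

```python
import re

# Abridged copy of the packet-tracer output posted in this thread
# (phases 1, 7 and 12 and the final Result block); the real output has 12 phases.
ALLOWED_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 Block_FromASA_ThroughUntangle1 255.255.255.192
Additional Information:
Dynamic translate 172.16.48.213/1025 to 122.168.191.66/29284 using netmask 255.255.255.255

Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 122.168.191.65 using egress ifc outside

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed trace (not from the thread) in which an interface ACL denies the flow.
DENIED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

XLATE_RE = re.compile(r"Dynamic translate (\S+)/(\d+) to (\S+)/(\d+)")
SECTION_HEADERS = ("Config:", "Additional Information:")


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the final Result block."""
    phases, result, current, in_result = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "",
                       "subtype": "", "result": "", "info": []}
            phases.append(current)
            continue
        if line == "Result:":          # summary block that follows the last phase
            in_result, current = True, None
            continue
        if in_result:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
        elif current is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    current[key.lower()] = line.split(":", 1)[1].strip()
                    break
            else:
                current["info"].append(line)   # config lines and additional information
    return phases, result


def summarize(text):
    """Return what a troubleshooter wants: final action, first failing phase, NAT and egress."""
    phases, result = parse_packet_tracer(text)
    failing = [p for p in phases if p["result"] != "ALLOW"]
    xlate = None
    for p in phases:
        for info in p["info"]:
            m = XLATE_RE.search(info)
            if m:
                xlate = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
    return {
        "phases": len(phases),
        "action": result.get("Action"),
        "first_failing_phase": (failing[0]["phase"], failing[0]["type"]) if failing else None,
        "drop_reason": result.get("Drop-reason"),
        "xlate": xlate,
        "egress": result.get("output-interface"),
    }


if __name__ == "__main__":
    for name, trace in (("allowed", ALLOWED_TRACE), ("denied", DENIED_TRACE)):
        print(name, summarize(trace))
```

Feed it the full output of `packet-tracer input inside tcp <client> <port> <server> 2000` and the summary tells you in one line whether the ASA would forward the flow and to which translated address and port; an `Action: allow` with the expected translation, as in the thread, means the next place to look is the captures rather than the ASA rules.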

I have configured the packet capture but am unable to find the RDP server IP, which is 74.94.242.139, in the captured packet list.

Netlink-OS-ASA(config)# show capture testcap count 20

1145 packets captured

1: 21:01:58.142784 172.16.63.1.22 > 172.16.51.10.49245: P 2967950329:2967950397(68) ack 2868729768 win 8192

2: 21:01:58.142845 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402

3: 21:01:58.143028 172.16.51.10.49245 > 172.16.63.1.22: . ack 2967950397 win 65535

4: 21:01:58.143455 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402

5: 21:01:58.144508 76.127.90.119.52843 > 172.16.51.10.14106: udp 1438

6: 21:01:58.144523 209.104.131.20.443 > 172.16.50.168.52716: udp 85

7: 21:01:58.144630 209.104.131.20.443 > 172.16.51.10.1117: udp 85

8: 21:01:58.146217 172.16.51.10.56443 > 199.71.245.17.443: P 4023407154:4023407192(38) ack 2968440731 win 65535

9: 21:01:58.146766 208.86.251.15.80 > 172.16.51.10.53612: S 191863448:191863448(0) ack 1450255578 win 65535 172.16.48.72.3389: . ack 2709156126 win 258

Here is what you need to do:

access-list capin permit tcp host rdp_client_private_ip host server_outside eq 2000

access-list capin permit tcp  host server_outside eq 2000 host rdp_client_private_ip

access-list capout permit tcp host rdp_client_public_ip host server_outside eq 2000

access-list capout permit tcp host server_outside eq 2000 host rdp_client_public_ip

capture capin access-list capin interface inside

capture capout access-list capout interface outside

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

As per your instruction I have configured the following commands on the ASA to capture packets, but got no result.

It shows 0 packets captured while trying RDP on port 2000.

Thanks,

Saroj
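Julio's two captures (capin on the inside interface keyed to the client's private address, capout on the outside keyed to the client's PAT address) are the standard way to find where in the path a TCP flow dies, and Saroj's "0 packets captured" is itself a finding. The following is an added Python example, not code from this thread or from Cisco, that parses `show capture` output for both captures and names the break point. All capture lines are constructed samples in the shape of ASA capture output, using the addresses from the thread (client 172.16.48.213 translated to 122.168.191.66, server 74.94.242.139 on TCP/2000); the verdict strings and function names are my own.

```python
import re

# Constructed samples in the shape of ASA "show capture <name>" output; the packets
# are made up, the addresses follow the thread.
EMPTY = "0 packet captured\n"
INSIDE_SYN_ONLY = """\
2 packets captured
1: 10:00:01.000100 172.16.48.213.1025 > 74.94.242.139.2000: S 1000:1000(0) win 8192
2: 10:00:04.000100 172.16.48.213.1025 > 74.94.242.139.2000: S 1000:1000(0) win 8192
"""
INSIDE_HANDSHAKE = INSIDE_SYN_ONLY + """\
3: 10:00:04.050000 74.94.242.139.2000 > 172.16.48.213.1025: S 5000:5000(0) ack 1001 win 65535
4: 10:00:04.050900 172.16.48.213.1025 > 74.94.242.139.2000: . ack 5001 win 8192
5: 10:00:04.051000 209.104.131.20.443 > 172.16.50.168.52716: udp 85
"""
OUTSIDE_SYN_ONLY = """\
1: 10:00:01.000200 122.168.191.66.29284 > 74.94.242.139.2000: S 1000:1000(0) win 8192
"""
OUTSIDE_HANDSHAKE = OUTSIDE_SYN_ONLY + """\
2: 10:00:04.049900 74.94.242.139.2000 > 122.168.191.66.29284: S 5000:5000(0) ack 1001 win 65535
"""

# "<n>: <timestamp> <src>.<sport> > <dst>.<dport>: <flags or 'udp N'> ..."
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn capture lines into dicts; header lines such as '0 packet captured' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("udp"):
            proto, flags, has_ack = "udp", "", False
        else:
            proto = "tcp"
            flags = rest.split()[0]               # tcpdump-style flag field: S . P F R
            has_ack = " ack " in f" {rest} "      # present on SYN-ACK and later segments
        pkts.append({"src": m.group("src"), "sport": int(m.group("sport")),
                     "dst": m.group("dst"), "dport": int(m.group("dport")),
                     "proto": proto, "flags": flags, "ack": has_ack})
    return pkts


def _split(pkts, client_ip, server_ip, port):
    """Separate client->server and server->client TCP packets for one address pair."""
    to_srv = [p for p in pkts if p["proto"] == "tcp" and p["src"] == client_ip
              and p["dst"] == server_ip and p["dport"] == port]
    from_srv = [p for p in pkts if p["proto"] == "tcp" and p["src"] == server_ip
                and p["sport"] == port and p["dst"] == client_ip]
    return to_srv, from_srv


def locate_break(inside_text, outside_text, client_private, client_public, server_ip, port):
    """Compare the inside and outside captures and name the first point where the flow stops."""
    in_to, in_from = _split(parse_capture(inside_text), client_private, server_ip, port)
    out_to, out_from = _split(parse_capture(outside_text), client_public, server_ip, port)
    if not in_to:
        # Nothing matched the capture ACL on inside: wrong addresses/port in the ACL,
        # capture on the wrong interface, or the client is not sending via this ASA.
        return "client-traffic-not-seen-on-inside"
    if not out_to:
        return "asa-not-forwarding"            # seen inside, never left outside: NAT/ACL/route
    if not out_from:
        return "no-reply-from-server"          # left the ASA, nothing came back: server/upstream
    if not in_from:
        return "reply-not-returned-to-client"  # reply reached outside but was not untranslated/permitted
    if any(p["flags"] == "S" and p["ack"] for p in in_from):
        return "handshake-completed-through-asa"
    return "bidirectional-traffic"


if __name__ == "__main__":
    args = ("172.16.48.213", "122.168.191.66", "74.94.242.139", 2000)
    print(locate_break(EMPTY, EMPTY, *args))
    print(locate_break(INSIDE_HANDSHAKE, OUTSIDE_HANDSHAKE, *args))
```

Run it on the text of `show capture capin` and `show capture capout`. The empty-capture case is the one Saroj hit: before concluding anything about the server, confirm the capture ACL really names the client's private address and the server's address and port, that the capture is applied to the inside interface, and that the client's traffic actually reaches that interface (a `show conn` for the client address is a quick cross-check).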
