02-13-2012 05:42 AM - edited 03-11-2019 03:28 PM
Hi,
I am using a Cisco ASA5510 firewall on my network at the distribution layer. The private IP address range is in the network for users and PAT is used.
I have a client who has configured RDP on port 2000. When the users behind the firewall in my network try RDP it does not work; it only shows "configuring remote desktop". I am able to telnet to the client's said server on port 2000 but unable to RDP.
Are any changes required on my firewall so that the RDP works?
Please advise.
Thanks,
Saroj
02-13-2012 07:54 AM
Saroj,
You most likely want to move your question over to this forum for your answer.
https://supportforums.cisco.com/community/netpro/security/firewall
Thanks,
Jasbryan
02-13-2012 11:19 PM
Hi Saroj,
Per Jason's suggestion, I have moved your question into the firewall area so you do not need to repost.
Regards,
Cindy Toy
Cisco Small Business Community Manager
for Cisco Small Business Products
www.cisco.com/go/smallbizsupport
twitter: CiscoSBsupport
02-14-2012 07:00 AM
Hello Saroj,
Please attach the ASA configuration to the post so I can review it.
Thanks.
02-14-2012 07:03 AM
02-14-2012 07:11 AM
Hello,
Here is the packet-tracer we used yesterday to troubleshoot this:
Netlink-OS-ASA# packet-tracer input inside tcp 172.16.48.213 1025 74.94.242.13$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit ip any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-skinny
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect skinny
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 Block_FromASA_ThroughUntangle1 255.255.255.192
match ip inside Block_FromASA_ThroughUntangle1 255.255.255.192 outside any
dynamic translation to pool 1 (122.168.191.66)
translate_hits = 59925, untranslate_hits = 345
Additional Information:
Dynamic translate 172.16.48.213/1025 to 122.168.191.66/29284 using netmask 255.255.255.255
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 Block_FromASA_ThroughUntangle1 255.255.255.192
match ip inside Block_FromASA_ThroughUntangle1 255.255.255.192 outside any
dynamic translation to pool 1 (122.168.191.66)
translate_hits = 59925, untranslate_hits = 345
Additional Information:
Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit ip any any
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 59535332, packet dispatched to next module
Phase: 12
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 122.168.191.65 using egress ifc outside
adjacency Active
next-hop mac address 0019.2f8e.c639 hits 29742
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Please create some captures to check if the RDP server is responding to the client request!
02-14-2012 07:42 AM
I have configured the packet capture but I am unable to find the RDP server IP, which is 74.94.242.139, in the captured packet list.
Netlink-OS-ASA(config)# show capture testcap count 20
1145 packets captured
1: 21:01:58.142784 172.16.63.1.22 > 172.16.51.10.49245: P 2967950329:2967950397(68) ack 2868729768 win 8192
2: 21:01:58.142845 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402
3: 21:01:58.143028 172.16.51.10.49245 > 172.16.63.1.22: . ack 2967950397 win 65535
4: 21:01:58.143455 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402
5: 21:01:58.144508 76.127.90.119.52843 > 172.16.51.10.14106: udp 1438
6: 21:01:58.144523 209.104.131.20.443 > 172.16.50.168.52716: udp 85
7: 21:01:58.144630 209.104.131.20.443 > 172.16.51.10.1117: udp 85
8: 21:01:58.146217 172.16.51.10.56443 > 199.71.245.17.443: P 4023407154:4023407192(38) ack 2968440731 win 65535
9: 21:01:58.146766 208.86.251.15.80 > 172.16.51.10.53612: S 191863448:191863448(0) ack 1450255578 win 65535 172.16.48.72.3389: . ack 2709156126 win 258
02-14-2012 07:56 AM
Here is what you need to do:
access-list capin permit tcp host rdp_client_private_ip host server_outside eq 2000
access-list capin permit tcp host server_outside eq 2000 host rdp_client_private_ip
access-list capout permit tcp host rdp_client_public_ip host server_outside eq 2000
access-list capout permit tcp host server_outside eq 2000 host rdp_client_public_ip
capture capin access-list capin interface inside
capture capout access-list capout interface outside
Regards,
Julio
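To make sense of what a filtered capture like the one above actually shows, here is a small parser for the ASA `show capture` line format seen earlier in the thread, together with a check that answers Julio's question: did the client's SYN reach the interface, and did the server ever send a SYN/ACK back? This is an added example written for this thread, not code from Cisco or from any poster. The sample capture embeds the packets from the thread (with the last, run-together line trimmed) plus two constructed lines for the client 172.16.48.213 talking to 74.94.242.139:2000; those two lines are invented for illustration.

```python
import re
from typing import Dict, List

# One ASA "show capture" line, e.g.
#   1: 21:01:58.142784 172.16.63.1.22 > 172.16.51.10.49245: P 2967950329:2967950397(68) ack 2868729768 win 8192
#   2: 21:01:58.142845 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402
CAPTURE_LINE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

# Sample input: packets 1-9 are from the thread's capture (9 trimmed);
# packets 10-11 are CONSTRUCTED to show a client SYN that gets no answer.
SAMPLE_CAPTURE = """\
Netlink-OS-ASA(config)# show capture testcap count 20
1145 packets captured
1: 21:01:58.142784 172.16.63.1.22 > 172.16.51.10.49245: P 2967950329:2967950397(68) ack 2868729768 win 8192
2: 21:01:58.142845 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402
3: 21:01:58.143028 172.16.51.10.49245 > 172.16.63.1.22: . ack 2967950397 win 65535
4: 21:01:58.143455 76.187.139.64.43075 > 172.16.51.10.14106: udp 1402
5: 21:01:58.144508 76.127.90.119.52843 > 172.16.51.10.14106: udp 1438
6: 21:01:58.144523 209.104.131.20.443 > 172.16.50.168.52716: udp 85
7: 21:01:58.144630 209.104.131.20.443 > 172.16.51.10.1117: udp 85
8: 21:01:58.146217 172.16.51.10.56443 > 199.71.245.17.443: P 4023407154:4023407192(38) ack 2968440731 win 65535
9: 21:01:58.146766 208.86.251.15.80 > 172.16.51.10.53612: S 191863448:191863448(0) ack 1450255578 win 65535
10: 21:02:01.000000 172.16.48.213.1025 > 74.94.242.139.2000: S 100:100(0) win 8192 <mss 1460>
11: 21:02:04.000000 172.16.48.213.1025 > 74.94.242.139.2000: S 100:100(0) win 8192 <mss 1460>
"""


def parse_capture(text: str) -> List[Dict]:
    """Turn show-capture output into a list of packet dicts; non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue  # prompt, "N packets captured", etc.
        rest = m.group("rest")
        if rest.startswith("udp"):
            proto, flags, has_ack = "udp", "", False
        else:
            proto = "tcp"
            flags = rest.split()[0]            # "S", "P", "." ... as printed by the ASA
            has_ack = " ack " in f" {rest} "   # an ACK number is present
        packets.append({
            "idx": int(m.group("idx")), "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": proto, "flags": flags, "ack": has_ack,
        })
    return packets


def handshake_status(packets: List[Dict], server_ip: str, server_port: int) -> Dict:
    """Check whether a TCP handshake to server_ip:server_port is visible in the capture."""
    to_server = [p for p in packets if p["proto"] == "tcp"
                 and p["dst"] == server_ip and p["dport"] == server_port]
    from_server = [p for p in packets if p["proto"] == "tcp"
                   and p["src"] == server_ip and p["sport"] == server_port]
    syn = any("S" in p["flags"] and not p["ack"] for p in to_server)
    synack = any("S" in p["flags"] and p["ack"] for p in from_server)
    if not to_server and not from_server:
        verdict = "no packets for this host/port on this interface: check the capture ACL, NAT and routing"
    elif syn and not synack:
        verdict = "client SYN seen but no SYN/ACK from server: server not answering or reply dropped upstream"
    elif synack:
        verdict = "handshake reply seen: the problem is past the TCP connection"
    else:
        verdict = "packets seen but no SYN in this window: capture started mid-session"
    return {"to_server": len(to_server), "from_server": len(from_server),
            "syn": syn, "synack": synack, "verdict": verdict}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(handshake_status(pkts, "74.94.242.139", 2000))
    print(handshake_status(pkts, "208.86.251.15", 80))
```

Run the same check against the inside capture (client private IP) and the outside capture (client PAT address); a SYN present on inside but absent on outside points at NAT or routing on the ASA, while a SYN present on outside with no SYN/ACK points at the server or something between it and the ASA.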
02-14-2012 05:01 PM
As per your instruction I have configured the following commands on the ASA to capture packets, but no result.
It shows 0 packets captured while trying RDP on port 2000.
Thanks,
Saroj