Remote Desktop Connection to ASA 5515x

bhalbautista

Hi Guys,


I have an ASA 5515x and it already has an Internet connection, since my firewall is not "production". Right now I'm trying to configure a Remote Session just for a test, and eventually I was not able to connect from it. I followed the instructions from the technotes but the Remote Connection still dropped. Here's my sample configuration on my firewall. BTW, I also configured a service policy rule and ACL just to make sure that I am able to access the server inside my network, but the session also dropped.

Feel free if you guys have any inputs on my concern. Thanks a lot.

nat (inside,outside) source static 1.1.1.1 2.2.2.1

access-list 110 extended permit tcp host 3.3.3.1 host 2.2.2.1 eq 3389

CiscoASA(config)#class-map rdpmss
CiscoASA(config-cmap)#match access-list 110    
CiscoASA(config-cmap)#exit
CiscoASA(config)#tcp-map mss-map
CiscoASA(config-tcp-map)#exceed-mss allow
CiscoASA(config-tcp-map)#exit
CiscoASA(config)#policy-map rdpmss
CiscoASA(config-pmap)#class rdpmss
CiscoASA(config-pmap-c)#set connection advanced-options mss-map
CiscoASA(config-pmap-c)#exit
CiscoASA(config-pmap)#exit
CiscoASA(config)#service-policy rdpmss interface outside


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

Accepted Solutions

The service-policy is not needed in this scenario. But your ACL has to use the real address of the internal server:

access-list 110 extended permit tcp host 3.3.3.1 host 1.1.1.1 eq 3389

And is the ACL bound to the outside interface?

access-group 110 in int outside

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
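
The two checks from the answer above (ACL destination must be the real address, and the ACL must be bound with access-group), written as a small config audit. This is an added example, not part of the original thread or any Cisco tool; the function name `audit`, the finding labels and the sample configs are assumptions, and it only parses the line shapes that appear in this thread.

```python
import re

# Line shapes taken from this thread; other ACE forms (any, subnets, objects) are not parsed.
NAT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+)")
ACE_RE = re.compile(r"access-list (\S+) extended permit \S+ host (\S+) host (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in int(?:erface)? (\S+)")


def audit(config):
    """Return findings for a config given as text.

    ("mapped-address", acl, mapped, real): ACE destination is a translated address
    ("unbound", acl): ACL is never applied with access-group
    """
    mapped_to_real, aces, bound = {}, [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            real, mapped = m.groups()
            mapped_to_real[mapped] = real
        elif m := ACE_RE.match(line):
            aces.append((m.group(1), m.group(3)))  # (ACL name, destination host)
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))

    findings = []
    for acl, dst in aces:
        if dst in mapped_to_real:
            findings.append(("mapped-address", acl, dst, mapped_to_real[dst]))
    for acl in sorted({a for a, _ in aces} - bound):
        findings.append(("unbound", acl))
    return findings


# Constructed from the placeholder addresses used in the thread.
QUESTION_CONFIG = """\
nat (inside,outside) source static 1.1.1.1 2.2.2.1
access-list 110 extended permit tcp host 3.3.3.1 host 2.2.2.1 eq 3389
"""
ANSWER_CONFIG = """\
nat (inside,outside) source static 1.1.1.1 2.2.2.1
access-list 110 extended permit tcp host 3.3.3.1 host 1.1.1.1 eq 3389
access-group 110 in int outside
"""

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(label, audit(cfg))
```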

Hi Karsten,

Thanks for your response. Yes, I bound this to the outside interface, but Remote Desktop is still unable to connect.

3.3.3.1 is the PC from which you test RDP? 1.1.1.1 is the inside server? And you access the IP 2.2.2.1 from outside? Then show the output of the following command:

packet-tracer input outside tcp 3.3.3.1 1234 2.2.2.1 3389

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

Yes. Anyway, my apologies to you: I set up another server, and I think my first server was having some problem with RDP. Right now I'm able to use an RDP session to my new server setup. My bad, so meaning my configuration is correct without using the service policy as well. Thank you so much Karsten, I really appreciate your assistance. Once again, my apologies.

Thanks,

Bhal

No problem! Fine when it's working now.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
