02-16-2012 10:50 AM - edited 03-11-2019 03:30 PM
Hello,
I've been trying to set up a simple port forward on a Cisco ASA 5505 (OS version 8.3.2).
I have an external IP 94.112.245.203 and I'd like to forward a port for Windows Remote Desktop (tcp/3389) to a server at 192.168.10.2.
Here are my object, nat and access-list configurations:
Here's how packet trace goes:
I've tried following several guides and all suggest the very same approach:
object network srv2003
host 192.168.10.2
nat (inside,outside) static interface service tcp 3389 3389
However I feel I must have missed something very basic about access-lists since none of the guides is discussing it.
Any help would be very much appreciated.
Regards,
Martin
02-16-2012 10:55 AM
Hi Martin,
Yes you are right the access-list needs to be:
access-list outside_access_in extended permit tcp any 192.168.10.2 eq 3389
since post 8.3, you need to use the private ip instead of the public ip in the outside ACL.
Hope that helps
Thanks,
Varun
02-16-2012 11:15 AM
Hello Varun,
and thank you for a really quick response!
Are you sure that command is syntactically correct?
ciscoasa(config)# access-list outside_access_in extended permit tcp any 192.168.10.2 eq 3389
access-list outside_access_in extended permit tcp any 192.168.10.2 eq 3389
^
ERROR: % Invalid input detected at '^' marker.
(if the formatting "eats" up the whitespace, the '^' marker is pointed at 'eq')
Also, should this rule override the one already present or should it be added to it? Sorry if these questions are of a basic nature.
Thank you.
Regards,
Martin
02-16-2012 11:17 AM
Hey Martin,
I'm sorry, a teeny-weeny mistake:
access-list outside_access_in extended permit tcp any host 192.168.10.2 eq 3389
we were missing the host keyword.
Thanks,
Varun
02-16-2012 11:25 AM
Hello Varun,
thanks for the clarification.
I've added the permission in the access-list, however I am still unable to connect via RDP and packet-trace still exits on phase 2 (i.e. access-list) with the same error message:
Drop-reason: (acl-drop) Flow is denied by configured rule
Any idea what else I might be missing? Should I post complete show running-config?
Thanks,
Martin
02-16-2012 11:27 AM
It should not say that now, but yes, if you can post the config, that would be helpful.
Thanks,
Varun
02-16-2012 11:35 AM
Here it is:
I've replaced the password hashes with '
Thank you,
Martin
02-16-2012 11:45 AM
Hi Martin,
Can you delete the old nat statement:
object network srv2003
nat (inside,outside) static interface service tcp 3389 3389
and add this one:
nat (outside,inside) source static any any destination static interface srv2003 service rdp rdp
Can you let me know how it goes.
Thanks,
Varun
02-16-2012 11:57 AM
Hi Varun,
I've deleted the statement as you suggested and added the new one. The configuration now looks as follows:
However the problem persists - I still cannot make the RDP connection from the outside and the packet-trace fails too.
Thank you,
Martin
02-16-2012 12:33 PM
Ohhhhhhhhhhhhhhhhhhh, how could I have just overlooked it?
Check these:
It's the wrong access-list applied on the outside interface, kindly change it to:
access-group outside_access_in in interface outside
Thanks,
Varun
02-16-2012 12:58 PM
Thank you for your response.
I changed it (I suppose it means that I change which access list applies to the given interface?), so it looks like the following:
Yet still no luck (neither RDP nor packet-trace, problem is still the same).
Is it possible I might have missed something else (and basic)?
Thank you very much,
Martin
02-17-2012 12:41 PM
Well, I tried several other things I randomly found on the Internet but alas with no success. After those experiments, I went back to the configuration I showed in my last post to keep the thread consistent.
I know this might be a Windows-ish question, but is it possible that a reboot of the ASA might solve this issue? If you are certain that these settings are correct then we've sort of exhausted the options, I am afraid.
Thank you very much,
Martin
02-17-2012 12:51 PM
Hi Martin,
For accessing the server on rdp port, we just need the basic config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 192.168.10.2 eq 3389
object service rdp
service tcp destination eq 3389
object network srv2003
host 192.168.10.2
nat (outside,inside) source static any any destination static interface srv2003 service rdp rdp
After this the packet tracer should not say implicit deny, and that's what amazes me. I really don't think it to be a Windows issue right now and would love to take it forward with you in digging into it, if you're fine with it.
Thanks,
Varun
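The two things Varun's replies turn on are (a) since ASA 8.3 the ACL on the outside interface must match the server's real (private) address rather than the public one, and (b) the access-group has to bind that ACL to the outside interface. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses the subset of ASA config syntax used in this thread (object network / host / nat, extended access-list entries, access-group) and reports exactly those two mistakes. Both configurations it checks are constructed samples; the public address 94.112.245.203 and the object name srv2003 are taken from the thread, and the parser deliberately understands only the syntax forms that appear above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the post-8.3 shape of the forward as laid out in the thread
# (real IP in the outside ACL, object NAT on the server object, ACL bound to outside).
GOOD_CONFIG = """\
object network srv2003
 host 192.168.10.2
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside_access_in extended permit tcp any host 192.168.10.2 eq 3389
access-group outside_access_in in interface outside
"""

# Constructed sample reproducing both mistakes discussed in the thread: the ACL
# still matches the public (mapped) address, pre-8.3 style, and the access-group
# binds a different ACL to the outside interface.
BAD_CONFIG = """\
object network srv2003
 host 192.168.10.2
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside_access_in extended permit tcp any host 94.112.245.203 eq 3389
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface outside
"""


def parse_objects(config: str) -> Dict[str, dict]:
    """Collect 'object network' blocks: name -> {'host': ip, 'nat': object-NAT line}."""
    objects: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects[current] = {"host": None, "nat": None}
        elif current and line.startswith(" "):
            body = line.strip()
            if body.startswith("host "):
                objects[current]["host"] = body.split()[1]
            elif body.startswith("nat "):
                objects[current]["nat"] = body
        elif line:
            current = None  # any other top-level line ends the object block
    return objects


def parse_access_groups(config: str) -> Dict[tuple, str]:
    """'access-group NAME in|out interface IFACE' -> {(iface, direction): NAME}."""
    groups: Dict[tuple, str] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) == 5 and t[0] == "access-group" and t[3] == "interface":
            groups[(t[4], t[2])] = t[1]
    return groups


def parse_ace(line: str) -> Optional[dict]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' (thread subset only)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None

    def take_addr(toks: list):
        # 'any', or a two-token form: 'host X', 'interface X', 'object X', 'NET MASK'
        if toks and toks[0].startswith("any"):
            return toks[0], toks[1:]
        if len(toks) < 2:
            return None, toks
        return " ".join(toks[:2]), toks[2:]

    src, rest = take_addr(t[5:])
    dst, rest = take_addr(rest)
    if src is None or dst is None:
        return None
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"name": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port}


def check_port_forward(config: str, obj_name: str, port: str = "3389") -> List[str]:
    """Return findings for an 8.3+ port forward to obj_name; an empty list means it looks right."""
    lines = config.splitlines()
    findings: List[str] = []
    obj = parse_objects(config).get(obj_name)
    if obj is None or obj["host"] is None:
        return [f"no 'object network {obj_name}' with a host address"]
    real = f"host {obj['host']}"
    # 1. A translation must exist: object NAT in the block, or a top-level twice-NAT line naming the object.
    if obj["nat"] is None and not any(l.startswith("nat (") and obj_name in l.split() for l in lines):
        findings.append(f"no nat statement translates {obj_name}")
    # 2. Which ACL is actually applied inbound on the outside interface?
    bound = parse_access_groups(config).get(("outside", "in"))
    if bound is None:
        findings.append("no access-group applied inbound on interface outside")
    # 3. Every permit for tcp/<port>, in any ACL, must name the real address (post-8.3 rule).
    aces = [a for a in map(parse_ace, lines)
            if a and a["action"] == "permit" and a["proto"] == "tcp" and a["port"] == port]
    correct = {a["name"] for a in aces if a["dst"] == real}
    for a in aces:
        if a["dst"] != real:
            findings.append(f"access-list {a['name']} permits tcp/{port} to '{a['dst']}'; "
                            f"on 8.3+ the outside ACL must match the real address '{real}'")
    if not aces:
        findings.append(f"no ACE permits tcp/{port} to {real}")
    elif bound is not None and bound not in correct:
        findings.append(f"access-group on outside uses '{bound}', which has no permit for tcp/{port} to {real}"
                        + (f" (that ACE is in {', '.join(sorted(correct))})" if correct else ""))
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_port_forward(cfg, "srv2003") or "OK")
```

Run against the good sample it returns no findings; against the bad sample it reports the public-address ACE and the mis-bound access-group, the same two corrections Varun arrives at in the thread.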
02-17-2012 03:56 PM
Hello Varun,
thanks again for taking time and helping me.
I set up everything like you instructed me to in your last post.
Here's my complete running-config, just to be sure:
And here's the output of packet tracer:
I also don't think it's a Windows problem at the moment (since I am connected to the server via SSH tunnel as of now, since RDP forwarding doesn't work).
I am glad you take this much interest in this case and I'd love to provide you with as much information as you need to further investigate this problem.
Again, thank you very much!
Martin
::EDIT::
In the meantime, I did a little check and tried the old Linux router we used for our network, and port forward works just fine. The purpose was to exclude problems with the ISP, Windows Server and anything else that doesn't come to mind at the moment. So it should really be an ASA issue at the moment.
02-24-2012 04:36 AM
Hello Varun,
have you got any update on my issue, please?