04-05-2009 07:51 PM - edited 03-11-2019 08:15 AM
I have a very simple config. I'm trying to forward custom RDP ports. The default 3389 port is forwarding fine and I'm able to get into the 10.0.0.5
I cannot, however, get to 10.0.0.102
The machine is up (I can RDP into the x.5 server, and from there RDP into the x.102 machine).
Anything I'm missing?
access-list incoming extended permit tcp any host 7.17.25.9 eq 3389
access-list incoming extended permit tcp any host 7.17.25.9 eq 3390
static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.10.0.102 3390 netmask 255.255.255.255
edit: I'm launching 'mstsc' and connecting to "7.17.25.9:3390" for the custom port (not actual IP). Is this correct?
04-06-2009 12:34 AM
Hi,
I think that your second static NAT statement should be
static (inside,outside) tcp interface 3390 10.10.0.102 3389 netmask 255.255.255.255
ie. on the outside you connect to port 3390, but it connects through to 3389 on the inside.
Regards
04-06-2009 04:44 AM
Good catch!
I made the change but it's still not working.
static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255
So strange. It appears to be correct, but it's not working. Yet if I RDP into the 10.0.0.5:3389 it works, and from there I'm able to RDP into 10.0.0.102
Very strange.
Any other ideas?
04-06-2009 05:44 AM
Hi Scott,
I think that your ASA config is correct now. Maybe it's the way you're calling mstsc; can you please try the following:
mstsc /v:7.17.25.9:3390
Regards
04-06-2009 11:12 AM
Gah.
I just tried what you said and no luck. Same thing. It tries for a few seconds, then comes back with an error: can't connect.
Yet again, I connect to the 10.0.0.5 server, and from there can RDP into the 10.0.0.102 machine.
I'm at a wall here. This should be a simple setup, right?
04-06-2009 12:22 PM
Scott,
!
no static (inside,outside) tcp interface 3390 10.10.0.102 3389 netmask 255.255.255.255
!
static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255
If that wasn't it, then what does real-time logging say?
Toshi
04-06-2009 11:44 PM
Hi Scott,
Where are you trying to connect from? Is TCP 3390 allowed outbound on your test line/network?
I've done this before so I'm sure your ASA config is correct
Do you see anything in your ASA logs?
Regards
04-08-2009 09:33 PM
Have you had any luck in connecting to the 2nd workstation remotely? Does the workstation have a firewall enabled? Type in the command 'clear xlate' and then try again.
04-21-2009 06:34 PM
Hello all,
Sorry for the delay. Another switch project came up with another client so this was put on the back burner. Now I'm back.
As of right now, this is what I have on the firewall:
access-list incoming extended permit tcp any host 7.17.25.9 eq 3389
access-list incoming extended permit tcp any host 7.17.25.9 eq 3390
access-list incoming extended permit tcp any host 7.17.25.9 eq 3391
static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 10.0.0.106 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255
access-group incoming in interface outside
I'm focusing on the 10.*.102 host for now.
102 is Windows XP Pro SP3. Windows Firewall is enabled, but I've manually allowed 3389 (tcp and udp) to exceptions. It also has Symantec Endpoint Protection with Network Threat Protection, which I've disabled for troubleshooting.
Remote Desktop connections are enabled under right-click My Computer.
I am able to RDP into 10.*.5 (the server) fine. And from there, I'm able to RDP into 10.*.102 fine.
I've tried "clear xlate"
I've tried "reload"
There is no outbound ACL, all is open.
Ugh! Frustrated!
What else could it be?!
update: just did a capture on the firewall:
faoasa# capture test interface inside
faoasa# sh capture test | grep 3390
faoasa# sh capture test | grep 3389
1: 19:18:27.899535 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
2: 19:18:30.888442 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
3: 19:18:36.889648 802.1Q vlan#1 P0 24.*.*.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
faoasa#
The 24.* is me at home. It looks like the traffic is being forwarded, right?
Gah.
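An added example, not from the thread or from any poster, that reads `show capture` output in the tcpdump-style format shown above and reports, for each client connection, whether the inside host ever replied. Three identical SYNs with no SYN-ACK, as in the post, means the ASA did forward the packets and the missing reply is on the host side. The sample lines are constructed (documentation address 203.0.113.92 stands in for the masked 24.*.*.92, and a healthy handshake to 10.0.0.5 is added for contrast).

```python
import re
from collections import defaultdict

# tcpdump-style line as printed by "show capture" on the ASA; octets masked
# with '*' (as in the post) are accepted. Format assumed from the post's output.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+.*?"
    r"(?P<src>[\d*]+\.[\d*]+\.[\d*]+\.[\d*]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d*]+\.[\d*]+\.[\d*]+\.[\d*]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

# Constructed sample: the three unanswered SYNs from the post (client address
# replaced by 203.0.113.92) plus one healthy handshake to the 10.0.0.5 server.
SAMPLE = """\
1: 19:18:27.899535 802.1Q vlan#1 P0 203.0.113.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
2: 19:18:30.888442 802.1Q vlan#1 P0 203.0.113.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
3: 19:18:36.889648 802.1Q vlan#1 P0 203.0.113.92.59585 > 10.0.0.102.3389: S 2304876493:2304876493(0) win 8192
4: 19:19:01.100000 802.1Q vlan#1 P0 203.0.113.92.59590 > 10.0.0.5.3389: S 1000:1000(0) win 8192
5: 19:19:01.100500 802.1Q vlan#1 P0 10.0.0.5.3389 > 203.0.113.92.59590: S 5000:5000(0) ack 1001 win 16384
"""

def parse_capture(text):
    """Yield one dict per packet line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def classify_flows(text):
    """Per client->server 4-tuple: (number of SYNs seen, verdict on the reply)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for p in parse_capture(text):
        syn_ack = "S" in p["flags"] and "ack" in p["rest"]
        if "S" in p["flags"] and not syn_ack:                    # client SYN
            flows[(p["src"], p["sport"], p["dst"], p["dport"])]["syn"] += 1
        elif syn_ack or "R" in p["flags"]:                      # reply from the host
            key = (p["dst"], p["dport"], p["src"], p["sport"])  # flip direction
            flows[key]["synack" if syn_ack else "rst"] += 1
    verdicts = {}
    for key, c in flows.items():
        if c["synack"]:
            v = "host answered (SYN-ACK seen)"
        elif c["rst"]:
            v = "host refused (RST): nothing listening on that port"
        else:
            v = "no reply seen: ASA forwarded it, check host firewall/listener"
        verdicts[key] = (c["syn"], v)
    return verdicts
```

Paste the real `show capture` text in place of SAMPLE; a flow whose SYN count climbs while the verdict stays "no reply seen" points at the workstation, not at the static PAT.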
04-21-2009 08:48 PM
Update: I made the following changes, and now it works:
no static (inside,outside) tcp interface 3390 10.0.0.102 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 10.0.0.102 3390 netmask 255.255.255.255
On host machine:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
Changed PortNumber to 3390; restart machine.
Now it works. What the ?
So does this mean it was a problem with the ASA translation from 3390 -> 3389 ?
Theories?