Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2420
Views
0
Helpful
6
Replies

Unable to use RDP through ASA

cosguy699
Level 1
Level 1

‎08-18-2011 07:40 AM - edited ‎03-11-2019 02:13 PM

We just switched to a 5510 from a PIX 515 last evening, and the only things that are not working are any services from the outside to the inside.  Example: I am unable to connect to a RDP server on the inside from the outside.  I've been looking at the config for the past five hours, but am unable to see my mistake.  Running 8.2(1)   People on the inside are able to get out.  Thanks for any suggestions.

ASA Version 8.2(1)

!

hostname Firewall

domain-name aaaa.org

names

name 10.10.8.13 mailserver

name 10.10.8.12 video-conf

name 1.1.1.2 PubMail

name 1.1.1.3 VidCon

name 1.1.1.5 Ms-Aderson

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 1.1.1.1 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.10.8.1 255.255.252.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

banner login You aer accessing a secured network device.  If you have not been given permission to lawfully access this network, please leave now.

banner asdm You are accessing a secured network device.  If you have not been given permission to lawfully access this network, please leave now.

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 208.67.220.220

domain-name aaaa.org

object-group service RDP tcp

port-object eq 3389

port-object eq ssh

access-list access-outside-in extended permit icmp any any echo-reply

access-list access-outside-in extended permit icmp any any time-exceeded

access-list access-outside-in extended permit icmp any any unreachable

access-list access-outside-in extended permit icmp any any source-quench

access-list access-outside-in extended permit tcp any host VidCon range 3230 3260

access-list access-outside-in extended permit udp any host VidCon range 3230 3290

access-list access-outside-in extended permit tcp any host VidCon eq h323

access-list access-outside-in extended permit tcp any host 1.1.1.4 eq 3306

access-list access-outside-in extended permit tcp any host 1.1.1.4 eq 7500

access-list access-outside-in extended permit tcp any host 1.1.1.4 eq 9501

access-list access-outside-in extended permit tcp any host Ms-Aderson eq https

access-list access-outside-in extended permit tcp any host 1.1.1.4 object-group RDP

pager lines 24

logging enable

logging trap critical

logging host inside 10.10.8.10

logging debug-trace

mtu Outside 1500

mtu inside 1500

ip local pool VPN-Pool 10.10.10.230-10.10.10.239 mask 255.255.255.252

ip verify reverse-path interface Outside

ip verify reverse-path interface inside

ip audit name InsideAttack attack action alarm

ip audit name MainAttack attack action alarm drop

ip audit name MainInfo info action alarm

ip audit interface Outside MainAttack

ip audit interface inside MainInfo

ip audit interface inside InsideAttack

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

nat (inside) 1 10.10.8.0 255.255.252.0

static (inside,Outside) PubMail mailserver netmask 255.255.255.255

static (inside,Outside) VidCon video-conf netmask 255.255.255.255

static (inside,Outside) Ms-Aderson 10.10.9.7 netmask 255.255.255.255

static (inside,Outside) 1.1.1.4 10.10.8.10 netmask 255.255.255.255

static (Outside,inside) 10.10.8.10 1.1.1.4 netmask 255.255.255.255

access-group access-outside-in in interface Outside

route Outside 0.0.0.0 0.0.0.0 1.1.1.14 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.8.10 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 Outside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 10

ssh 1.1.1.1 255.255.255.255 Outside

ssh timeout 5

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.43.244.18 source Outside prefer

ntp server 17.171.4.21 source Outside

webvpn

group-policy VPN-Users internal

group-policy VPN-Users attributes

wins-server value 10.10.8.10

dns-server value 10.10.8.10

vpn-tunnel-protocol IPSec

default-domain value hga.org

tunnel-group VPN-Users type remote-access

tunnel-group VPN-Users general-attributes

address-pool VPN-Pool

default-group-policy VPN-Users

tunnel-group VPN-Users ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Labels:
0 Helpful
6 Replies 6

mvsheik123
Level 7
Level 7

‎08-18-2011 08:02 AM

Hi Dale,

Pretty straight config. I am not sure why you need the entry.. :

static (Outside,inside) 10.10.8.10 1.1.1.4 netmask 255.255.255.255

Can you remove this and try RDP?

Thx

MS

0 Helpful

cosguy699
Level 1
Level 1
In response to mvsheik123

‎08-18-2011 08:25 AM

MS,

I removed the entry, but still does not work.  That line was my static nat to the inside server  x.x.x.4

Thanks

0 Helpful

varrao
Level 10
Level 10
In response to cosguy699

‎08-18-2011 08:31 AM

I see everything is fine with your configuration, would you mind, doing a write mem first and then reloading the ASA and the ISP device once, you might just need to clear the arp cache on the devices after replacing the firewalls.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

cosguy699
Level 1
Level 1
In response to varrao

‎08-18-2011 08:37 AM

Hi Varun,

I did everything you suggested last evening EXCEPT for reloading the ISP device.  I'll do that now and report back.  As od now, before ISP reload, I am able to ASDM to the ASA from the outside.

Thanks

0 Helpful

varrao
Level 10
Level 10
In response to cosguy699

‎08-18-2011 09:04 AM

Sure let me know how it goes.

-Varun

Thanks,
Varun Rao
0 Helpful

cosguy699
Level 1
Level 1
In response to cosguy699

‎08-18-2011 09:08 AM

Varun,

I reloaded the ISP device, but still was not working.  I then looked at my statics and saw that I had reversed the direction. ie:  should have been static (inside,outside) x.x.x.4 10.10.8.10 NOT static (outside,inside) 10.10.8.10 x.x.x.4

Everything is working fine.  Thanks for you assistance.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card