ASA 5505 Configuration Problems
in [Cisco]
|
From: tman on 10 Apr 2008 13:45 I am trying to configure an ASA 5505 to allow Remote Desktop Protocol from outside to a host on the inside network. I created a Security Policy and a Static NAT Rule. But it does not work. Here is my configuration. Any suggestions would be appreciated. This is my first experience with a Cisco security device. I used the ASDM to configure the ASA 5505. Thanks sh run : Saved : ASA Version 7.2(3) ! hostname nurm domain-name mydomain.com enable password X7L14fUbqxvIsSKn encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 10.1.1.20 255.0.0.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive dns server-group DefaultDNS domain-name orthodyne.de object-group service nurem_services_udp udp description port_forwarding_nurem_udp port-object range 3389 3389 access-list outside_access_in extended permit udp any object-group nurem_services_udp host 192.168.1.2 object-group nurem_services_udp pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-523.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 0.0.0.0 0.0.0.0 static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255 access-group outside_access_in in interface outside timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip- disconnect 0:02:00 timeout uauth 0:05:00 absolute http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet 192.168.1.0 255.255.255.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! dhcpd address 192.168.1.2-192.168.1.129 inside dhcpd enable inside ! ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:ff8b7826af792853aa7af84742245a7f : end nurm#
From: artie lange on 10 Apr 2008 13:49 tman wrote: > I am trying to configure an ASA 5505 to allow Remote Desktop Protocol > from outside to a host on the inside network. I created a Security > Policy and a Static NAT Rule. But it does not work. Here is my > configuration. Any suggestions would be appreciated. This is my > first experience with a Cisco security device. I used the ASDM to > configure the ASA 5505. > You have created the NAT statement, but you now need to create an ACL to allow packets to the host. access-list outside_access_in extended permit tcp any host 10.1.1.20 eq 3389 access-group outside_access_in in interface outside In the access-list you could probably also use: access-list outside_access_in permit tcp any interface eq 3380
From: Walter Roberson on 10 Apr 2008 15:10 In article <b9189e42-71cc-4dfd-ba2a-e609435ba75c(a)t54g2000hsg.googlegroups.com>, tman <naves.tom(a)gmail.com> wrote: >I am trying to configure an ASA 5505 to allow Remote Desktop Protocol >interface Vlan1 > > nameif inside > > security-level 100 > > ip address 192.168.1.1 255.255.255.0 I don't know if it matters, but you did not 'switchport' vlan 1 against any ports, the way you did vlan 2. And do you really want the outside interface to be a tagged vlan? >access-list outside_access_in extended permit udp any object-group >nurem_services_udp host 192.168.1.2 object-group nurem_services_udp That would only work if both the source and destination port as 3389. Possible for udp -- but on the other hand the last time I checked, RDP was TCP, not UDP, and for the TCP case, you would *not* want to restrict the source port to 3389. Also, in an ACL being applied to the outside interface, the destination IP needs to be the IP *before de-nat*, the public IP. Like the other poster indicated, you probably want 'interface' there instead of 'host 192.168.1.2' . You might need to use 'interface outside' -- at least that's what you would need for PIX 6.2/6.3
From: tman on 10 Apr 2008 15:21 On Apr 10, 10:49 am, artie lange <Ar...(a)lange.com> wrote: > tman wrote: > > I am trying to configure an ASA 5505 to allow Remote Desktop Protocol > > from outside to a host on the inside network. I created a Security > > Policy and a Static NAT Rule. But it does not work. Here is my > > configuration. Any suggestions would be appreciated. This is my > > first experience with a Cisco security device. I used the ASDM to > > configure the ASA 5505. > > You have created the NAT statement, but you now need to create an ACL to > allow packets to the host. > > access-list outside_access_in extended permit tcp any host 10.1.1.20 eq 3389 > > access-group outside_access_in in interface outside > > In the access-list you could probably also use: > > access-list outside_access_in permit tcp any interface eq 3380 Still doesn't work. I must be missing something.
From: artie lange on 10 Apr 2008 15:28
tman wrote: > On Apr 10, 10:49 am, artie lange <Ar...(a)lange.com> wrote: >> tman wrote: >>> I am trying to configure an ASA 5505 to allow Remote Desktop Protocol >>> from outside to a host on the inside network. I created a Security >>> Policy and a Static NAT Rule. But it does not work. Here is my >>> configuration. Any suggestions would be appreciated. This is my >>> first experience with a Cisco security device. I used the ASDM to >>> configure the ASA 5505. >> You have created the NAT statement, but you now need to create an ACL to >> allow packets to the host. >> >> access-list outside_access_in extended permit tcp any host 10.1.1.20 eq 3389 >> >> access-group outside_access_in in interface outside >> >> In the access-list you could probably also use: >> >> access-list outside_access_in permit tcp any interface eq 3380 > ^^^ that should read eq 3389 can you post the contents of sh access-list and sh nat ... |