Velocity Reviews - Computer Hardware Reviews

ASA 5505 Configuration Problems

 
 
tman
04-10-2008
I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
from outside to a host on the inside network. I created a Security
Policy and a Static NAT Rule. But it does not work. Here is my
configuration. Any suggestions would be appreciated. This is my
first experience with a Cisco security device. I used the ASDM to
configure the ASA 5505.

Thanks

sh run

: Saved
:
ASA Version 7.2(3)
!
hostname nurm
domain-name mydomain.com
enable password X7L14fUbqxvIsSKn encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.20 255.0.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name orthodyne.de
object-group service nurem_services_udp udp
 description port_forwarding_nurem_udp
 port-object range 3389 3389
access-list outside_access_in extended permit udp any object-group nurem_services_udp host 192.168.1.2 object-group nurem_services_udp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ff8b7826af792853aa7af84742245a7f
: end

nurm#
 
Walter Roberson
04-10-2008
In article <(E-Mail Removed)>,
tman <(E-Mail Removed)> wrote:
>I am trying to configure an ASA 5505 to allow Remote Desktop Protocol

>interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0

I don't know if it matters, but you did not 'switchport' vlan 1 against
any ports, the way you did vlan 2. And do you really want the
outside interface to be a tagged vlan?

>access-list outside_access_in extended permit udp any object-group
>nurem_services_udp host 192.168.1.2 object-group nurem_services_udp

That would only work if both the source and destination port are 3389.
Possible for udp -- but on the other hand the last time I checked,
RDP was TCP, not UDP, and for the TCP case, you would *not* want
to restrict the source port to 3389.

Also, in an ACL being applied to the outside interface, the destination
IP needs to be the IP *before de-nat*, the public IP. Like the other
poster indicated, you probably want 'interface' there instead
of 'host 192.168.1.2'. You might need to use 'interface outside' --
at least that's what you would need for PIX 6.2/6.3.
 
tman
04-10-2008
On Apr 10, 10:49 am, artie lange <(E-Mail Removed)> wrote:
> tman wrote:
> > I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
> > from outside to a host on the inside network. I created a Security
> > Policy and a Static NAT Rule. But it does not work. Here is my
> > configuration. Any suggestions would be appreciated. This is my
> > first experience with a Cisco security device. I used the ASDM to
> > configure the ASA 5505.
>
> You have created the NAT statement, but you now need to create an ACL to
> allow packets to the host.
>
> access-list outside_access_in extended permit tcp any host 10.1.1.20 eq 3389
>
> access-group outside_access_in in interface outside
>
> In the access-list you could probably also use:
>
> access-list outside_access_in permit tcp any interface eq 3380

Still doesn't work. I must be missing something.
 
tman
04-10-2008
On Apr 10, 12:28 pm, artie lange <(E-Mail Removed)> wrote:
> tman wrote:
> > On Apr 10, 10:49 am, artie lange <(E-Mail Removed)> wrote:
> >> tman wrote:
> >>> I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
> >>> from outside to a host on the inside network. I created a Security
> >>> Policy and a Static NAT Rule. But it does not work. Here is my
> >>> configuration. Any suggestions would be appreciated. This is my
> >>> first experience with a Cisco security device. I used the ASDM to
> >>> configure the ASA 5505.
> >> You have created the NAT statement, but you now need to create an ACL to
> >> allow packets to the host.
>
> >> access-list outside_access_in extended permit tcp any host 10.1.1.20 eq 3389
>
> >> access-group outside_access_in in interface outside
>
> >> In the access-list you could probably also use:
>
> >> access-list outside_access_in permit tcp any interface eq 3380
>                                                         ^^^ that should read eq 3389
>
> can you post the contents of sh access-list and sh nat ...

sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 extended permit tcp any host 10.1.1.20 eq 3389 (hitcnt=0) 0x2b9d88ad

sh nat

NAT policies on Interface inside:
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
dynamic translation to pool 1 (10.1.1.20 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0

NAT policies on Interface outside:
match ip outside host 10.1.1.20 inside any
static translation to 192.168.1.2
translate_hits = 0, untranslate_hits = 0
 
Walter Roberson
04-11-2008
In article <(E-Mail Removed)>,
tman <(E-Mail Removed)> wrote:
>ASA Version 7.2(3)

>interface Vlan2
> nameif outside
> security-level 0
> ip address 10.1.1.20 255.0.0.0

>static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255

You cannot static your entire outside interface to the inside. When
you are dealing with your outside interface, static only the ports
you need.

You have likely also reversed the order of the interfaces for the static.

Thirdly, you need to use the keyword 'interface' instead of the
outside IP address.

Fourthly (if I recall correctly) you are attempting to configure RDP
on UDP, but RDP is a TCP protocol. With UDP it might make sense to lock
the source port to 3389 but with TCP it does not.

static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-group outside_access_in in interface outside
 
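The review points raised in the two replies above (an ACL applied inbound on the outside interface must name the address before de-NAT, not the inside host; RDP is TCP, so do not pin the source port; static only the ports you need; the static is written (inside,outside) for an inbound forward; use the 'interface' keyword rather than the outside IP literal) can be checked mechanically before a config is pushed. The script below is an added example, not code from the thread or from Cisco: it parses only the statement types involved (interface stanzas, service object-groups, static, access-list, access-group) and runs the checks over the original poster's NAT/ACL lines and over the corrected ones. The parser functions, the rule names and the sample strings are my own construction; the config lines inside the samples are the thread's own.

```python
# Added example (not code from the thread or from Cisco): the replies' review points as
# mechanical checks over a 'show run' excerpt. Rule names and parsers are my own; the
# config lines in the sample strings are the thread's own 'before' and 'after' lines.
import ipaddress
import re

INTERFACES = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.20 255.0.0.0
"""
BEFORE = INTERFACES + """\
object-group service nurem_services_udp udp
 port-object range 3389 3389
access-list outside_access_in extended permit udp any object-group nurem_services_udp host 192.168.1.2 object-group nurem_services_udp
static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
AFTER = INTERFACES + """\
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside
"""

def parse_objects(cfg):
    """One pass: nameif -> {ip, net, sec} and service object-group -> set of member ports."""
    ifaces, groups, cur_if, cur_grp = {}, {}, {}, set()
    for s in (line.strip() for line in cfg.splitlines()):
        t = s.split()
        if s.startswith("interface "):
            cur_if = {}
        elif s.startswith("nameif "):
            ifaces[t[1]] = cur_if
        elif s.startswith("security-level "):
            cur_if["sec"] = int(t[1])
        elif s.startswith("ip address "):
            cur_if["ip"], cur_if["net"] = t[2], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif s.startswith("object-group service "):
            cur_grp = groups.setdefault(t[2], set())
        elif s.startswith("port-object "):  # 'port-object eq N' or 'port-object range A B'
            cur_grp.update(range(int(t[2]), int(t[-1]) + 1))
    return ifaces, groups

def parse_static(s):
    """static (real_ifc,mapped_ifc) [tcp|udp] mapped [mport] real [rport] netmask ..."""
    m = re.match(r"static \((\w+),(\w+)\) (.+?) netmask ", s)
    if not m:
        return None
    t = m.group(3).split()
    proto = t.pop(0) if t[0] in ("tcp", "udp") else None
    return dict(real_ifc=m.group(1), mapped_ifc=m.group(2), proto=proto,
                mapped=t[0], real=t[2] if proto else t[1])

def take_addr(t):
    """Consume one ACL address term; 'host X' and 'A MASK' both come back as networks."""
    k = t.pop(0)
    if k in ("any", "interface", "object-group"):
        return (k, None if k == "any" else t.pop(0))
    return ("net", ipaddress.ip_network(t.pop(0) if k == "host" else f"{k}/{t.pop(0)}", strict=False))

def take_ports(t, groups):
    """Consume an optional port term; 'object-group X' is a port term only if X is a service group."""
    if t and t[0] in ("eq", "range"):
        lo, hi = int(t[1]), int(t[2] if t[0] == "range" else t[1])
        del t[:3 if t[0] == "range" else 2]
        return set(range(lo, hi + 1))
    if len(t) > 1 and t[0] == "object-group" and t[1] in groups:
        del t[0]
        return groups[t.pop(0)]
    return None

def lint(cfg):
    """Return [(rule, offending line)]; an empty list means none of the review points apply."""
    ifaces, groups = parse_objects(cfg)
    sec = lambda name: ifaces.get(name, {}).get("sec")
    outside_ips = {i["ip"] for i in ifaces.values() if i.get("sec") == 0}
    inside_nets = [i["net"] for i in ifaces.values() if i.get("sec", 0) > 0]
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)", cfg, re.M))
    findings = []
    for s in (line.strip() for line in cfg.splitlines()):
        st = parse_static(s)
        if st:
            literal = {st["mapped"], st["real"]} & outside_ips        # outside address spelled out
            findings += [(rule, s) for rule, bad in [
                ("STATIC_WHOLE_INTERFACE", st["proto"] is None and (literal or st["mapped"] == "interface")),
                ("STATIC_IFC_ORDER", (sec(st["real_ifc"]) or 0) < (sec(st["mapped_ifc"]) or 0)),
                ("STATIC_USE_INTERFACE_KW", bool(literal))] if bad]
            continue
        m = re.match(r"access-list (\S+) (?:extended )?(?:permit|deny) (\S+) (.+)$", s)
        if not m or sec(bound.get(m.group(1))) != 0:                 # only ACLs applied inbound on outside
            continue
        proto, t = m.group(2), m.group(3).split()
        _src, sports, (kind, dnet), dports = take_addr(t), take_ports(t, groups), take_addr(t), take_ports(t, groups)
        rdp = 3389 in (dports or set())                              # the one service the thread is about
        findings += [(rule, s) for rule, bad in [
            ("ACL_DST_PRE_NAT_ADDRESS", kind == "net" and any(n.overlaps(dnet) for n in inside_nets)),
            ("ACL_RDP_NOT_TCP", rdp and proto != "tcp"),
            ("ACL_SRC_PORT_RESTRICTED", sports is not None and (proto == "tcp" or rdp))] if bad]
    return findings
```

Running `lint(BEFORE)` reports all six points against the original two lines (three on the static, three on the access-list), and `lint(AFTER)` returns an empty list for the corrected lines. The ACL checks only fire for an access-list that `access-group` binds inbound on a security-level 0 interface, which is exactly the case where the destination must be the mapped address; an `object-group` token after an address is treated as a port term only when it names a service group, since the ASA resolves that ambiguity by group type. Everything else in a full `show run` (the `nat`/`global` pair, inspection policy, and so on) is ignored rather than parsed.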
 
tman
04-11-2008
On Apr 10, 6:22 pm, (E-Mail Removed) (Walter Roberson) wrote:
> In article <(E-Mail Removed)>,
> tman <(E-Mail Removed)> wrote:
> >ASA Version 7.2(3)
> >interface Vlan2
> > nameif outside
> > security-level 0
> > ip address 10.1.1.20 255.0.0.0
> >static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255
>
> You cannot static your entire outside interface to the inside. When
> you are dealing with your outside interface, static only the ports
> you need.
>
> You have likely also reversed the order of the interfaces for the static.
>
> Thirdly, you need to use the keyword 'interface' instead of the
> outside IP address.
>
> Fourthly (if I recall correctly) you are attempting to configure RDP
> on UDP, but RDP is a TCP protocol. With UDP it might make sense to lock
> the source port to 3389 but with TCP it does not.
>
> static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
>
> access-list outside_access_in extended permit tcp any interface outside eq 3389
>
> access-group outside_access_in in interface outside

Walter,

Thanks for the help. I had messed up my config, so I reset the ASA to
factory default, did a basic configuration using the setup wizard,
then used your commands to configure NAT and the ACL and it worked
just fine.

Do I need to make a service group to allow other services such as
smtp, pop3 etc or just add lines to my ACL and NAT entries?

Thanks again.
 
Walter Roberson
04-11-2008
In article <(E-Mail Removed)>,
tman <(E-Mail Removed)> wrote:

>Do I need to make a service group to allow other services such as
>smtp, pop3 etc or just add lines to my ACL and NAT entries?

Either way works fine.

The time we started creating object groups was when we started
doing mass blocking of problematic IP source addresses. Updating them
one by one in the config was a pain, but updating the object group
was fairly easy.

Eventually we started using object groups extensively, which was
in the context of a PIX configuration generator that I wrote
that allowed me to create configuration templates and a couple
of small host-specific files, and use the templates to generate
*consistent* configurations for all of our PIX. When you start working
with meshes of PIXes, you really want to stop dealing in
individual IP addresses and instead deal in named groups.
 