ASA 5505 Configuration Problems

Discussion in 'Cisco' started by tman, Apr 10, 2008.

  1. tman

    tman Guest

    I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
    from outside to a host on the inside network. I created a Security
    Policy and a Static NAT Rule. But it does not work. Here is my
    configuration. Any suggestions would be appreciated. This is my
    first experience with a Cisco security device. I used the ASDM to
    configure the ASA 5505.

    Thanks

    sh run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname nurm
    domain-name mydomain.com
    enable password X7L14fUbqxvIsSKn encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 10.1.1.20 255.0.0.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name orthodyne.de
    object-group service nurem_services_udp udp
     description port_forwarding_nurem_udp
     port-object range 3389 3389
    access-list outside_access_in extended permit udp any object-group nurem_services_udp host 192.168.1.2 object-group nurem_services_udp
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    !
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ff8b7826af792853aa7af84742245a7f
    : end


    nurm#
    tman, Apr 10, 2008
    #1

  2. In article <>,
    tman <> wrote:
    >I am trying to configure an ASA 5505 to allow Remote Desktop Protocol


    >interface Vlan1
    >
    > nameif inside
    >
    > security-level 100
    >
    > ip address 192.168.1.1 255.255.255.0


    I don't know if it matters, but you did not 'switchport' vlan 1 against
    any ports, the way you did vlan 2. And do you really want the
    outside interface to be a tagged vlan?

    >access-list outside_access_in extended permit udp any object-group
    >nurem_services_udp host 192.168.1.2 object-group nurem_services_udp


    That would only work if both the source and destination port are 3389.
    Possible for udp -- but on the other hand the last time I checked,
    RDP was TCP, not UDP, and for the TCP case, you would *not* want
    to restrict the source port to 3389.

    Also, in an ACL being applied to the outside interface, the destination
    IP needs to be the IP *before de-nat*, the public IP. Like the other
    poster indicated, you probably want 'interface' there instead
    of 'host 192.168.1.2'. You might need to use 'interface outside' --
    at least that's what you would need for PIX 6.2/6.3.
    Walter Roberson, Apr 10, 2008
    #2

  3. tman

    tman Guest

    On Apr 10, 10:49 am, artie lange <> wrote:
    > tman wrote:
    > > I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
    > > from outside to a host on the inside network.  I created a Security
    > > Policy and a Static NAT Rule.  But it does not work.  Here is my
    > > configuration.  Any suggestions would be appreciated.  This is my
    > > first experience with a Cisco security device.  I used the ASDM to
    > > configure the ASA 5505.

    >
    > You have created the NAT statement, but you now need to create an ACL to
    > allow packets to the host.
    >
    > access-list outside_access_in extended permit tcp any host 10.1.1.20 eq 3389
    >
    > access-group outside_access_in in interface outside
    >
    > In the access-list you could probably also use:
    >
    > access-list outside_access_in permit tcp any interface eq 3380


    Still doesn't work. I must be missing something.
    tman, Apr 10, 2008
    #3
  4. tman

    tman Guest

    On Apr 10, 12:28 pm, artie lange <> wrote:
    > tman wrote:
    > > On Apr 10, 10:49 am, artie lange <> wrote:
    > >> tman wrote:
    > >>> I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
    > >>> from outside to a host on the inside network.  I created a Security
    > >>> Policy and a Static NAT Rule.  But it does not work.  Here is my
    > >>> configuration.  Any suggestions would be appreciated.  This is my
    > >>> first experience with a Cisco security device.  I used the ASDM to
    > >>> configure the ASA 5505.
    > >> You have created the NAT statement, but you now need to create an ACL to
    > >> allow packets to the host.

    >
    > >> access-list outside_access_in extended permit tcp any host 10.1.1.20 eq 3389

    >
    > >> access-group outside_access_in in interface outside

    >
    > >> In the access-list you could probably also use:

    >
    > >> access-list outside_access_in permit tcp any interface eq 3380

    >
    >                                                                 ^^^ that should read eq 3389
    >
    > can you post the contents of sh access-list and sh nat ...


    sh access-list

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    alert-interval 300
    access-list outside_access_in; 1 elements
    access-list outside_access_in line 1 extended permit tcp any host 10.1.1.20 eq 3389 (hitcnt=0) 0x2b9d88ad


    sh nat

    NAT policies on Interface inside:
    match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
    match ip inside any outside any
    dynamic translation to pool 1 (10.1.1.20 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
    match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

    NAT policies on Interface outside:
    match ip outside host 10.1.1.20 inside any
    static translation to 192.168.1.2
    translate_hits = 0, untranslate_hits = 0
    tman, Apr 10, 2008
    #4
  5. In article <>,
    tman <> wrote:

    >ASA Version 7.2(3)


    >interface Vlan2
    > nameif outside
    > security-level 0
    > ip address 10.1.1.20 255.0.0.0


    >static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255


    You cannot static your entire outside interface to the inside. When
    you are dealing with your outside interface, static only the ports
    you need.

    You have likely also reversed the order of the interfaces for the static.

    Thirdly, you need to use the keyword 'interface' instead of the
    outside IP address.

    Fourthly (if I recall correctly) you are attempting to configure RDP
    on UDP, but RDP is a TCP protocol. With UDP it might make sense to lock
    the source port to 3389 but with TCP it does not.

    static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255

    access-list outside_access_in extended permit tcp any interface outside eq 3389

    access-group outside_access_in in interface outside
    Walter Roberson, Apr 11, 2008
    #5
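    To make the four points in this answer concrete, here is an added example (written for this thread, not Cisco's or the poster's code) that models how a pre-8.3 ASA such as the 7.2(3) above treats an inbound connection on the outside interface: the interface ACL is evaluated against the destination as it arrives (the public address, not the inside host), and only afterwards does a static translation rewrite the destination. It runs the posted UDP/reversed-static lines and the corrected TCP lines through the same model; the outside address 10.1.1.20 and inside host 192.168.1.2 are from the thread, while the client address 203.0.113.5 and the extra SMTP (25) static are constructed assumptions. The model deliberately ignores connection state, inspection and everything else the ASA does.

```python
"""Toy model of inbound handling on a pre-8.3 ASA: ACL on the untranslated
(public) destination first, then the static translation. Example for this
thread, not Cisco code; state, inspection and other features are ignored."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

OUTSIDE_IF_IP = "10.1.1.20"   # outside interface address from the posted config
ANY_PORT = (0, 65535)         # inclusive port range meaning "any port"


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str       # destination as seen on the outside interface
    dst_port: int


@dataclass(frozen=True)
class ACE:
    """One extended access-list entry (only the fields the thread uses)."""
    proto: str
    src: str                    # "any" or a prefix such as "203.0.113.0/24"
    src_ports: Tuple[int, int]
    dst: str                    # "any", a prefix, or "interface outside"
    dst_ports: Tuple[int, int]
    action: str = "permit"


@dataclass(frozen=True)
class Static:
    """static (real_if,mapped_if) [proto] mapped_ip [mapped_port] real_ip [real_port]"""
    real_if: str
    mapped_if: str
    proto: Optional[str]        # None = translate the whole address
    mapped_ip: str              # "interface" = the mapped interface's own address
    mapped_port: Optional[int]
    real_ip: str
    real_port: Optional[int]


def _ip_match(spec: str, ip: str, outside_ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "interface outside":
        return ip_address(ip) == ip_address(outside_ip)
    return ip_address(ip) in ip_network(spec, strict=False)


def acl_permits(pkt: Packet, acl: List[ACE], outside_ip: str) -> bool:
    """First matching entry wins; no match falls to the implicit deny."""
    for ace in acl:
        if (ace.proto == pkt.proto
                and _ip_match(ace.src, pkt.src_ip, outside_ip)
                and _ip_match(ace.dst, pkt.dst_ip, outside_ip)
                and ace.src_ports[0] <= pkt.src_port <= ace.src_ports[1]
                and ace.dst_ports[0] <= pkt.dst_port <= ace.dst_ports[1]):
            return ace.action == "permit"
    return False


def untranslate(pkt: Packet, statics: List[Static],
                outside_ip: str) -> Optional[Tuple[str, int]]:
    """Map the public destination to (inside_ip, inside_port), or None."""
    for s in statics:
        if (s.real_if, s.mapped_if) != ("inside", "outside"):
            continue  # a reversed static (outside,inside) does nothing for this direction
        mapped_ip = outside_ip if s.mapped_ip == "interface" else s.mapped_ip
        if ip_address(pkt.dst_ip) != ip_address(mapped_ip):
            continue
        if s.proto is None:                                    # whole-address static
            return (s.real_ip, pkt.dst_port)
        if s.proto == pkt.proto and s.mapped_port == pkt.dst_port:  # port static
            return (s.real_ip, s.real_port)
    return None


def inbound(pkt: Packet, acl: List[ACE], statics: List[Static],
            outside_ip: str = OUTSIDE_IF_IP) -> Tuple[str, Optional[Tuple[str, int]]]:
    """ACL on the untranslated destination first, then the static translation."""
    if not acl_permits(pkt, acl, outside_ip):
        return ("denied", None)
    target = untranslate(pkt, statics, outside_ip)
    return ("forwarded", target) if target else ("no-xlate", None)


# The posted lines: UDP, source port pinned to 3389, ACL aimed at the inside
# address, and a static with the interfaces reversed.
ORIGINAL_ACL = [ACE("udp", "any", (3389, 3389), "192.168.1.2/32", (3389, 3389))]
ORIGINAL_STATICS = [Static("outside", "inside", None, "192.168.1.2", None, "10.1.1.20", None)]

# The corrected lines from this answer, plus SMTP (25) added the same way (assumed).
FIXED_ACL = [ACE("tcp", "any", ANY_PORT, "interface outside", (3389, 3389)),
             ACE("tcp", "any", ANY_PORT, "interface outside", (25, 25))]
FIXED_STATICS = [Static("inside", "outside", "tcp", "interface", 3389, "192.168.1.2", 3389),
                 Static("inside", "outside", "tcp", "interface", 25, "192.168.1.2", 25)]

# Constructed client: a TCP RDP connection from a documentation address.
RDP_FROM_OUTSIDE = Packet("tcp", "203.0.113.5", 50000, OUTSIDE_IF_IP, 3389)


def run_scenarios() -> Dict[str, Tuple[str, Optional[Tuple[str, int]]]]:
    return {
        "original": inbound(RDP_FROM_OUTSIDE, ORIGINAL_ACL, ORIGINAL_STATICS),
        "fixed_acl_only": inbound(RDP_FROM_OUTSIDE, FIXED_ACL, ORIGINAL_STATICS),
        "fixed": inbound(RDP_FROM_OUTSIDE, FIXED_ACL, FIXED_STATICS),
        "fixed_smtp": inbound(replace(RDP_FROM_OUTSIDE, dst_port=25), FIXED_ACL, FIXED_STATICS),
        "fixed_ssh": inbound(replace(RDP_FROM_OUTSIDE, dst_port=22), FIXED_ACL, FIXED_STATICS),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15} -> {result}")
```

    Running it shows the three failure modes separately: the posted ACL never matches a TCP packet addressed to the public IP ("denied"); the corrected ACL alone lets the packet through the filter but the reversed static gives it nowhere to go ("no-xlate"); only the corrected ACL plus the (inside,outside) port static forwards it to 192.168.1.2:3389. The SMTP case shows that opening another service is one more ACE and one more port static, and the SSH case shows that anything without both still hits the implicit deny.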
  6. tman

    tman Guest

    On Apr 10, 6:22 pm, (Walter Roberson) wrote:
    > In article <>,
    >
    > tman  <> wrote:
    > >ASA Version 7.2(3)
    > >interface Vlan2
    > > nameif outside
    > > security-level 0
    > > ip address 10.1.1.20 255.0.0.0
    > >static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255

    >
    > You cannot static your entire outside interface to the inside. When
    > you are dealing with your outside interface, static only the ports
    > you need.
    >
    > You have likely also reversed the order of the interfaces for the static.
    >
    > Thirdly, you need to use the keyword 'interface' instead of the
    > outside IP address.
    >
    > Fourthly (if I recall correctly) you are attempting to configure RDP
    > on UDP, but RDP is a TCP protocol. With UDP it might make sense to lock
    > the source port to 3389 but with TCP it does not.
    >
    > static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
    >
    > access-list outside_access_in extended permit tcp any interface outside eq 3389
    >
    > access-group outside_access_in in interface outside


    Walter,

    Thanks for the help. I had messed up my config, so I reset the ASA to
    factory default, did a basic configuration using the setup wizard,
    then used your commands to configure NAT and the ACL and it worked
    just fine.

    Do I need to make a service group to allow other services such as
    smtp, pop3 etc or just add lines to my ACL and NAT entries?

    Thanks again.
    tman, Apr 11, 2008
    #6
  7. In article <>,
    tman <> wrote:

    >Do I need to make a service group to allow other services such as
    >smtp, pop3 etc or just add lines to my ACL and NAT entries?


    Either way works fine.

    The time we started creating object groups was when we started
    doing mass blocking of problematic IP source addresses. Updating them
    one by one in the config was a pain, but updating the object group
    was fairly easy.

    Eventually we started using object groups extensively, which was
    in the context of a PIX configuration generator that I wrote
    that allowed me to create configuration templates and a couple
    of small host-specific files, and use the templates to generate
    *consistent* configurations for all of our PIX. When you start working
    with meshes of PIXes, you really want to stop dealing in
    individual IP addresses and instead deal in named groups.
    Walter Roberson, Apr 11, 2008
    #7