ASA 5505 Configuration Problems

Discussion in 'Cisco' started by tman, Apr 10, 2008.

  1. tman

    tman Guest

    I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
    from outside to a host on the inside network. I created a Security
    Policy and a Static NAT Rule. But it does not work. Here is my
    configuration. Any suggestions would be appreciated. This is my
    first experience with a Cisco security device. I used the ASDM to
    configure the ASA 5505.


    sh run

    : Saved

    ASA Version 7.2(3)

    hostname nurm
    enable password X7L14fUbqxvIsSKn encrypted

    interface Vlan1
     nameif inside
     security-level 100
     ip address

    interface Vlan2
     nameif outside
     security-level 0
     ip address

    interface Ethernet0/0
     switchport access vlan 2

    interface Ethernet0/1

    interface Ethernet0/2

    interface Ethernet0/3

    interface Ethernet0/4

    interface Ethernet0/5

    interface Ethernet0/6

    interface Ethernet0/7

    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
    object-group service nurem_services_udp udp
     description port_forwarding_nurem_udp
     port-object range 3389 3389
    access-list outside_access_in extended permit udp any object-group nurem_services_udp host object-group nurem_services_udp
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1
    static (outside,inside) netmask
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside

    dhcpd address inside
    dhcpd enable inside

    class-map inspection_default
     match default-inspection-traffic

    policy-map type inspect dns preset_dns_map
     message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp

    service-policy global_policy global
    prompt hostname context

    : end

    tman, Apr 10, 2008

  2. I don't know if it matters, but you did not 'switchport' vlan 1 against
    any ports, the way you did vlan 2. And do you really want the
    outside interface to be a tagged vlan?
    That would only work if both the source and destination port are 3389.
    Possible for udp -- but on the other hand the last time I checked,
    RDP was TCP, not UDP, and for the TCP case, you would *not* want
    to restrict the source port to 3389.

    Also, in an ACL being applied to the outside interface, the destination
    IP needs to be the IP *before de-nat*, the public IP. Like the other
    poster indicated, you probably want 'interface' there instead
    of 'host' . You might need to use 'interface outside' --
    at least that's what you would need for PIX 6.2/6.3
    Walter Roberson, Apr 10, 2008

  3. tman

    tman Guest

    Still doesn't work. I must be missing something.
    tman, Apr 10, 2008
  4. tman

    tman Guest

    sh access-list

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max
    alert-interval 300
    access-list outside_access_in; 1 elements
    access-list outside_access_in line 1 extended permit tcp any host eq 3389 (hitcnt=0) 0x2b9d88ad

    sh nat

    NAT policies on Interface inside:
    match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
    match ip inside any outside any
    dynamic translation to pool 1 ( [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
    match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

    NAT policies on Interface outside:
    match ip outside host inside any
    static translation to
    translate_hits = 0, untranslate_hits = 0
    tman, Apr 10, 2008
  5. You cannot static your entire outside interface to the inside. When
    you are dealing with your outside interface, static only the ports
    you need.

    You have likely also reversed the order of the interfaces for the static.

    Thirdly, you need to use the keyword 'interface' instead of the
    outside IP address.

    Fourthly (if I recall correctly) you are attempting to configure RDP
    on UDP, but RDP is a TCP protocol. With UDP it might make sense to lock
    the source port to 3389 but with TCP it does not.

    static (inside,outside) tcp interface 3389 3389 netmask

    access-list outside_access_in extended permit tcp any interface outside eq 3389

    access-group outside_access_in in interface outside
    Walter Roberson, Apr 11, 2008
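    As an added example (not code from the thread, and not Walter's own tooling), the four points in the reply above written as a small Python lint over the pre-8.3 static/ACL syntax this thread uses: is the static written (inside,outside) with the real host on the inside, does its protocol match the service, is the ACL bound inbound on the outside interface, and does an ACE permit the service from any source port to the mapped (pre-de-NAT) address rather than the inside host. The addresses 192.168.1.10 and 203.0.113.2, both sample configs and the finding texts are constructed; the parser understands only numeric port-objects and the eq/range/object-group port forms.

```python
"""Lint a pre-8.3 ASA port forward (static PAT plus the inbound ACL).
Added example, not code from the thread: the mistakes discussed in the replies above become
checks over static, access-list, access-group and object-group service lines. Constructed data."""

def parse_static(line):
    """static (real_if,mapped_if) [tcp|udp] MAPPED [mport] REAL [rport] netmask M"""
    tok = line.split()
    real_if, mapped_if = tok[1].strip("()").split(",")
    proto = tok[2] if tok[2] in ("tcp", "udp") else None
    a, step = (tok[3:], 2) if proto else (tok[2:], 1)      # address [port] pairs
    return {"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
            "mapped": a[0], "mapped_port": int(a[1]) if proto else None,
            "real": a[step], "real_port": int(a[step + 1]) if proto else None}

def service_groups(lines):
    """object-group service NAME -> set of ports (numeric port-object eq N / range A B)."""
    groups, cur = {}, None
    for tok in map(str.split, lines):
        if tok[:2] == ["object-group", "service"]:
            cur = groups.setdefault(tok[2], set())
        elif cur is not None and tok[0] == "port-object":
            cur.update(range(int(tok[2]), int(tok[-1]) + 1))
        elif tok[0] != "description":
            cur = None
    return groups

def parse_ace(line, groups):
    """access-list NAME extended permit|deny PROTO SRC [ports] DST [ports]; ports -> set or None."""
    tok = line.split()
    def addr(i):  # any | host X | interface IF | object-group G | NET MASK
        return ("any", i + 1) if tok[i] == "any" else (f"{tok[i]} {tok[i + 1]}", i + 2)
    def ports(i):
        if i < len(tok) and tok[i] in ("eq", "range"):
            n = 2 if tok[i] == "eq" else 3
            return set(range(int(tok[i + 1]), int(tok[i + n - 1]) + 1)), i + n
        if i + 1 < len(tok) and tok[i] == "object-group" and tok[i + 1] in groups:
            return groups[tok[i + 1]], i + 2   # a service group used as the port spec
        return None, i                          # unrestricted (neq/gt/lt not handled)
    src, i = addr(5)
    sport, i = ports(i)
    dst, i = addr(i)
    dport, _ = ports(i)
    return {"proto": tok[4], "src": src, "sport": sport, "dst": dst, "dport": dport}

def check_port_forward(config, real_host, port, proto="tcp", real_if="inside", mapped_if="outside"):
    """Problems with publishing proto/port on mapped_if for real_host; [] means it should work."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    groups, findings = service_groups(lines), []
    statics = [parse_static(l) for l in lines if l.startswith("static ")]
    for s in statics:   # the real (inside) interface must be named first
        if real_host in (s["real"], s["mapped"]) and s["real_if"] != real_if:
            findings.append(f"static interfaces reversed: write static ({real_if},{mapped_if}) ...")
    ours = [s for s in statics if s["real"] == real_host and s["real_if"] == real_if and s["real_port"] in (None, port)]
    expected_dst, mapped_port = None, port
    if not ours:
        findings.append(f"no static translation for {real_host} on {real_if}")
    else:
        s = ours[0]
        if s["proto"] not in (None, proto):
            findings.append(f"static uses {s['proto']} but the service is {proto}")
        mapped_if, mapped_port = s["mapped_if"], s["mapped_port"] or port
        expected_dst = f"interface {mapped_if}" if s["mapped"] == "interface" else f"host {s['mapped']}"
    acls = [t[1] for t in map(str.split, lines)   # the ACL must be applied inbound on the mapped side
            if t[0] == "access-group" and t[2:5] == ["in", "interface", mapped_if]]
    if not acls:
        return findings + [f"no access-group applied in on interface {mapped_if}"]
    matched = False   # an ACE must permit proto, any source port, to the mapped (pre-de-NAT) address
    for l in lines:
        tok = l.split()
        if tok[:3] != ["access-list", acls[0], "extended"] or tok[3] != "permit":
            continue
        ace = parse_ace(l, groups)
        if ace["dst"] == f"host {real_host}":
            findings.append("ACE destination is the inside (post-NAT) address; use the mapped address")
        if ace["proto"] != proto:
            findings.append(f"ACE permits {ace['proto']} but the service is {proto}")
        elif ace["sport"] is not None and proto == "tcp":
            findings.append("ACE restricts the source port; TCP clients use ephemeral source ports")
        elif ace["dst"] == expected_dst and (ace["dport"] is None or mapped_port in ace["dport"]):
            matched = True
    if expected_dst and not matched:
        findings.append(f"no ACE in {acls[0]} permits {proto} any {expected_dst} eq {mapped_port}")
    return findings

INSIDE_HOST, OUTSIDE_IP = "192.168.1.10", "203.0.113.2"   # constructed addresses
# Modelled on the original post: udp, source port locked, inside address as the ACE
# destination, and the static written with the interfaces reversed.
BROKEN = f"""object-group service nurem_services_udp udp
 port-object range 3389 3389
access-list outside_access_in extended permit udp any object-group nurem_services_udp host {INSIDE_HOST} object-group nurem_services_udp
static (outside,inside) {OUTSIDE_IP} {INSIDE_HOST} netmask 255.255.255.255
access-group outside_access_in in interface outside"""
# The shape of the fix given in the reply above.
FIXED = f"""static (inside,outside) tcp interface 3389 {INSIDE_HOST} 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside"""
if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_port_forward(cfg, INSIDE_HOST, 3389) or ["ok"])
```

    Run stand-alone it reports four findings for BROKEN (reversed static, no usable static, inside address in the ACE, udp where the service is tcp) and ok for FIXED. The ACE parser resolves an object-group after the source address as a port spec only when that name is a known service group, which is exactly the ambiguity in the original `permit udp any object-group ... host ... object-group ...` line.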
  6. tman

    tman Guest


    Thanks for the help. I had messed up my config, so I reset the ASA to
    factory default, did a basic configuration using the setup wizard,
    then used your commands to configure NAT and the ACL and it worked
    just fine.

    Do I need to make a service group to allow other services such as
    smtp, pop3 etc or just add lines to my ACL and NAT entries?

    Thanks again.
    tman, Apr 11, 2008
  7. Either way works fine.

    The time we started creating object groups was when we started
    doing mass blocking of problematic IP source addresses. Updating them
    one by one in the config was a pain, but updating the object group
    was fairly easy.

    Eventually we started using object groups extensively, which was
    in the context of a PIX configuration generator that I wrote
    that allowed me to create configuration templates and a couple
    of small host-specific files, and use the templates to generate
    *consistent* configurations for all of our PIX. When you start working
    with meshes of PIXes, you really want to stop dealing in
    individual IP addresses and instead deal in named groups.
    Walter Roberson, Apr 11, 2008
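    As an added example in the spirit of the generator described above (it is not Walter's tool and not code from the thread), a small Python generator that emits the pre-8.3 syntax used in this thread: a blocklist becomes one network object-group with duplicates merged and adjacent hosts collapsed, each published inside host becomes a service object-group plus one static per port (the answer to the service-group question two posts up: either form works, the group keeps the ACL to one line per host), and the ACL refers only to group names, so updating the blocklist means editing the group rather than individual ACEs. The group names blocked_sources and nurem_services_tcp, the inside host 192.168.1.10 and the blocklist entries are constructed.

```python
"""Generate ASA object groups and the ACL that refers to them.
Added example, not the generator described above nor code from the thread: a blocklist
becomes one network group, each published inside host a service group plus one static
per port, and the ACL names only groups. Names and addresses are constructed."""
import ipaddress

def network_group(name, entries):
    """object-group network NAME from IPv4 hosts/CIDRs; duplicates merged, adjacent ranges collapsed."""
    nets = ipaddress.collapse_addresses(ipaddress.IPv4Network(e, strict=False) for e in entries)
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines

def service_group(name, proto, ports):
    """object-group service NAME PROTO with one port-object per distinct port."""
    return [f"object-group service {name} {proto}"] + [f" port-object eq {p}" for p in sorted(set(ports))]

def render(blocked, published, acl="outside_access_in", outside="outside"):
    """blocked: hosts/CIDRs to drop on the outside interface.
    published: {service_group_name: (inside_host, [tcp ports])}, forwarded from the
    outside interface address with pre-8.3 static PAT, as in the thread.
    Returns config lines in apply order: groups, statics, then the ACL with the
    deny first so a blocked source never reaches a permit entry."""
    out = network_group("blocked_sources", blocked)
    aces = [f"access-list {acl} extended deny ip object-group blocked_sources any"]
    for group, (host, ports) in published.items():
        out += service_group(group, "tcp", ports)
        for p in sorted(set(ports)):
            out.append(f"static (inside,{outside}) tcp interface {p} {host} {p} netmask 255.255.255.255")
        aces.append(f"access-list {acl} extended permit tcp any interface {outside} object-group {group}")
    return out + aces + [f"access-group {acl} in interface {outside}"]

# Constructed input: a blocklist with a duplicate and three adjacent hosts, and the
# services asked about above (RDP, SMTP, POP3) on one inside host.
BLOCKED = ["203.0.113.5", "203.0.113.5", "203.0.113.6", "203.0.113.7", "198.51.100.0/24"]
PUBLISHED = {"nurem_services_tcp": ("192.168.1.10", [3389, 25, 110, 25])}

if __name__ == "__main__":
    print("\n".join(render(BLOCKED, PUBLISHED)))
```

    Groups are emitted before the ACEs that reference them because the firewall rejects an ACE naming a group that does not exist yet, and the three adjacent blocklist hosts come out as one host entry plus a /31, which is the kind of tidying that is painful by hand across a mesh of boxes but free in a generator.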
