ASA 5505 Configuration Problems

I am trying to configure an ASA 5505 to allow Remote Desktop Protocol
from outside to a host on the inside network. I created a Security
Policy and a Static NAT Rule. But it does not work. Here is my
configuration. Any suggestions would be appreciated. This is my
first experience with a Cisco security device. I used the ASDM to
configure the ASA 5505.

Thanks

sh run

: Saved

:

ASA Version 7.2(3)

!

hostname nurm

domain-name mydomain.com

enable password X7L14fUbqxvIsSKn encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.1.1.20 255.0.0.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name orthodyne.de

object-group service nurem_services_udp udp

description port_forwarding_nurem_udp

port-object range 3389 3389

access-list outside_access_in extended permit udp any object-group
nurem_services_udp host 192.168.1.2 object-group nurem_services_udp

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) 192.168.1.2 10.1.1.20 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd enable inside

!


!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:ff8b7826af792853aa7af84742245a7f

: end


nurm#

 

I don't know if it matters, but you did not 'switchport' vlan 1 against
any ports, the way you did vlan 2. And do you really want the
outside interface to be a tagged vlan?

That would only work if both the source and destination port as 3389.
Possible for udp -- but on the other hand the last time I checked,
RDP was TCP, not UDP, and for the TCP case, you would *not* want
to restrict the source port to 3389.

Also, in an ACL being applied to the outside interface, the destination
IP needs to be the IP *before de-nat*, the public IP. Like the other
poster indicated, you probably want 'interface' there instead
of 'host 192.168.1.2' . You might need to use 'interface outside' --
at least that's what you would need for PIX 6.2/6.3

 

Still doesn't work. I must be missing something.

 

sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max
4096)
alert-interval 300
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 extended permit tcp any host
10.1.1.20 eq 3
389 (hitcnt=0) 0x2b9d88ad


sh nat

NAT policies on Interface inside:
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
dynamic translation to pool 1 (10.1.1.20 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0

NAT policies on Interface outside:
match ip outside host 10.1.1.20 inside any
static translation to 192.168.1.2
translate_hits = 0, untranslate_hits = 0

 

You cannot static your entire outside interface to the inside. When
you are dealing with your outside interface, static only the ports
you need.

You have likely also reversed the order of the interfaces for the static.

Thirdly, you need to use the keyword 'interface' instead of the
outside IP address.

Fourthly (if I recall correctly) you are attempting to configure RDP
on UDP, but RDP is a TCP protocol. With UDP it might make sense to lock
the source port to 3389 but with TCP it does not.

static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-group outside_access_in in interface outside

 

Walter,

Thanks for the help. I had messed up my config, so I reset the ASA to
factory default, did a basic configuration using the setup wizard,
then used your commands to configure NAT and the ACL and it worked
just fine.

Do I need to make a service group to allow other services such as
smtp, pop3 etc or just add lines to my ACL and NAT entries?

Thanks again.

 

Either way works fine.

The time we started creating object groups was when we started
doing mass blocking of problematic IP source addresses. Updating them
one by one in the config was a pain, but updating the object group
was fairly easy.

Eventually we started using object groups extensively, which was
in the context of an PIX configuration generator that I wrote
that allowed me to create configuration templates and couple
of small host-specific files, and use the templates to generate
*consistant* configurations for all of our PIX. When you start working
with meshes of PIXes, you really want to stop dealing in
individual IP addresses and instead deal in named groups.