Windows Remote Desktop from Outside to Inside Problem

[Eventius]

Hi there,

I am doing some testing in the office for this new ASA 5510. The connection is very simple. I connect e0/0 (outside : 192.168.100.115) to a PC (192.168.100.6) and the e0/1 (inside : 10.1.1.1) to a notebook (10.1.1.2).

I used Windows Remote Desktop for the test. I permit port 3389 on both "inside" and "outside" interface.

Result :-

From "inside" (10.1.1.2), I able to remote access to "outside" PC (192.168.100.6).

But when I tried to remote access from "outside" (192.168.100.6) to "inside" (10.1.1.2), it gave me this error message => [106023eny tcp src outside:192.168.100.6/3541 dst inside:10.1.1.2/3389 by access-group "outside".]

*** It is the same even I permit ICMP. PLS HELP ME....!!!!

Here I attached my configuration for the post mortem :-

sh run
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.100.115 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 0
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq www
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq domain
access-list inside extended permit udp 10.0.0.0 255.0.0.0 any eq domain
access-list inside extended permit icmp any any
access-list inside extended permit tcp 10.0.0.0 255.0.0.0 any eq 3389
access-list outside extended permit icmp any host 192.168.100.6
access-list outside extended permit tcp any host 192.168.100.6 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 192.168.100.116
nat (inside) 100 10.0.0.0 255.0.0.0
static (inside,outside) 192.168.100.6 10.1.1.2 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map class_sip_tcp
match port tcp eq sip
class-map class_http
match port tcp eq 14506
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect http
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect h323 h225
inspect icmp
inspect dns
inspect h323 ras
inspect xdmcp
inspect tftp
inspect icmp error
inspect rtsp
inspect sunrpc
inspect mgcp
inspect sip
inspect netbios
inspect pptp
inspect ctiqbe
inspect snmp
inspect ils
class class_sip_tcp
inspect sip
class class_http
inspect http
!
service-policy global_policy global
Cryptochecksum:8b52e2a1c52479b4f3c45c3ff7d76969
: end
ciscoasa#


Its the configuration OK..??? PLS help me...!! Your reply is very much appreciated. Thanks..!!!

 

[Supergrrover]

You have to send the request to address that the ASA controls and not the "real" inside address.

Use this static
static (inside,outside) 192.168.100.115 10.1.1.2 netmask 255.255.255.255 *** you could also use this instead
static (inside,outside) interface 10.1.1.2 netmask 255.255.255.255

Remove the inside ACL - all traffic is allowed by default and it will just screw things up unless you really know what you are doing. Now change the outside ACL to this
access-list outside extended permit icmp any host 192.168.100.115
access-list outside extended permit tcp any host 192.168.100.115 eq 3389

Here is the basic setup link

http://www.cisco.com/en/US/products...s_configuration_example09186a00807d287e.shtml

Give that a try




Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Eventius]

Hi Brent,
Thanks for the explanation and info. I have tested accordingly but still the same result => OUTSIDE CANNOT ACCESS INSIDE. I also have already refer to the link you provided but same result. Below is the error message :-

Ping Test Error Message
=======================
106023eny icmp src outside:192.168.100.6 dst inside:10.1.1.2 (type 8, code 0) by access-group "outside"

Windows Remote Desktop Test Error Message
=========================================
106023eny icmp src outside:192.168.100.6/3557 dst inside:10.1.1.2/3389 by access-group "outside"

Here, I don't quite understand since I have already permitted the access, why it still block..? Pls help......!

Below is the configuration.
(Connectivity : Laptop to "inside interface" and PC to "outside interface")


sh run

: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.100.115 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list outside extended permit icmp any host 192.168.100.115
access-list outside extended permit tcp any host 192.168.100.115 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 100 192.168.100.116
nat (inside) 100 10.0.0.0 255.0.0.0
static (inside,outside) 192.168.100.115 10.1.1.2 netmask 255.255.255.255
access-group outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
Cryptochecksum:0b2a8bf43ce9f5be3d02bbf74054e85c
: end
ciscoasa(config)#

Your help greatly appreciated...!!!! Thanks.

 

[Supergrrover]

What are you trying to connect to?
From the outside PC you want to connect to 192.168.100.115 not 10.1.1.2.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Eventius]

Hi Brent,
I pasted the wrong message for the Remote Desktop test previously. Pls refer below for the connectivity and test I did.

Connectivity
=============

PC ------> Outside (e0/0) | Inside (e0/1) <-- Laptop
(100.6) (192.168.100.115) (10.1.1.1) (10.1.1.2)

Ping Test
=========
From PC (100.6) to Laptop (10.1.1.2)
------------------------------------
106023eny icmp src outside:192.168.100.6 dst inside:10.1.1.2 (type 8, code 0) by access-group "outside"

Windows Remote Desktop Test
===========================
From PC (100.6) to Laptop (10.1.1.2)
------------------------------------

106023eny tcp src outside:192.168.100.6/128 dst inside:10.1.1.2/3389 by access-group "outside"

Pls advise. Thanks..!!!

 

[Supergrrover]

Yes, do not try to ping the laptops assigned IP, rather the IP on the PIX interface that will pass that traffic on to the laptop.
You will ping
192.168.100.115 from the PC.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Eventius]

Hi Brent,
Thanks for the reply. I understood why you ask me to ping 192.168.100.115 but I will definitely get the reply coz that ip is the gateway to the PC connected to it.

Instead of PING..! I've tried using the Remote Desktop to point to 192.168.100.115 but there is "NO LOG MESSAGE AT ALL". (That means, there is nothing going to 192.168.100.115).

If I point it to 10.1.1.2, here the error message...


==>> Deny tcp src outside:192.168.100.6/4150 dst inside: 10.1.1.2/3389 by access-group "outside_access_in"

I still CANNOT access to 10.1.1.2 (INSIDE) from "OUTSIDE".

PLS ADVISE.......THANKS..!!


Here the configuration again :-

sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.100.115 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host 192.168.100.115 eq 3389
access-list outside_access_in extended permit icmp any host 192.168.100.115
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 100 192.168.100.222
nat (inside) 100 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.100.115 10.1.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:52be6a27fe9299a34578cf44403275bc
: end

ciscoasa(config)#

 

[Supergrrover]

You cannot try to connect to 10.1.1.2 directly. You will always get that message.

Change the ACL to add the log keyword
access-list outside_access_in extended permit tcp any host 192.168.100.115 eq 3389 log 3
access-list outside_access_in extended permit icmp any host 192.168.100.115 log 3

The config looks good. If you have a PC setup on the other side try reply to the RDP request? Is it's firewall turned on? Can you RDP to it from an inside PC? Is the firewall restricted to only reply to requests from the local LAN?


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[Eventius]

Hi Brent,
I have changed the ACL accordingly....!

Both PC and Laptop already turn off Firewall but still cannot access from "outside" to "inside". ***** Access from "inside" to "outside" no problem at all.


Pls Advise...Thanks.

 

[Supergrrover]

Post the log from the pix when you try to RDP through.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[finfrockg]

You have to NAT the private inside address to an external public address on the outside interface in order for the external remote desktop to work.

 

[Eventius]

Hi Brent,
I apologize for the late reply. FYI, the problem has been solved. Instead of pointing to the outside interface ip address (192.168.100.115), I point it to another outside address instead (192.168.100.100).

Thank very much for your great advise and help.

Best Regards,
Eventius Lew