Cisco ASA – Allowing external access to a secure server via RDP

ciscocisco-asanat;rdp

I am new to the forums and really hope someone can help me. I am pulling my hair out!
I have posted on both the Cisco forums and Windows forums in hopes anyone can suggest something but no one has even viewed my questions. I really hope this forum is a lot more active!

I am trying to allow a 3rd party to RDP to two of our servers using custom ports (3390 & 3391).
I have set up two access rules on our ASA 5515-X using the ASDM (I cannot do CLI).

Rules are as follows:

Source Criteria – Permit – Any Destination Criteria –
internal.server.local – (Service) RDP

Then I have applied a NAT rule as follows:

Match Source Interface – Internet – Source Address – Any Destination
Interface – LAN – Destination Address – 1.2.3.4 (Our public IP) –
Service – 3390 (Custom RDP)

Action Source NAT Type – Static – Source Address – Original –
Destination Address – internal.server.local – Service – RDP

And again for the other server using a NAT rule using 3391 for the custom port.

This rule seems to be working and the logs show that the connection attempt is made but then it looks like the Windows server on the other end is refusing the connection.

6   Dec 22 2015 08:18:43    302014  213.205.x.x 49639   10.11.200.55    3389    Teardown TCP connection 20423786 for BTnet:213.205.x.x/49639 to LAN:10.11.200.55/3389 duration 0:00:30 bytes 0 SYN Timeout

I have double checked the server, firewall is off and there is also an exception rule in place to allow RDP connections anyway, plus RDP is enabled.

This morning I have also noticed the following error after performing a trace:

5   Dec 22 2015 07:34:08    305013  213.205.x.x 49345   10.11.200.55    3389    Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src BTnet:213.205.x.x/49345 dst LAN:10.11.200.55/3389 denied due to NAT reverse path failure

Could this be the actual reason its failing? I would be eternally grateful for any suggestions.

Best Answer

Well, the NAT rules don't seem to be correctly set up. The port forwarding concept for Cisco ASA is a bit tricky:

Port Redirection (Forwarding) with Static

Port forwarding or port redirection is a useful feature where the outside users try to access an internal server on a specific port. In order to achieve this, the internal server, which has a private IP address, will be translated to a public IP address which in turn is allowed access for the specific port.

So, for port forwarding to an internal server threre are two steps you will need to take:

Translate the internal server IP, 10.11.200.55 on port 3389, to the public IP address, x.x.x.x of your ASA at port 3390.
Allow access to the public IP, x.x.x.x on port 3390.

Detailed step-by-step instructions are available on Cisco site: Port Redirection (Forwarding) with Static

Related Solutions

Cisco ASA 5510 Configuration using ASDM to block outgoing SMTP

You've got it right; the destination on SMTP traffic is going to be the server that it's attempting to send to, which could be anywhere.

Building the rule on the inside interface was the correct thing to do, as it's controlling traffic that's coming into the inside interface from your internal network.

Should be good to go!

Cisco – Setting up a simple QoS priority flag for VoIP traffic on a Cisco ASA 5505 device through ASDM

To begin -- simple is not a word that should be used to describe Quality of Service. The entire word itself is a loaded term.

Instead of rehashing a lot of details about ASA QoS here, reference this answer.

Below is the ASA 8.4 CLI necessary to create a priority queue and handle a specific volume of calls based on a certain bitrate.

Understand that policing only happens in the out direction on the ASA interface on which it is configured.
Based on G.711 voice codec @ 87.5 kilobits per second Ethernet layer 2 data rate (includes all overheads)
Based on a 218 byte average complete Ethernet frame size per voice payload interval. For more see this.
Based on a need to handle 10 calls at a time (87.5 Kilobits per second * 10 = 875 Kilobits per second). Note that this is only in the out direction. We can't "prioritize" incoming traffic unless you control that path as well.
Based on a maximum delay of 200 milliseconds between the VoIP endpoints.
Using an extended access-list with source and destination IP for matching VoIP traffic. Another option is to use IP DSCP if the phones are marking. By using a simple ACL we can verify the service-policy later on with show service-policy flow.

Numbers used for queue-limit and tx-ring-limit determined using the worksheet in the configuration guide and then massaged. The numbers used here could be drastically different depending on your requirements.

access-list voip-traffic remark [[ match inside to Call Manager ]]
access-list voip-traffic extended permit ip 10.0.0.0 255.255.255.0 host 1.2.3.4

priority-queue outside
queue-limit 100  ! based on factors listed earlier, very important number
tx-ring-limit 5  ! based on factors listed earlier

! create class-map

class-map voip-class
 match access-list voip-traffic

! create policy-map, advise not using a global policy

policy-map outside-policy
 class voip-class
  priority

! assign policy to interface, in this case outside

service-policy outside-policy interface outside

In this case the outside-policy can be assigned to the outside interface and you can still implement a global-policy that is by its nature assigned to the outside interface as well -- as long as there are not QoS actions on any of the class's listed in the global-policy. The QoS actions of the outside-policy will be in effect and the non-QoS actions (inspects, etc.) of the global-policy will stay effect.

You can view priority-queue statistics with show priority-queue statistics outside.

You can verify that the traffic itself will hit the priority queue with a command like show service-policy flow host 10.0.0.100 host 1.2.3.4 which will show you how the existing service policies on all interfaces would react to the traffic specified.

Best Answer

Related Solutions

Cisco ASA 5510 Configuration using ASDM to block outgoing SMTP

Cisco – Setting up a simple QoS priority flag for VoIP traffic on a Cisco ASA 5505 device through ASDM

Related Topic