Access-list for ASA 5505

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Access-list for ASA 5505

    Hello, all

    In order to allow remote access to my computer via RDP, I'm trying to configure the access-list on the ASA to permit an RDP session from WAN to LAN through my Cisco ASA 5505.

    Internet - (212.143.a.b) ASA (192.168.1.1) - (192.168.1.200) LAN

    Here is the sh run:

    ASA Version 7.2(2)
    !
    hostname ciscoasa
    enable password HJlhKJHJHJhj encrypted
    names
    !
    interface Vlan1
    description LAN
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    description WAN
    nameif outside
    security-level 0
    ip address 212.143.a.b 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    shutdown
    !
    passwd 0JHBKKJHGJHghgh encrypted
    ftp mode passive
    clock timezone UTC 3
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list RDP extended permit tcp any interface outside eq 3389 log
    access-list RDP extended permit tcp interface outside interface inside eq 3389 log
    pager lines 22
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo inside
    icmp permit any echo-reply inside
    icmp permit any unreachable inside
    icmp permit any echo outside
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255
    access-group RDP out interface inside
    access-group RDP in interface outside
    route outside 0.0.0.0 0.0.0.0 212.143.a.b 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 212.143.a.b 255.255.255.248 outside
    ssh timeout 5
    console timeout 0
    dhcpd dns 194.90.1.5 212.143.212.143
    dhcpd lease 86400
    !
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    ntp server 194.90.1.3
    prompt hostname context
    Cryptochecksum:24cae1091c2e70d2c53ba1414b002a80
    : end


    NAPT is configured correctly, 100%, because when I remove both access-group lines and change the security-level of vlan2 (outside) to 100, the same as inside, I'm able to create an RDP session.
    There is some problem with the access-list that I couldn't find or recognize.
    Maybe someone can help me discover the problem.

    10x

  • #2
    Re: Access-list for ASA 5505

    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 192.168.1.200 3389 netmask 255.255.255.255
    access-group RDP out interface inside
    access-group RDP in interface outside
    route outside 0.0.0.0 0.0.0.0 212.143.a.b 1

    What subnet mask have you given for the last entry?

    One more question: are you connecting via Cisco VPN client software? [Connection from a kiosk to your PC inside your company LAN via RDP]
    Last edited by sco1984; 22nd May 2007, 08:37.
    All in 1
    Solaris,Linux & Windows admin + networking.



    • #3
      Re: Access-list for ASA 5505

      You don't need this line, first off:

      access-group RDP out interface inside

      The "in" ACL controls traffic going IN to the PIX interface, and the "out" ACL controls traffic going OUT of the PIX interface. Just visualize this traffic flow whenever you're confused about the ACL direction.

      You don't need this either:
      access-list RDP extended permit tcp interface outside interface inside eq 3389 log

      You likely need to put a permit any any rule on the INSIDE interface in the OUT direction, e.g.:

      access-list INSIDE_ACL_OUT line 1 permit ip any any
      Thanks,
      Brian Desmond
      Microsoft MVP - Directory Services
      www.briandesmond.com
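      The in/out direction semantics described in this reply, together with the symptom in the first post (the session only works once both access-groups are removed and the outside security level is raised to 100), can be walked through with a small model. The following Python is an added example for this thread, not code from any poster or from Cisco. It assumes pre-8.3 ASA behaviour: the inbound ACL on outside is matched against the mapped (translated) address, the outbound ACL on inside against the real address, every bound ACL ends in an implicit deny, an interface with nothing bound outbound performs no egress check, and an interface with nothing bound inbound permits only toward an equal or lower security level (the posted config has same-security-traffic permit inter-interface). 203.0.113.2 stands in for the obfuscated WAN address 212.143.a.b, and the client address is constructed.

```python
"""Simplified model of ASA 7.x (pre-8.3) interface ACL evaluation for the
RDP-from-WAN flow discussed in this thread. Constructed example, not ASA code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The WAN address 212.143.a.b is obfuscated on the page; 203.0.113.2
# (RFC 5737 documentation space) stands in for it in this model.
OUTSIDE_IP = "203.0.113.2"
INSIDE_IF_IP = "192.168.1.1"
INSIDE_HOST = "192.168.1.200"   # static PAT target from the posted config
RDP_PORT = 3389


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # "any" or an address / prefix
    dst: str
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (_addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)):
            return False
        return self.dport is None or self.dport == pkt.dport


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate_acl(acl: Optional[List[Ace]], pkt: Packet, default: bool) -> bool:
    """First matching ACE wins; a bound ACL ends in an implicit deny.
    'default' is the verdict used when no ACL is bound in this direction."""
    if acl is None:
        return default
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


# The posted access-list RDP, with 'interface outside' / 'interface inside'
# resolved to those interfaces' own addresses.
RDP_ACL = [
    Ace("permit", "tcp", "any", OUTSIDE_IP, RDP_PORT),         # posted line 1
    Ace("permit", "tcp", OUTSIDE_IP, INSIDE_IF_IP, RDP_PORT),  # posted line 2
]


def rdp_from_wan(outside_in: Optional[List[Ace]], inside_out: Optional[List[Ace]],
                 outside_sec: int = 0, inside_sec: int = 100) -> Tuple[bool, bool]:
    """Walk one inbound RDP SYN (Internet -> outside interface IP:3389) through
    both checkpoints. Returns (passed outside 'in' check, passed inside 'out' check)."""
    # 1. The SYN arrives on 'outside' addressed to the mapped address (the interface IP).
    arriving = Packet("tcp", "198.51.100.7", OUTSIDE_IP, RDP_PORT)   # constructed client
    ingress_default = outside_sec >= inside_sec   # same-security-traffic permit inter-interface
    in_ok = evaluate_acl(outside_in, arriving, ingress_default)
    if not in_ok:
        return (False, False)
    # 2. static (inside,outside) tcp interface 3389 192.168.1.200 3389 un-translates it.
    translated = Packet("tcp", arriving.src, INSIDE_HOST, RDP_PORT)
    # 3. The outbound ACL on 'inside', if one is bound, sees the real address.
    out_ok = evaluate_acl(inside_out, translated, default=True)
    return (in_ok, out_ok)


if __name__ == "__main__":
    print("as posted (RDP bound in on outside and out on inside):", rdp_from_wan(RDP_ACL, RDP_ACL))
    print("inside 'out' access-group removed:", rdp_from_wan(RDP_ACL, None))
    print("no ACLs, default security levels:", rdp_from_wan(None, None))
    print("no ACLs, outside raised to 100:", rdp_from_wan(None, None, outside_sec=100))
```

      In the model, the first ACE admits the SYN on outside, but after the static PAT un-translation the destination is 192.168.1.200, which neither line of the RDP list matches, so the outbound check on inside falls through to the implicit deny; unbinding the inside 'out' access-group (or binding a list that permits the real address, as the reply suggests) clears the flow, and the second ACE never matches this flow in either direction. The last case reproduces the first post's observation that the session works with no access-groups once outside is at security level 100.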
