Cisco Firewall :: Unable To Access Port 3389 Over Vpn?
May 15, 2011
we are not able to access port 3389 on host 10.45.4.2 over our vpn connection. vpn is up and running and we can access othet tcp ports on the host but not 3389. hereunder part of the config:
It's been a while since I've done a lot with a PIX config so what is the best way to allow access for 2 IP addresses that need to RDP into a server here inside our network. They also wanted to have ports redirected, 3391 to 3389 and 3397 to 3389.
I have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels. Tunnels appear to work. I am lab'ing some additional controls that I would like to implement. On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass). I was hoping to lock things down a little without having to reconfigure all of the Tunnels. My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN. One port that I was attempting to block is RDP 3389. When this ACL is applied to the inside interface it does not block Port 3389 at all. What am I missing? Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels?
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
At one of our client premises they have an Cisco 1841 router. We need to connect from outside (other location in another country) with Remote Desktop connection port 3389 to an internal IP address ( a server).From any IP address it have to permit a connection on port 3389 to be forwarded to the server.
Below is my show run of a Cisco 800 router (Two VLAN's, single WAN) that works fine. Problem is that in this senario port 3389 is open for everyone. Only two remote users are allowed to connect trough port 3389. Let's say WAN IP's : 22.33.44.55 and 66.77.88.99. How would a good access-rule look like to fix it?
no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryptionservice sequence-numbers!hostname cisco-867!boot-start-markerboot-end-marker!logging buffered 51200logging console criticalenable secret 5 ***!no aaa new-modelmemory-size iomem 10clock timezone GMT 1clock summer-time GMT date Mar 30 2002 1:00 Oct 26 2035 1:59!!no ip source-route!!ip dhcp excluded-address 192.168.10.200 192.168.10.254!ip dhcp pool Vlan2 network 192.168.10.0 255.255.255.0 domain-name dsl.local default-router 192.168.10.254 dns-server 213.144.235.1 213.144.235.2 lease 0 8!!ip cefno ip bootp serverno ip domain lookup!!!archive log config
There is a PIX firewall and it has this configured on it.static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0.This line of code works ok for port 3389 but I want all tcp ports to be translated. Not just 3389.
192.168.1.10 --> ASA 1-----> ASA 2-------> ASA 3----> server (172.21.16.15)
We have opened 3389 , 80 & 445 ports on all firewalls ( ASA 1, ASA 2, ASA ) for server (172.21.16.15) from (192.168.1.10).We are able to see connection in ASA 1 under show connection for 3389, 445 ,80.
We are not able to see connections in ASA 2 & ASA 3 under show connection for 3389. But we are able to see hits in ACl.
I'm trying to get my ASA 5505 (IOS 8.4) to work, but got stuck on NAT because I would like to allow 3389 access for just a couple of WAN IP's. This is what I found so far:
I would like to know how can we allow traffic on ports 3389 (rdp) and 8007 which comes from any to 192.168.2.10 but pretend to be a Phones interface 192.168.2.1? [code]
I'm trying to determine whether Cisco has any equivalent (in any platform) to some of the existing firewall rules within our iptables infrastructure. [code] What this does, is allow port forwards on port 3389/rdp. However, if a single IP opens too many connections within a timeframe, it starts dropping new ones.This is a critical requirements for certain security scenarios, such as preventing RDP brute forcing. A similar principle can be applied to 22/ssh.I've had a look around, rate limiting searches generally land me on QoS based discussions. I've seen people ask similar questions and get referred to CBAC. Whilst I can see similarly worded functions there such as limiting "half open" connections, I don't see anything there that limits the actual number of connection attempts you can make.
1. I could not make an inbound access rule work for RDP. It is configured as follows WAN -> LAN for RDP (TCP 3389) , it didn't work even when I chose "All Traffic".
2. Single Port Forwarding seems to be working though.
3. Destination IP and QoS settings seem to be grayed out, I would like to know why.
I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
I have a 4402 and recently I have not been able to access the device via the service-port interface. The service-port has an IP Address and it is connected to an access port in the Vlan which I am coming from, however it cannot even ping it's gateway, which as mentioned is within the same network. When I am at the console of the controller I can ping the service-port interface IP that I have assigned, just nothing else.
This problem applies (in my case) to our ASA5510. The issue here is that the http service on the ASA is runnnig off of the standard port 80. Login to the firewall and run the following.no http server enable http server enable 8080,Now you should be able to add a NAT/PAT on port 443 to another server of your liking. Just remember when you attempt to use ASDM to manage the ASA in the future to specify the new port 8080.
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0 description Connected To Internet Router switchport access vlan 10
I'm having a problem forwarding port 1723. What i'm trying to do is to use VPN to access my server pc and I don't want to use the VPN software that is in the router. When I telnet the port it goes through but when i try to access it outside of the office I can't get through. I've been using [URL] to check port 1723 and I get this:
Error: I could not see your service on XX.XX.XX.XX on port (1723) Reason: Connection refused
I not able to access cisco 2811 router (AC operated) through console port when I try to access it by selecting COM Port, but I able to access by selecting the TCP/IP option.
I have config ASA 5505 and it is conencted to layer 3 switch that connects to cable Modem.
ASA is config with DHCP option and PC is able to get the IP from ASA. But from PC i am unable to access the internet. From ASA itself i am able to ping the Websites fine.
ASA has config with DHCP for inside and also it is doing NAT.
When i connect the ASA directly to Cable modem then pc is able to access the internet.
I've been struggling with gaining access to the inter through our Comcast business gateway. We have had Comcast configure the device fro true static IP subnetting. Turned of local DHCP on the device etc. Here is my config.
I am having trouble with routing in PIX501.I have one Pix 501 and one Cisco router.Cisco Router is configured for IPSEC VPN ( LAN interface 172.19.194.1) and PIX is configured for access the internet.Default gateway of Pcs in LAN are PIX inside interface ( 172.19.194.2) but people are unable to access to corporate network but can access the internet.If i set default gateway to Cisco router LAN interface ( 172.19.194.1)then i can access to corporate network.Purpose is to pass the internet traffic using PIX 501 and corporate network traffic using Cisco router.
I recently had a vendor configure our 2 firewalls (ASA5520). We are replacing a active-failover PIX525 firewall in 2 locations. After the vendor configured the new ASA5520's, I was unable to access the ASDM. The configurations are a basically modified versions of the config on the PIX525. I did find that they did not set the ASDM image path. [code]
I have tried from my browser as well as downloading and installing th ASDM on my computer.
I have recently deployed a Cisco ASA 5510 Security plus firewall on my companies network, but there is a problem that I am finding hard to get by and I think it is ASA related.
From (inside we are not able to hit any of our sites that are on the (outside). I have nat policies in place to translate the public to private, but I think I that I need some thing more. This seems to be occuring mainly with our external web sites as well as another animoly with regards to FTP (but it may be fixed if the http issue is resolved.)
I was hoping some with a lot more knowledge on ASA firewalls than my self can spot the error in my run-cfgs.
I am having FWSM in active /standby mode deployed on two different cat 6k chassis. Unable to access the fwsm module from switch using ' session module mod_no processor 1 ", it throws error " % telnet connections not permitted from this terminal" Running Version 3.2.6 on fwsm, Cat 6k is running 12.2.33.SXH1,
switch#session slot 3 processor 1 The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session % telnet connections not permitted from this terminal ---------------------------------------------------------------------------
have allowed telnet on line vty, configuration on Line vty is simple allowing all transport protocols
line vty 0 4 exec-timeout 5 0 transport input all transport output all line vty 5 15 exec-timeout 5 0 transport input all transport output all
I am unable to remove an access list. Currently this this access list contains 4 lines of remarks. I was unsure if I was entering the command correctly and now I have 4 lines of "trash" that needs to be removed.
Symptoms: The "sh run" command shows that I have access-list 100 defined. The "sh access-list" returns nothing.
Process I have tried: config t no access-list 100 no access-list remark Test (just trying anything at this point) clear configure access-list 100 (This returns "Invalid input detected at '^' marker" and the '^' is under the 'e' in clear.)
So the "clear configure" command is not working. The "no access-list" commands does not return an error but does not remove anything. What step am I missing? Let me know if I can provide any more information.
It's a problem about access ASA5500 Firewall mangement port. The customer request access ASA5500 by entering the default IP address https://192.168.1.1 to monitor data tracffic in Windows 7. But after entering the default IP in IE, no any page appear.
But that way can access ASA5500 magement port successfully in Windows XP. What the different between Windows 7 and Windows XP? Is there any way or any patch can access ASA5500 manemeng port in Windows 7?
We are running a FWSM and have created ACL's for a new Lync install. One of the rules needs to have port 5061 access from any source to our front edge server for communication. When looking at the logs I see a hit on the ACL but nothing ever actually connects.
One possible issue I see is possibly in the inspect: policy-map global_policy class inspection_default inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect sqlnet inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect pptp class class_sip_tcp inspect sip
In the inspect sip this is only for port 5060. How do I set this up to allow port 5061?
i am unable to launch ASDM, and access https:// to run Asdm..everything worked find yesterday but now for some reason it wont work?When i am trying to log in with the asdm it just hangs on the connecting to device... please wait...When i am tryng access the https://... i get the ssl do you want to trust.. and i press proceed anyway and i get an error
Asa 5510 Device manager version 6.1 System image file is "disk0:/asa804-k8.bin
Also i am accessing the asa with ssh without any issues
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypt o key gen. I am unable to access the device from the host I am allowing. Is there like ca save all command required? I am trying to use the default pix and telnet password. Do those still work?
I need to forward port 55443 to an internal address ( lets call it 15.15.15.15) from two outside ip's ( 5.5.5.5 and 6.6.6.6)These addresses need to see the server IP address (15.15.15.15) only and nothing else. It is an ASA 5510?
Basically after upgrade from ASA 8.4 to 9.0 (2) I have problems when certain types of NAT.Example:SA 8.4: nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http while other ports can be accessed using the original IP (10.252.253.123).
ASA 9.0: nat (LAN, outside) 85 10.252.253.123 source static 192.168.3.2 192.168.3.2 192.168.3.104 static destination service http http In this form the host 192.168.3.2 uses the mapped ip (192.168.3.104) to access by http but unlike before now I cannot access to the original IP (10.252.253.123) using another port or ping from host 192.168.3.2.
