I am new to the forums and really hope someone can help me. I am pulling my hair out! I have posted on both the Cisco forums and Windows forums in hopes anyone can suggest something but no one has even viewed my questions. I really hope this forum is a lot more active!
I am trying to allow a 3rd party to RDP to two of our servers using custom ports (3390 & 3391). I have set up two access rules on our ASA 5515-X using the ASDM (I cannot do CLI).
Rules are as follows:
Source Criteria: Permit - Any; Destination Criteria: internal.server.local - (Service) RDP
Then I have applied a NAT rule as follows:
Match: Source Interface - Internet; Source Address - Any; Destination Interface - LAN; Destination Address - 1.2.3.4 (our public IP); Service - 3390 (Custom RDP)
Action: Source NAT Type - Static; Source Address - Original; Destination Address - internal.server.local; Service - RDP
And again for the other server using a NAT rule using 3391 for the custom port.
This rule seems to be working and the logs show that the connection attempt is made but then it looks like the Windows server on the other end is refusing the connection.
6 Dec 22 2015 08:18:43 302014 213.205.x.x 49639 10.11.200.55 3389 Teardown TCP connection 20423786 for BTnet:213.205.x.x/49639 to LAN:10.11.200.55/3389 duration 0:00:30 bytes 0 SYN Timeout
I have double checked the server, firewall is off and there is also an exception rule in place to allow RDP connections anyway, plus RDP is enabled.
This morning I have also noticed the following error after performing a trace:
5 Dec 22 2015 07:34:08 305013 213.205.x.x 49345 10.11.200.55 3389 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src BTnet:213.205.x.x/49345 dst LAN:10.11.200.55/3389 denied due to NAT reverse path failure
Could this be the actual reason it's failing? I would be eternally grateful for any suggestions.
Well, the NAT rules don't seem to be correctly set up. The port forwarding concept for Cisco ASA is a bit tricky:
So, for port forwarding to an internal server there are two steps you will need to take:
Detailed step-by-step instructions are available on Cisco site: Port Redirection (Forwarding) with Static
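As an added illustration (not part of the answer above, and not copied from the Cisco document it references), here is what the two steps look like in ASA 8.3+ CLI for the setup described in the question. The interface names `Internet` and `LAN`, the object and ACL names, and the second server's address are assumptions; 10.11.200.55, 1.2.3.4 and ports 3390/3391 are taken from the thread. The example assumes 1.2.3.4 is the address of the `Internet` interface itself (hence the `interface` keyword); if it is a separate public address, put that address in place of `interface`.

```cisco
! Added example, not from the original posts.
! Step 1: object NAT with port redirection. A single static object NAT rule is
! bidirectional, so the forward (Internet -> LAN) and reverse (LAN -> Internet)
! flows match the same rule and the "asymmetric NAT" condition does not arise.
object network RDP_SERVER_1
 host 10.11.200.55
 nat (LAN,Internet) static interface service tcp 3389 3390
!
! Second server: 10.11.200.56 is a placeholder, replace with the real host.
object network RDP_SERVER_2
 host 10.11.200.56
 nat (LAN,Internet) static interface service tcp 3389 3391
!
! Step 2: access rule on the outside interface. Since ASA 8.3 the ACL refers to
! the real (untranslated) address and port, i.e. 3389, not the public 3390/3391.
access-list Internet_access_in extended permit tcp any object RDP_SERVER_1 eq 3389
access-list Internet_access_in extended permit tcp any object RDP_SERVER_2 eq 3389
access-group Internet_access_in in interface Internet
!
! Verification (203.0.113.10 is a constructed sample client address):
! packet-tracer input Internet tcp 203.0.113.10 49639 1.2.3.4 3390
! show nat detail
! show xlate
```

The `packet-tracer` run should end with a NAT phase that rewrites 1.2.3.4/3390 to 10.11.200.55/3389 and an ACCESS-LIST phase that permits it; if the trace instead stops at NAT with an "RPF-check" or asymmetric-NAT failure, the forward and reverse flows are still matching different rules, and any leftover manual (twice) NAT rule for the same host should be removed or reconciled with the object NAT above.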