This example is going to go over confirming if a port is accessible across a Cisco ASA firewall for RDP/Remote Desktop which by default utilizes port 3389. In this example, we are going to confirm port 3389′s availability across the firewall itself. First, here’s what the translation should be
external: 219.128.68.18
internal: 10.55.1.20
port: 3389
The ASA will need two things, an ACL for the outside to inside traffic and a translation.
Static Map:
static (inside,outside) 219.128.68.18 10.55.1.20 netmask 255.255.255.255
// static mapping for all ports
ACL:
access-list ASA_outside extended permit tcp any host 219.128.68.18 eq 3389
// punches a hole for port 3389 mapped to the external IP address
If there’s trouble connecting to the RDP server there are a few ways to confirm that the port is open
1. NMAP – This will check for open ports on the specified IP
tbiskner@tbiskner-desktop:~$ nmap -PN 219.128.68.18
Starting Nmap 5.00 ( http://nmap.org ) at 2012-03-17 19:08 EDT
Interesting ports on ras.caclv.org (219.128.68.18):
Not shown: 998 filtered ports
PORT STATE SERVICE
113/tcp closed auth
3389/tcp open ms-term-serv // port 3389 is open
Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
2. Check the ASA’s ACL
Check the ACL to see if there are any hits for the specified port:
ASAt# show access-list | i 3389
…
access-list ASA_outside line 57 extended permit tcp any host 219.128.68.18 eq 3389 (hitcnt=27) 0×4379086
// We see there are 27 hits against that ACL which include port ’3389′. Try to connect using Remote Desktop then check the ACL again to see if it increments.
ASA# show access-list | i 3389
…
access-list ASA_outside line 57 extended permit tcp any host 219.128.68.18 eq 3389 (hitcnt=28) 0×4379086
If the count increments, RDP is going through on that port and it’s probably a client or server issue (username and password/firewall on the server/port mismatch/etc)
4. Finally, you can create an ACL that is similar to the ACL we created above for packet capturing. For example:
access-list CAPIN line extended permit tcp any host 219.128.68.18 eq 3389
// this will create an ACL that we will use to capture any incoming traffic heading for IP 219.128.68.18 on port 3389
Next, start a packet capture session using the new ACL. This will capture that specific traffic mentioned above.
ASA# capture CAPIN interface outside access-list CAPIN
// this command will capture packets from the time you enter it then display the results up until the time you enter the following command:
ASA# show capture CAPIN
4 packets captured
1: 15:14:34.749900 66.89.55.81.23505 > 219.128.68.18.3389: S 1404234842:1404234842(0) win 64512 <mss 1460,nop,nop,sackOK>
2: 15:14:34.779531 56.79.45.71.23505 > 219.128.68.18.3389: . ack 140020261 win 64512 // client 56.79.45.71 tries to connect to 219.128.68.18
3: 15:14:34.780202 56.79.35.71.23505 > 219.117.68.18.3389: P 1404234843:1404234885(42) ack 140020261 win 64512
4: 15:14:37.794026 56.79.45.71.23505 > 219.128.68.18.3389: P 1404234843:1404234885(42) ack 140020261 win 64512
4 packets shown
// the capture shows us that packets we’re getting sent across to the RDP server. At this point, the problem is probably username/password, a firewall on the RDP server or a port mismatch
Remove the capture ACL when you are done using it.
external: 219.128.68.18
internal: 10.55.1.20
port: 3389
The ASA will need two things, an ACL for the outside to inside traffic and a translation.
Static Map:
static (inside,outside) 219.128.68.18 10.55.1.20 netmask 255.255.255.255
// static mapping for all ports
ACL:
access-list ASA_outside extended permit tcp any host 219.128.68.18 eq 3389
// punches a hole for port 3389 mapped to the external IP address
If there’s trouble connecting to the RDP server there are a few ways to confirm that the port is open
1. NMAP – This will check for open ports on the specified IP
tbiskner@tbiskner-desktop:~$ nmap -PN 219.128.68.18
Starting Nmap 5.00 ( http://nmap.org ) at 2012-03-17 19:08 EDT
Interesting ports on ras.caclv.org (219.128.68.18):
Not shown: 998 filtered ports
PORT STATE SERVICE
113/tcp closed auth
3389/tcp open ms-term-serv // port 3389 is open
Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
2. Check the ASA’s ACL
Check the ACL to see if there are any hits for the specified port:
ASAt# show access-list | i 3389
…
access-list ASA_outside line 57 extended permit tcp any host 219.128.68.18 eq 3389 (hitcnt=27) 0×4379086
// We see there are 27 hits against that ACL which include port ’3389′. Try to connect using Remote Desktop then check the ACL again to see if it increments.
ASA# show access-list | i 3389
…
access-list ASA_outside line 57 extended permit tcp any host 219.128.68.18 eq 3389 (hitcnt=28) 0×4379086
If the count increments, RDP is going through on that port and it’s probably a client or server issue (username and password/firewall on the server/port mismatch/etc)
4. Finally, you can create an ACL that is similar to the ACL we created above for packet capturing. For example:
access-list CAPIN line extended permit tcp any host 219.128.68.18 eq 3389
// this will create an ACL that we will use to capture any incoming traffic heading for IP 219.128.68.18 on port 3389
Next, start a packet capture session using the new ACL. This will capture that specific traffic mentioned above.
ASA# capture CAPIN interface outside access-list CAPIN
// this command will capture packets from the time you enter it then display the results up until the time you enter the following command:
ASA# show capture CAPIN
4 packets captured
1: 15:14:34.749900 66.89.55.81.23505 > 219.128.68.18.3389: S 1404234842:1404234842(0) win 64512 <mss 1460,nop,nop,sackOK>
2: 15:14:34.779531 56.79.45.71.23505 > 219.128.68.18.3389: . ack 140020261 win 64512 // client 56.79.45.71 tries to connect to 219.128.68.18
3: 15:14:34.780202 56.79.35.71.23505 > 219.117.68.18.3389: P 1404234843:1404234885(42) ack 140020261 win 64512
4: 15:14:37.794026 56.79.45.71.23505 > 219.128.68.18.3389: P 1404234843:1404234885(42) ack 140020261 win 64512
4 packets shown
// the capture shows us that packets we’re getting sent across to the RDP server. At this point, the problem is probably username/password, a firewall on the RDP server or a port mismatch
Remove the capture ACL when you are done using it.
Posted by Unknown on Selasa, 17 April 2012 - Rating: 4.5
Title : Cisco RDP Connections (Remote Desktop)
Description : This example is going to go over confirming if a port is accessible across a Cisco ASA firewall for RDP/Remote Desktop which by default ut...
Description : This example is going to go over confirming if a port is accessible across a Cisco ASA firewall for RDP/Remote Desktop which by default ut...
0 Response to "Cisco RDP Connections (Remote Desktop)"
Posting Komentar