ASA 5505 Configuration Problems

I am trying to configure an ASA 5505 to allow Remote Desktop Protocol from outside to a host on the inside network. I created a Security Policy and a Static NAT Rule. But it does not work. Here is my configuration. Any suggestions would be appreciated. This is my first experience with a Cisco security device. I used the ASDM to configure the ASA 5505.


sh run
: Saved
ASA Version 7.2(3)
hostname nurm
enable password X7L14fUbqxvIsSKn encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
object-group service nurem_services_udp udp
 description port_forwarding_nurem_udp
 port-object range 3389 3389
access-list outside_access_in extended permit udp any object-group nurem_services_udp host object-group nurem_services_udp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (outside,inside) netmask
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end



You have created the NAT statement, but you now need to create an ACL to allow packets to the host.

access-list outside_access_in extended permit tcp any host eq 3389

access-group outside_access_in in interface outside

In the access-list you could probably also use:

access-list outside_access_in permit tcp any interface eq 3380

artie lange

I don't know if it matters, but you did not 'switchport' vlan 1 against any ports, the way you did vlan 2. And do you really want the outside interface to be a tagged vlan?

That would only work if both the source and destination port are 3389. Possible for udp -- but on the other hand the last time I checked, RDP was TCP, not UDP, and for the TCP case, you would *not* want to restrict the source port to 3389.

Also, in an ACL being applied to the outside interface, the destination IP needs to be the IP *before de-nat*, the public IP. Like the other poster indicated, you probably want 'interface' there instead of 'host'. You might need to use 'interface outside' -- at least that's what you would need for PIX 6.2/6.3.

Walter Roberson

Still doesn't work. I must be missing something.


^^^ that should read eq 3389

can you post the contents of sh access-list and sh nat ...

artie lange

> ^^^ that should read eq 3389

sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 extended permit tcp any host eq 3389 (hitcnt=0) 0x2b9d88ad

sh nat

NAT policies on Interface inside:
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 ( [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface outside:
  match ip outside host inside any
    static translation to
    translate_hits = 0, untranslate_hits = 0


You cannot static your entire outside interface to the inside. When you are dealing with your outside interface, static only the ports you need.

You have likely also reversed the order of the interfaces for the static.

Thirdly, you need to use the keyword 'interface' instead of the outside IP address.

Fourthly (if I recall correctly) you are attempting to configure RDP on UDP, but RDP is a TCP protocol. With UDP it might make sense to lock the source port to 3389 but with TCP it does not.

static (inside,outside) tcp interface 3389 3389 netmask

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-group outside_access_in in interface outside

Walter Roberson
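The four mistakes listed in the answer above (reversed interface order, a static that maps the whole address, UDP where RDP needs TCP, a pinned source port) plus the earlier point about the outside ACL naming the pre-NAT address can be checked mechanically. The following Python lint is an added example, not code from the thread or from Cisco; the ASA 7.2 lines it tests and the 192.168.1.10 / 203.0.113.10 addresses are constructed.

```python
import ipaddress

# Constructed ASA 7.2 lines: the thread's broken static/ACL pair, then the corrected pair
# from the answer above. Addresses are placeholders (RFC 1918 inside, documentation range outside).
BROKEN = [
    "static (outside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255",
    "access-list outside_access_in extended permit udp any eq 3389 host 192.168.1.10 eq 3389",
]
FIXED = [
    "static (inside,outside) tcp interface 3389 3389 netmask 255.255.255.255",
    "access-list outside_access_in extended permit tcp any interface outside eq 3389",
]

def _addr(t, i):
    # one address spec: any | host X | interface X | object-group X | network mask
    return ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)

def _port(t, i):
    # optional 'eq N' or 'range A B'; (None, i) when no port follows
    if i < len(t) and t[i] == "eq":
        return t[i + 1], i + 2
    if i < len(t) and t[i] == "range":
        return f"{t[i + 1]}-{t[i + 2]}", i + 3
    return None, i

def lint(lines, rdp_port="3389"):
    """Findings for a static + outside ACL pair meant to publish RDP on an inside host."""
    findings = []
    for t in (line.split() for line in lines if line.strip()):
        if t[0] == "static":
            if tuple(t[1].strip("()").split(",")) != ("inside", "outside"):
                findings.append("static: interface order should be (inside,outside)")
            if t[2] not in ("tcp", "udp"):
                findings.append("static: whole address mapped; restrict the static to one port")
        elif t[0] == "access-list" and "permit" in t:
            proto = t[t.index("permit") + 1]
            _, i = _addr(t, t.index("permit") + 2)      # source address
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, i = _port(t, i)
            if dport == rdp_port and proto != "tcp":
                findings.append(f"acl: RDP is TCP, not {proto}")
            if sport is not None:
                findings.append("acl: source port pinned; RDP clients use ephemeral source ports")
            # 'host <RFC 1918 addr>' is the post-NAT address; an outside ACL must name the public one
            if dst.startswith("host ") and ipaddress.ip_address(dst[5:]).is_private:
                findings.append("acl: destination must be the pre-NAT (public) address on the outside ACL")
    return findings
```

Running `lint(BROKEN)` reports all five problems and `lint(FIXED)` reports none; feed it the relevant lines of your own `sh run` to check a similar setup.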


Thanks for the help. I had messed up my config, so I reset the ASA to factory default, did a basic configuration using the setup wizard, then used your commands to configure NAT and the ACL and it worked just fine.

Do I need to make a service group to allow other services such as smtp, pop3 etc or just add lines to my ACL and NAT entries?

Thanks again.


Either way works fine.

The time we started creating object groups was when we started doing mass blocking of problematic IP source addresses. Updating them one by one in the config was a pain, but updating the object group was fairly easy.

Eventually we started using object groups extensively, which was in the context of a PIX configuration generator that I wrote that allowed me to create configuration templates and a couple of small host-specific files, and use the templates to generate *consistent* configurations for all of our PIX. When you start working with meshes of PIXes, you really want to stop dealing in individual IP addresses and instead deal in named groups.
Walter Roberson