Screen OS


Setup VIP to port forward to internal RDP server

Erdem (02-12-2013 12:19)

  • 1.  Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 07:36

    Hello - 

    Perhaps someone can help, as I think I am missing something; this simple procedure is not working.

     

    I want some people to access a Windows terminal server via RDP over the WAN via VIP.

     

    This is what i have done:

     

    Created a custom RDP service using a nonstandard port of 3525. So the end game is that when a user connects via Remote Desktop it would be untrusted_ip:3525.

     

    I have the VIP mapping port 3525 to 3389 on the internal server 192.168.2.125.

    Servers are running and all shows OK.

     

    I then created a policy with a from address of Any and a destination of the VIP,

    with the rdp_3389 and rdp_3525 services.

    Action is permit. Policy is enabled,

    but I cannot connect.

     

    Running an NS5GT with firmware 5.3.0r4.0 (Firewall+VPN).

     

    Any tips appreciated.



  • 2.  RE: Setup VIP to port forward to internal RDP server
    Best Answer

     
    Posted 02-12-2013 07:45

    Hello.

     

    Can you make sure the policy is at the top of the list?

     

    If it still doesn't work, then debug will be helpful:

     

    clear db
    unset ff (repeat until 'invalid id')
    set ff dst-ip <public ip> dst-port 3525
    set ff src-ip 192.168.2.125 dst-ip <public ip>
    debug flow basic
    
    *** initiate RDP connection ***
    
    undebug all
    get db stream

     

     

    Regards,

    Sam 



  • 3.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 09:35

    This is all I got from the debug.

     

    get db stream
    MSS found 0x05b4
    MSS found 0x05b4
    MSS found 0x05b4
    myfirewall>



  • 4.  RE: Setup VIP to port forward to internal RDP server

     
    Posted 02-12-2013 10:44

    Hi. 

     

    Well, either the debug is not working properly or our expected traffic is not hitting the firewall.

     

    Can we try this? "Public ip" here refers to the IP on the internet where the RDP request is originating, not the public IP configured on the firewall.

     

    clear db
    set dbuf size 4096
    unset ff (repeat until 'invalid id')
    set ff src-ip <public ip>
    set ff dst-ip <public ip>
    debug flow basic
    
    *** initiate RDP ***
    
    undebug all
    get db stream

     

    Perhaps this will help us catch what's going on.

     

    Regards,

    Sam



  • 5.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 10:58

    DOH! OK, anyhow, after I did a whatsmyip I used that IP as the "public ip" entry.

    And after all that I get nothing 😞. After I type get db stream it just gives me the prompt. I would expect to see debug info scrolling, correct?

     

    LCO-> set ff dst-ip 216.240.30.23 dst-port 3525
    filter added
    myfw-> set ff src-ip 192.168.2.125 dst-ip 216.240.30.23
    filter added
    myfw-> debug flow basic

    Tried connecting via Remote Desktop...

    then

    myfw-> undebug all
    myfw-> get db stream
    myfw->

     

    I even tried it with the new commands you posted, and same result.

     

    P.S. I appreciate your patience 🙂

     



  • 6.  RE: Setup VIP to port forward to internal RDP server

     
    Posted 02-12-2013 11:05

    I assume you're not consoled into the firewall? What does "get console" show? The first line should read "debug: buffer".

     

    If it reads "debug: console", then type "set console dbuf".

     

    It's possible the dbuf portion may be broken in your version of code. As a final test, I would try "debug flow basic" with no filters (unset ff) and see if you get anything. If not, then the debug part is broken on the firewall; you'll require a reboot or upgrade.

     

    clear db
    unset dbuf size
    unset ff (repeat until 'invalid id')
    debug flow basic

    **** pass some traffic through the firewall ****

    undebug all
    get db stream

     

     

     

    Regards,

    Sam



  • 7.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 11:09

    it shows:

    myfw-> get console
    Console timeout: 10(minute), Page size: 22/22, debug: buffer
    privilege 250, config was changed and not saved!, default save prompt on exit/reset: yes
    ID State Duration Task Type Host
    0 Login 19 21842144 Telnet 192.168.2.5:54246
    1 Logout 0 21843760 Local
    2 Logout 0 21822752 Local
    myfw->

     

     



  • 8.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 11:12

     

    Got some debug info per your last post:

    get db stream
    ****** 67480.0: <Trust/trust> packet received [125]******
    ipid = 5600(15e0), @022b1b50
    packet passed sanity check.
    trust:192.168.2.5/3389->216.240.30.5/6407,6<Root>
    existing session found. sess token 4
    flow got session.
    flow session id 1732
    ****** 67480.0: <Untrust/untrust> packet received [40]******
    ipid = 7038(1b7e), @02256850
    packet passed sanity check.
    untrust:74.207.213.15/110->96.11.113.115/1678,6<Root>
    existing session found. sess token 6
    flow got session.
    flow session id 2032
    flow_tcp_fin_vector()
    existing vector list 3-291a1e0.
    post addr xlation: 74.207.213.15->192.168.2.21.
    ****** 67480.0: <Trust/trust> packet received [48]******
    ipid = 29841(7491), @022b0b50
    packet passed sanity check.
    trust:192.168.2.21/1548->74.207.213.15/110,6<Root>
    flow_first_sanity_check: in <trust>, out <N/A>
    --- more ---



  • 9.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 11:38

    AHH Ha! I got it!

     

    I was connected via VPN into one corporate network (forgot all about it) and working on that firewall on a totally different network (company).

     

    I disconnected the VPN so I was on Starbucks. BOOM, connected!

     

    Thanks for sticking with me!

     



  • 10.  RE: Setup VIP to port forward to internal RDP server

     
    Posted 02-12-2013 11:40

    Nice! I'm glad you got it working!



  • 11.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 07:53
    @Sam: The policy is set at the top.
    Once I get a chance I will attempt the debug option.

    In the meantime, any other tips?


  • 12.  RE: Setup VIP to port forward to internal RDP server

     
    Posted 02-12-2013 08:12

    No, it should work. I just tried it and it works for me.

     

    PC----bgroup0[SSG]eth0/1-------RDP server

         Trust                                DMZ

     

    Here's my config.  I tested from Trust -> DMZ zones, but the config is the same.

     

     

    set service "rdp3525" protocol tcp src-port 0-65535 dst-port 3525-3525
    set service "rdp3389" protocol tcp src-port 0-65535 dst-port 3389-3389

    set interface bgroup0 ip 192.168.1.1/24

    set interface ethernet0/1 ip 192.168.80.70/27

    set interface bgroup0 vip interface-ip 3525 "rdp3389" 192.168.80.71 manual

    set policy id 8 from "Trust" to "DMZ"  "Any" "VIP(bgroup0)" "rdp3525" permit log

     

     

    My debug/snoop output. Notice the packet is sent to TCP port 3525, but leaves the firewall with dst-port 3389:

     

    1978650.0: bgroup0(i) len=66:e4115b3e7181->0017cb898b4b/0800
                  192.168.1.33 -> 192.168.1.1/6
                  vhl=45, tos=00, id=3051, frag=4000, ttl=128 tlen=52
                  tcp:ports 36734->3525, seq=1018173189, ack=0, flag=8002/SYN

     

    ****** 1978650.0: <Trust/bgroup0> packet received [52]******
      ipid = 3051(0beb), @03a3fa90
      packet passed sanity check.
      flow_decap_vector IPv4 process
      bgroup0:192.168.1.33/36734->192.168.1.1/3525,6<Root>
      no session found
      flow_first_sanity_check: in <bgroup0>, out <N/A>
      self check, not for us
      chose interface bgroup0 as incoming nat if.
      flow_first_routing: in <bgroup0>, out <N/A>
      search route to (bgroup0, 192.168.1.33->192.168.80.71) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 3.route 192.168.80.71->192.168.80.71, to ethernet0/1
      routed (x_dst_ip 192.168.80.71) from bgroup0 (bgroup0 in 0) to ethernet0/1
      policy search from zone 2-> zone 3
     policy_flow_search  policy search nat_crt from zone 2-> zone 10
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.1, port 3525, proto 6)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 8/0/0x9
      Permitted by policy 8
      No src xlate   choose interface ethernet0/1 as outgoing phy if
      no loop on ifp ethernet0/1.
      session application type 0, name None, nas_id 0, timeout 1800sec
      service lookup identified service 0.
      flow_first_final_check: in <bgroup0>, out <ethernet0/1>
      existing vector list 103-43d959c.
      Session (id:7958) created for first pak 103
      flow_first_install_session======>
      route to 192.168.80.71
      arp entry found for 192.168.80.71
      ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/1, 192.168.80.71->192.168.1.33) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
      [ Dest] 7.route 192.168.1.33->192.168.1.33, to bgroup0
      route to 192.168.1.33
      arp entry found for 192.168.1.33
      ifp2 bgroup0, out_ifp bgroup0, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 7958
      flow_main_body_vector in ifp bgroup0 out ifp ethernet0/1
      flow vector index 0x103, vector addr 0x43d959c, orig vector 0x43d959c
      adjust tcp mss.
      tcp seq check.
      Got syn, 192.168.1.33(36734)->192.168.1.1(3525), nspflag 0x801801, 0x800800
      post addr xlation: 192.168.1.33->192.168.80.71.
      packet send out to 001122334455 through ethernet0/1


    1978650.0: ethernet0/1(o) len=66:0017cb898b45->001122334455/0800
                  192.168.1.33 -> 192.168.80.71/6
                  vhl=45, tos=00, id=3051, frag=4000, ttl=127 tlen=52
                  tcp:ports 36734->3389, seq=1018173189, ack=0, flag=8002/SYN

     

     

    Regards,

    Sam
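The two captures in this thread are the thing to read when a VIP seems dead: reply 8, where nothing for the VIP port shows up at all, and reply 12, where the SYN to port 3525 is permitted by policy 8 and leaves with the translated destination. Below is an added Python example, not part of the original posts and not Juniper code, that parses `debug flow basic` output into one record per packet and answers the question Sam was working towards: did any packet for the VIP port reach the firewall, which policy matched it, and what did the destination become after translation. The line patterns are taken from the output pasted in this thread and are an assumption for other ScreenOS releases; the two sample captures are trimmed copies of replies 12 and 8.

```python
"""Parse ScreenOS 'debug flow basic' output and report whether a VIP port-forward was hit."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes copied from the debug output pasted in this thread (assumption: other
# ScreenOS releases may word these lines differently).
PKT_RE = re.compile(r"^\*+ [\d.]+: <(?P<zone>[^/>]+)/(?P<ifp>[^>]+)> packet received \[\d+\]")
TUPLE_RE = re.compile(
    r"^(?P<ifp>[\w./-]+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)<"
)
POLICY_RE = re.compile(r"^(?P<verdict>Permitted|Denied) by policy (?P<pid>\d+)")
XLATE_RE = re.compile(r"^post addr xlation: \d+\.\d+\.\d+\.\d+->(?P<after>\d+\.\d+\.\d+\.\d+)\.")
NEW_SESSION_RE = re.compile(r"^Session \(id:(?P<sid>\d+)\) created")
OLD_SESSION_RE = re.compile(r"^flow session id (?P<sid>\d+)")


@dataclass
class FlowRecord:
    zone: str
    ifp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    session_id: Optional[int] = None
    new_session: bool = False
    policy_id: Optional[int] = None
    permitted: Optional[bool] = None
    xlated_dst: Optional[str] = None  # destination after VIP/MIP translation


def parse_debug_flow(text: str) -> List[FlowRecord]:
    """One FlowRecord per '****** ... packet received' block."""
    records: List[FlowRecord] = []
    header = None  # (zone, ifp) of a block whose 5-tuple line has not come yet
    cur: Optional[FlowRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PKT_RE.match(line)):
            header, cur = (m["zone"], m["ifp"]), None
        elif header and (m := TUPLE_RE.match(line)):
            cur = FlowRecord(header[0], header[1], m["src"], int(m["sport"]),
                             m["dst"], int(m["dport"]), int(m["proto"]))
            records.append(cur)
            header = None
        elif cur is None:
            continue
        elif (m := POLICY_RE.match(line)):
            cur.policy_id, cur.permitted = int(m["pid"]), m["verdict"] == "Permitted"
        elif (m := XLATE_RE.match(line)):
            cur.xlated_dst = m["after"]
        elif (m := NEW_SESSION_RE.match(line)):
            cur.session_id, cur.new_session = int(m["sid"]), True
        elif cur.session_id is None and (m := OLD_SESSION_RE.match(line)):
            cur.session_id = int(m["sid"])
    return records


def vip_hits(records: List[FlowRecord], vip_port: int) -> List[FlowRecord]:
    """TCP packets that arrived for the VIP's listening port (what the ff filter should catch)."""
    return [r for r in records if r.proto == 6 and r.dport == vip_port]


def explain(records: List[FlowRecord], vip_port: int) -> str:
    hits = vip_hits(records, vip_port)
    if not hits:
        return (f"no TCP packet to port {vip_port} in the capture: the client traffic is not "
                f"reaching this firewall, or the ff filter addresses do not match the real flow")
    out = []
    for r in hits:
        verdict = {True: "permitted", False: "denied", None: "no policy verdict"}[r.permitted]
        xlate = f"dst translated to {r.xlated_dst}" if r.xlated_dst else "no address translation logged"
        out.append(f"{r.zone}/{r.ifp} {r.src}:{r.sport} -> {r.dst}:{r.dport} {verdict} "
                   f"by policy {r.policy_id}, {xlate}, session {r.session_id}")
    return "\n".join(out)


# Trimmed from the working capture in reply 12 (SYN to the VIP port 3525).
WORKING_CAPTURE = """\
****** 1978650.0: <Trust/bgroup0> packet received [52]******
  ipid = 3051(0beb), @03a3fa90
  bgroup0:192.168.1.33/36734->192.168.1.1/3525,6<Root>
  no session found
  Permitted by policy 8
  Session (id:7958) created for first pak 103
  flow session id 7958
  post addr xlation: 192.168.1.33->192.168.80.71.
"""

# Trimmed from the capture in reply 8: unrelated sessions, nothing to port 3525.
NO_HIT_CAPTURE = """\
****** 67480.0: <Trust/trust> packet received [125]******
trust:192.168.2.5/3389->216.240.30.5/6407,6<Root>
existing session found. sess token 4
flow session id 1732
****** 67480.0: <Untrust/untrust> packet received [40]******
untrust:74.207.213.15/110->96.11.113.115/1678,6<Root>
flow session id 2032
post addr xlation: 74.207.213.15->192.168.2.21.
"""

if __name__ == "__main__":
    print(explain(parse_debug_flow(WORKING_CAPTURE), 3525))
    print(explain(parse_debug_flow(NO_HIT_CAPTURE), 3525))
```

Run against a real `get db stream` dump, the empty-result case is the one to read carefully: it is exactly what the original poster saw, and the cause was not the VIP config but that the test client (behind a VPN) never sent its SYN to this firewall's public address at all.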



  • 13.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 08:16
    Interesting. Then why am I not having such luck 😞

    Seems like mine needs a kick of sorts.
    BTW, I appreciate your prompt replies!


  • 14.  RE: Setup VIP to port forward to internal RDP server

     
    Posted 02-12-2013 08:20

    5.3 is pretty old. It's possible there's a bug in that version? Debug is our friend 🙂

     

    If you are NOT running any UTM (web filtering, AV, DI), then you can upgrade to the latest 6.2.x.

    If you ARE running any UTM, then you can upgrade to the latest 5.4.x.

     

    Regards,

    Sam



  • 15.  RE: Setup VIP to port forward to internal RDP server

    Posted 02-12-2013 12:19
    Thank you for sticking with me.