Solved

Unable to RDP to some computers inside ASA 5520 through VPN

Posted on 2009-05-08
Last Modified: 2013-11-16
I just moved from a PIX 506E to an ASA 5520. A third party set it up and there wasn't anything wrong with their original config. I do not know if it happened before the move to the ASA, but now I cannot VPN to my ASA and then use Remote Desktop to get to any computers on half of my network. I can Remote Desktop to computers on the same /24 subnet as the ASA, but I cannot get to anything on the /22 subnets that are superscoped from the 192.1.4.0 network. I can ping just fine after VPNing, and I can RDP out to the machine connected to the VPN, but I cannot RDP from the VPNed machine to the computers on the 192.1.5.0 network. Please see my config below, and thanks for any help:
ASA Version 7.2(4)
!
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.1.4.2 255.255.252.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name UES
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0
access-list outside extended permit gre any any
access-list outside extended permit udp any any eq isakmp
access-list outside extended permit tcp any host *.*.*.* eq https
access-list outside extended permit icmp any any
access-list outside extended permit tcp host *.*.*.* host *.*.*.* eq ftp
access-list outside extended permit ip any host *.*.*.*
access-list outside extended permit tcp any host *.*.*.* eq https
access-list outside extended permit ip any host *.*.*.*
access-list outside extended permit ip any host *.*.*.*
access-list inside extended permit tcp any any eq h323
access-list inside extended permit tcp any any eq domain
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq ftp
access-list inside extended permit tcp any any eq ftp-data
access-list inside extended permit ip any 10.1.1.0 255.255.255.0
access-list inside extended permit ip any 172.16.10.0 255.255.255.0
access-list inside extended permit tcp host 192.1.4.10 any eq smtp
access-list inside extended permit udp host 192.1.4.30 any eq ntp
access-list inside extended permit ip host 192.1.4.14 any
access-list inside extended permit udp host 192.1.4.3 any eq ntp
access-list inside extended permit udp host 192.1.4.8 any eq ntp
access-list inside extended permit udp host 192.1.4.10 any eq ntp
access-list inside extended permit ip host 192.168.5.44 any
access-list inside extended permit tcp host 192.1.4.3 any eq smtp
access-list inside extended permit ip host 192.168.6.14 any
access-list inside extended permit tcp host 192.1.4.19 any eq smtp
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.5.0 255.255.255.0
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.6.0 255.255.255.0
access-list inside extended permit udp host 192.1.4.13 any eq 3101
access-list inside extended permit tcp host 192.1.4.13 any eq 3101
access-list inside extended permit tcp any any eq www
access-list inside extended permit tcp any any eq https
access-list inside extended permit tcp host 192.168.5.56 host *.*.*.* eq smtp
access-list inside extended permit icmp any any
access-list inside extended permit ip any 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 192.1.4.30 17/1025
mtu outside 1492
mtu inside 1500
ip local pool POOL1 172.16.10.200-172.16.10.220
ip local pool POOL2 172.16.20.200-172.16.20.220
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 192.1.4.30 netmask 255.255.255.255
static (inside,outside) 198.69.223.149 192.1.4.8 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.1.4.14 netmask 255.255.255.255
static (inside,outside) 198.69.223.150 192.168.5.44 netmask 255.255.255.255
static (outside,inside) 192.1.4.14 *.*.*.* netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.168.6.14 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.1.4.19 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.1.4.3 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.0.0 255.255.0.0 192.1.4.20 1
route inside 192.168.5.0 255.255.255.0 192.1.4.20 1
route inside 192.168.6.0 255.255.255.0 192.1.4.20 1
route inside 192.1.30.0 255.255.255.0 192.1.4.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:25:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.1.4.30
 key ********************
http server enable
http 192.1.4.0 255.255.252.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto dynamic-map dynamap 10 set transform-set SET1
crypto map map2 99 ipsec-isakmp dynamic dynamap
crypto map map2 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.10.0 255.255.255.0 inside
telnet 192.1.4.0 255.255.252.0 inside
telnet timeout 5
console timeout 0
group-policy Groupa internal
group-policy Groupa attributes
 wins-server value 192.1.4.30
 dns-server value 192.1.4.30
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value asdf
 address-pools value POOL1
group-policy Groupb internal
group-policy Groupb attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value asdf
 address-pools value POOL2
tunnel-group User1 type ipsec-ra
tunnel-group User1 general-attributes
 authentication-server-group partnerauth
 default-group-policy Groupa
tunnel-group User1 ipsec-attributes
 pre-shared-key *
tunnel-group User2 type ipsec-ra
tunnel-group User2 general-attributes
 authentication-server-group partnerauth
 default-group-policy Groupb
tunnel-group User2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sip
  inspect tftp
  inspect http
  inspect ils
!
service-policy global_policy global
prompt hostname context

Question by: uescjp

22 Comments

Expert Comment by: etbservices_pete
I don't see an Access List entry for RDP to that network and/or host.

Author Comment by: uescjp
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0

Shouldn't this take care of all IP, including port 3389 for RDP?

Expert Comment by: etbservices_pete
I would put something like this; obviously put in your own network info and access list #:

access-list RDP extended permit tcp interface outside interface inside eq 3389

Possibly might need the outbound rule as well

access-list INSIDE_ACL_OUT line 1 permit ip any any

Expert Comment by: etbservices_pete
access-list inside extended permit tcp any any eq 3389 (or the port you're using)

Author Comment by: uescjp
Just this:
access-list inside extended permit tcp any any eq 3389

or the two in the previous post as well?

Isn't the first in the previous post effectively the same?

Author Comment by: uescjp
I added the "access-list inside extended permit tcp any any eq 3389" line exactly and nothing changed. The weird thing is that it doesn't seem like anything is actually being blocked, because I do not see anything in syslogd.

Don't I need to tie the RDP access list to something for NAT-ing? If I do, how should I do that?

Expert Comment by: etbservices_pete
You have to allow incoming and outgoing Access Lists for RDP: the first one allows the incoming, the 2nd one allows the outgoing.


access-list RDP extended permit tcp interface outside interface inside eq 3389

access-list RDP-OUT extended permit tcp interface inside interface outside eq 3389

Expert Comment by: etbservices_pete
You're coming in for RDP through the VPN, not the public IP; the NAT is used for the internet interface. Once your VPN is connected, you could try and hit RDP from the outside interface instead of the VPN IP. I don't know your IP schemes really, so it's hard; if you could lay out your network setup a little better for me, that would be great. What VPN client are you using?

Author Comment by: uescjp
I added both of those lines and still get the same result of "This computer can't connect to the remote computer" when trying to use Remote Desktop Connection.

Expert Comment by: etbservices_pete
Can you give me a network layout (inside IP scheme, etc., and VPN IPs)? You can use private e-mail if you prefer.

Author Comment by: uescjp
                  VPN Router ------\
                 /                  \
internet router                      network
                 \                  /
                  ASA -------------/

The LAN network has static IPs of 192.1.4.0/24, DHCP IPs of 192.1.5.0/24, and a subnet mask of /22, so they all can see each other. There are two remote access VPNs terminating on the ASA, with 172.16.10.0/24 and 172.16.20.0/24 as their VPN pools. Neither one can RDP to the 192.1.5.0 network, but both can ping it. Both can RDP to the 192.1.4.0/24 network. There are two WAN VPN connections terminating on the VPN router as well, but they aren't really important for this.

Expert Comment by: etbservices_pete
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0: add a line like this:

access-list 120 extended permit ip 172.16.20.0 255.255.255.0 192.1.4.0 255.255.252.0 (source to destination), as I take it the RDP session is coming from the 172.16.20.0 network. Add the 172.16.10.0 one as well if you would like.

Author Comment by: uescjp
I've tried that and tried it again just now but it does not work.

Expert Comment by: etbservices_pete
How are you trying to RDP, by DNS name or IP address?

Author Comment by: uescjp
IP address

Expert Comment by: etbservices_pete
Is the port standard as well?

Author Comment by: uescjp
Yes, 3389.

Expert Comment by: etbservices_pete
This is perplexing me; let me study the setup. Can you give me a new sh run, please?

Author Comment by: uescjp

ASA Version 7.2(4)
!
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.1.4.2 255.255.252.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0
access-list outside extended permit gre any any
access-list outside extended permit udp any any eq isakmp
access-list outside extended permit tcp any host *.*.*.* eq https
access-list outside extended permit icmp any any
access-list outside extended permit tcp host *.*.*.* host *.*.*.* eq ftp
access-list outside extended permit ip any host *.*.*.*
access-list outside extended permit tcp any host *.*.*.* eq 3230
access-list outside extended permit tcp any host *.*.*.* eq 3231
access-list outside extended permit tcp any host *.*.*.* eq 3232
access-list outside extended permit tcp any host *.*.*.* eq 3233
access-list outside extended permit tcp any host *.*.*.* eq 3234
access-list outside extended permit tcp any host *.*.*.* eq 3235
access-list outside extended permit udp any host *.*.*.* eq 3230
access-list outside extended permit udp any host *.*.*.* eq 3231
access-list outside extended permit udp any host *.*.*.* eq 3232
access-list outside extended permit udp any host *.*.*.* eq 3233
access-list outside extended permit udp any host *.*.*.* eq 3234
access-list outside extended permit udp any host *.*.*.* eq 3235
access-list outside extended permit udp any host *.*.*.* eq 3236
access-list outside extended permit udp any host *.*.*.* eq 3237
access-list outside extended permit udp any host *.*.*.* eq 3238
access-list outside extended permit udp any host *.*.*.* eq 3239
access-list outside extended permit udp any host *.*.*.* eq 3240
access-list outside extended permit udp any host *.*.*.* eq 3241
access-list outside extended permit udp any host *.*.*.* eq 3242
access-list outside extended permit udp any host *.*.*.* eq 3243
access-list outside extended permit udp any host *.*.*.* eq 3244
access-list outside extended permit udp any host *.*.*.* eq 3245
access-list outside extended permit udp any host *.*.*.* eq 3246
access-list outside extended permit udp any host *.*.*.* eq 3247
access-list outside extended permit udp any host *.*.*.* eq 3248
access-list outside extended permit udp any host *.*.*.* eq 3249
access-list outside extended permit udp any host *.*.*.* eq 3250
access-list outside extended permit udp any host *.*.*.* eq 3251
access-list outside extended permit udp any host *.*.*.* eq 3252
access-list outside extended permit udp any host *.*.*.* eq 3253
access-list outside extended permit tcp any host *.*.*.* eq h323
access-list outside extended permit tcp any host *.*.*.* eq https
access-list outside extended permit ip any host *.*.*.*
access-list outside extended permit ip any host *.*.*.*
access-list inside extended permit tcp any any eq h323
access-list inside extended permit tcp any any eq domain
access-list inside extended permit udp any any eq domain
access-list inside extended permit tcp any any eq ftp
access-list inside extended permit tcp any any eq ftp-data
access-list inside extended permit ip any 10.1.1.0 255.255.255.0
access-list inside extended permit ip any 172.16.10.0 255.255.255.0
access-list inside extended permit tcp host 192.1.4.10 any eq smtp
access-list inside extended permit udp host 192.1.4.30 any eq ntp
access-list inside extended permit ip host 192.1.4.14 any
access-list inside extended permit udp host 192.1.4.3 any eq ntp
access-list inside extended permit udp host 192.1.4.8 any eq ntp
access-list inside extended permit udp host 192.1.4.10 any eq ntp
access-list inside extended permit ip host 192.168.5.44 any
access-list inside extended permit tcp host 192.1.4.3 any eq smtp
access-list inside extended permit ip host 192.168.6.14 any
access-list inside extended permit tcp host 192.1.4.19 any eq smtp
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.5.0 255.255.255.0
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.6.0 255.255.255.0
access-list inside extended permit udp host 192.1.4.13 any eq 3101
access-list inside extended permit tcp host 192.1.4.13 any eq 3101
access-list inside extended permit tcp any any eq www
access-list inside extended permit tcp any any eq https
access-list inside extended permit tcp host 192.168.5.56 host 207.18.56.93 eq smtp
access-list inside extended permit icmp any any
access-list inside extended permit ip any 172.16.20.0 255.255.255.0
access-list RDP extended permit tcp interface outside interface inside eq 3389
access-list RDP-OUT extended permit tcp interface inside interface outside eq 3389
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 192.1.4.30 17/1025
mtu outside 1492
mtu inside 1500
ip local pool POOLA 172.16.10.200-172.16.10.220
ip local pool POOLB 172.16.20.200-172.16.20.220
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 192.1.4.30 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.1.4.8 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.1.4.14 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.168.5.44 netmask 255.255.255.255
static (outside,inside) 192.1.4.14 *.*.*.* netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.168.6.14 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.1.4.19 netmask 255.255.255.255
static (inside,outside) *.*.*.* 192.1.4.3 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 208.10.57.233 1
route inside 192.168.0.0 255.255.0.0 192.1.4.20 1
route inside 192.168.5.0 255.255.255.0 192.1.4.20 1
route inside 192.168.6.0 255.255.255.0 192.1.4.20 1
route inside 192.1.30.0 255.255.255.0 192.1.4.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:25:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.1.4.30
 key ****************
http server enable
http 192.1.4.0 255.255.252.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto dynamic-map dynamap 10 set transform-set SET1
crypto map map2 99 ipsec-isakmp dynamic dynamap
crypto map map2 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.10.0 255.255.255.0 inside
telnet 192.1.4.0 255.255.252.0 inside
telnet timeout 5
console timeout 0
group-policy User1 internal
group-policy User1 attributes
 wins-server value 192.1.4.30
 dns-server value 192.1.4.30
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 address-pools value POOLA
group-policy User2 internal
group-policy User2 attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 address-pools value POOLB
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 authentication-server-group partnerauth
 default-group-policy User1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 authentication-server-group partnerauth
 default-group-policy User2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sip
  inspect tftp
  inspect http
  inspect ils
!
service-policy global_policy global
prompt hostname context


Assisted Solution by: etbservices_pete (earned 250 total points)
Alright, first off I would try to clean up some of the access-lists, maybe do port ranges instead of individual ports for the below:

access-list outside extended permit tcp any host *.*.*.* eq 3230
access-list outside extended permit tcp any host *.*.*.* eq 3231
access-list outside extended permit tcp any host *.*.*.* eq 3232
access-list outside extended permit tcp any host *.*.*.* eq 3233
access-list outside extended permit tcp any host *.*.*.* eq 3234
access-list outside extended permit tcp any host *.*.*.* eq 3235
access-list outside extended permit udp any host *.*.*.* eq 3230
access-list outside extended permit udp any host *.*.*.* eq 3231
access-list outside extended permit udp any host *.*.*.* eq 3232
access-list outside extended permit udp any host *.*.*.* eq 3233
access-list outside extended permit udp any host *.*.*.* eq 3234
access-list outside extended permit udp any host *.*.*.* eq 3235
access-list outside extended permit udp any host *.*.*.* eq 3236
access-list outside extended permit udp any host *.*.*.* eq 3237
access-list outside extended permit udp any host *.*.*.* eq 3238
access-list outside extended permit udp any host *.*.*.* eq 3239
access-list outside extended permit udp any host *.*.*.* eq 3240
access-list outside extended permit udp any host *.*.*.* eq 3241
access-list outside extended permit udp any host *.*.*.* eq 3242
access-list outside extended permit udp any host *.*.*.* eq 3243
access-list outside extended permit udp any host *.*.*.* eq 3244
access-list outside extended permit udp any host *.*.*.* eq 3245
access-list outside extended permit udp any host *.*.*.* eq 3246
access-list outside extended permit udp any host *.*.*.* eq 3247
access-list outside extended permit udp any host *.*.*.* eq 3248
access-list outside extended permit udp any host *.*.*.* eq 3249
access-list outside extended permit udp any host *.*.*.* eq 3250
access-list outside extended permit udp any host *.*.*.* eq 3251
access-list outside extended permit udp any host *.*.*.* eq 3252
access-list outside extended permit udp any host *.*.*.* eq 3253
access-list outside extended permit tcp any host *.*.*.* eq h323

Here is the command that should solve the issue:

access-list inside extended permit tcp host 172.16.1.40 192.168.5.0 0.0.0.255 eq 3389

The 172.16.1.40 needs to be your HOST IP, the IP you receive via VPN. 0.0.0.255 is a wildcard, which you need!

eq is obviously for port 3389. Give that command a shot; if that doesn't work, there is more of an issue deeper in these access lists.

Author Comment by: uescjp
It won't let me use a wildcard like that.  Invalid input detected.

Accepted Solution by: uescjp (earned 0 total points)
I determined the router was the problem, not the ASA. Everything was right from my original post on how to allow the VPN traffic in. Nothing else was needed.
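An added check (example code, not from the thread or from Cisco) that parses access-list 120 as posted above and tests whether a LAN host to VPN client pair falls inside it, the way the ASA evaluates its nat 0 exemption list; it also flags the IOS-style wildcard mask that the ASA rejected with "Invalid input detected". It agrees with the accepted answer: the 192.1.4.0 255.255.252.0 entries span 192.1.4.0 to 192.1.7.255, so 192.1.5.0/24 is already covered for both pools. The host addresses used in the checks (192.1.5.50, 172.16.20.205, 172.16.10.210) are constructed.

```python
import ipaddress

# Constructed from the thread's configuration: the four entries of
# access-list 120, which the ASA uses both as the nat (inside) 0 exemption
# list and as the split-tunnel network list of both group policies.
ACL_120 = """\
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0
"""


def is_subnet_mask(mask: str) -> bool:
    """True for a contiguous subnet mask such as 255.255.252.0.  An IOS-style
    wildcard such as 0.0.0.255 returns False; ASA access-lists take subnet
    masks only, which is the "Invalid input detected" the author saw."""
    bits = int(ipaddress.IPv4Address(mask))
    inverse = ~bits & 0xFFFFFFFF          # host part must be a run of ones
    return inverse & (inverse + 1) == 0


def _endpoint(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    # ipaddress would silently accept a wildcard as a host mask, so reject
    # it explicitly, as the ASA parser does.
    if not is_subnet_mask(mask):
        raise ValueError(f"{mask} is a wildcard, not a subnet mask; the ASA rejects it")
    return ipaddress.IPv4Network((addr, mask), strict=False), i + 2


def parse_acl(text):
    """Return [(name, action, src_net, dst_net)] for the 'ip' ACEs in text.
    tcp/udp entries carry port operators and are skipped here."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue
        src, i = _endpoint(t, 5)
        dst, _ = _endpoint(t, i)
        aces.append((t[1], t[3], src, dst))
    return aces


def first_match(aces, src_ip, dst_ip):
    """Index of the first ACE matching src -> dst (ACLs are first-match),
    or None when nothing matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for idx, (_, _, src, dst) in enumerate(aces):
        if s in src and d in dst:
            return idx
    return None


def nat_exempt_match(acl_text, lan_host, vpn_client):
    """The nat 0 list is evaluated inside -> outside, so the LAN host is the
    source and the VPN client the destination.  Returns the matching ACE
    (name, action, src_net, dst_net) or None."""
    aces = parse_acl(acl_text)
    idx = first_match(aces, lan_host, vpn_client)
    return None if idx is None else aces[idx]


if __name__ == "__main__":
    # Constructed addresses: a DHCP host in 192.1.5.0/24 and a POOL2 client.
    # The /22 entry covers it, so the ASA already exempts the flow from NAT
    # and pushes the route to the client.
    print(nat_exempt_match(ACL_120, "192.1.5.50", "172.16.20.205"))
    # 192.168.5.0/24 is listed only against POOL1, so a POOL2 client gets no
    # exemption (and no split-tunnel route) for it.
    print(nat_exempt_match(ACL_120, "192.168.5.44", "172.16.20.205"))
    print(is_subnet_mask("0.0.0.255"))
```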