Solved

Unable to RDP to some computers inside ASA 5520 through VPN

Posted on 2009-05-08
Last Modified: 2013-11-16
I just moved from a Pix 506e to an ASA 5520.  A third party set it up and there wasn't anything wrong with their original config.  I do not know if it happened before the move to the ASA, but now I cannot VPN to my ASA and then use Remote Desktop to get to any computers on half of my network.  I can Remote Desktop to computers on the same /24 subnet as the ASA, but I cannot get to anything on the /22 subnets that are superscoped from a 192.1.4.0 network.  I can ping just fine after VPNing, and RDP out to the machine connected to the VPN, but I cannot RDP from the VPNed machine to the computers on the 192.1.5.0 network.  Please see my config below, and thanks for any help:
ASA Version 7.2(4) 
!
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.1.4.2 255.255.252.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name UES
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0 
access-list outside extended permit gre any any 
access-list outside extended permit udp any any eq isakmp 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit icmp any any 
access-list outside extended permit tcp host *.*.*.* host *.*.*.* eq ftp 
access-list outside extended permit ip any host *.*.*.* 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit ip any host *.*.*.*
access-list outside extended permit ip any host *.*.*.*
access-list inside extended permit tcp any any eq h323 
access-list inside extended permit tcp any any eq domain 
access-list inside extended permit udp any any eq domain 
access-list inside extended permit tcp any any eq ftp 
access-list inside extended permit tcp any any eq ftp-data 
access-list inside extended permit ip any 10.1.1.0 255.255.255.0 
access-list inside extended permit ip any 172.16.10.0 255.255.255.0 
access-list inside extended permit tcp host 192.1.4.10 any eq smtp 
access-list inside extended permit udp host 192.1.4.30 any eq ntp 
access-list inside extended permit ip host 192.1.4.14 any 
access-list inside extended permit udp host 192.1.4.3 any eq ntp 
access-list inside extended permit udp host 192.1.4.8 any eq ntp 
access-list inside extended permit udp host 192.1.4.10 any eq ntp 
access-list inside extended permit ip host 192.168.5.44 any 
access-list inside extended permit tcp host 192.1.4.3 any eq smtp 
access-list inside extended permit ip host 192.168.6.14 any 
access-list inside extended permit tcp host 192.1.4.19 any eq smtp 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.5.0 255.255.255.0 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.6.0 255.255.255.0 
access-list inside extended permit udp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp any any eq www 
access-list inside extended permit tcp any any eq https 
access-list inside extended permit tcp host 192.168.5.56 host *.*.*.* eq smtp 
access-list inside extended permit icmp any any 
access-list inside extended permit ip any 172.16.20.0 255.255.255.0 
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 192.1.4.30 17/1025
mtu outside 1492
mtu inside 1500
ip local pool POOL1 172.16.10.200-172.16.10.220
ip local pool POOL2 172.16.20.200-172.16.20.220
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 192.1.4.30 netmask 255.255.255.255 
static (inside,outside) 198.69.223.149 192.1.4.8 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.14 netmask 255.255.255.255 
static (inside,outside) 198.69.223.150 192.168.5.44 netmask 255.255.255.255 
static (outside,inside) 192.1.4.14 *.*.*.* netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.168.6.14 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.19 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.3 netmask 255.255.255.255 
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.0.0 255.255.0.0 192.1.4.20 1
route inside 192.168.5.0 255.255.255.0 192.1.4.20 1
route inside 192.168.6.0 255.255.255.0 192.1.4.20 1
route inside 192.1.30.0 255.255.255.0 192.1.4.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:25:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.1.4.30
 key ********************
http server enable
http 192.1.4.0 255.255.252.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac 
crypto dynamic-map dynamap 10 set transform-set SET1
crypto map map2 99 ipsec-isakmp dynamic dynamap
crypto map map2 interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.10.0 255.255.255.0 inside
telnet 192.1.4.0 255.255.252.0 inside
telnet timeout 5
console timeout 0
group-policy Groupa internal
group-policy Groupa attributes
 wins-server value 192.1.4.30
 dns-server value 192.1.4.30
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value asdf
 address-pools value POOL1
group-policy Groupb internal
group-policy Groupb attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value asdf
 address-pools value POOL2
tunnel-group User1 type ipsec-ra
tunnel-group User1 general-attributes
 authentication-server-group partnerauth
 default-group-policy Groupa
tunnel-group User1 ipsec-attributes
 pre-shared-key *
tunnel-group User2 type ipsec-ra
tunnel-group User2 general-attributes
 authentication-server-group partnerauth
 default-group-policy Groupb
tunnel-group User2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sip 
  inspect tftp 
  inspect http 
  inspect ils 
!
service-policy global_policy global
prompt hostname context


Question by:uescjp
22 Comments
Expert Comment

by:etbservices_pete
ID: 24337672
I don't see an Access List entry for RDP to that network and/or host.
Author Comment

by:uescjp
ID: 24337915
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0

Shouldn't this take care of all IP, including port 3389 for RDP?
Expert Comment

by:etbservices_pete
ID: 24337980
I would put something like this; obviously put in your network info and access list #:

access-list RDP extended permit tcp interface outside interface inside eq 3389

You might need the outbound rule as well:

access-list INSIDE_ACL_OUT line 1 permit ip any any
Expert Comment

by:etbservices_pete
ID: 24337986
access-list inside extended permit tcp any any eq 3389 (or the port you're using)
Author Comment

by:uescjp
ID: 24338303
just this:
access-list inside extended permit tcp any any eq 3389

or the two in the previous post as well?

Isn't the first in the previous post effectively the same?
Author Comment

by:uescjp
ID: 24338344
I added the "access-list inside extended permit tcp any any eq 3389" line exactly and nothing changed.  The weird thing is that it doesn't seem like anything is actually being blocked, because I do not see anything in syslogd.

Don't I need to tie the RDP access list to something for NAT?  If I do, how should I do that?
Expert Comment

by:etbservices_pete
ID: 24338362
You have to allow incoming and outgoing Access Lists for RDP: the first one allows the incoming, the 2nd one allows the outgoing.


access-list RDP extended permit tcp interface outside interface inside eq 3389

access-list RDP-OUT extended permit tcp interface inside interface outside eq 3389
Expert Comment

by:etbservices_pete
ID: 24338393
You're coming in for RDP through the VPN, not the public IP; the NAT is used for the internet interface. Once your VPN is connected, you could try to hit RDP from the outside interface instead of the VPN IP. I don't really know your IP schemes, and it's hard; if you could lay out your network setup a little better for me that would be great. What VPN client are you using?
Author Comment

by:uescjp
ID: 24338409
I added both of those lines and still the same result of "This computer can't connect to the remote computer" when trying to use Remote desktop connection.
Expert Comment

by:etbservices_pete
ID: 24338418
Can you give me a network layout: inside IP scheme etc., VPN IPs? You can use private e-mail if you prefer.
Author Comment

by:uescjp
ID: 24338627
                      VPN Router ---+
                     /              |
internet router                     +--- network
                     \              |
                      ASA ----------+

The LAN network has static IPs of 192.1.4.0/24, DHCP IPs of 192.1.5.0/24, and a subnet mask of /22 so they all can see each other.  There are two remote access VPNs terminating on the ASA with 172.16.10.0/24 and 172.16.20.0/24 as their VPN pools.  Neither one can RDP to the 192.1.5.0 network but can ping it.  Both can RDP to the 192.1.4.0/24 network.  There are two WAN VPN connections terminating on the VPN router as well, but they aren't really important for this.
Expert Comment

by:etbservices_pete
ID: 24338746
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0: add a line like this

access-list 120 extended permit ip 172.168.20.0 255.255.255.0 192.168.1.4.0 (source to destination), as I take it the RDP session is coming from the 172.16.20.0 network. Add the 172.16.10.0 as well if you would like.
Author Comment

by:uescjp
ID: 24339212
I've tried that and tried it again just now but it does not work.
Expert Comment

by:etbservices_pete
ID: 24339215
How are you trying to RDP, by DNS name or IP address?
Author Comment

by:uescjp
ID: 24339344
IP address
Expert Comment

by:etbservices_pete
ID: 24339351
Is the port standard as well?
Author Comment

by:uescjp
ID: 24339370
Yes, 3389.
Expert Comment

by:etbservices_pete
ID: 24339527
This is perplexing me, let me study the setup. Can you give me a new "sh run", please?
Author Comment

by:uescjp
ID: 24339698

ASA Version 7.2(4) 
!
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.1.4.2 255.255.252.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0 
access-list outside extended permit gre any any 
access-list outside extended permit udp any any eq isakmp 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit icmp any any 
access-list outside extended permit tcp host *.*.*.* host *.*.*.* eq ftp 
access-list outside extended permit ip any host *.*.*.* 
access-list outside extended permit tcp any host *.*.*.* eq 3230 
access-list outside extended permit tcp any host *.*.*.* eq 3231 
access-list outside extended permit tcp any host *.*.*.* eq 3232 
access-list outside extended permit tcp any host *.*.*.* eq 3233 
access-list outside extended permit tcp any host *.*.*.* eq 3234 
access-list outside extended permit tcp any host *.*.*.* eq 3235 
access-list outside extended permit udp any host *.*.*.* eq 3230 
access-list outside extended permit udp any host *.*.*.* eq 3231 
access-list outside extended permit udp any host *.*.*.* eq 3232 
access-list outside extended permit udp any host *.*.*.* eq 3233 
access-list outside extended permit udp any host *.*.*.* eq 3234 
access-list outside extended permit udp any host *.*.*.* eq 3235 
access-list outside extended permit udp any host *.*.*.* eq 3236 
access-list outside extended permit udp any host *.*.*.* eq 3237 
access-list outside extended permit udp any host *.*.*.* eq 3238 
access-list outside extended permit udp any host *.*.*.* eq 3239 
access-list outside extended permit udp any host *.*.*.* eq 3240 
access-list outside extended permit udp any host *.*.*.* eq 3241 
access-list outside extended permit udp any host *.*.*.* eq 3242 
access-list outside extended permit udp any host *.*.*.* eq 3243 
access-list outside extended permit udp any host *.*.*.* eq 3244 
access-list outside extended permit udp any host *.*.*.* eq 3245 
access-list outside extended permit udp any host *.*.*.* eq 3246 
access-list outside extended permit udp any host *.*.*.* eq 3247 
access-list outside extended permit udp any host *.*.*.* eq 3248 
access-list outside extended permit udp any host *.*.*.* eq 3249 
access-list outside extended permit udp any host *.*.*.* eq 3250 
access-list outside extended permit udp any host *.*.*.* eq 3251 
access-list outside extended permit udp any host *.*.*.* eq 3252 
access-list outside extended permit udp any host *.*.*.* eq 3253 
access-list outside extended permit tcp any host *.*.*.* eq h323 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit ip any host *.*.*.* 
access-list outside extended permit ip any host *.*.*.* 
access-list inside extended permit tcp any any eq h323 
access-list inside extended permit tcp any any eq domain 
access-list inside extended permit udp any any eq domain 
access-list inside extended permit tcp any any eq ftp 
access-list inside extended permit tcp any any eq ftp-data 
access-list inside extended permit ip any 10.1.1.0 255.255.255.0 
access-list inside extended permit ip any 172.16.10.0 255.255.255.0 
access-list inside extended permit tcp host 192.1.4.10 any eq smtp 
access-list inside extended permit udp host 192.1.4.30 any eq ntp 
access-list inside extended permit ip host 192.1.4.14 any 
access-list inside extended permit udp host 192.1.4.3 any eq ntp 
access-list inside extended permit udp host 192.1.4.8 any eq ntp 
access-list inside extended permit udp host 192.1.4.10 any eq ntp 
access-list inside extended permit ip host 192.168.5.44 any 
access-list inside extended permit tcp host 192.1.4.3 any eq smtp 
access-list inside extended permit ip host 192.168.6.14 any 
access-list inside extended permit tcp host 192.1.4.19 any eq smtp 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.5.0 255.255.255.0 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.6.0 255.255.255.0 
access-list inside extended permit udp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp any any eq www 
access-list inside extended permit tcp any any eq https 
access-list inside extended permit tcp host 192.168.5.56 host 207.18.56.93 eq smtp 
access-list inside extended permit icmp any any 
access-list inside extended permit ip any 172.16.20.0 255.255.255.0 
access-list RDP extended permit tcp interface outside interface inside eq 3389 
access-list RDP-OUT extended permit tcp interface inside interface outside eq 3389 
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 192.1.4.30 17/1025
mtu outside 1492
mtu inside 1500
ip local pool POOLA 172.16.10.200-172.16.10.220
ip local pool POOLB 172.16.20.200-172.16.20.220
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 192.1.4.30 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.8 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.14 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.168.5.44 netmask 255.255.255.255 
static (outside,inside) 192.1.4.14 *.*.*.* netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.168.6.14 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.19 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.3 netmask 255.255.255.255 
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 208.10.57.233 1
route inside 192.168.0.0 255.255.0.0 192.1.4.20 1
route inside 192.168.5.0 255.255.255.0 192.1.4.20 1
route inside 192.168.6.0 255.255.255.0 192.1.4.20 1
route inside 192.1.30.0 255.255.255.0 192.1.4.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:25:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.1.4.30
 key ****************
http server enable
http 192.1.4.0 255.255.252.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public 
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac 
crypto dynamic-map dynamap 10 set transform-set SET1
crypto map map2 99 ipsec-isakmp dynamic dynamap
crypto map map2 interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.10.0 255.255.255.0 inside
telnet 192.1.4.0 255.255.252.0 inside
telnet timeout 5
console timeout 0
group-policy User1 internal
group-policy User1 attributes
 wins-server value 192.1.4.30
 dns-server value 192.1.4.30
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 address-pools value POOLA
group-policy User2 internal
group-policy User2 attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 address-pools value POOLB
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 authentication-server-group partnerauth
 default-group-policy User1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 authentication-server-group partnerauth
 default-group-policy User2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sip 
  inspect tftp 
  inspect http 
  inspect ils 
!
service-policy global_policy global
prompt hostname context

Assisted Solution

by:etbservices_pete
etbservices_pete earned 1000 total points
ID: 24339983
Alright, first off I would try to clean up some of the access-lists, maybe do port ranges instead of individual ports for the below:

access-list outside extended permit tcp any host *.*.*.* eq 3230
access-list outside extended permit tcp any host *.*.*.* eq 3231
access-list outside extended permit tcp any host *.*.*.* eq 3232
access-list outside extended permit tcp any host *.*.*.* eq 3233
access-list outside extended permit tcp any host *.*.*.* eq 3234
access-list outside extended permit tcp any host *.*.*.* eq 3235
access-list outside extended permit udp any host *.*.*.* eq 3230
access-list outside extended permit udp any host *.*.*.* eq 3231
access-list outside extended permit udp any host *.*.*.* eq 3232
access-list outside extended permit udp any host *.*.*.* eq 3233
access-list outside extended permit udp any host *.*.*.* eq 3234
access-list outside extended permit udp any host *.*.*.* eq 3235
access-list outside extended permit udp any host *.*.*.* eq 3236
access-list outside extended permit udp any host *.*.*.* eq 3237
access-list outside extended permit udp any host *.*.*.* eq 3238
access-list outside extended permit udp any host *.*.*.* eq 3239
access-list outside extended permit udp any host *.*.*.* eq 3240
access-list outside extended permit udp any host *.*.*.* eq 3241
access-list outside extended permit udp any host *.*.*.* eq 3242
access-list outside extended permit udp any host *.*.*.* eq 3243
access-list outside extended permit udp any host *.*.*.* eq 3244
access-list outside extended permit udp any host *.*.*.* eq 3245
access-list outside extended permit udp any host *.*.*.* eq 3246
access-list outside extended permit udp any host *.*.*.* eq 3247
access-list outside extended permit udp any host *.*.*.* eq 3248
access-list outside extended permit udp any host *.*.*.* eq 3249
access-list outside extended permit udp any host *.*.*.* eq 3250
access-list outside extended permit udp any host *.*.*.* eq 3251
access-list outside extended permit udp any host *.*.*.* eq 3252
access-list outside extended permit udp any host *.*.*.* eq 3253
access-list outside extended permit tcp any host *.*.*.* eq h323

Here is the command that should solve the issue

access-list inside extended permit tcp host 172.16.1.40 192.168.5.0 0.0.0.255 eq 3389

The 172.16.1.40 needs to be your HOST IP, the IP you receive via VPN. 0.0.0.255 is a wildcard, which you need!

eq is obviously for port 3389. Give that command a shot. If that doesn't work there is more of an issue deeper in these access lists.
Author Comment

by:uescjp
ID: 24354068
It won't let me use a wildcard like that.  Invalid input detected.
Accepted Solution

by:uescjp
uescjp earned 0 total points
ID: 24950749
I determined the router was the problem not the ASA.  Everything was right from my original post on how to allow the VPN traffic in.  Nothing else was needed.
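As an added check that is not part of the thread, the script below parses ACL, `nat 0` and `access-group` lines in the style of the posted `show run` and tests the two points the discussion turned on: whether ACL 120 already covers a VPN client talking to a 192.1.5.x host, and which of the ACLs that were edited are actually bound to an interface. The config excerpt is constructed from the posted lines; the script assumes the ASA's top-down, first-match ACL evaluation.

```python
"""Audit an ASA 7.2-style config for the VPN-to-LAN flow discussed in the thread.

Added example, not code from the original post. Only the ACE forms that occur in
the posted config are parsed: 'any', 'host A', 'A MASK', 'interface NAME' and an
optional destination 'eq PORT'.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the posted config. ASA masks are subnet masks, not wildcards.
ASA_CONFIG = """\
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0
access-list inside extended permit tcp any any eq 3389
access-list RDP extended permit tcp interface outside interface inside eq 3389
nat (inside) 0 access-list 120
access-group outside in interface outside
"""


@dataclass
class Ace:
    acl: str
    action: str                            # permit | deny
    proto: str                             # ip, tcp, udp, icmp, ...
    src: Optional[ipaddress.IPv4Network]   # None for 'interface X' specs
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[str]                   # value after 'eq', if any


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network or None, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tok == "interface":   # the interface's own address, not a subnet: not matched here
        return None, i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(config):
    """Return ({acl_name: [Ace, ...]}, name of the nat 0 ACL, set of ACLs bound by access-group)."""
    acls, nat0, bound = {}, None, set()
    for line in config.splitlines():
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            dport = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append(Ace(t[1], t[3], t[4], src, dst, dport))
        elif len(t) > 4 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0 = t[4]                    # nat (inside) 0 access-list 120
        elif len(t) > 1 and t[0] == "access-group":
            bound.add(t[1])                # access-group outside in interface outside
    return acls, nat0, bound


def first_match(aces, proto, src_ip, dst_ip, dport):
    """ASA evaluates an ACL top-down and the first matching entry wins."""
    for a in aces:
        if a.src is None or a.dst is None or a.proto not in ("ip", proto):
            continue
        if a.dport is not None and a.dport != str(dport):
            continue
        if src_ip in a.src and dst_ip in a.dst:
            return a
    return None


def vpn_client_nat_exempt(config, vpn_client, lan_host):
    """True if traffic between a VPN client and a LAN host is NAT-exempt via 'nat (inside) 0'.

    That ACL is written from the inside interface's point of view: source = LAN host,
    destination = remote VPN client. Protocol 'ip' covers every port, so an 'eq 3389'
    entry adds nothing to it.
    """
    acls, nat0, _ = parse_config(config)
    hit = first_match(acls.get(nat0, []), "ip", ipaddress.ip_address(lan_host),
                      ipaddress.ip_address(vpn_client), None)
    return hit is not None and hit.action == "permit"


def unbound_acls(config):
    """ACLs that are defined but never applied with access-group; editing them changes nothing."""
    acls, nat0, bound = parse_config(config)
    return sorted(name for name in acls if name not in bound and name != nat0)
```

For the posted config, `vpn_client_nat_exempt(ASA_CONFIG, "172.16.20.205", "192.1.5.50")` is True because 192.1.5.50 lies inside 192.1.4.0/22, while the same POOL2 client to 192.168.5.44 is False since ACL 120 pairs that subnet only with 172.16.10.0/24; `unbound_acls` reports `['RDP', 'inside']`, as only the `outside` ACL is ever bound with `access-group`.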