uescjp (ASKER)

Unable to RDP to some computers inside ASA 5520 through VPN

I just moved from a Pix 506e to an ASA 5520.  A third party set it up and there wasn't anything wrong with their original config.  I do not know if it happened before the move to the ASA, but now I cannot VPN to my ASA and then use Remote Desktop to get to any computers on half of my network.  I can Remote Desktop to computers on the same /24 subnet as the ASA, but I cannot get to anything on the /22 subnets that are superscoped from a 192.1.4.0 network.  I can ping just fine after VPNing, and RDP out to the machine connected to the VPN, but I cannot RDP from the VPNed machine to the computers on the 192.1.5.0 network.  Please see my config below, and thanks for any help:
ASA Version 7.2(4) 
!
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.1.4.2 255.255.252.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name UES
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0 
access-list outside extended permit gre any any 
access-list outside extended permit udp any any eq isakmp 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit icmp any any 
access-list outside extended permit tcp host *.*.*.* host *.*.*.* eq ftp 
access-list outside extended permit ip any host *.*.*.* 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit ip any host *.*.*.*
access-list outside extended permit ip any host *.*.*.*
access-list inside extended permit tcp any any eq h323 
access-list inside extended permit tcp any any eq domain 
access-list inside extended permit udp any any eq domain 
access-list inside extended permit tcp any any eq ftp 
access-list inside extended permit tcp any any eq ftp-data 
access-list inside extended permit ip any 10.1.1.0 255.255.255.0 
access-list inside extended permit ip any 172.16.10.0 255.255.255.0 
access-list inside extended permit tcp host 192.1.4.10 any eq smtp 
access-list inside extended permit udp host 192.1.4.30 any eq ntp 
access-list inside extended permit ip host 192.1.4.14 any 
access-list inside extended permit udp host 192.1.4.3 any eq ntp 
access-list inside extended permit udp host 192.1.4.8 any eq ntp 
access-list inside extended permit udp host 192.1.4.10 any eq ntp 
access-list inside extended permit ip host 192.168.5.44 any 
access-list inside extended permit tcp host 192.1.4.3 any eq smtp 
access-list inside extended permit ip host 192.168.6.14 any 
access-list inside extended permit tcp host 192.1.4.19 any eq smtp 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.5.0 255.255.255.0 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.6.0 255.255.255.0 
access-list inside extended permit udp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp any any eq www 
access-list inside extended permit tcp any any eq https 
access-list inside extended permit tcp host 192.168.5.56 host *.*.*.* eq smtp 
access-list inside extended permit icmp any any 
access-list inside extended permit ip any 172.16.20.0 255.255.255.0 
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 192.1.4.30 17/1025
mtu outside 1492
mtu inside 1500
ip local pool POOL1 172.16.10.200-172.16.10.220
ip local pool POOL2 172.16.20.200-172.16.20.220
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 192.1.4.30 netmask 255.255.255.255 
static (inside,outside) 198.69.223.149 192.1.4.8 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.14 netmask 255.255.255.255 
static (inside,outside) 198.69.223.150 192.168.5.44 netmask 255.255.255.255 
static (outside,inside) 192.1.4.14 *.*.*.* netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.168.6.14 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.19 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.3 netmask 255.255.255.255 
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside 192.168.0.0 255.255.0.0 192.1.4.20 1
route inside 192.168.5.0 255.255.255.0 192.1.4.20 1
route inside 192.168.6.0 255.255.255.0 192.1.4.20 1
route inside 192.1.30.0 255.255.255.0 192.1.4.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:25:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.1.4.30
 key ********************
http server enable
http 192.1.4.0 255.255.252.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac 
crypto dynamic-map dynamap 10 set transform-set SET1
crypto map map2 99 ipsec-isakmp dynamic dynamap
crypto map map2 interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.10.0 255.255.255.0 inside
telnet 192.1.4.0 255.255.252.0 inside
telnet timeout 5
console timeout 0
group-policy Groupa internal
group-policy Groupa attributes
 wins-server value 192.1.4.30
 dns-server value 192.1.4.30
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value asdf
 address-pools value POOL1
group-policy Groupb internal
group-policy Groupb attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 default-domain value asdf
 address-pools value POOL2
tunnel-group User1 type ipsec-ra
tunnel-group User1 general-attributes
 authentication-server-group partnerauth
 default-group-policy Groupa
tunnel-group User1 ipsec-attributes
 pre-shared-key *
tunnel-group User2 type ipsec-ra
tunnel-group User2 general-attributes
 authentication-server-group partnerauth
 default-group-policy Groupb
tunnel-group User2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sip 
  inspect tftp 
  inspect http 
  inspect ils 
!
service-policy global_policy global
prompt hostname context


etbservices_pete

I don't see an Access List entry for RDP to that network and/or host.
uescjp (ASKER)

access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0

Shouldn't this take care of all IP, including the 3389 port for RDP?
I would put something like this; obviously put in your network info and access list #.

access-list RDP extended permit tcp interface outside interface inside eq 3389

You might possibly need the outbound rule as well:

access-list INSIDE_ACL_OUT line 1 permit ip any any
access-list inside extended permit tcp any any eq 3389 (or the port you're using)
uescjp (ASKER)

Just this:
access-list inside extended permit tcp any any eq 3389

or the two in the previous post as well?

Isn't the first in the previous post effectively the same?
uescjp (ASKER)

I added the "access-list inside extended permit tcp any any eq 3389" line exactly and nothing changed.  The weird thing is that it doesn't seem like anything is actually being blocked, because I do not see anything in syslogd.

Don't I need to tie the RDP access list to something for NAT-ing?  If I do, how should I do that?
You have to allow incoming and outgoing Access Lists for RDP; the first one allows the incoming, the 2nd one allows the outgoing.

access-list RDP extended permit tcp interface outside interface inside eq 3389

access-list RDP-OUT extended permit tcp interface inside interface outside eq 3389
You're coming in for RDP through the VPN, not the public IP; the NAT is used for the internet interface. Once your VPN is connected, you could try and hit RDP from the outside interface instead of the VPN IP. I don't know your IP schemes, really; it's hard. If you could lay out your network setup a little better for me, that would be great. What VPN client are you using?
uescjp (ASKER)

I added both of those lines and still get the same result of "This computer can't connect to the remote computer" when trying to use Remote Desktop Connection.
Can you give me a network layout (inside IP scheme, etc., VPN IPs)? You can use private e-mail if you prefer.
uescjp (ASKER)

                  VPN Router -----\
                 /                 \
internet router                     network
                 \                 /
                  ASA -------------/

The LAN network has static IPs of 192.1.4.0/24, DHCP IPs of 192.1.5.0/24, and a subnet mask of /22 so they all can see each other.  There are two remote access VPNs terminating on the ASA with 172.16.10.0/24 and 172.16.20.0/24 as their VPN pools.  Neither one can RDP to the 192.1.5.0 network but can ping it.  Both can RDP to the 192.1.4.0/24 network.  There are two WAN VPN connections terminating on the VPN router as well, but they aren't really important for this.
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0 (add a line like this):

access-list 120 extended permit ip 172.168.20.0 255.255.255.0 192.168.1.4.0 (source to destination), as I take it the RDP session is coming from the 172.16.20.0 network. Add the 172.16.10.0 as well if you would like.
uescjp (ASKER)

I've tried that and tried it again just now but it does not work.
How are you trying to RDP, by DNS name or IP address?
uescjp (ASKER)

IP address.
Is the port standard as well?
uescjp (ASKER)

Yes, 3389.
This is perplexing me; let me study the setup. Can you give me a new sh run, please?
uescjp (ASKER)

ASA Version 7.2(4) 
!
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.1.4.2 255.255.252.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.168.6.0 255.255.255.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0 
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0 
access-list outside extended permit gre any any 
access-list outside extended permit udp any any eq isakmp 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit icmp any any 
access-list outside extended permit tcp host *.*.*.* host *.*.*.* eq ftp 
access-list outside extended permit ip any host *.*.*.* 
access-list outside extended permit tcp any host *.*.*.* eq 3230 
access-list outside extended permit tcp any host *.*.*.* eq 3231 
access-list outside extended permit tcp any host *.*.*.* eq 3232 
access-list outside extended permit tcp any host *.*.*.* eq 3233 
access-list outside extended permit tcp any host *.*.*.* eq 3234 
access-list outside extended permit tcp any host *.*.*.* eq 3235 
access-list outside extended permit udp any host *.*.*.* eq 3230 
access-list outside extended permit udp any host *.*.*.* eq 3231 
access-list outside extended permit udp any host *.*.*.* eq 3232 
access-list outside extended permit udp any host *.*.*.* eq 3233 
access-list outside extended permit udp any host *.*.*.* eq 3234 
access-list outside extended permit udp any host *.*.*.* eq 3235 
access-list outside extended permit udp any host *.*.*.* eq 3236 
access-list outside extended permit udp any host *.*.*.* eq 3237 
access-list outside extended permit udp any host *.*.*.* eq 3238 
access-list outside extended permit udp any host *.*.*.* eq 3239 
access-list outside extended permit udp any host *.*.*.* eq 3240 
access-list outside extended permit udp any host *.*.*.* eq 3241 
access-list outside extended permit udp any host *.*.*.* eq 3242 
access-list outside extended permit udp any host *.*.*.* eq 3243 
access-list outside extended permit udp any host *.*.*.* eq 3244 
access-list outside extended permit udp any host *.*.*.* eq 3245 
access-list outside extended permit udp any host *.*.*.* eq 3246 
access-list outside extended permit udp any host *.*.*.* eq 3247 
access-list outside extended permit udp any host *.*.*.* eq 3248 
access-list outside extended permit udp any host *.*.*.* eq 3249 
access-list outside extended permit udp any host *.*.*.* eq 3250 
access-list outside extended permit udp any host *.*.*.* eq 3251 
access-list outside extended permit udp any host *.*.*.* eq 3252 
access-list outside extended permit udp any host *.*.*.* eq 3253 
access-list outside extended permit tcp any host *.*.*.* eq h323 
access-list outside extended permit tcp any host *.*.*.* eq https 
access-list outside extended permit ip any host *.*.*.* 
access-list outside extended permit ip any host *.*.*.* 
access-list inside extended permit tcp any any eq h323 
access-list inside extended permit tcp any any eq domain 
access-list inside extended permit udp any any eq domain 
access-list inside extended permit tcp any any eq ftp 
access-list inside extended permit tcp any any eq ftp-data 
access-list inside extended permit ip any 10.1.1.0 255.255.255.0 
access-list inside extended permit ip any 172.16.10.0 255.255.255.0 
access-list inside extended permit tcp host 192.1.4.10 any eq smtp 
access-list inside extended permit udp host 192.1.4.30 any eq ntp 
access-list inside extended permit ip host 192.1.4.14 any 
access-list inside extended permit udp host 192.1.4.3 any eq ntp 
access-list inside extended permit udp host 192.1.4.8 any eq ntp 
access-list inside extended permit udp host 192.1.4.10 any eq ntp 
access-list inside extended permit ip host 192.168.5.44 any 
access-list inside extended permit tcp host 192.1.4.3 any eq smtp 
access-list inside extended permit ip host 192.168.6.14 any 
access-list inside extended permit tcp host 192.1.4.19 any eq smtp 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.5.0 255.255.255.0 
access-list inside extended permit ip 192.1.4.0 255.255.252.0 192.168.6.0 255.255.255.0 
access-list inside extended permit udp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp host 192.1.4.13 any eq 3101 
access-list inside extended permit tcp any any eq www 
access-list inside extended permit tcp any any eq https 
access-list inside extended permit tcp host 192.168.5.56 host 207.18.56.93 eq smtp 
access-list inside extended permit icmp any any 
access-list inside extended permit ip any 172.16.20.0 255.255.255.0 
access-list RDP extended permit tcp interface outside interface inside eq 3389 
access-list RDP-OUT extended permit tcp interface inside interface outside eq 3389 
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap warnings
logging asdm warnings
logging host inside 192.1.4.30 17/1025
mtu outside 1492
mtu inside 1500
ip local pool POOLA 172.16.10.200-172.16.10.220
ip local pool POOLB 172.16.20.200-172.16.20.220
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 192.1.4.30 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.8 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.14 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.168.5.44 netmask 255.255.255.255 
static (outside,inside) 192.1.4.14 *.*.*.* netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.168.6.14 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.19 netmask 255.255.255.255 
static (inside,outside) *.*.*.* 192.1.4.3 netmask 255.255.255.255 
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 208.10.57.233 1
route inside 192.168.0.0 255.255.0.0 192.1.4.20 1
route inside 192.168.5.0 255.255.255.0 192.1.4.20 1
route inside 192.168.6.0 255.255.255.0 192.1.4.20 1
route inside 192.1.30.0 255.255.255.0 192.1.4.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:25:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.1.4.30
 key ****************
http server enable
http 192.1.4.0 255.255.252.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public 
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac 
crypto dynamic-map dynamap 10 set transform-set SET1
crypto map map2 99 ipsec-isakmp dynamic dynamap
crypto map map2 interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.10.0 255.255.255.0 inside
telnet 192.1.4.0 255.255.252.0 inside
telnet timeout 5
console timeout 0
group-policy User1 internal
group-policy User1 attributes
 wins-server value 192.1.4.30
 dns-server value 192.1.4.30
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 address-pools value POOLA
group-policy User2 internal
group-policy User2 attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 120
 address-pools value POOLB
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
 authentication-server-group partnerauth
 default-group-policy User1
tunnel-group Group1 ipsec-attributes
 pre-shared-key *
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
 authentication-server-group partnerauth
 default-group-policy User2
tunnel-group Group2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sip 
  inspect tftp 
  inspect http 
  inspect ils 
!
service-policy global_policy global
prompt hostname context

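Added troubleshooting aid, not part of the thread and not Cisco tooling: this Python script parses a constructed subset of the sh run above and, for a VPN-pool client reaching an inside host, reports whether the flow is covered by the NAT-exemption list (access-list 120) and which ACLs are actually bound with access-group. Function names (take_addr, parse, covers, flow_report) are this example's own; run against the posted lines it shows that 192.1.5.x already falls inside 192.1.4.0/22, and that the inside, RDP and RDP-OUT ACLs are not applied to any interface.

```python
import ipaddress

# Constructed subset of the 'sh run' posted above, not the full config.
CONFIG = """\
access-list 120 extended permit ip 192.168.5.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.10.0 255.255.255.0
access-list 120 extended permit ip 192.1.4.0 255.255.252.0 172.16.20.0 255.255.255.0
access-list outside extended permit udp any any eq isakmp
access-list inside extended permit tcp any any eq 3389
access-list RDP extended permit tcp interface outside interface inside eq 3389
access-list RDP-OUT extended permit tcp interface inside interface outside eq 3389
nat (inside) 0 access-list 120
access-group outside in interface outside
"""

def take_addr(tokens):
    """Consume one ASA address spec: any | host A | interface NAME | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "interface":  # matches only the ASA's own address on that interface
        return ("interface", tokens.pop(0))
    return ipaddress.ip_network(t + "/" + tokens.pop(0), strict=False)

def parse(config):
    """Return ({acl: [(proto, src, dst, port)]}, NAT-exempt ACL name, {iface: acl})."""
    acls, nat_exempt, bound = {}, None, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["extended", "permit"]:
            name, proto, rest = tok[1], tok[4], tok[5:]
            src, dst = take_addr(rest), take_addr(rest)
            port = rest[1] if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((proto, src, dst, port))
        elif tok[:3] == ["nat", "(inside)", "0"]:  # nat (inside) 0 access-list NAME
            nat_exempt = tok[4]
        elif tok[:1] == ["access-group"]:  # access-group NAME in interface IFACE
            bound[tok[4]] = tok[1]
    return acls, nat_exempt, bound

def covers(ace, src, dst, proto="ip", port=None):
    aproto, asrc, adst, aport = ace
    if aproto != "ip" and aproto != proto:
        return False
    if aport is not None and aport != str(port):
        return False
    return all(not isinstance(net, tuple) and ip in net
               for net, ip in ((asrc, src), (adst, dst)))

def flow_report(config, client, inside_host, proto="tcp", port=3389):
    """Evaluate a VPN-pool client -> inside host flow against the config."""
    acls, nat_exempt, bound = parse(config)
    client, inside_host = ipaddress.ip_address(client), ipaddress.ip_address(inside_host)
    # NAT-exemption ACEs are written inside-network -> VPN pool, so check the return direction.
    exempt = any(covers(a, inside_host, client) for a in acls.get(nat_exempt, []))
    # Only ACLs bound with access-group filter anything; with the ASA default
    # 'sysopt connection permit-vpn', decrypted VPN traffic bypasses them as well.
    permitted = {iface: any(covers(a, client, inside_host, proto, port) for a in acls[name])
                 for iface, name in bound.items() if name in acls}
    return {"nat_exempt": exempt, "bound_acls": bound,
            "unbound_acls": sorted(n for n in acls if n not in bound.values() and n != nat_exempt),
            "permitted_by_bound_acl": permitted}
```

A flow from POOL2 (172.16.20.x) to 192.168.5.x comes back as not NAT-exempt, since access-list 120 only pairs 192.168.5.0/24 with 172.16.10.0/24; a report that says the ASA is not filtering a flow points the investigation at routing and host firewalls on the destination subnet rather than at more ACL lines.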

SOLUTION from etbservices_pete

This solution is only available to members of Experts Exchange.
uescjp (ASKER)

It won't let me use a wildcard like that.  Invalid input detected.
ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.