I have 2 ASA5505's connected via VPN, VPN is up and running I can ping from both ends.  I'm trying to RDP back and forth for testing, what commands do I need to enter on both ASA's to accomplish this? Here's my config:

** I have configured this on ASA-2 and I'm trying to connect from a client on ASA-1.

ASA Version 7.2(4)
hostname ASA-2
domain-name default.domain.invalid
enable password 0bmo3eDt1sgljTdM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 19
access-list outside_1_cryptomap extended permit ip 192
access-list outside_access_in extended permit tcp any any eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface 3389 3389 netmask 255.255.255.
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

since the outside_1_cryptomap says permit ip in the command, you should be able to access RDP over the L2L connection
please make sure the other end also has "permit ip" as the encryption domain
then on the machine check for RDP enable and windows firewall
please let me  know! thanks
seanramosAuthor Commented:
Thanks for the response.  Yes both ASA's have outside_1_cryptomap permit ip 192.168.x.x, i tried RDP and it did not work so I was looking around in the forums and i added this line on ASA-2 -- static (inside,outside) tcp interface 3389 3389 netmask, being the laptop i wanted to RDP to.  
seanramosAuthor Commented:
Even though it permits ip does port 3389 need to be forwarded?
Webinar: What were the top threats in Q2 2018?

Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that describes and analyzes the top threat trends impacting companies around the world. Are you ready to learn more about the top threats of Q2 2018? Register for our Sept. 26th webinar to learn more!

No, not required. you dont need to exiplicity mention the RDP port. hope that RDP is accessable internally,. your conf seems to be ok. hope other experts can throw some light :)
I believe that this is your issue:

static (inside,outside) tcp interface 3389 3389 netmask

Is there a PC other then that you can attempt to RDP to? If you can, this will test if it is just that static entry. I know that in routers the device hits the static first and does not allow it to work. There is a work around but I would have to take some time to figure it out in an ASA if it was necessary.

If you can do a:

no static (inside,outside) tcp interface 3389 3389 netmask

And then test it would answer if this is the culprit. If you have this on both ends remove it on both ends

Good Luck,


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
seanramosAuthor Commented:
thanks for the response, I entered the static entry in only because I could not RDP from both sides, I looked it up and someone had mentioned that I would need to put an explicit static entry, apparently that's wrong.  Only one side has this static entry in, with a client on ASA-2 trying to RDP to, w/firewalls off.
So you have removed those entries.

and when you ping from PC to (PC on the other side) you get what?


seanramosAuthor Commented:
I will try and get back to you.
seanramosAuthor Commented:
Ok, I tried it.  I have an XP laptop and a Vista Home Premium (I know, I hate it), each connected to an ASA.  I had the Vista client connected to ASA-2 which was 192.168.2.X and had the XP client connected to ASA-1 which was 192.168.1.X.  I took out the static routes so both configs on both ASA's were identically mirrored, I could ping the XP machine from the Vista machine but I could not ping the Vista machine from XP.  I made sure all firewalls were off etc. I compared configs and they looked good.  Then I tried swapping ASA's putting the Vista machine on ASA-1 and XP on ASA-2, then voila! both can ping each other...I'm not sure why It was one way earlier?  RDP works as well, apparently you can't RDP in Home premium unless you dl an add-on.  
So is it all working then?

That vista thing is odd but I do not trust vista to many weird things with it.

Let me know,

seanramosAuthor Commented:
Yes both are working, I assume that if I put xp clients on both ends I wouldn't have a problem. Thanks again!~
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.