L1Technology
asked on
Problem with RDP on Cisco ASA 5505 When connected to VPN
I am having issues with accessing my company through RDP using my Cisco ASA 5505.
I am able to connect with the AnyConnect VPN client and I can ping the internal interface from the outside but am unable to RDP to anything in my network.
All of my users will be accessing my company through this VPN and then RDP to servers on my network.
I am only wanting to use this ASA for VPN and RDP access to my network. This is an emergency secondary way to get to my network from the outside.
Here is my config file
Result of the command: "show run"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name levelone.local
enable password XXXXwm4JELJXrOoK encrypted
passwd XXXXnbNIdI.2KYOU encrypted
names
name 10.10.0.0 Internal
name 172.1.1.0 VPN
name XX.XX.18.0 Company Name description Company Name
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address XX.XX.39.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.230.158 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone AST 3
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server xx.xx.10.1
domain-name Company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_nat0_outbound extended permit ip any any
access-list outside_access_in extended permit tcp any Company 255.255.255.0 eq 3389
access-list outside_access_in extended permit tcp any XX.XX.39.0 255.255.255.0 eq ssh
access-list outside_access_in extended permit tcp any XX.XX.39.0 255.255.255.0 eq pptp
access-list outside_access_in extended permit tcp any XX.XX.39.0 255.255.255.0 eq 1701
access-list outside_access_in extended permit udp any XX.XX.39.0 255.255.255.0 eq isakmp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp VPN 255.255.255.0 any eq 3389
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit ip VPN 255.255.255.0 any
pager lines 24
logging enable
logging monitor informational
logging history warnings
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.168.20.1-172.168.20.50 mask 255.255.255.0
ip local pool WebvpnSSL 172.1.1.1-172.1.1.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (inside) 1 LevelOne-XX.XX.18.254 netmask 255.0.0.0
global (outside) 101 172.168.10.10-172.168.10.11 netmask 255.255.255.0
nat (inside) 0 XX.XX.230.156 255.255.255.252 outside
static (outside,inside) Internal VPN netmask 255.255.255.0
access-group inside_access_in in interface inside per-user-override
access-group outside_access_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 68.115.230.157 1
route inside 10.0.0.0 255.0.0.0 xx.xx.39.253 1
route outside VPN 255.255.255.0 xx.xx.39.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email it@company.com
subject-name CN=ciscoasa
ip-address 74.223.115.42
keypair xxxxxxxxxxxxxxxxxx
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
subject-name CN=ciscoasa.levelone.local,O=LevelOne,C=us
keypair firstcentralizedleasingoffice
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 8003324b
3082028a 308201f3 a0030201 02020480 03324b30 0d06092a 864886f7 0d010104
05003057 3111300f 06035504 03130863 6973636f 61736131 42301a06 092a8648
86f70d01 0908130d 37342e32 32332e31 31352e34 32302406 092a8648 86f70d01
09021617 63697363 6f617361 2e6c6576 656c6f6e 652e6c6f 63616c30 1e170d30
39313232 33313134 3831365a 170d3139 31323231 31313438 31365a30 57311130
0f060355 04031308 63697363 6f617361 3142301a 06092a86 4886f70d 01090813
0d37342e 3232332e 3131352e 34323024 06092a86 4886f70d 01090216 17636973
636f6173 612e6c65 76656c6f 6e652e6c 6f63616c 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00c00607 c81076d5 dd79a844 962104da
6d02e324 1f8ad665 d584f174 232ca340 3a2220e3 a9ff6a36 eda0489e 86bfb9dd
2c27e439 8328c030 a6c94fad 68deb62b 13b2de3e 49bc149c fe94c2e6 73a347bb
5265e1d4 2ea46606 008253ba 1b6c2f1c 4db8c4cd c9ffae72 02f51423 2369241e
8da2d611 e1249ca6 4e5bda4e ad80d811 8b020301 0001a363 3061300f 0603551d
130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403 02018630 1f060355
1d230418 30168014 4429d9ed 3f769d7b 18fdd9b2 4e373480 a0faa1ab 301d0603
551d0e04 16041444 29d9ed3f 769d7b18 fdd9b24e 373480a0 faa1ab30 0d06092a
864886f7 0d010104 05000381 81003d1c b1245d83 14b35ee5 d1535477 24675a98
2cf160f6 1749ed84 8f6d547a 4c1e95ee 24371061 62eb081c 2e19652e c8ea0ce4
dc6839fa bcb74700 d2c45eb0 f70273ac 9d90a8f0 3de2132c e8fd48d5 7cd7baa1
320cd868 61690762 6e138859 4a4330d4 83dd08ee a3fcf2e3 cfaee47a 512b28ca
02fd5a5f 1b856108 f96821c9 6960
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 10
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcp-client broadcast-flag
dhcpd auto_config outside
!
dhcpd dns xx.xx.1.225 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc image disk0:/anyconnect-dart-win-2.4.0202-k9.pkg 2
svc image disk0:/anyconnect-linux-2.4.0202-k9.pkg 3
svc image disk0:/anyconnect-macosx-powerpc-2.4.0202-k9.pkg 4
svc image disk0:/anyconnect-macosx-i386-2.4.0202-k9.pkg 5
svc enable
group-policy testgroup internal
group-policy testgroup attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testgroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy NewGreg internal
group-policy NewGreg attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable
username XXXX password XXXXf0NaK03UDH9Z encrypted privilege 15
username XXXX password XXXXfuIMl2tPjQ9l encrypted privilege 10
username XXXX password XXXXCkJoG5WR0nqK encrypted
username XXXX password XXXXsP9fGsh1HcOv encrypted privilege 10
username XXXX password XXXXNuIdWs9R193B encrypted privilege 15
username XXXX password XXXXNs3zeqgG9ULH encrypted privilege 10
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool WebvpnSSL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias AnyConnect enable
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool vpnpool
default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
pre-shared-key *
tunnel-group Greg type remote-access
tunnel-group Greg general-attributes
address-pool vpnpool
default-group-policy NewGreg
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:90b7355a9e663610ff71552428f681a5
: end
You are able to ping the hosts you are trying to RDP to?
There is a problem with the nonat statement.
I think you want this:
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.1.1.0 255.255.255.0
no nat (inside) 0 XX.XX.230.156 255.255.255.252 outside
nat (inside) 1 XX.XX.230.156 255.255.255.252 outside
nat (inside) 0 access-list inside_nat0_outbound
clear xlate
ASKER
JDLoaner:
No I am not. I can only ping the internal interface on the ASA itself.
I can get to the ASA from inside the network and also from outside the company, but once I VPN from the outside I get a VPN IP address and can ping the inside interface but cannot get any further.
ASKER
ikalmar:
I actually used this link to set up the ASA originally.
If I use this
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.1.1.0 255.255.255.0
no nat (inside) 0 XX.XX.230.156 255.255.255.252 outside
nat (inside) 1 XX.XX.230.156 255.255.255.252 outside
nat (inside) 0 access-list inside_nat0_outbound
clear xlate
What do I use as the IP after the extended permit ip x.x.x.x 255.255.255.0 on these two? And also, what is the 172.168.20.0 255.255.255.0?
hi,
What do I use as the IP after the extended permit ip x.x.x.x 255.255.255.0 on these two? And also, what is the 172.168.20.0 255.255.255.0?
These are the address pools of the remote VPN clients...
ip local pool vpnpool 172.168.20.1-172.168.20.50 mask 255.255.255.0
ip local pool WebvpnSSL 172.1.1.1-172.1.1.10 mask 255.255.255.0
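The two replies above make one point: the inside network's traffic to the VPN address pools has to be excluded from NAT by a nat 0 ACL, and the 172.168.20.0/24 and 172.1.1.0/24 destinations in those ACL lines are exactly the networks that the two ip local pool statements hand out. The check below, an added example that is not from anyone in this thread, parses the relevant lines of an ASA 8.2 config, works out which client pools are not covered by a nat (inside) 0 access-list exemption, and prints the ACL lines that would cover them. The constructed CONFIG_BEFORE and CONFIG_AFTER samples are the asker's lines before and after the suggested change; taking 10.10.0.0/24 as the inside network (from the name 10.10.0.0 Internal entry and the /24 used with it in the static statement) is an assumption, as are all function names here.

```python
"""Find VPN client pools that an ASA 8.2 config does not NAT-exempt.

Added example (not from the thread). If inside -> pool traffic is not matched by
'nat (inside) 0 access-list ...', replies to VPN clients get NATed and only the
ASA's own inside interface answers pings, which is the symptom described above.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of the asker's "show run" before the fix.
CONFIG_BEFORE = """\
name 10.10.0.0 Internal
name 172.1.1.0 VPN
ip local pool vpnpool 172.168.20.1-172.168.20.50 mask 255.255.255.0
ip local pool WebvpnSSL 172.1.1.1-172.1.1.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
nat (inside) 0 XX.XX.230.156 255.255.255.252 outside
"""

# Constructed sample: the same lines after the suggested change, with x.x.x.x
# filled in as the assumed inside network (10.10.0.0/24, written via its name).
CONFIG_AFTER = """\
name 10.10.0.0 Internal
name 172.1.1.0 VPN
ip local pool vpnpool 172.168.20.1-172.168.20.50 mask 255.255.255.0
ip local pool WebvpnSSL 172.1.1.1-172.1.1.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 172.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0
nat (inside) 1 XX.XX.230.156 255.255.255.252 outside
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAME_RE = re.compile(r"^name (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def _names(config):
    """Map 'name A.B.C.D NAME' entries so ACEs may use the object names."""
    return {m.group(2): m.group(1) for line in config.splitlines()
            if (m := NAME_RE.match(line))}


def _covering_net(start, end, mask):
    """Smallest network holding the whole pool range (the pool mask wins if given)."""
    if mask:
        return ipaddress.ip_network((start, mask), strict=False)
    net = ipaddress.ip_network(start + "/32")
    while ipaddress.ip_address(end) not in net:
        net = net.supernet()
    return net


def parse_pools(config):
    """Return {pool name: covering IPv4Network} for every 'ip local pool' line."""
    pools = {}
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            name, start, end, mask = m.groups()
            pools[name] = _covering_net(start, end, mask)
    return pools


def _take_addr(tokens, i, names):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = names.get(tokens[i], tokens[i])
    return ipaddress.ip_network((addr, tokens[i + 1]), strict=False), i + 2


def nat0_exemptions(config, interface="inside"):
    """(src, dst) pairs exempted by 'nat (interface) 0 access-list X'; [] if none."""
    acl = next((m.group(2) for line in config.splitlines()
                if (m := NAT0_RE.match(line)) and m.group(1) == interface), None)
    if acl is None:
        return []  # interface/network form of nat 0 exempts nothing for the pools
    names = _names(config)
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == acl:
            tokens = m.group(2).split()
            src, i = _take_addr(tokens, 0, names)
            dst, _ = _take_addr(tokens, i, names)
            aces.append((src, dst))
    return aces


def uncovered_pools(config, inside_net):
    """Pool names whose inside_net -> pool traffic is not NAT-exempt."""
    inside = ipaddress.ip_network(inside_net)
    aces = nat0_exemptions(config)
    return sorted(name for name, pool in parse_pools(config).items()
                  if not any(inside.subnet_of(s) and pool.subnet_of(d) for s, d in aces))


def suggest_exemptions(config, inside_net, acl="inside_nat0_outbound"):
    """ASA 8.2 ACL lines that would exempt each still-uncovered pool."""
    inside = ipaddress.ip_network(inside_net)
    pools = parse_pools(config)
    return [f"access-list {acl} extended permit ip {inside.network_address} "
            f"{inside.netmask} {pools[n].network_address} {pools[n].netmask}"
            for n in uncovered_pools(config, inside_net)]


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, "uncovered pools:", uncovered_pools(cfg, "10.10.0.0/24"))
        for line in suggest_exemptions(cfg, "10.10.0.0/24"):
            print("   ", line)
```

Run against CONFIG_BEFORE it reports both pools as uncovered and prints the two access-list lines from the reply with the inside network filled in; against CONFIG_AFTER it reports nothing. The check resolves name entries, so the ACL lines can use Internal and VPN as the real config does, and _covering_net also handles a pool with no mask keyword, which matters for the 172.1.1.1-172.1.1.25 pool the asker wants later in the thread.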
ASKER
I am still not having any luck.
ASKER
ikalmar,
Do you think it would be wise to blow away the configuration I currently have and start from scratch? Is there someone who could send me a basic cookie-cutter configuration that I could set this up with? Everything I have used has not worked. I get close but never get all the way into the network.
Please show the whole config, and what do you want to reach via VPN?
Or try rebuilding the configuration.
ASKER
Maybe this will help. Here is my basic IP setup and what I need to accomplish.
My basic ip configuration looks like this:
(Static)
wan ip: 111.111.111.111
Mask: 255.255.255.252
Gateway ip: 111.111.111.157
DNS 1: 111.111.222.132
DNS 2: 111.111.222.134
(Static)
LAN IP: 192.40.39.253
mask: 255.255.255.0
I do not use DHCP for LAN. I would like to use static. I would like the static range of 192.40.39.1-192.40.39.10
Now I need to be able to have a client from outside my company use the Cisco AnyConnect VPN client to connect to my company and access the entire 10.0.0.0 internal network with Windows RDP.
I would like the VPN IP Pool to be 172.1.1.1-172.1.1.25
I also need the user to be able to use the internet while connected to this VPN.
I can completely start from scratch and load a totally new configuration to the ASA.
Thanks in advance for any help I can get; if I was not already bald I would have pulled out all my hair by now!
ASKER
If anyone can help me I would appreciate it