[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1055
  • Last Modified:

Problem with RDP on Cisco ASA 5505 When connected to VPN

I am having issues with accessing my company thrugh RDP using my Cisco ASA 5505.
I am able to connect with the any connect vpn client and I can ping the internal interface from the outside  but am unable to RDP to anything in my network.
All of my users will be accessing my company through this VPN and then RDP to servers on my network.
I am only wanting to use this ASA for VPN and RDP access to my network. This is a emergency secondary way to get to my network from the outside.

Here is my config file

Result of the command: "show run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name levelone.local
enable password XXXXwm4JELJXrOoK encrypted
passwd XXXXnbNIdI.2KYOU encrypted
names
name 10.10.0.0 Internal
name 172.1.1.0 VPN
name XX.XX.18.0 Company Name description Company Name
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address XX.XX.39.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.230.158 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone AST 3
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xx.xx.10.1
 domain-name Company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip any any
access-list outside_access_in extended permit tcp any Company 255.255.255.0 eq 3389
access-list outside_access_in extended permit tcp any XX.XX.39.0 255.255.255.0 eq ssh
access-list outside_access_in extended permit tcp any XX.XX.39.0 255.255.255.0 eq pptp
access-list outside_access_in extended permit tcp any XX.XX.39.0 255.255.255.0 eq 1701
access-list outside_access_in extended permit udp any XX.XX.39.0 255.255.255.0 eq isakmp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp VPN 255.255.255.0 any eq 3389
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit ip VPN 255.255.255.0 any
pager lines 24
logging enable
logging monitor informational
logging history warnings
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.168.20.1-172.168.20.50 mask 255.255.255.0
ip local pool WebvpnSSL 172.1.1.1-172.1.1.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (inside) 1 LevelOne-XX.XX.18.254 netmask 255.0.0.0
global (outside) 101 172.168.10.10-172.168.10.11 netmask 255.255.255.0
nat (inside) 0 XX.XX.230.156 255.255.255.252 outside
static (outside,inside) Internal VPN netmask 255.255.255.0
access-group inside_access_in in interface inside per-user-override
access-group outside_access_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 68.115.230.157 1
route inside 10.0.0.0 255.0.0.0 xx.xx.39.253 1
route outside VPN 255.255.255.0 xx.xx.39.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 email it@company.com
 subject-name CN=ciscoasa
 ip-address 74.223.115.42
 keypair xxxxxxxxxxxxxxxxxx
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 subject-name CN=ciscoasa.levelone.local,O=LevelOne,C=us
 keypair firstcentralizedleasingoffice
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 8003324b
    3082028a 308201f3 a0030201 02020480 03324b30 0d06092a 864886f7 0d010104
    05003057 3111300f 06035504 03130863 6973636f 61736131 42301a06 092a8648
    86f70d01 0908130d 37342e32 32332e31 31352e34 32302406 092a8648 86f70d01
    09021617 63697363 6f617361 2e6c6576 656c6f6e 652e6c6f 63616c30 1e170d30
    39313232 33313134 3831365a 170d3139 31323231 31313438 31365a30 57311130
    0f060355 04031308 63697363 6f617361 3142301a 06092a86 4886f70d 01090813
    0d37342e 3232332e 3131352e 34323024 06092a86 4886f70d 01090216 17636973
    636f6173 612e6c65 76656c6f 6e652e6c 6f63616c 30819f30 0d06092a 864886f7
    0d010101 05000381 8d003081 89028181 00c00607 c81076d5 dd79a844 962104da
    6d02e324 1f8ad665 d584f174 232ca340 3a2220e3 a9ff6a36 eda0489e 86bfb9dd
    2c27e439 8328c030 a6c94fad 68deb62b 13b2de3e 49bc149c fe94c2e6 73a347bb
    5265e1d4 2ea46606 008253ba 1b6c2f1c 4db8c4cd c9ffae72 02f51423 2369241e
    8da2d611 e1249ca6 4e5bda4e ad80d811 8b020301 0001a363 3061300f 0603551d
    130101ff 04053003 0101ff30 0e060355 1d0f0101 ff040403 02018630 1f060355
    1d230418 30168014 4429d9ed 3f769d7b 18fdd9b2 4e373480 a0faa1ab 301d0603
    551d0e04 16041444 29d9ed3f 769d7b18 fdd9b24e 373480a0 faa1ab30 0d06092a
    864886f7 0d010104 05000381 81003d1c b1245d83 14b35ee5 d1535477 24675a98
    2cf160f6 1749ed84 8f6d547a 4c1e95ee 24371061 62eb081c 2e19652e c8ea0ce4
    dc6839fa bcb74700 d2c45eb0 f70273ac 9d90a8f0 3de2132c e8fd48d5 7cd7baa1
    320cd868 61690762 6e138859 4a4330d4 83dd08ee a3fcf2e3 cfaee47a 512b28ca
    02fd5a5f 1b856108 f96821c9 6960
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 10
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcp-client broadcast-flag
dhcpd auto_config outside
!
dhcpd dns xx.xx.1.225 interface inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
 svc image disk0:/anyconnect-dart-win-2.4.0202-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.4.0202-k9.pkg 3
 svc image disk0:/anyconnect-macosx-powerpc-2.4.0202-k9.pkg 4
 svc image disk0:/anyconnect-macosx-i386-2.4.0202-k9.pkg 5
 svc enable
group-policy testgroup internal
group-policy testgroup attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy NewGreg internal
group-policy NewGreg attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
  svc ask enable
username XXXX password XXXXf0NaK03UDH9Z encrypted privilege 15
username XXXX password XXXXfuIMl2tPjQ9l encrypted privilege 10
username XXXX password XXXXCkJoG5WR0nqK encrypted
username XXXX password XXXXsP9fGsh1HcOv encrypted privilege 10
username XXXX password XXXXNuIdWs9R193B encrypted privilege 15
username XXXX password XXXXNs3zeqgG9ULH encrypted privilege 10
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool WebvpnSSL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias AnyConnect enable
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool vpnpool
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
tunnel-group Greg type remote-access
tunnel-group Greg general-attributes
 address-pool vpnpool
 default-group-policy NewGreg
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:90b7355a9e663610ff71552428f681a5
: end
0
L1Technology
Asked:
L1Technology
  • 8
  • 6
1 Solution
 
JDLoanerCommented:
You are able to ping the hosts you are trying to RDP to?
0
 
Istvan KalmarCommented:
there is a problem with nonat statement
0
 
Istvan KalmarCommented:
I think you want this:

access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.168.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.1.1.0 255.255.255.0

no nat (inside) 0 XX.XX.230.156 255.255.255.252 outside
nat (inside) 1 XX.XX.230.156 255.255.255.252 outside
nat (inside) 0 access-list inside_nat0_outbound

clear xlate



0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
L1TechnologyAuthor Commented:
JDLoaner;

No I am not. I can only ping the internal interface on the ASA itself.
I can get to the ASA from the inside the network and also from outside the comapny but once I vpn from the outside I get a VPN ipaddress and can ping the inside interface but can not get any further.
0
 
Istvan KalmarCommented:
Please read this article for more information:

http://www.petenetlive.com/KB/Article/0000070.htm
0
 
L1TechnologyAuthor Commented:
ikalmar:

I actually used this link to set up the ASA origionally.
 If I use this
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.168.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip x.x.x.x 255.255.255.0 172.1.1.0 255.255.255.0

no nat (inside) 0 XX.XX.230.156 255.255.255.252 outside
nat (inside) 1 XX.XX.230.156 255.255.255.252 outside
nat (inside) 0 access-list inside_nat0_outbound

clear xlate

What do I use as the IP after the extended permit ip x.x.x.x 255.255.255.0 on thse two? and also what is the 172.168.20.0 255.255.255.0 ?
0
 
Istvan KalmarCommented:
hi,


What do I use as the IP after the extended permit ip x.x.x.x 255.255.255.0 on thse two? and also what is the 172.168.20.0 255.255.255.0 ?

this is tha address pools of remote vpn client...

ip local pool vpnpool 172.168.20.1-172.168.20.50 mask 255.255.255.0
ip local pool WebvpnSSL 172.1.1.1-172.1.1.10 mask 255.255.255.0
0
 
L1TechnologyAuthor Commented:
I am still not having any luck.
0
 
L1TechnologyAuthor Commented:
ikalmar,

Do you think it would be wise to blow away the configuration I currently have and start from sratch? Is there some one who could send me a bsic cookie cutter configuration that  Icould set this up with? Every thing I have used has not worked. I get close but never get all the way in to the network.
0
 
Istvan KalmarCommented:
please show the whole config, and what do you want to reah via VPN?

or try rebulid the configuration
0
 
L1TechnologyAuthor Commented:
maybe this will help. Here is my basic ip setup and what i need to accomplish

My basic ip configuration looks like this:
(Static)
wan ip: 111.111.111.111
Mask: 255.255.255.252
Gateway ip: 111.111.111.157
DNS 1: 111.111.222.132
DNS 2: 111.111.222.134

(Static)
LAN IP: 192.40.39.253
mask: 255.255.255.0
I do not use DHCP for LAN. I would like to use static. I would like the static range of 192.40.39.1-192.40.39.10


Now I need to be able to have a client from outside my company use the Cisco anyConnect VPN client to connect to my company and access the entire 10.0.0.0.internal network with Windows RDP
I would like the VPN IP Pool to be 172.1.1.1-172.1.1.25

I also need the user to be able to use the internet while connected to this VPN.

I can completely start from scratch and load a totally new configuration to the ASA.

Thanks in advance for any help I can get, if  Iwas not already bald I would have pulled out all my hair by now!

0
 
L1TechnologyAuthor Commented:
If anyone can help me I would appreciate it
0
 
Istvan KalmarCommented:
please show us the running config, and please show us :

sh cry isa sa
sh cry ips sa

when you connected, an probing rdp
0
 
L1TechnologyAuthor Commented:
n/a
0
 
L1TechnologyAuthor Commented:
N/A
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 8
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now