asked on Cisco ASA 5505 Remote VPN Issue with Remote Desktop
I need to be able to VPN to my computer at home from school. Actually all I want to do is to connect to home and then Remote Desktop to my computer. I know nothing about this ASA thing. My dad set it up but he is in Iraq. My school has a VPN so I kinda know how it should work. Can you help me?
Here's what I did. I found this VPN wizard in the ASA and I went through it. I got some help from a guy that works on our computers at school but we can't make it work :(
I have the Cisco VPN client on my laptop I take to school. I tried connecting and it seems to work. For some reason I cannot remote desktop to my computer. I know how to paste the config stuff so here it is:
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password U9kSw encrypted
passwd 2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.2.1-192.168.2.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
ntp server 192.43.244.18 source outside prefer
group-policy VPNTunnelGroup internal
group-policy VPNTunnelGroup attributes
vpn-tunnel-protocol IPSec
username sdrach password cJX3yi encrypted privilege 0
username sdrach attributes
vpn-group-policy VPNTunnelGroup
tunnel-group VPNTunnelGroup type ipsec-ra
tunnel-group VPNTunnelGroup general-attributes
address-pool VPNPool
default-group-policy VPNTunnelGroup
tunnel-group VPNTunnelGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ecd148d7e2
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Thanks!
Ashleigh
Here's what I did. I found this VPN wizard in the ASA and I went through it. I got some help from a guy that works on our computers at school but we can't make it work :(
I have the Cisco VPN client on my laptop I take to school. I tried connecting and it seems to work. For some reason I cannot remote desktop to my computer. I know how to paste the config stuff so here it is:
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password U9kSw encrypted
passwd 2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.2.1-192.168.2.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
ntp server 192.43.244.18 source outside prefer
group-policy VPNTunnelGroup internal
group-policy VPNTunnelGroup attributes
vpn-tunnel-protocol IPSec
username sdrach password cJX3yi encrypted privilege 0
username sdrach attributes
vpn-group-policy VPNTunnelGroup
tunnel-group VPNTunnelGroup type ipsec-ra
tunnel-group VPNTunnelGroup general-attributes
address-pool VPNPool
default-group-policy VPNTunnelGroup
tunnel-group VPNTunnelGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ecd148d7e2
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Thanks!
Ashleigh
CiscoVPNHardware Firewalls
Last Comment
Qlemo
ASKER
Yes it is remote VPN. That's not my issue. My issue is connecting to our ASA at home from school. Or connecting to it from anywhere else. I tried from a friends house also.
ASKER
I should add that the VPN connects but I can't remote desktop to the computer in my bedroom.
I will assume you can RDP successfully within your home network.
Once you successfully connect to your VPN (1) are you getting the IP address you expect, (2) can you reach any part of your internal network?
Once you successfully connect to your VPN (1) are you getting the IP address you expect, (2) can you reach any part of your internal network?
ASKER
Yes, we have 3 computers at home and I can remote desktop from any one of them to my computer in the bedroom.
(1) I am getting the IP address of 192.168.2.1 on my laptop when I am connected to the VPN. My computer at home is 192.168.1.2
(2) I can't remote desktop to any of the computers at home when I'm on the VPN. I tried doing a ping of the computer while I was on the VPN.
c:/>ping 192.168.1.2
and it says timed out.
(1) I am getting the IP address of 192.168.2.1 on my laptop when I am connected to the VPN. My computer at home is 192.168.1.2
(2) I can't remote desktop to any of the computers at home when I'm on the VPN. I tried doing a ping of the computer while I was on the VPN.
c:/>ping 192.168.1.2
and it says timed out.
Give this command this command will bypass the access-list that is applied to the interface
ASA(config)#sysopt connection permit-ipsec
ASA(config)#sysopt connection permit-ipsec
try after adding the below command
crypto isakmp nat-traversal 60
crypto isakmp nat-traversal 60
also make sure that u have enabled transparent tunneling in ur VPN client
Untitled.gif
Untitled.gif
+
check the gateway of your pCs at home . it has to be 192.168.1.253
check the gateway of your pCs at home . it has to be 192.168.1.253
ASKER
Ok I added sudeep_mib suggestion:
ASA(config)#sysopt connection permit-ipsec
It still doesn't work. I will try anoopkmr suggestion next. I want to only do one thing at a time so I know in the end what made it work.
All our PC's at home show the gateway is 192.168.1.253. Also in the software the "Enable Transparent Tunneling" box is checked.
When I check the IP settings on the VPN I get this.
ipconfig.JPG
ASA(config)#sysopt connection permit-ipsec
It still doesn't work. I will try anoopkmr suggestion next. I want to only do one thing at a time so I know in the end what made it work.
All our PC's at home show the gateway is 192.168.1.253. Also in the software the "Enable Transparent Tunneling" box is checked.
When I check the IP settings on the VPN I get this.
ipconfig.JPG
ASKER
did u add my nat-traversla comand on asa
if so
give me the output of "show crypto ipsec sa" while testing
if so
give me the output of "show crypto ipsec sa" while testing
ASKER
I added that command and I will try it at school tomorrow.
ASKER
Ok I tried it and it still doesn't work. When you say, "give me the output of "show crypto ipsec sa" while testing"" do mean I should enter that command on the ASA while my laptop is connected to the VPN.
ASKER
Here is the newest config:
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password yU9kSw encrypted
passwd 2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network VPNPool
network-object 192.168.2.0 255.255.255.248
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.248
access-list outside_cryptomap extended permit ip any 192.168.2.0 255.255.255.248
access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPool
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool RemotePool 192.168.2.1-192.168.2.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
ntp server 192.43.244.18 source outside prefer
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteVPN_splitTunnelAcl
username sdrach password JX3yi encrypted privilege 0
username sdrach attributes
vpn-group-policy RemoteVPN
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
address-pool RemotePool
default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
Thanks,
Sandy