Solved

Cisco ASA 5505 Remote VPN Issue with Remote Desktop

Posted on 2010-09-05
18
694 Views
Last Modified: 2012-05-10
I need to be able to VPN to my computer at home from school. Actually all I want to do is to connect to home and then Remote Desktop to my computer. I know nothing about this ASA thing. My dad set it up but he is in Iraq. My school has a VPN so I kinda know how it should work. Can you help me?

Here's what I did. I found this VPN wizard in the ASA and I went through it. I got some help from a guy that works on our computers at school but we can't make it work :(

I have the Cisco VPN client on my laptop I take to school. I tried connecting and it seems to work. For some reason I cannot remote desktop to my computer. I know how to paste the config stuff so here it is:

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password U9kSw encrypted
passwd 2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPool 192.168.2.1-192.168.2.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

ntp server 192.43.244.18 source outside prefer
group-policy VPNTunnelGroup internal
group-policy VPNTunnelGroup attributes
 vpn-tunnel-protocol IPSec
username sdrach password cJX3yi encrypted privilege 0
username sdrach attributes
 vpn-group-policy VPNTunnelGroup
tunnel-group VPNTunnelGroup type ipsec-ra
tunnel-group VPNTunnelGroup general-attributes
 address-pool VPNPool
 default-group-policy VPNTunnelGroup
tunnel-group VPNTunnelGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ecd148d7e298c2b3a17871a400f620e
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Thanks!
Ashleigh

0
Comment
Question by:Ashleigh_
  • 9
  • 4
  • 2
  • +2
18 Comments
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 33610464
What kind og vpn your school is having ? Is it Remote VPN ?

Thanks,
Sandy
0
 

Author Comment

by:Ashleigh_
ID: 33612206
Yes it is remote VPN. That's not my issue. My issue is connecting to our ASA at home from school. Or connecting to it from anywhere else. I tried from a friends house also.
0
 

Author Comment

by:Ashleigh_
ID: 33612225
I should add that the VPN connects but I can't remote desktop to the computer in my bedroom.
0
 
LVL 4

Expert Comment

by:lpacker
ID: 33612325
I will assume you can RDP successfully within your home network.
Once you successfully connect to your VPN (1) are you getting the IP address you expect, (2) can you reach any part of your internal network?
 
0
 

Author Comment

by:Ashleigh_
ID: 33613209
Yes, we have 3 computers at home and I can remote desktop from any one of them to my computer in the bedroom.

(1) I am getting the IP address of 192.168.2.1 on my laptop when I am connected to the VPN. My computer at home is 192.168.1.2

(2) I can't remote desktop to any of the computers at home when I'm on the VPN. I tried doing a ping of the computer while I was on the VPN.

c:/>ping 192.168.1.2

and it says timed out.
0
 
LVL 3

Expert Comment

by:sudeep_mib
ID: 33615385
Give this command this command will bypass the access-list that is applied to the interface

ASA(config)#sysopt connection permit-ipsec

0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33620754
try after adding the below command

crypto isakmp nat-traversal 60
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33620787
also make sure that u have  enabled transparent tunneling in ur VPN client
Untitled.gif
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 14

Expert Comment

by:anoopkmr
ID: 33620801
+

check the gateway of your pCs at home . it has to be 192.168.1.253
0
 

Author Comment

by:Ashleigh_
ID: 33627196
Ok I added sudeep_mib suggestion:

ASA(config)#sysopt connection permit-ipsec

It still doesn't work. I will try anoopkmr suggestion next. I want to only do one thing at a time so I know in the end what made it work.

All our PC's at home show the gateway is 192.168.1.253. Also in the software the "Enable Transparent Tunneling" box is checked.

When I check the IP settings on the VPN I get this.

ipconfig.JPG
0
 

Author Comment

by:Ashleigh_
ID: 33627250
Here are my settings. I have Local LAN Access checked. Is that wrong?

cisco.JPG
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33627793
did u  add my nat-traversla comand on asa

if so
give me the output of "show crypto ipsec sa" while testing

0
 

Author Comment

by:Ashleigh_
ID: 33633182
I added that command and I will try it at school tomorrow.
0
 

Author Comment

by:Ashleigh_
ID: 33636449
Ok I tried it and it still doesn't work. When you say, "give me the output of "show crypto ipsec sa" while testing"" do mean I should enter that command on the ASA while my laptop is connected to the VPN.
0
 

Author Comment

by:Ashleigh_
ID: 33638303
Here is the newest config:


: Saved

:

ASA Version 7.2(4) 

!

hostname ciscoasa

domain-name default.domain.invalid

enable password yU9kSw encrypted

passwd 2KYOU encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.1.253 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

object-group network VPNPool

 network-object 192.168.2.0 255.255.255.248

access-list RemoteVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.248 

access-list outside_cryptomap extended permit ip any 192.168.2.0 255.255.255.248 

access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPool 

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool RemotePool 192.168.2.1-192.168.2.5 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

client-update enable

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!



ntp server 192.43.244.18 source outside prefer

group-policy RemoteVPN internal

group-policy RemoteVPN attributes

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value RemoteVPN_splitTunnelAcl

username sdrach password JX3yi encrypted privilege 0

username sdrach attributes

 vpn-group-policy RemoteVPN

tunnel-group RemoteVPN type ipsec-ra

tunnel-group RemoteVPN general-attributes

 address-pool RemotePool

 default-group-policy RemoteVPN

tunnel-group RemoteVPN ipsec-attributes

 pre-shared-key *

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

  inspect icmp 

  inspect icmp error 

!

service-policy global_policy global

prompt hostname context 

Cryptochecksum:

: end

asdm image disk0:/asdm-524.bin

no asdm history enable

Open in new window

0
 

Accepted Solution

by:
Ashleigh_ earned 0 total points
ID: 33756360
The IT guy at my school looked at this config and said it should be working. He thought the software on the ASA was bad. So he showed me how to update it. I went home and updated it to 8.3(2) from 7.2(4) and the VPN magically started working.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 34376070
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Juniper VPN devices are a popular alternative to using Cisco products. Last year I needed to set up an international site-to-site VPN over the Internet, but the client had high security requirements -- FIPS 140. What and Why of FIPS 140 Federa…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now