Site A (VPN L2L 5505) to Site B (L2L VPN) to Router to remote Router

First off thank you ahead of time for reading this and, hopefully, helping.
Our network has a colo. At our colo we use a 5510 ASA running 8.2. This ASA handles multiple L2L VPN connections for our main office and branch offices.
One particular site just uses a switch and an L2L VPN that connects to our colo. Our main office connects to our colo via a DS3 connection on our router. My goal is this:

Site A (L2L VPN) ---> Site B( ASA at Colo) -->Site B (Router at Colo) ---> Site C (Branch Router that has DS3 connection)

I want Site A to be able to remote into Site C, as well as Site C to be able to remote into Site A, using RDP.

Please let me know if you need me to attach a sanitized copy of our configuration.
Thanks,
RenoGryphon asked:

Dash Amr (Senior Specialist, PM) commented:
I think you are looking at enabling RDP on your ASA between Site A and Site C.


Have a look at this it might help you.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml
0
RenoGryphon (Author) commented:
Thanks for the link. I'm wondering would I need to configure this on our Colo ASA or on Site A's ASA?

Site C's subnet 172.18.0.0 needs to be able to initiate an RDP connection to Site C subnet 172.16.11.0.
0
Dash Amr (Senior Specialist, PM) commented:
You need to configure the Site A ASA, and from Site C you should be able to RDP without any problem.
0

RenoGryphon (Author) commented:
Thank you again. Sorry about the typo. I meant Site C RDP to Site A. I'll give it a shot and let you know if that resolves the issue.
0
Dash Amr (Senior Specialist, PM) commented:
Sure thing :)
0
RenoGryphon (Author) commented:
Didn't seem to resolve the issue.
Here are the commands I configured for SiteA ASA (inside subnet 172.16.11.0/24), based on the Cisco article. Not sure what I'm missing.

SiteA-ASA (172.18.0.0/16 is the Site C subnet):
static (inside,outside) interface 172.16.11.226 netmask 255.255.255.255
access-list outside-in extended permit tcp 172.18.0.0 255.255.0.0 interface outside object-group RDP
access-group outside-in in interface outside

Packet-tracer output:
packet-tracer input inside tcp 172.18.0.10 3389 172.16.11.226 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.11.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
             
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Site B (ASA) packet-tracer output:
packet-tracer input inside tcp 172.18.0.10 3389 172.16.11.226 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
0
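Reading the two packet-tracer outputs above by hand is fine once, but tedious when you are iterating on an ACL. The Python below is an added example, not code from this thread or from Cisco: it parses packet-tracer output into its numbered phases and the final result block, returns the first phase that reported DROP together with the drop reason, and flags a trace whose input and output interface are the same. That last condition is what the Site A trace shows: the simulated source 172.18.0.10 was injected on `inside` and the route lookup sent it back out `inside`, so the flow hairpins and never reaches the `outside-in` ACL. The two sample traces are constructed, trimmed copies of the ones posted above; the function names and the `Phase`/`Trace` structures are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Site A trace posted above, trimmed to the two phases that matter.
SAMPLE_DROP = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in   172.16.11.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: the Site B (colo ASA) trace, trimmed to its CONN-SETTINGS phase.
SAMPLE_ALLOW = """\
Phase: 3
Type: CONN-SETTINGS
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

@dataclass
class Phase:
    number: int
    ptype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    phases: list = field(default_factory=list)
    final: dict = field(default_factory=dict)   # key/value pairs after the bare "Result:"

def parse_packet_tracer(text):
    """Split packet-tracer output into numbered phases plus the final result block."""
    trace, phase, section, in_final = Trace(), None, None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "Result:":                    # the bare "Result:" opens the summary block
            in_final = True
        elif in_final:
            key, _, value = line.partition(":")
            trace.final[key.strip()] = value.strip()
        elif m := re.match(r"Phase:\s*(\d+)", line):
            phase = Phase(int(m.group(1)))
            trace.phases.append(phase)
            section = None
        elif phase is None:
            continue                             # text before the first phase (command echo etc.)
        elif line.startswith("Type:"):
            phase.ptype = line[5:].strip()
        elif line.startswith("Result:"):
            phase.result = line[7:].strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section == "config":
            phase.config.append(line)
        elif section == "info":
            phase.info.append(line)
    return trace

def first_drop_phase(trace):
    """The first phase whose Result is DROP, or None if every phase allowed the flow."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)

def diagnose(trace):
    """Findings an admin wants before touching a rule: where it dropped, why, and whether it hairpins."""
    findings = []
    if (p := first_drop_phase(trace)) is not None:
        findings.append(f"dropped in phase {p.number} ({p.ptype}): {'; '.join(p.config) or 'no config shown'}")
        findings.append("drop-reason: " + trace.final.get("Drop-reason", "not reported"))
    inp, out = trace.final.get("input-interface"), trace.final.get("output-interface")
    if inp and inp == out:
        findings.append(f"input and output interface are both '{inp}' (hairpin): check the simulated "
                        "ingress interface and the same-security-traffic setting")
    return findings

if __name__ == "__main__":
    for name, text in (("Site A", SAMPLE_DROP), ("Site B", SAMPLE_ALLOW)):
        print(name, diagnose(parse_packet_tracer(text)) or ["allowed, nothing to flag"])
```

Run as-is it reports the Site A trace as dropped in phase 3 by the implicit rule, with the hairpin flag, and the Site B trace as clean. For traffic that arrives over the L2L tunnel, the ingress interface in the simulation should be `outside`, so the trace exercises the `outside-in` ACL rather than an inside-to-inside path.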
RenoGryphon (Author) commented:
Still waiting on some further input, if anyone can help. Thanks ahead of time.
0
RenoGryphon (Author) commented:
I figured it out!

Here are the necessary commands I needed:
CiscoASA(config)#class-map rdpmss
CiscoASA(config-cmap)#match access-list outside_in
CiscoASA(config-cmap)#exit
CiscoASA(config)#tcp-map mss-map
CiscoASA(config-tcp-map)#exceed-mss allow
CiscoASA(config-tcp-map)#exit
CiscoASA(config)#policy-map rdpmss
CiscoASA(config-pmap)#class rdpmss
CiscoASA(config-pmap-c)#set connection advanced-options mss-map
CiscoASA(config-pmap-c)#exit
CiscoASA(config-pmap)#exit
CiscoASA(config)#service-policy rdpmss interface outside

Also, I need to add a few ACLs on the branch ASA and Colo ASA. Thank you again for your help!
0

Dash Amr (Senior Specialist, PM) commented:
Any Time :)
0
RenoGryphon (Author) commented:
Due to this configuration I was able to resolve the issue.
0