RenoGryphon
Site A (VPN L2L 5505) to Site B (L2L VPN) to Router to remote Router

First off thank you ahead of time for reading this and, hopefully, helping.
Our network has a colo. At our colo we use a 5510 ASA running 8.2. This ASA handles multiple L2L VPN connections for our main office and all branch offices.
One particular site just uses a switch and L2L VPN that connect to our Colo. Our main office connects to our Colo via DS3 connection on our router. My goal is this:

Site A (L2L VPN) ---> Site B( ASA at Colo) -->Site B (Router at Colo) ---> Site C (Branch Router that has DS3 connection)

I want Site A to be able to remote into Site C, as well as Site C to be able to remote into Site A, using RDP.

Please let me know if you need me to attach a sanitized copy of our configuration.
Thanks,
Dash Amr

I think you're looking at enabling RDP on your ASA between Site A and Site C.


Have a look at this it might help you.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml
RenoGryphon

ASKER

Thanks for the link. I'm wondering would I need to configure this on our Colo ASA or on Site A's ASA?

Site C's subnet 172.18.0.0 needs to be able to initiate an RDP connection to Site C subnet 172.16.11.0.
You need to configure the Site A ASA, and within Site C you should be able to RDP without any problem.
Thank you again. Sorry about the typo. I meant Site C RDP to Site A. I'll give it a shot and let you know if that resolves the issue.
Sure thing :)
Didn't seem to resolve the issue.
Here are the commands I configured for SiteA ASA (inside subnet 172.16.11.0/24), based on the Cisco article. Not sure what I'm missing.

SiteA-ASA:
! Static NAT: present the inside RDP host on the outside interface address
static (inside,outside) interface 172.16.11.226 netmask 255.255.255.255

! 172.18.0.0/16 is the Site C subnet; object-group RDP holds the RDP port(s)
access-list outside-in extended permit tcp 172.18.0.0 255.255.0.0 interface outside object-group RDP

access-group outside-in in interface outside

Site A (ASA) packet-tracer output:
packet-tracer input inside tcp 172.18.0.10 3389 172.16.11.226 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.11.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
             
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Site B (ASA) packet-tracer output:
packet-tracer input inside tcp 172.18.0.10 3389 172.16.11.226 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Still waiting on some further input, if anyone can help. Thanks ahead of time.
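As an added example (not code from this thread, from Cisco, or from any poster), here is a small Python parser for the packet-tracer output format quoted above. It splits the text into its Phase blocks and the final Result block, finds the phase that returned DROP, and reports the verdict together with the ingress and egress interfaces. Run over the Site A trace it shows Phase 3 (ACCESS-LIST, Implicit Rule) as the deciding phase, and that ingress and egress are both inside, which matches the command that produced it: the packet was injected on inside with a Site C source address, whereas real traffic from Site C would arrive on outside through the tunnel, so the test exercises the inside ACL rather than the outside-in rule being added. The two sample traces are copied from the thread and shortened; the function and dictionary key names are my own.

```python
# Constructed sample input: the Site A trace quoted above (blank lines removed, result block shortened).
SITE_A_TRACE = """\
packet-tracer input inside tcp 172.18.0.10 3389 172.16.11.226 3389
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.11.0     255.255.255.0   inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample input: the Site B trace quoted above, shortened to its first phase and verdict.
SITE_B_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Result:
input-interface: inside
output-interface: outside
Action: allow
"""


def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase:' block plus the final 'Result:' block."""
    phases, summary, phase, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            phase = {"number": int(value), "type": "", "subtype": "", "result": "",
                     "config": [], "info": []}
            phases.append(phase)
            section = None
        elif section == "summary":
            summary[key] = value                 # input-interface, output-interface, Action, Drop-reason
        elif key == "Result" and not value:
            section = "summary"                  # a bare "Result:" starts the final verdict block
        elif phase is None:
            continue                             # the echoed command line before Phase 1
        elif key in ("Type", "Subtype", "Result"):
            phase[key.lower()] = value
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section:
            phase[section].append(line)          # free-text lines under Config / Additional Information
    return phases, summary


def diagnose(text):
    """Summarise a trace: verdict, the first DROP phase, and the ingress/egress pair."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "action": summary.get("Action"),
        "phases": len(phases),
        "drop_phase": drop["number"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_config": " ".join(drop["config"]) if drop else None,
        "drop_reason": summary.get("Drop-reason"),
        "ingress": summary.get("input-interface"),
        "egress": summary.get("output-interface"),
        # Equal ingress and egress: the simulated packet would leave by the interface it entered.
        "same_interface": summary.get("input-interface") == summary.get("output-interface"),
    }


if __name__ == "__main__":
    for name, trace in (("Site A", SITE_A_TRACE), ("Site B", SITE_B_TRACE)):
        print(name, diagnose(trace))
```

Paste any other packet-tracer output into `diagnose()` as a string; the `same_interface` flag is worth checking first, because a trace whose ingress equals its egress was either injected on the wrong interface or describes traffic that would need to turn around on one interface, and neither case tests the tunnel-to-tunnel path this thread is about.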
ASKER CERTIFIED SOLUTION
RenoGryphon

Any Time :)
Due to this configuration I was able to resolve the issue.