Go Premium for a chance to win a PS4. Enter to Win


Issues with Cisco routing and MPLS network

Posted on 2014-02-14
Medium Priority
Last Modified: 2014-02-21

We just changed internet companies recently.  I have attached a diagram of our new MPLS network.  I edited some private info but you should get an idea of what kind of service we get from our ISP.  We have managed to configure our ASA 5505 router to give internet access to all our remote location (the internet resides on our main site on the left of the diagram).  Computers can also ping each other both way from the main site and remote location.  But for whatever reason we are unable to remote desktop from one site to the other.  Here is the copy of the ASA configuration...

Just to make it a little clearer we have a pc on the main site with IP  I can remote desktop to that computer with no issues when I use the outside interface IP (public IP).  So I know the computer is listening on port 3389.  But yet when I try to remote desktop from a computer on the 192.168.2.x network I get no answer.

PLS Help


If you are in the Montreal, PQ,  we might have something for you if you are interested.

ASA Version 8.2(5)
hostname ciscoasa
domain-name XXXX
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxx
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq 3389
access-list test extended permit ip host host
access-list test extended permit ip host host
access-list test extended permit ip host host
access-list test extended permit ip host host
pager lines 24
logging enable
logging buffer-size 16384
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface 3389 3389 netmask
static (inside,inside) netmask
static (inside,inside) netmask
static (inside,inside) netmask
static (inside,inside) netmask
access-group outside_access_in in interface outside
route outside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http inside
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 524efb52
    308201d9 30820142 a0030201 02020452 4efb5230 0d06092a 864886f7 0d010105
    05003031 3111300f 06035504 03130863 6973636f 61736131 1c301a06 092a8648
    86f70d01 0902160d 63697363 6f617361 2e535042 30301e17 0d313430 32313231
    30343434 315a170d 32343032 31303130 34343431 5a303131 11300f06 03550403
    13086369 73636f61 7361311c 301a0609 2a864886 f70d0109 02160d63 6973636f
    6173612e 53504230 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081
    89028181 00a3e612 b5038e33 58fe836d f6cc292e 44de4b4b 35a05e90 f9bf6a98
    18b6f3f8 f4d0ca31 5eb1d887 6e41561f 72047b33 caacc4ee 04077fdf b9fe7079
    eaa50ee9 f8fdf40d ff231f0d e9431ecb fa4e5286 3b004a10 6c314ec7 92257535
    2c62febd 29236739 bc537b9f bd0a56d9 35dfd8e4 bb664735 8d60e8e0 cb688533
    d3b8f97d e3020301 0001300d 06092a86 4886f70d 01010505 00038181 0096022f
    5530ee71 31df0a76 d6ac123b 2af15592 76487777 b6f72976 25083858 2ff2e47d
    3e222358 da252686 f0789a43 66f0bc7d 24d1ccea 7e8dcd6b 1ab10bf2 20e1dc54
    a24e4423 1456db47 fa3d82c8 da04fbf1 c3f63c1a 87fb2f48 be1f3715 0b333236
    30fb811d 854321b3 09d24306 94720cba 005049f4 2ee08ee1 ae8224ed 52
telnet timeout 5
ssh inside
ssh outside
ssh timeout 30
console timeout 0
dhcpd dns
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username root password xxxxxxxxxxxx encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
Question by:LVMB1417
  • 6
  • 6
LVL 47

Expert Comment

by:Craig Beck
ID: 39860206
You'll need some routing configured if your ASAs can see each-other directly over the MPLS.

Each ASA will need to know which other ASA it needs to go through to get to each 192.168.x network.

You'll also need to create some no-nat rules on each ASA so you don't NAT traffic to the 192.168.x subnets.

Author Comment

ID: 39860220
Understand that on each of our remote sites our ISP handles the DHCP with their equipment.  Only on the main site do we need our own Firewall.  Not sure why you are talking about 2 ASA.
LVL 47

Expert Comment

by:Craig Beck
ID: 39860223
Ok so if you don't have a firewall at each site the routing should be sorted by the ISP if they manage the routers at each site.

You just need to make sure traffic leaving the main site isn't being NAT'ed when it goes to the remote sites.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39860247
Any idea on how to configure the ASA?  And why can I ping from one site to the other but no luck with RDP or SMB?
LVL 47

Expert Comment

by:Craig Beck
ID: 39860288
I think you need to look at the design again.

If I'm looking at it correctly you have two links from the Longueuil LAN to the internet - one via the ASA and one via the router directly??

So what I think is happening is all traffic on your LAN at Longueuil is using the ASA as the default gateway.  When traffic comes to the outside interface of the ASA, NAT translates the traffic, and the internal hosts send the return traffic via the ASA.

The issue here is that when you try to use the internal IP address the traffic is going directly towards the Longueuil LAN via the ISP router.  All return traffic will go via the ASA though, so the routing gets broken.

As a test, change the default gateway on the RDP server to and try again from a remote site.

Author Comment

ID: 39860400
To make it a little clearer...  We were given at the main site an Cisco switch by our ISP.  Port 1 is used to connect that switch to the fiber POI of the ISP.  Port 2 is giving us access to the internet. (If I setup a pc with a static public ip in the range given to us by the ISP with the public gateway  we have access to the internet.)  Port 3 is the port that I can use if I want to communicate with my remote location.  So our challenge is to connect port 2 (internet) to eth0, and port 3 to eth1.  

I dont know if that is clear,  and so far everything is ok as per the remote site connecting to the internet as well as seeing the pc on the different subnet.  But that is it after that...  Why can't I remote desktop???
LVL 47

Expert Comment

by:Craig Beck
ID: 39860409
Do a traceroute from each site to a remote PC.  Post the result here.

Author Comment

ID: 39860466
Here you go...

Author Comment

ID: 39860469
By the way it is from
LVL 47

Expert Comment

by:Craig Beck
ID: 39860492
Ok and what about the other way from to

Author Comment

ID: 39860506
Unfortunately I am not on site so I no longer have access to the machine...  Doesn't really matter,  I have access to the pc and I cannot RDP to the pc.  If I solve that then it should work both ways...
LVL 47

Accepted Solution

Craig Beck earned 2000 total points
ID: 39860529
That's what we're trying to solve.  Just because ICMP works doesn't mean that TCP-based traffic will.

I need to see which way the traffic comes back from the 2.102 PC - that is important.  I can wait until you can get to the PC to do the traceroute.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question