VPN issue also, can connect but cannot RDP to server

Unanswered Question
Aug 4th, 2007

I have an ASA 5510 that is an endpoint for two site to site VPN tunnels.

It is in our corporate office and I need to VPN to the ASA and be able to RDP to some servers. I can connect L2TP to ASA 5510 with Microsoft client on Windows XP workstation SP2. I cannot RDP to any servers though.And I can't ping any servers other than the GW [the inside interface of the ASA] Any help would be appreciated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mattiaseriksson Sat, 08/04/2007 - 13:14

Hi, try to change your vpn pool to something that is not being used, for example:

ip local pool VPNpool mask

And add it to the nonat access list:

access-list nonat extended permit ip

ptlane123 Sat, 08/04/2007 - 13:39

Thanks, it didn't work.

I still can't RDP or ping any servers once I'm connected.

mattiaseriksson Sat, 08/04/2007 - 15:09

Ok, it should probably work either way.

Can you show some info about the tunnel:

show vpn-sessiondb detail remote filter protocol L2TPOverIPSec

ptlane123 Sat, 08/04/2007 - 15:26

Here it is. I just connected from my WS with the VPN I setup and here is what I got:

FW2# show vpn-sessiondb detail remote filter protocol L2TPOverIPSec

INFO: There are presently no active sessions of the type specified

How can this be?

Thanks for you assistance.

mattiaseriksson Sat, 08/04/2007 - 15:32

What about show crypto ipsec sa and show crypto isakmp sa?

You can also run debug crypto ipsec 7 and debug crypto isakmp 7 to get more information.

mattiaseriksson Sat, 08/04/2007 - 16:07

It looks like nat-t is used.

Try this: show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNAtT

mattiaseriksson Sun, 08/05/2007 - 00:39

It looks ok.

Check the logfile during a test, to see what happens with the return packets. Do your servers know how to reach the network?

TX and RX counters are incrementing, but that is when you ping the firewall itself?

Check for dropped packet from internal servers in the logfile. If they get sent out to the tunnel without NAT applied, it should be a client side problem.

ptlane123 Sun, 08/05/2007 - 02:57

What can I add on the ASA to allow the .2 subnet to access the .3 subnet?


ptlane123 Sun, 08/05/2007 - 12:52

The sales folks are connecting from all over. In the Microsoft client, there is no place to add a gateway.


This Discussion