VPN issue also, can connect but cannot RDP to server

Aug 4th, 2007
I have an ASA 5510 that is an endpoint for two site to site VPN tunnels.

It is in our corporate office and I need to VPN to the ASA and be able to RDP to some servers. I can connect L2TP to the ASA 5510 with the Microsoft client on a Windows XP SP2 workstation. I cannot RDP to any servers though. And I can't ping any servers other than the GW [the inside interface of the ASA]. Any help would be appreciated.

mattiaseriksson Sat, 08/04/2007 - 13:14

Hi, try to change your vpn pool to something that is not being used, for example:


ip local pool VPNpool 192.168.17.10-192.168.17.20 mask 255.255.255.255


And add it to the nonat access list:


access-list nonat extended permit ip 192.168.0.0 255.255.240.0 192.168.17.0 255.255.255.0
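An added example, not from this thread or from mattiaseriksson, of the two checks this answer implies: that the pool does not overlap any subnet already in use (inside LAN or a site-to-site remote), and that the nonat ACE actually exempts inside-to-pool traffic from NAT. The inside summary 192.168.0.0/20 and the pool are taken from the lines above; the site-to-site remote subnet and the "old" pool that collides with the LAN are constructed assumptions.

```python
"""Sanity-check a proposed ASA VPN pool against subnets in use and the nonat ACL.
Added example; the ACE parser covers 'permit ip' entries with net/mask, host, and any."""
import ipaddress

# From the ACE above: the inside LAN summary 192.168.0.0 255.255.240.0.
INSIDE_NETWORKS = [ipaddress.ip_network("192.168.0.0/255.255.240.0")]
# Assumed: a remote subnet reached over one of the two site-to-site tunnels.
SITE_TO_SITE_REMOTE = [ipaddress.ip_network("10.10.0.0/16")]
# The nonat ACE suggested in the answer, verbatim.
NONAT_ACE = ("access-list nonat extended permit ip "
             "192.168.0.0 255.255.240.0 192.168.17.0 255.255.255.0")


def pool_networks(first, last):
    """Express an 'ip local pool FIRST-LAST' range as a list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def pool_conflicts(pool, in_use):
    """Return (pool_block, in_use_net) pairs that overlap; empty means the pool is free."""
    return [(p, n) for p in pool for n in in_use if p.overlaps(n)]


def parse_ace(line):
    """Parse an ASA 'permit ip SRC DST' ACE into (src_net, dst_net)."""
    tok = line.split()
    if tok[:1] != ["access-list"] or "permit" not in tok:
        raise ValueError("not a permit ACE: " + line)
    i = tok.index("permit")
    if tok[i + 1] != "ip":
        raise ValueError("only 'permit ip' ACEs are handled: " + line)
    rest, nets = tok[i + 2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:  # network followed by dotted mask, as the ASA writes it
            nets.append(ipaddress.ip_network(rest[0] + "/" + rest[1]))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError("expected source and destination: " + line)
    return nets[0], nets[1]


def nonat_covers(aces, inside, pool):
    """True when every inside->pool flow matches some nonat ACE, i.e. is NAT-exempt."""
    parsed = [parse_ace(a) for a in aces]
    return all(any(i.subnet_of(src) and p.subnet_of(dst) for src, dst in parsed)
               for i in inside for p in pool)


if __name__ == "__main__":
    new_pool = pool_networks("192.168.17.10", "192.168.17.20")
    print("conflicts:", pool_conflicts(new_pool, INSIDE_NETWORKS + SITE_TO_SITE_REMOTE))
    print("nonat covers new pool:", nonat_covers([NONAT_ACE], INSIDE_NETWORKS, new_pool))
    # Constructed: a pool carved out of the LAN summary, which is what the answer warns against.
    old_pool = pool_networks("192.168.3.1", "192.168.3.50")
    print("old pool conflicts:", pool_conflicts(old_pool, INSIDE_NETWORKS))
```

If `pool_conflicts` returns anything, the servers will treat pool addresses as local and never hand replies to the ASA; if `nonat_covers` is false, the reply is NATed on its way into the tunnel and the client's IPsec SA does not match it. Both produce exactly the "connected but can't ping or RDP" symptom.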

ptlane123 Sat, 08/04/2007 - 13:39

Thanks, it didn't work.

I still can't RDP or ping any servers once I'm connected.

mattiaseriksson Sat, 08/04/2007 - 15:09

Ok, it should probably work either way.


Can you show some info about the tunnel:


show vpn-sessiondb detail remote filter protocol L2TPOverIPSec

ptlane123 Sat, 08/04/2007 - 15:26

Here it is. I just connected from my WS with the VPN I set up and here is what I got:

FW2# show vpn-sessiondb detail remote filter protocol L2TPOverIPSec

INFO: There are presently no active sessions of the type specified

How can this be?


Thanks for your assistance.

mattiaseriksson Sat, 08/04/2007 - 15:32

What about show crypto ipsec sa and show crypto isakmp sa?


You can also run debug crypto ipsec 7 and debug crypto isakmp 7 to get more information.

mattiaseriksson Sat, 08/04/2007 - 16:07

It looks like nat-t is used.


Try this: show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNAtT

mattiaseriksson Sun, 08/05/2007 - 00:39

It looks ok.


Check the logfile during a test, to see what happens with the return packets. Do your servers know how to reach the 192.168.3.0 network?


TX and RX counters are incrementing, but that is when you ping the firewall itself?


Check for dropped packets from internal servers in the logfile. If they get sent out to the tunnel without NAT applied, it should be a client side problem.

ptlane123 Sun, 08/05/2007 - 02:57

What can I add on the ASA to allow the .2 subnet to access the .3 subnet?


Thanks

mattiaseriksson Sun, 08/05/2007 - 03:07

If your clients have the ASA as default gateway, it should be ok already.
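An added example, not from this thread or from either poster, covering the return-route question raised in the two answers above ("do your servers know how to reach the 192.168.3.0 network?" and "if your clients have the ASA as default gateway, it should be ok"). It does a longest-prefix match on a server's routing table for a VPN client address and classifies where the reply goes. The ASA inside address, the client address and every routing table are constructed; only the 192.168.3.0 pool and the .2 server subnet come from the thread.

```python
"""Classify the return path from an inside server to an L2TP/IPsec client.
Added example; routing tables below are constructed for illustration."""
import ipaddress

ASA_INSIDE = ipaddress.ip_address("192.168.2.1")  # assumed inside-interface address
VPN_CLIENT = "192.168.3.5"                          # a client drawn from the thread's 192.168.3.0 pool

# Constructed routing tables as (destination prefix, next hop); None = directly connected.
SERVER_ASA_DEFAULT = [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]
SERVER_OTHER_DEFAULT = [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.254")]
SERVER_NO_DEFAULT = [("192.168.2.0/24", None)]
SERVER_POOL_ONLINK = [("192.168.2.0/23", None)]   # LAN mask wide enough to swallow the pool


def best_route(table, dst):
    """Longest-prefix match, the way the server's IP stack picks a route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def return_path(table, client_ip, asa_inside=ASA_INSIDE):
    """Where does the server's reply to client_ip end up?"""
    route = best_route(table, client_ip)
    if route is None:
        return "no-route"            # reply dropped on the server itself
    net, next_hop = route
    if next_hop is None:
        return "on-link"             # server ARPs for the client locally; the ASA never sees the reply
    if ipaddress.ip_address(next_hop) == asa_inside:
        return "via-asa"             # reply reaches the ASA, which can put it into the tunnel
    return "via-other:" + next_hop   # that router must itself route the pool back to the ASA


if __name__ == "__main__":
    for name, table in [("asa-default", SERVER_ASA_DEFAULT),
                        ("other-default", SERVER_OTHER_DEFAULT),
                        ("no-default", SERVER_NO_DEFAULT),
                        ("pool-on-link", SERVER_POOL_ONLINK)]:
        print(f"{name:14s} -> {return_path(table, VPN_CLIENT)}")
```

Only `via-asa` is correct without further work. `via-other` needs a static route for the pool pointing at the ASA on that router (or on the server); `no-route` needs a default or pool route; `on-link` means the pool overlaps the LAN mask and the pool itself should be moved, as the first answer suggested.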

ptlane123 Sun, 08/05/2007 - 12:52

The sales folks are connecting from all over. In the Microsoft client, there is no place to add a gateway.

