Permitting VPN users to RDC to UAT

Answered Question
Sep 18th, 2008

ASA 5510. Outside NIC connected to ISP with real internet IP addresses. Inside NIC connected to DMZ 172.17.193.0/24 with address 172.17.193.100.

ISA 2006 SP1. Outside NIC connected to 172.17.193.0/24 DMZ with address 172.17.193.1 Inside NIC connected to UAT 44.44.44.0/24 with address 44.44.44.109.

After a VPN user connects to the ASA (gets a 192.168.20.0/24 IP address), I want the VPN user to be able to RDC into a 2008 server in the 44.44.44.0/24 network.

I know I have to enable RDC inbound on the ISA...but I'm not sure what I have to do on the ASA.

ciscoasa# sh run

: Saved

:

ASA Version 8.0(4)

!

hostname ciscoasa

enable password xxx

passwd xxx

names

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address outside_ip 255.255.255.240

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 172.17.x.x.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot config disk0:/exit

ftp mode passive

clock timezone mst -7

clock summer-time mdt recurring

access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list inbound_on_outside extended permit icmp any any

access-list inbound_on_outside extended permit tcp any host outside_ip eq 5555

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnuserspool 192.168.20.101-192.168.20.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.17.193.0 255.255.255.0

static (inside,outside) tcp outside_ip 5555 172.17.193.96 5555 netmask 255.255.255.255

access-group inbound_on_outside in interface outside

route outside 0.0.0.0 0.0.0.0 isp_gw 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.20.0 255.255.255.0 inside

http 172.17.193.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set firstset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set transform-set firstset

crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800

crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp nat-traversal 3600

telnet timeout 5

ssh 172.17.193.0 255.255.255.0 inside

ssh 192.168.20.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

I have this problem too.
0 votes
Correct Answer by singhsaju about 8 years 2 months ago

You will also need to route VPN pool to UAT device beside making those access list changes .

ON ASA

route inside 44.44.44.0 255.255.255.0 172.17.193.1

And route for VPN pool 192.168.20.0/24 pointing back to ASA on ISA device .

If you do not have default route on UAT device pointing back back to ISA device

then you will need define a route for VPN pool 192.168.20.0/24 pointing back to ASA on UAT device also.

HTH

Saju

Pls rate helpful posts

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
support.edm Thu, 09/18/2008 - 13:16

dhcpd address 172.17.193.201-172.17.193.254 inside

dhcpd dns 172.17.193.6 interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 129.128.5.210 source outside

group-policy vpnuserspolicy internal

group-policy vpnuserspolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

address-pools value vpnuserspool

username admin password xxx encrypted privilege 15

username admin attributes

vpn-group-policy vpnuserspolicy

tunnel-group vpnusersgroup type remote-access

tunnel-group vpnusersgroup general-attributes

default-group-policy vpnuserspolicy

tunnel-group vpnusersgroup ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

ciscoasa#

singhsaju Thu, 09/18/2008 - 17:57

Hello,

Just add one more line to Split tunnel acl and Nat exemption acl.

Your ACL should look like as following:

access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0

access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0

Once implemented then try to connect vpn client and check .

HTH

Saju

Pls rate helpful posts

Correct Answer
singhsaju Fri, 09/19/2008 - 04:56

You will also need to route VPN pool to UAT device beside making those access list changes .

ON ASA

route inside 44.44.44.0 255.255.255.0 172.17.193.1

And route for VPN pool 192.168.20.0/24 pointing back to ASA on ISA device .

If you do not have default route on UAT device pointing back back to ISA device

then you will need define a route for VPN pool 192.168.20.0/24 pointing back to ASA on UAT device also.

HTH

Saju

Pls rate helpful posts

Actions

This Discussion