Permitting VPN users to RDC to UAT

support.edm

ASA 5510. Outside NIC connected to ISP with real internet IP addresses. Inside NIC connected to DMZ 172.17.193.0/24 with address 172.17.193.100.

ISA 2006 SP1. Outside NIC connected to the 172.17.193.0/24 DMZ with address 172.17.193.1. Inside NIC connected to UAT 44.44.44.0/24 with address 44.44.44.109.

After a VPN user connects to the ASA (gets a 192.168.20.0/24 IP address), I want the VPN user to be able to RDC into a 2008 server in the 44.44.44.0/24 network.

I know I have to enable RDC inbound on the ISA...but I'm not sure what I have to do on the ASA.

ciscoasa# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password xxx
passwd xxx
names
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address outside_ip 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.17.x.x.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot config disk0:/exit
ftp mode passive
clock timezone mst -7
clock summer-time mdt recurring
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inbound_on_outside extended permit icmp any any
access-list inbound_on_outside extended permit tcp any host outside_ip eq 5555
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnuserspool 192.168.20.101-192.168.20.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
static (inside,outside) tcp outside_ip 5555 172.17.193.96 5555 netmask 255.255.255.255
access-group inbound_on_outside in interface outside
route outside 0.0.0.0 0.0.0.0 isp_gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http 172.17.193.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set firstset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set firstset
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 172.17.193.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside

1 Accepted Solution

You will also need to route the VPN pool to the UAT device besides making those access-list changes.

On the ASA:

route inside 44.44.44.0 255.255.255.0 172.17.193.1

And a route for the VPN pool 192.168.20.0/24 pointing back to the ASA on the ISA device.

If you do not have a default route on the UAT device pointing back to the ISA device, then you will need to define a route for the VPN pool 192.168.20.0/24 pointing back to the ASA on the UAT device also.

HTH

Saju

Pls rate helpful posts

4 Replies

support.edm

dhcpd address 172.17.193.201-172.17.193.254 inside
dhcpd dns 172.17.193.6 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.128.5.210 source outside
group-policy vpnuserspolicy internal
group-policy vpnuserspolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_list
 address-pools value vpnuserspool
username admin password xxx encrypted privilege 15
username admin attributes
 vpn-group-policy vpnuserspolicy
tunnel-group vpnusersgroup type remote-access
tunnel-group vpnusersgroup general-attributes
 default-group-policy vpnuserspolicy
tunnel-group vpnusersgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa#

Hello,

Just add one more line to the split-tunnel ACL and to the NAT exemption ACL.

Your ACLs should look like the following:

access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0

Once implemented, try to connect with the VPN client and check.

HTH

Saju

Pls rate helpful posts
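Saju's two replies in this thread change three things on the ASA: the split-tunnel ACL, the NAT exemption (nat 0) ACL, and a static route for 44.44.44.0/24 via the ISA's outside address 172.17.193.1. The Python below is an added example, not code from this thread or from Cisco: it parses only the pre-8.3 command forms that appear in this config (standard and extended ip access-list lines, the nat 0 binding, and static routes) and reports which of the three pieces is missing for a given VPN pool and target subnet. The BEFORE and AFTER configs are constructed from the lines in the thread, and the function names and the `connected` parameter (for subnets attached to the inside interface, which `show run` does not list as routes) are this example's own assumptions. It checks the ASA side only; the return routes on the ISA and UAT hosts still have to be verified on those boxes.

```python
import ipaddress
import re

# Constructed sample (abridged from the thread, not a verbatim config): the ASA
# lines that matter for a VPN client reaching UAT, before and after the replies.
BEFORE = """\
access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 isp_gw 1
"""

AFTER = BEFORE + """\
access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
route inside 44.44.44.0 255.255.255.0 172.17.193.1
"""

# Only the pre-8.3 command forms used in this thread are recognised (assumption).
STD_ACL = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
EXT_ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")


def net(addr, mask):
    """Build a network object from the ASA's 'address netmask' pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Collect standard ACLs, extended ip ACLs, nat 0 bindings and static routes."""
    cfg = {"std": {}, "ext": {}, "nat0": {}, "routes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STD_ACL.match(line):
            cfg["std"].setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := EXT_ACL.match(line):
            cfg["ext"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0.match(line):
            cfg["nat0"][m[1]] = m[2]            # interface -> exemption ACL name
        elif m := ROUTE.match(line):
            cfg["routes"].append((m[1], net(m[2], m[3]), m[4]))  # (iface, net, gw)
    return cfg


def check_vpn_path(text, pool, target, split_acl="split_tunnel_list",
                   inside_if="inside", connected=()):
    """Return a list of findings; empty means the ASA side is consistent.

    'connected' lists subnets directly attached to inside_if: 'show run' carries
    no connected routes, so they are supplied by hand (hypothetical parameter).
    """
    cfg = parse(text)
    pool = ipaddress.ip_network(pool)
    target = ipaddress.ip_network(target)
    findings = []

    # 1. Split tunnel: the client only sends the target subnet into the tunnel
    #    if some entry of the split-tunnel ACL covers it.
    if not any(target.subnet_of(n) for n in cfg["std"].get(split_acl, [])):
        findings.append(f"split-tunnel ACL {split_acl} does not cover {target}")

    # 2. NAT exemption: without a nat 0 entry target -> pool, the 'nat (inside) 1'
    #    rule would PAT the reply traffic and break the return path.
    acl = cfg["nat0"].get(inside_if)
    entries = cfg["ext"].get(acl, []) if acl else []
    if not any(target.subnet_of(s) and pool.subnet_of(d) for s, d in entries):
        findings.append(f"no nat 0 exemption {target} -> {pool} on {inside_if}")

    # 3. Routing: the longest-prefix match for the target must leave via inside,
    #    otherwise the default route sends UAT-bound traffic to the ISP.
    routes = cfg["routes"] + [(inside_if, ipaddress.ip_network(c), "connected")
                              for c in connected]
    best = max((r for r in routes if target.subnet_of(r[1])),
               key=lambda r: r[1].prefixlen, default=None)
    if best is None or best[0] != inside_if:
        via = f"{best[0]} via {best[1]}" if best else "no route"
        findings.append(f"route for {target}: {via}, expected {inside_if}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_vpn_path(cfg, "192.168.20.0/24", "44.44.44.0/24") or ["ok"])
```

Run against BEFORE the script reports all three gaps (split tunnel, nat 0 exemption, route); against AFTER it reports none. The same check passed the DMZ subnet as both target and `connected` confirms that the existing 172.17.193.0/24 access was already complete, which is why only the UAT subnet needed the extra lines.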


Thanks, exactly what I'm looking for!!
