How to enable Windows Remote Desktop (3389) on Remote Access VPN

Unanswered Question
Jul 25th, 2009

We already have SSH to Linux boxes enabled via Remote Access VPN configured on an ASA device (configuration below). How can we enable Windows Remote Desktop on Windows machines?

Secondly, even though I can SSH into the servers via Remote Access VPN, if I do 'telnet x.x.x.x 22' after getting connected via VPN, it gets blocked. Why is it so?



interface GigabitEthernet0/0
 nameif outside
 security-level 100
 ip address

interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address

passwd xxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 22 extended permit ip any any
access-list 33 extended permit ip any any
access-list inside_nat0_outbound extended permit ip any
access-list cisco1_splitTunnelAcl standard permit any
mtu outside 1300
mtu inside 1500
ip local pool pool1 mask
ip verify reverse-path interface outside
ip verify reverse-path interface inside
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group 22 in interface outside
access-group 33 in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
sysopt connection tcpmss 1300
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
management-access outside

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
group-policy cisco internal
group-policy cisco attributes
 vpn-simultaneous-logins 50
 vpn-tunnel-protocol IPSec
 split-tunnel-network-list value cisco1_splitTunnelAcl
group-policy cisco1 internal
group-policy cisco1 attributes
 dns-server value
 vpn-simultaneous-logins 50
 vpn-tunnel-protocol IPSec
 split-tunnel-network-list value cisco1_splitTunnelAcl
username cisco password xxxxxxxx encrypted privilege 0
username cisco attributes
 vpn-group-policy cisco
username admin password xxxxxxxx encrypted privilege 15
tunnel-group cisco type ipsec-ra
tunnel-group cisco general-attributes
 address-pool pool1
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
tunnel-group cisco1 type ipsec-ra
tunnel-group cisco1 general-attributes
 address-pool pool1
 default-group-policy cisco1
tunnel-group cisco1 ipsec-attributes
 pre-shared-key *
prompt hostname context
: end

fedecotof Sun, 07/26/2009 - 16:23

First of all, all IP traffic is going through the tunnel because you have a split tunnel policy, but it says to send any traffic through the tunnel. (This means that when you connect with your VPN client, the machine will lose its local access to the Internet and will send everything through the tunnel.)

When you issue the command:

''show run sysopt''

there's going to be by default the ''sysopt connection permit-vpn'' command enabled. This means that all VPN traffic is allowed to pass through without being checked by the OUTSIDE ACL.

In other words, as long as you're able to PING the Windows machines, you should be able to access them via Remote Desktop.

Remote Desktop uses TCP port 3339; just make sure the Windows machines have the feature enabled. (For example, try to Remote Desktop to that machine from the LOCAL network.)

There's nothing on the ASA's config blocking IPsec traffic, so all IP traffic should go through.

Let me know if you have any problems.



tech_trac Mon, 07/27/2009 - 00:05

Thanks Federico.

I shall get back to you in a week's time.


tech_trac Wed, 08/26/2009 - 23:27

When I log in via Remote Access VPN (with the VPN Client), my PC is assigned an IP with a default gateway pointing to the CAT65K.

Now when I try to ping the gateway, it fails. The CAT65K log does not show any denied packets from my PC. But it shows a log on the ASA which is configured for Remote Access VPN with normal Built and Teardown messages.

What could be the problem?


fedecotofaja Thu, 08/27/2009 - 06:47

You need to determine what exactly you want to accomplish with the VPN connection. I mean, do you want to send all IP traffic from the clients through the tunnel, or would you like a split-tunnel policy to specify which traffic goes encrypted through the tunnel?

If you're sending all IP traffic, then when the VPN client connects, it is going to get a default gateway from the ASA... because all traffic should be sent through the tunnel, but you also have your normal default gateway on your local network connection.

In order to help you, let's determine whether or not you need a split-tunneling policy, and from there we handle the routing accordingly. What do you think?



fedecotofaja Thu, 08/27/2009 - 07:47

Yes, I see you have defined a split tunneling policy. But that policy says to send all traffic through the tunnel (so it is the same as not having a split tunneling policy).

The question is: Do you want to send all IP traffic from the clients through the tunnel or just to specific networks?

tech_trac Thu, 08/27/2009 - 08:03

I have defined specific networks as below:

access-list splitTunnelAcl standard permit
access-list splitTunnelAcl standard permit
group-policy cisco internal
group-policy cisco attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl

And this policy is attached to the tunnel-group cisco.
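The two points made in this thread, that a split-tunnel list permitting `any` (or a group-policy with no `split-tunnel-policy tunnelspecified` line, the ASA default being tunnelall) sends everything through the tunnel, and that the default `sysopt connection permit-vpn` lets that traffic skip the outside ACL, can be checked mechanically against a saved `show run`. The script below is an added example, not code from the thread or from Cisco; it audits a constructed config fragment that mirrors the lines above with a placeholder network in place of the elided addresses.

```python
import re

# Constructed sample, not the poster's full config: the thread's relevant lines
# with a placeholder (RFC 5737) network standing in for the elided ones.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 100
access-list cisco1_splitTunnelAcl standard permit any
access-list splitTunnelAcl standard permit 192.0.2.0 255.255.255.0
group-policy cisco attributes
 split-tunnel-network-list value cisco1_splitTunnelAcl
group-policy cisco1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
"""

def parse_config(cfg):
    """Collect standard ACL entries and group-policy attribute blocks."""
    acls, policies, current = {}, {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
            continue
        current = None  # any top-level command ends an attributes block
        if m := re.match(r"access-list (\S+) standard permit (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
        elif m := re.match(r"group-policy (\S+) attributes", line):
            current = policies.setdefault(m.group(1), {})
    return acls, policies

def audit_split_tunnel(cfg):
    """Map each group-policy to 'tunnelall: <why>' or 'tunnelspecified: <nets>';
    tunnelall traffic also skips the outside ACL under the default sysopt."""
    acls, policies = parse_config(cfg)
    verdicts = {}
    for name, attrs in policies.items():
        policy = attrs.get("split-tunnel-policy", "tunnelall")  # ASA default if absent
        acl = attrs.get("split-tunnel-network-list", "").replace("value ", "", 1)
        reasons = [] if policy == "tunnelspecified" else ["policy is " + policy]
        if "any" in acls.get(acl, []):
            reasons.append(acl + " permits any")
        verdicts[name] = ("tunnelall: " + "; ".join(reasons)) if reasons \
            else "tunnelspecified: " + ", ".join(acls.get(acl, []))
    return verdicts

def vpn_bypasses_outside_acl(cfg):
    """True unless 'no sysopt connection permit-vpn' is present (the ASA default)."""
    return "no sysopt connection permit-vpn" not in cfg.splitlines()
```

Running `audit_split_tunnel(SAMPLE_CONFIG)` reports the `cisco` policy as tunnelall for both reasons and `cisco1` as tunnelspecified with its one network; point it at a real `show run` capture to review every group-policy at once.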

