RDP fails to connect with anyconnect

Answered Question
May 26th, 2010
Hi all,

I have a problem with the configuration of an ASA 5505

When my users log in with anyconnect they only can make a connection to the server, but when they want to connect to their own pc, it will not connect.
When they are logged in they can ping their own pc even with the DNS name.
When i let them log in trough the clientportal. They can make RDP to their own pc.
Nat is set for the ip of the server and also for the owners pc.

The sever is a win 2008 SBS and the clients are Win XP

Does anyone has an idea?

I have this problem too.
0 votes
Correct Answer by Jennifer Halim about 6 years 6 months ago

Please advise the following:

Can you ping 192.168.1.14? and can you try to telnet on port 3389 to  192.168.1.14 from a DOS prompt?

Also, if the RDP server  192.168.1.14 allowing connection from different IP subnet? Does it have a  PC firewall that might be blocking the access? You might want to try to  disable the Windows firewall on 192.168.1.14.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jennifer Halim Wed, 05/26/2010 - 02:26

Not quite sure what you mean by NAT is configured. Normally for AnyConnect connection, you would configure NAT exemption for traffic between internal subnet and ip pool subnet.

Please share the ASA configuration, and what is the ip address of the internal RDP ip address that they are trying to connect to.

You can also try to lower the MSS size on the ASA: sysopt connection tcpmss 1300

switcomnetworks Wed, 05/26/2010 - 03:14

: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505-SVW
domain-name svw.local
enable password xxxxxxx
passwd xxxxxxxxx

names
name 92.66.40.12 Server
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.5
domain-name svw.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
description rdp
port-object eq 3389
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host Server eq www
access-list 100 extended permit tcp any host Server eq smtp
access-list 100 extended permit tcp any any object-group rdp
access-list 100 extended permit gre any host 192.168.1.5
access-list 100 extended permit tcp any host Server eq pptp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 object-group rdp
access-list inside_access_in extended permit tcp any host 192.168.1.14 object-group rdp inactive
access-list inside_nat0_outbound extended permit ip host 192.168.1.5 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.14 192.168.25.0 255.255.255.0
access-list svw standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 192.168.1.10 netmask 255.0.0.0
global (outside) 1 92.66.40.15 netmask 255.255.255.255
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 92.66.40.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 192.168.1.5
server-port 389
ldap-base-dn dc=svw, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=Martin Cramer
server-type auto-detect
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn steigerverhuur-wormerveer.nl
subject-name CN=steigerverhuur-wormerveer.nl
keypair sslvpnsvw
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate ae75d74b
    3082021f 30820188 a0030201 020204ae 75d74b30 0d06092a 864886f7 0d010104
    05003054 31253023 06035504 03131c73 74656967 65727665 72687575 722d776f
    726d6572 76656572 2e6e6c31 2b302906 092a8648 86f70d01 0902161c 73746569
    67657276 65726875 75722d77 6f726d65 72766565 722e6e6c 301e170d 31303034
    32373233 33393236 5a170d32 30303432 34323333 3932365a 30543125 30230603
    55040313 1c737465 69676572 76657268 7575722d 776f726d 65727665 65722e6e
    6c312b30 2906092a 864886f7 0d010902 161c7374 65696765 72766572 68757572
    2d776f72 6d657276 6565722e 6e6c3081 9f300d06 092a8648 86f70d01 01010500
    03818d00 30818902 818100aa 10b42fac 45728df1 85c33138 8c834f97 fe76da30
    1a9ba0e6 2af294ca 447e9de9 ed91c67b 25eca491 bdb17d0f b1f7b4c8 fad8a1d7
    52375348 c5034d56 a62f3883 87b5108d dc5f9cf3 0b2639dd 5422384e 33c5ca91
    f4d596bb a9debe2b a7851584 446af630 62125e50 85c50956 d643a5c4 5a33348a
    0b440673 eafde3f6 1fd1d302 03010001 300d0609 2a864886 f70d0101 04050003
    81810004 0eb01430 16f94381 f0411889 4e247faf b831500d e88f136a 34bf3e96
    bac3865f 0c2ec57a daf48d0a 483d661d 1254b1bd e7c53d6c e4c8dad6 44251882
    78e14d34 41e7c478 a2374808 ae6d8b8b 89b698c2 45a59474 85cff83c 2911f81c
    e3440674 b0bcff16 bd96e807 4be7fb4a 8dc1ae48 d0ed09b3 eb6304ca 3848ed19 8b4682
  quit
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
port 500
enable outside
dtls port 500
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLVPNclientlesspolicy internal
group-policy SSLVPNclientlesspolicy attributes
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value svw
webvpn
  url-list value SVW
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.1.5
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value svw
default-domain value SVW.local
address-pools value SSLClientPool
webvpn
  url-list value SVW
group-policy DfltGrpPolicy attributes
webvpn
  url-list value SVW
group-policy WebVPNpolicy internal
group-policy WebVPNpolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
webvpn
  url-list value SVW
username ludovanoord password xxxxxxx

username ludovanoord attributes
service-type remote-access
webvpn
  url-list value SVW
username Martin password xxxxxxx encrypted privilege 0
username Martin attributes
vpn-group-policy SSLClientPolicy
username hennygrootjen password xxxxxxxx encrypted privilege 0
username hennygrootjen attributes
service-type admin
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
default-group-policy WebVPNpolicy
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
!
prompt hostname context
Cryptochecksum:77f3e034a425bc95b1febabc33bc9d99
: end
asdm image disk0:/asdm-621.bin
asdm location Server 255.255.255.255 inside
asdm location 192.168.25.0 255.255.255.0 inside
no asdm history enable

192.168.1.5 is the server 2008 SBS

192.168.1.14 is the workstation i try to RDP to

Jennifer Halim Wed, 05/26/2010 - 03:21

Configuration looks correct except the following 2 lines that you might want to remove:

global (inside) 1 192.168.1.10 netmask 255.0.0.0
global (outside) 1  92.66.40.15 netmask 255.255.255.255

Then you might want to "clear xlate" after removing the above.

What ip address are you trying to RDP to? You would need to RDP to the private ip address instead of the public ip address.

Jennifer Halim Wed, 05/26/2010 - 03:50

Have you removed the lines advised earlier? Also have you added "sysopt connection tcpmss 1300"

Can you ping 192.168.1.14? and can you try to telnet on port 3389 to 192.168.1.14 from a DOS prompt?

Also, if the RDP server 192.168.1.14 allowing connection from different IP subnet? Does it have a PC firewall that might be blocking the access? You might want to try to disable the Windows firewall on 192.168.1.14.

switcomnetworks Wed, 05/26/2010 - 03:58

New config - no effect.

: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505-SVW
domain-name svw.local
enable password xxxxx encrypted
passwd xxxxxx encrypted
names
name 92.66.40.12 Server
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.5
domain-name svw.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
description rdp
port-object eq 3389
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host Server eq www
access-list 100 extended permit tcp any host Server eq smtp
access-list 100 extended permit tcp any any object-group rdp
access-list 100 extended permit gre any host 192.168.1.5
access-list 100 extended permit tcp any host Server eq pptp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 object-group rdp
access-list inside_access_in extended permit tcp any host 192.168.1.14 object-group rdp inactive
access-list inside_nat0_outbound extended permit ip host 192.168.1.5 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.14 192.168.25.0 255.255.255.0
access-list svw standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 92.66.40.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 192.168.1.5
server-port 389
ldap-base-dn dc=svw, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=Martin Cramer
server-type auto-detect
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn steigerverhuur-wormerveer.nl
subject-name CN=steigerverhuur-wormerveer.nl
keypair sslvpnsvw
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate ae75d74b
    3082021f 30820188 a0030201 020204ae 75d74b30 0d06092a 864886f7 0d010104
    05003054 31253023 06035504 03131c73 74656967 65727665 72687575 722d776f
    726d6572 76656572 2e6e6c31 2b302906 092a8648 86f70d01 0902161c 73746569
    67657276 65726875 75722d77 6f726d65 72766565 722e6e6c 301e170d 31303034
    32373233 33393236 5a170d32 30303432 34323333 3932365a 30543125 30230603
    55040313 1c737465 69676572 76657268 7575722d 776f726d 65727665 65722e6e
    6c312b30 2906092a 864886f7 0d010902 161c7374 65696765 72766572 68757572
    2d776f72 6d657276 6565722e 6e6c3081 9f300d06 092a8648 86f70d01 01010500
    03818d00 30818902 818100aa 10b42fac 45728df1 85c33138 8c834f97 fe76da30
    1a9ba0e6 2af294ca 447e9de9 ed91c67b 25eca491 bdb17d0f b1f7b4c8 fad8a1d7
    52375348 c5034d56 a62f3883 87b5108d dc5f9cf3 0b2639dd 5422384e 33c5ca91
    f4d596bb a9debe2b a7851584 446af630 62125e50 85c50956 d643a5c4 5a33348a
    0b440673 eafde3f6 1fd1d302 03010001 300d0609 2a864886 f70d0101 04050003
    81810004 0eb01430 16f94381 f0411889 4e247faf b831500d e88f136a 34bf3e96
    bac3865f 0c2ec57a daf48d0a 483d661d 1254b1bd e7c53d6c e4c8dad6 44251882
    78e14d34 41e7c478 a2374808 ae6d8b8b 89b698c2 45a59474 85cff83c 2911f81c
    e3440674 b0bcff16 bd96e807 4be7fb4a 8dc1ae48 d0ed09b3 eb6304ca 3848ed19 8b4682
  quit
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
port 500
enable outside
dtls port 500
svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLVPNclientlesspolicy internal
group-policy SSLVPNclientlesspolicy attributes
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value svw
webvpn
  url-list value SVW
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.1.5
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value svw
default-domain value SVW.local
address-pools value SSLClientPool
webvpn
  url-list value SVW
group-policy DfltGrpPolicy attributes
webvpn
  url-list value SVW
group-policy WebVPNpolicy internal
group-policy WebVPNpolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
webvpn
  url-list value SVW
username ludovanoord password xxxxxx encrypted
username ludovanoord attributes
service-type remote-access
webvpn
  url-list value SVW
username Martin password xxxxxx encrypted privilege 0
username Martin attributes
vpn-group-policy SSLClientPolicy
username hennygrootjen password xxxxx.4 encrypted privilege 0
username hennygrootjen attributes
service-type admin
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
default-group-policy WebVPNpolicy
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
!
!
prompt hostname context
Cryptochecksum:1d530be5359a14d2e6b723403a4d803e
: end
asdm image disk0:/asdm-621.bin
asdm location Server 255.255.255.255 inside
asdm location 192.168.25.0 255.255.255.0 inside
no asdm history enable

Correct Answer
Jennifer Halim Wed, 05/26/2010 - 04:00

Please advise the following:

Can you ping 192.168.1.14? and can you try to telnet on port 3389 to  192.168.1.14 from a DOS prompt?

Also, if the RDP server  192.168.1.14 allowing connection from different IP subnet? Does it have a  PC firewall that might be blocking the access? You might want to try to  disable the Windows firewall on 192.168.1.14.

switcomnetworks Wed, 05/26/2010 - 06:04

halijenn

Thank you very much for your assistence.

Problem was the firewall.

We opend all the ports we needed but it was not enough.

When i disabled the firewall in the domain, the problem was solved.

Actions

This Discussion