Windows Remote Assistance through VPN

Unanswered Question
Sep 6th, 2010


What am I missing in my configuration if Windows Remote Assistance doesn't work through VPN from the VPN network to the office network?

We have Cisco ASA 5520

VPN network is and office network is so VPN network is part of office network.

When the client is connected to the VPN, Windows Remote Assistance works from the VPN network to the office network but not from the office network to the VPN network. Tested with the clients' firewall off, so the client firewall is not the issue.

Jennifer Halim Mon, 09/06/2010 - 05:20

Are you trying to VPN using remote access vpn client, and is the ip pool subnet assigned to client?

If the above assumption is correct, please change the ip pool to a unique subnet not part of your internal network.

You would then need to configure NAT exemption.

Here is a sample configuration for your reference:

Dunkku999 Mon, 09/06/2010 - 05:42

"Are you trying to VPN using remote access vpn client, and is the ip pool subnet assigned to client?"

Yes, that is correct, and everything works fine except Remote Assistance, so we don't like to change the IP pool. There has to be an easier way to allow Remote Assistance through VPN? Both clients are in the inside network after all.

Jennifer Halim Mon, 09/06/2010 - 05:56

Are you able to telnet to port 3389 from the VPN? If you are able to telnet on port 3389, then it might be an MSS issue.

You can lower the MSS on the firewall with the "sysopt connection tcpmss 1300" command.

Jennifer Halim Wed, 09/08/2010 - 18:20

Are you able to access anything through VPN? Can you ping the remote desktop? Also, you might want to double check if the windows firewall is enabled as it might prevent inbound connection from different subnet.

Dunkku999 Thu, 09/09/2010 - 01:44


Yes, all services work through VPN. For example email client, network resources, intranet and so on. I can't ping a machine which is connected via VPN. Windows firewall is not enabled, and I of course tested without any client firewall on.

How about ASA firewall rules? I just can't figure out if there are some rules which have to be created.

Dunkku999 Fri, 09/10/2010 - 05:30


Config attached. I had to modify it a little bit, but I hope there is some useful information left.

There is only one group policy called companyvpn.

hdashnau Fri, 09/10/2010 - 05:51

It looks like you have an access-group applied on your inside interface called "ACCESS-INSIDE-IN" -- Is this traffic permitted there? If not please add it to the top of the list.

You should also collect some logs and captures to see what is happening to this traffic:

Capture on inside interface:
access-list cap permit ip host host
access-list cap permit ip host host
cap cap access-list cap interface inside

Capture on packets ASA drops:
cap asp type asp-drop all

Log Settings:
logging buffered debugging
logging buffer-size 1000000

clear cap cap
clear cap asp
clear log buff

show log | include
show log | include
show cap asp | include
show cap asp | include
show cap cap

Examine the logs and captures yourself and see if the connection is being built (i.e. do you see the whole SYN, SYN/ACK, ACK handshake). If you see a SYN but no SYN/ACK in the capture on the inside interface, for example, you need to determine why the SYN/ACK is not making it to the ASA.
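As an added example that is not the poster's attached configuration and not the sample configuration Jennifer referred to (which is missing from the thread), here is how the advice given above maps to an ASA configuration: a remote-access pool that does not overlap the office LAN, NAT exemption for office-to-pool traffic, an explicit permit at the top of the inside interface ACL ACCESS-INSIDE-IN for office-to-VPN-client traffic on port 3389, and the tcpmss clamp. The addresses (office LAN 192.168.10.0/24 on "inside", pool 10.20.30.0/24), the names VPNPOOL and NONAT, and the tunnel-group name companyvpn are constructed assumptions; ACCESS-INSIDE-IN and the group policy name companyvpn come from the thread. Pre-8.3 NAT syntax is assumed, which matches the 2010 time frame; on 8.3 and later the NAT exemption is written as a twice-NAT "nat (inside,outside) source static ... destination static ..." rule instead.

```cisco
! Added example, not the thread's attached config. Assumes ASA 8.2-style NAT syntax.
! Constructed values: office LAN 192.168.10.0/24 (inside), VPN pool 10.20.30.0/24,
! names VPNPOOL, NONAT and tunnel-group companyvpn. ACCESS-INSIDE-IN is from the thread.

! 1. Give remote-access clients a pool that is NOT part of the office LAN
ip local pool VPNPOOL 10.20.30.1-10.20.30.100 mask 255.255.255.0
tunnel-group companyvpn general-attributes
 address-pool VPNPOOL

! 2. NAT exemption (identity NAT) so office <-> VPN pool traffic is never translated
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Office -> VPN client traffic enters on "inside" and is checked against the inside
!    interface ACL, so permit 3389 to the pool ahead of any deny lines
access-list ACCESS-INSIDE-IN line 1 extended permit tcp 192.168.10.0 255.255.255.0 10.20.30.0 255.255.255.0 eq 3389

! 4. Clamp TCP MSS so full-size segments still fit after IPsec/ESP overhead (from the thread)
sysopt connection tcpmss 1300

! Verify what is actually in effect
show run nat
show access-list ACCESS-INSIDE-IN
show run tunnel-group companyvpn
```

The reason step 1 matters for the office-to-client direction: when the pool overlaps the office LAN, an office host treats a VPN client's address as on-link and ARPs for it on the LAN segment, so reachability depends on the ASA proxy-ARPing for every pool address. With a separate subnet the office hosts simply route those packets to the ASA, and the only remaining checks are the NAT exemption (step 2) and the inside interface ACL (step 3), which is exactly where the captures hdashnau describes would show a SYN with no SYN/ACK if either is wrong.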


hdashnau Fri, 09/10/2010 - 05:52

P.S. Please remember to rate the responses you get and mark the issue as resolved if the problem is fixed.

Dunkku999 Wed, 09/22/2010 - 06:09


Thanks for all the help. It just started to be a little bit too hard. I'll try to find some solution.
