Windows Remote Assistance through VPN

Dunkku999
Level 1

Hello

What am I missing in my configuration if Windows Remote Assistance doesn't work through VPN from the VPN network to the office network?

We have Cisco ASA 5520

VPN network is 10.198.9.0/24 and office network is 10.198.0.0/20 so VPN network is part of office network.

When a client is connected to the VPN, Windows Remote Assistance works from the VPN network to the office network but not from the office network to the VPN network. Tested with the client's firewall off, so the client firewall is not the issue.


Jennifer Halim
Cisco Employee

Are you trying to VPN using remote access vpn client, and 10.198.9.0/24 is the ip pool subnet assigned to client?

If the above assumption is correct, please change the ip pool to a unique subnet not part of your internal network.

You would then need to configure NAT exemption.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
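The change Jennifer describes, written out as an ASA configuration fragment. This is an added example, not text from the thread or from the poster's attached config. The new pool 192.168.250.0/24, the pool name VPNPOOL, the tunnel-group name COMPANY-RA and the object names are assumptions; the group policy companyvpn, the inside ACL ACCESS-INSIDE-IN and the office subnet 10.198.0.0/20 come from the thread. The point of moving the pool is that office hosts configured with a /20 mask treat 10.198.9.x as on-link, so office-initiated traffic to a VPN client only reaches the ASA if the ASA answers ARP for those addresses on the inside; a pool outside 10.198.0.0/20 is sent to the default gateway instead, which removes that dependency. NAT exemption is shown in both the 8.2 and the 8.3+ syntax; use the one that matches the ASA version.

```cisco
! Added example, not the thread's config. Assumed: VPNPOOL, COMPANY-RA,
! OFFICE-NET, VPN-POOL-NET, NONAT and the 192.168.250.0/24 pool.

! --- Weak: pool carved out of the office supernet (the thread's current state) ---
! ip local pool VPNPOOL 10.198.9.1-10.198.9.254 mask 255.255.255.0
! 10.198.9.0/24 lies inside 10.198.0.0/20, so office hosts see it as on-link.

! --- Corrected: pool that overlaps no internal subnet ---
ip local pool VPNPOOL 192.168.250.1-192.168.250.254 mask 255.255.255.0

tunnel-group COMPANY-RA general-attributes
 address-pool VPNPOOL
 default-group-policy companyvpn

! NAT exemption, ASA 8.2 and earlier syntax
access-list NONAT extended permit ip 10.198.0.0 255.255.240.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list NONAT

! NAT exemption, ASA 8.3 and later syntax (use instead of the two lines above)
object network OFFICE-NET
 subnet 10.198.0.0 255.255.240.0
object network VPN-POOL-NET
 subnet 192.168.250.0 255.255.255.0
nat (inside,outside) source static OFFICE-NET OFFICE-NET destination static VPN-POOL-NET VPN-POOL-NET

! Office -> VPN client traffic arrives on the inside interface and is checked
! against the inside ACL. VPN -> office traffic bypasses interface ACLs while
! "sysopt connection permit-vpn" is on (the default), which is why only the
! office-initiated direction needs an explicit permit. Remote Assistance rides
! on RDP, TCP 3389.
access-list ACCESS-INSIDE-IN line 1 extended permit tcp 10.198.0.0 255.255.240.0 192.168.250.0 255.255.255.0 eq 3389
```

After changing the pool, reconnect the VPN client so it receives an address from the new range, then retry Remote Assistance from an office host.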

"Are you trying to VPN using remote access vpn client, and 10.198.9.0/24 is the ip pool subnet assigned to client?"

Yes, that is correct, and everything works fine except Remote Assistance, so we don't want to change the IP pool. There has to be an easier way to allow Remote Assistance through VPN? Both clients are in the inside network after all.

Are you able to telnet to port 3389 from the VPN? If you are able to telnet on port 3389 then it might be an MSS issue.

You can lower the MSS on the firewall with the "sysopt connection tcpmss 1300" command.

Hello

No, telnet is not going through either over VPN.

Are you able to access anything through VPN? Can you ping the remote desktop? Also, you might want to double check if the windows firewall is enabled as it might prevent inbound connection from different subnet.

Hello

Yes, all services work through VPN, for example the email client, network resources, intranet and so on. I can't ping the machine that is connected over VPN. Windows Firewall is not enabled, and of course I tested without any client firewall on.

How about ASA firewall rules? Just can't figure out if there is some rules which have to be create.

Can you please share the ASA config, and also which group policy you are using?

Hello

Config attached. I had to modify it a little bit, but I hope there is some useful information left.

There is only one group policy called companyvpn.

hdashnau
Cisco Employee

It looks like you have an access-group applied on your inside interface called "ACCESS-INSIDE-IN" -- Is this traffic permitted there? If not please add it to the top of the list.

You should also collect some logs and captures to see what is happening to this traffic:

Capture on inside interface:

access-list cap permit ip host host
access-list cap permit ip host host
cap cap access-list cap interface inside

Capture on packets ASA drops:

cap asp type asp-drop all

Log Settings:

logging buffered debugging
logging buffer-size 1000000

clear cap cap
clear cap asp
clear log buff

show log | include
show log | include
show cap asp | include
show cap asp | include
show cap cap

Examine the logs and captures yourself and see if the connection is being built (ie do you see the whole SYN, SYN/ACK, ACK handshake). If you see a SYN, but no SYN/ACK in the capture on the inside interface for example you need to determine why the SYN/ACK is not making it to the ASA.

-heather

P.S. Please remember to rate the responses you get and mark the issue as resolved if the problem is fixed.
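The troubleshooting Heather outlines, filled in with concrete addresses and preceded by a packet-tracer run. This is an added example and not part of the thread; the office host 10.198.1.10 and the VPN client 192.168.250.5 are assumed addresses (with the original pool, substitute a 10.198.9.x client address). packet-tracer is useful here because it walks the same flow through route lookup, the inside ACL, NAT and the VPN check, and reports which phase drops it, before any real traffic is sent.

```cisco
! Added example, not the thread's commands. Assumed addresses:
! office host 10.198.1.10, VPN client 192.168.250.5.

! Simulate an office-initiated Remote Assistance (RDP, TCP 3389) connection.
! "detailed" prints every phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, VPN, ...)
! and the drop reason for the first phase that fails.
packet-tracer input inside tcp 10.198.1.10 50000 192.168.250.5 3389 detailed

! Capture both directions of the real flow on the inside interface.
access-list cap extended permit ip host 10.198.1.10 host 192.168.250.5
access-list cap extended permit ip host 192.168.250.5 host 10.198.1.10
capture cap access-list cap interface inside

! Capture everything the ASA itself drops, with the drop reason.
capture asp type asp-drop all

! Reproduce the Remote Assistance attempt from 10.198.1.10, then read:
show capture cap
show capture asp | include 10.198.1.10
show logging | include 10.198.1.10
show asp drop

! Remove the captures when done; they consume memory while active.
no capture cap
no capture asp
```

Reading the result: if packet-tracer reports a drop in the ACCESS-LIST phase, the inside ACL is the problem; a drop in the NAT phase points at a missing NAT exemption. If packet-tracer allows the flow but the inside capture shows no SYN at all when you reproduce from the office host, the host never handed the packet to the ASA, which is the behaviour to expect when the client address falls inside the host's own /20 and nothing on the LAN answers the ARP. A SYN with no SYN/ACK in the capture means the ASA forwarded it and the reply went missing beyond the ASA, on the VPN client side.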

Hello

Thanks for all the help. It just started to get a little bit too hard. I'll try to find some solution.

Toni
