09-06-2010 04:13 AM
Hello
What am I missing in my configuration if Windows Remote Assistance doesn't work through the VPN from the VPN network to the office network?
We have Cisco ASA 5520
The VPN network is 10.198.9.0/24 and the office network is 10.198.0.0/20, so the VPN network is part of the office network.
When the client is connected to the VPN, Windows Remote Assistance works from the VPN network to the office network but not from the office network to the VPN network. Tested with the client's firewall off, so the client firewall is not the issue.
09-06-2010 05:20 AM
Are you trying to VPN using the remote access VPN client, and is 10.198.9.0/24 the IP pool subnet assigned to clients?
If the above assumption is correct, please change the IP pool to a unique subnet that is not part of your internal network.
You would then need to configure NAT exemption.
Here is a sample configuration for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
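As an added illustration of the two steps in the reply above (this is not code from the thread or from the linked Cisco document), the script below checks a candidate client pool against the inside networks with the standard library's ipaddress module and, only if the pool is unique, emits the NAT-exemption lines in the pre-8.3 ASA syntax (access-list ... / nat (inside) 0 access-list ...) that the 2010-era configuration example uses. The inside network and the overlapping pool are the thread's values; the replacement pool 192.168.254.0/24, the ACL name "nonat", and the interface name "inside" are assumptions.

```python
import ipaddress

# Values from the thread: the office network and the VPN pool that sits inside it.
INSIDE_NETWORKS = [ipaddress.ip_network("10.198.0.0/20")]
CURRENT_POOL = ipaddress.ip_network("10.198.9.0/24")
# Assumed replacement pool, chosen so that it is outside every inside network.
PROPOSED_POOL = ipaddress.ip_network("192.168.254.0/24")


def overlapping_inside_networks(pool, inside_networks):
    """Return the inside networks that the pool overlaps (empty list means OK)."""
    return [net for net in inside_networks if net.overlaps(pool)]


def pool_is_unique(pool, inside_networks):
    """True when the pool shares no addresses with any inside network."""
    return not overlapping_inside_networks(pool, inside_networks)


def nat_exemption_lines(pool, inside_networks, acl_name="nonat"):
    """Generate pre-8.3 ASA NAT exemption for inside<->pool traffic.

    One `access-list <acl> extended permit ip <inside> <mask> <pool> <mask>`
    line per inside network, bound with `nat (inside) 0 access-list <acl>`.
    The ACL name and the interface name "inside" are assumptions; on 8.3+
    the equivalent is a `nat (inside,outside) source static ...` rule instead.
    """
    if not pool_is_unique(pool, inside_networks):
        raise ValueError(
            f"pool {pool} overlaps {overlapping_inside_networks(pool, inside_networks)}; "
            "pick a unique pool before adding NAT exemption"
        )
    lines = [
        f"access-list {acl_name} extended permit ip "
        f"{net.network_address} {net.netmask} "
        f"{pool.network_address} {pool.netmask}"
        for net in inside_networks
    ]
    lines.append(f"nat (inside) 0 access-list {acl_name}")
    return lines


if __name__ == "__main__":
    for pool in (CURRENT_POOL, PROPOSED_POOL):
        if pool_is_unique(pool, INSIDE_NETWORKS):
            print(f"{pool}: unique, NAT exemption:")
            print("\n".join(nat_exemption_lines(pool, INSIDE_NETWORKS)))
        else:
            print(f"{pool}: overlaps {overlapping_inside_networks(pool, INSIDE_NETWORKS)}")
```

Run it and the thread's own pool is reported as overlapping 10.198.0.0/20, while the assumed replacement pool yields the two exemption lines to paste into the ASA.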
09-06-2010 05:42 AM
"Are you trying to VPN using remote access vpn client, and 10.198.9.0/24 is the ip pool subnet assigned to client?"
Yes, that is correct, and everything works fine except Remote Assistance, so we don't want to change the IP pool. There has to be an easier way to allow Remote Assistance through the VPN? Both clients are in the inside network after all.
09-06-2010 05:56 AM
Are you able to telnet to port 3389 from the VPN? If you are able to telnet on port 3389, then it might be an MSS issue.
You can lower the MSS on the firewall with the "sysopt connection tcpmss 1300" command.
09-06-2010 11:42 PM
Hello
No, telnet is not going through over the VPN either.
09-08-2010 06:20 PM
Are you able to access anything through the VPN? Can you ping the remote desktop? Also, you might want to double-check whether the Windows firewall is enabled, as it might prevent inbound connections from a different subnet.
09-09-2010 01:44 AM
Hello
Yes, all services work through the VPN, for example the email client, network resources, intranet and so on. I can't ping the machine which is connected via VPN. The Windows firewall is not enabled, and of course I tested without any client firewall on.
How about the ASA firewall rules? I just can't figure out whether there are some rules which have to be created.
09-09-2010 05:16 AM
Can you please share the ASA config, and also which group policy you are using?
09-10-2010 05:30 AM
Hello
Config attached. I had to modify it a little bit, but I hope there is some useful information left.
There is only one group policy called companyvpn.
09-10-2010 05:51 AM
It looks like you have an access-group applied on your inside interface called "ACCESS-INSIDE-IN". Is this traffic permitted there? If not, please add it to the top of the list.
You should also collect some logs and captures to see what is happening to this traffic:
Capture on inside interface:
access-list cap permit ip host
access-list cap permit ip host
cap cap access-list cap interface inside
Capture on packets ASA drops:
cap asp type asp-drop all
Log Settings:
logging buffered debugging
logging buffer-size 1000000
clear cap cap
clear cap asp
clear log buff
show log | include
show log | include
show cap asp | include
show cap asp | include
show cap cap
Examine the logs and captures yourself and see if the connection is being built (i.e. do you see the whole SYN, SYN/ACK, ACK handshake?). If you see a SYN but no SYN/ACK in the capture on the inside interface, for example, you need to determine why the SYN/ACK is not making it to the ASA.
-heather
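The handshake check described in the post above, as an added example that is not part of the thread: a small parser for the tcpdump-style lines that `show cap cap` prints on the ASA, which groups packets into flows and reports how far each three-way handshake got. The capture text is constructed for illustration (an inside host retransmitting SYNs to a VPN client on 3389 with no answer, next to a VPN client completing a handshake to an inside host on 445); the addresses and ports are made up, and the line format is assumed to be the tcpdump-like form the ASA uses (`src.port > dst.port: flags ...`), with or without a leading 802.1Q/vlan prefix.

```python
import re
from collections import defaultdict

# Constructed sample of `show cap cap` output. Frames 1-3: inside host sends
# three SYNs toward a VPN client on 3389 and nothing comes back. Frames 4-6: a
# VPN client completes a handshake toward an inside host on 445.
SAMPLE_CAPTURE = """\
   1: 09:15:01.123456 10.198.1.25.49152 > 10.198.9.10.3389: S 1000:1000(0) win 8192 <mss 1460,nop,wscale 2>
   2: 09:15:04.123456 10.198.1.25.49152 > 10.198.9.10.3389: S 1000:1000(0) win 8192 <mss 1460>
   3: 09:15:10.123456 10.198.1.25.49152 > 10.198.9.10.3389: S 1000:1000(0) win 8192 <mss 1460>
   4: 09:16:00.000001 10.198.9.10.50000 > 10.198.1.25.445: S 5000:5000(0) win 65535 <mss 1300>
   5: 09:16:00.000500 10.198.1.25.445 > 10.198.9.10.50000: S 7000:7000(0) ack 5001 win 8192 <mss 1460>
   6: 09:16:00.001000 10.198.9.10.50000 > 10.198.1.25.445: . ack 7001 win 65535
"""

# src.port > dst.port: <flags> <rest>; searched, so any vlan/timestamp prefix is skipped.
PACKET_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ([SFRP.]+) ?(.*)$"
)
ACK_RE = re.compile(r"\back \d+")  # "ack <n>" in the remainder; does not match "sackOK"


def parse_packets(text):
    """Yield (src, sport, dst, dport, is_syn, has_ack) for each TCP line."""
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue  # non-TCP or unparseable line
        src, sport, dst, dport, flags, rest = m.groups()
        yield src, int(sport), dst, int(dport), "S" in flags, bool(ACK_RE.search(rest))


def handshake_report(text, server_port=None):
    """Classify each flow (client, cport, server, sport) by handshake progress.

    States: 'complete', 'no SYN/ACK after N SYN(s) ...', 'no ACK from client',
    or 'SYN/ACK without SYN (asymmetric capture)'. server_port limits the
    report to flows touching that port (e.g. 3389 for Remote Assistance/RDP).
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False})
    for src, sp, dst, dp, syn, ack in parse_packets(text):
        if server_port is not None and server_port not in (sp, dp):
            continue
        if syn and not ack:                      # client -> server SYN
            flows[(src, sp, dst, dp)]["syn"] += 1
        elif syn and ack:                        # server -> client SYN/ACK
            flows[(dst, dp, src, sp)]["synack"] = True
        elif ack and (src, sp, dst, dp) in flows:  # client -> server ACK/data
            flows[(src, sp, dst, dp)]["ack"] = True
    report = {}
    for key, st in flows.items():
        if st["syn"] == 0:
            report[key] = "SYN/ACK without SYN (asymmetric capture)"
        elif not st["synack"]:
            report[key] = (f"no SYN/ACK after {st['syn']} SYN(s): "
                           "reply never reached this interface")
        elif not st["ack"]:
            report[key] = "no ACK from client"
        else:
            report[key] = "complete"
    return report


if __name__ == "__main__":
    for (client, cport, server, sport), state in handshake_report(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:{sport}: {state}")
```

Paste the real `show cap cap` output into SAMPLE_CAPTURE (or read it from a file) and call `handshake_report(text, server_port=3389)`; a flow stuck at "no SYN/ACK" on the inside capture means the VPN client's reply is not arriving at the ASA, which is exactly the case the post says to chase next, whereas a flow absent from the inside capture but present in `show cap asp` points at the ASA dropping it.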
09-10-2010 05:52 AM
P.S. Please remember to rate the responses you get and mark the issue as resolved if the problem is fixed.
09-22-2010 06:09 AM
Hello
Thanks for all the help. It just started to be a little bit too hard. I'll try to find some solution.
Toni