RDP & vpn ipsec

Couillec
Level 1

ASA 5520 v7.0.8 - ASDM v5.0.9 - IPsec client v5.0.06.0160 - Windows 7

Telnet from 192.168.10.100 to port 3389 is OK from the client connected with the VPN. The RDP connection fails and the ASA says:

Through-the-device packet to/from management-only network is denied: tcp src management 192.168.10.3/3389 dst wan 192.168.10.100/53408

RDP on the LAN 192.168.10.0 is working but not through the VPN.

192.168.10.0 is not the management network. The management interface is 192.168.1.1 and is not connected to this network.

Bug or misconfiguration?

Thanks for your help.

Claude.


Jennifer Halim
Cisco Employee

Can you please share your ASA config?

Here is the configuration file:

: Saved
: Written by enable_15 at 16:35:17.413 CEST Sun Nov 28 2010
!
ASA Version 7.0(8)
!
hostname host.tld
domain-name ****
enable password ******************* encrypted
passwd *************** encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description Internet connection - Red
nameif wan
security-level 0
ip address w.x.y.z 255.255.255.224
!
interface GigabitEthernet0/1
description To Cryptosmart In - Red
nameif Lan10-100
security-level 0
ip address 10.100.0.254 255.255.255.0
!
interface GigabitEthernet0/2
description From Cryptosmart out - Green
nameif Lan10-10
security-level 0
ip address 10.10.0.254 255.255.255.0
!
interface GigabitEthernet0/3
nameif Lan192
security-level 0
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/3.1
description Ercom admin traffic
vlan 30
nameif Lan10-30
security-level 0
ip address 10.30.0.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
object-group service SCMDM tcp
description SCMDM traffic
port-object range 8530 8531
port-object eq https
port-object eq 8443
object-group service mSuite tcp
port-object eq 1700
object-group service Ercom tcp
description Ercom traffic
port-object eq 12080
port-object eq 12081
object-group service admErcom tcp
description Ercom admin traffic
port-object eq 5005
access-list Lan10-10_nat0_inbound extended permit ip host 10.10.0.51 host 172.30.11.20
access-list Lan10-10_nat0_inbound extended permit ip host 10.10.0.51 host 172.30.11.21
access-list Lan10-10_nat0_inbound extended permit ip host 10.10.0.51 host 172.30.11.22
access-list wan_cryptomap_20 extended permit ip host 10.10.0.51 host 172.30.11.20
access-list wan_cryptomap_20 extended permit ip host 10.10.0.51 host 172.30.11.21
access-list wan_cryptomap_20 extended permit ip host 10.10.0.51 host 172.30.11.22
access-list Lan10-10_nat0_outbound extended permit ip host 10.10.0.51 host 172.30.11.20
access-list Lan10-10_nat0_outbound extended permit ip host 10.10.0.51 host 172.30.11.21
access-list Lan10-10_nat0_outbound extended permit ip host 10.10.0.51 host 172.30.11.22
access-list Lan10-10_nat0_outbound extended permit ip interface Lan10-10 192.168.11.0 255.255.255.0
access-list wan_cryptomap_40 extended permit ip host 10.10.0.51 host 172.30.11.20
access-list wan_cryptomap_40 extended permit ip host 10.10.0.51 host 172.30.11.21
access-list wan_cryptomap_40 extended permit ip host 10.10.0.51 host 172.30.11.22
access-list wan_nat0_outbound extended permit ip host 0.0.0.0 interface Lan10-100 inactive
access-list wan_nat0_outbound extended permit ip host 0.0.0.0 host 10.100.0.4 inactive
access-list wan_nat0_outbound extended permit ip any 10.10.0.0 255.255.255.0
access-list wan_access_in extended permit tcp any any log interval 3
access-list wan_access_in extended permit tcp host 0.0.0.0 host a.b.c.d object-group Ercom log interval 3 inactive
access-list Lan192_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu wan 1500
mtu Lan10-100 1500
mtu Lan10-10 1500
mtu Lan192 1500
mtu Lan10-30 1500
mtu management 1500
ip local pool VpnAdmin2 192.168.10.100-192.168.10.110 mask 255.255.255.0
no failover
monitor-interface wan
monitor-interface Lan10-100
monitor-interface Lan10-10
monitor-interface Lan192
no monitor-interface Lan10-30
monitor-interface management
icmp permit any wan
icmp permit any Lan10-100
icmp permit any Lan10-10
icmp permit any Lan192
icmp permit any Lan10-30
asdm image disk0:/asdm-509.bin
asdm location 172.30.11.20 255.255.255.255 wan
asdm location 172.30.11.21 255.255.255.255 wan
asdm location 172.30.11.22 255.255.255.255 wan
asdm location 10.100.0.4 255.255.255.255 Lan10-100
no asdm history enable
arp timeout 14400
nat-control
global (wan) 87 interface
nat (Lan10-10) 0 access-list Lan10-10_nat0_outbound
nat (Lan10-10) 0 access-list Lan10-10_nat0_inbound outside
static (Lan10-100,wan) tcp interface 12080 10.100.0.4 12080 netmask 255.255.255.255
static (Lan10-100,wan) tcp interface 12081 10.100.0.4 12081 netmask 255.255.255.255
access-group wan_access_in in interface wan
access-group Lan192_access_in in interface Lan192
route wan 0.0.0.0 0.0.0.0 w.x.y.z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Clients internal
group-policy Clients attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wan_nat0_outbound
webvpn
username user1 password **************** encrypted privilege 15
username user1 attributes
vpn-group-policy Clients
webvpn
username user2 password **************** encrypted privilege 0
username user2 attributes
vpn-group-policy Clients
webvpn
username user3 password **************** encrypted privilege 0
username user3 attributes
vpn-group-policy Clients
webvpn
username user4 password **************** encrypted privilege 0
username user4 attributes
vpn-group-policy Clients
webvpn
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map wan_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map wan_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map wan_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map wan_map 20 match address wan_cryptomap_20
crypto map wan_map 20 set peer a.b.c.d
crypto map wan_map 20 set transform-set ESP-AES-128-SHA
crypto map wan_map 20 set security-association lifetime seconds 28800
crypto map wan_map 20 set security-association lifetime kilobytes 4608000
crypto map wan_map 40 match address wan_cryptomap_40
crypto map wan_map 40 set peer a.b.c.d
crypto map wan_map 40 set transform-set ESP-AES-128-SHA
crypto map wan_map 40 set security-association lifetime seconds 28800
crypto map wan_map 40 set security-association lifetime kilobytes 4608000
crypto map wan_map 65535 ipsec-isakmp dynamic wan_dyn_map
crypto map wan_map interface wan
isakmp enable wan
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key *****************************
tunnel-group Clients type ipsec-ra
tunnel-group Clients general-attributes
address-pool (Lan10-10) VpnAdmin2
address-pool VpnAdmin2
default-group-policy Clients
tunnel-group Clients ipsec-attributes
pre-shared-key *****************
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server management 192.168.1.17 /cfg
Cryptochecksum:7030c31325f4118e39aa023179af1c88
: end

Nobody?

Thanks

Hi Claude,

Looking at the original log:

Through-the-device packet to/from management-only network is denied: tcp src management 192.168.10.3/3389 dst wan 192.168.10.100/53408

it looks like the packet is coming in on the management interface instead of the Lan192 interface we have configured. That is the reason why it's not working.

I would suggest applying captures on the ASA on the management interface and the Lan192 interface, from and to the VPN client. Please follow the page below for that and paste the captures from both interfaces here:

https://supportforums.cisco.com/docs/DOC-1222

Thanks and Regards,

Prapanch
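Before taking captures, it is worth cross-checking the deny line against the addressing in the posted config. The script below is an added example, not code from the thread or from Cisco: it parses the `interface`/`nameif`/`ip address` stanzas and the `ip local pool` from a constructed excerpt of the config above, then reports, for each address in the syslog line, which configured interface subnet actually contains it versus the interface name the ASA logged, and lists any VPN pool whose range sits inside a data-interface subnet. The function names, the regular expressions and the excerpt are the example's own assumptions; the addresses and interface names are the ones from the thread. A pool address logged on `wan` is normal for a tunnelled client, so that line of output is context rather than an error; the points a practitioner would look at are the source attributed to a management-only interface outside its own subnet, and the pool VpnAdmin2 overlapping the Lan192 subnet.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (interfaces and pool only).
ASA_CONFIG = """\
interface GigabitEthernet0/0
nameif wan
security-level 0
ip address w.x.y.z 255.255.255.224
!
interface GigabitEthernet0/3
nameif Lan192
security-level 0
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/3.1
vlan 30
nameif Lan10-30
security-level 0
ip address 10.30.0.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ip local pool VpnAdmin2 192.168.10.100-192.168.10.110 mask 255.255.255.0
"""

# The syslog line from the thread (spelling normalised).
LOG_LINE = ("Through-the-device packet to/from management-only network is denied: "
            "tcp src management 192.168.10.3/3389 dst wan 192.168.10.100/53408")

LOG_RE = re.compile(r"src (?P<sif>\S+) (?P<sip>[\d.]+)/(?P<sport>\d+) "
                    r"dst (?P<dif>\S+) (?P<dip>[\d.]+)/(?P<dport>\d+)")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+) mask ([\d.]+)", re.M)


def parse_interfaces(config):
    """Map nameif -> {'network': IPv4Network or None, 'management_only': bool}."""
    interfaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"network": None, "management_only": False}
        elif cur is None:
            continue                      # outside an interface stanza
        elif line.startswith("nameif "):
            interfaces[line.split()[1]] = cur
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            try:
                cur["network"] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            except ValueError:            # redacted address such as w.x.y.z
                cur["network"] = None
        elif line == "management-only":
            cur["management_only"] = True
        elif line == "!":
            cur = None                    # end of stanza
    return interfaces


def parse_pools(config):
    """Map pool name -> (first address, last address)."""
    return {name: (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
            for name, first, last, _mask in POOL_RE.findall(config)}


def owning_interfaces(interfaces, ip):
    """Names of configured interfaces whose subnet contains ip."""
    ip = ipaddress.IPv4Address(ip)
    return sorted(n for n, i in interfaces.items() if i["network"] and ip in i["network"])


def check_log_line(line, interfaces):
    """Compare the interface names the ASA logged with the subnets that hold the addresses."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a through-the-device deny line")
    findings = []
    for role, ifname, ip in (("src", m["sif"], m["sip"]), ("dst", m["dif"], m["dip"])):
        owners = owning_interfaces(interfaces, ip)
        if ifname not in owners:
            where = ", ".join(owners) or "no configured interface subnet"
            findings.append(f"{role} {ip} logged on {ifname!r} but belongs to {where}")
            if interfaces.get(ifname, {}).get("management_only"):
                findings.append(f"{role} {ip} attributed to management-only {ifname!r} "
                                f"outside its subnet {interfaces[ifname]['network']}")
    return findings


def pool_overlaps(pools, interfaces):
    """(pool, interface, subnet) for every VPN pool that sits inside an interface subnet."""
    hits = []
    for pname, (first, last) in pools.items():
        for ifname, info in interfaces.items():
            net = info["network"]
            if net and (first in net or last in net):
                hits.append((pname, ifname, str(net)))
    return hits


if __name__ == "__main__":
    ifs = parse_interfaces(ASA_CONFIG)
    for f in check_log_line(LOG_LINE, ifs):
        print("finding:", f)
    for pool, ifname, net in pool_overlaps(parse_pools(ASA_CONFIG), ifs):
        print(f"pool {pool} overlaps interface {ifname} ({net})")
```

The check is deliberately limited to addressing consistency; it does not explain why the ASA classified the packet on `management`, which is what the captures Prapanch asks for would show.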
