Cisco Support Community

VPN connected but not able to take RDP through the tunnel

Hi,

A remote access VPN is configured on an ASA in one of my client's networks. The VPN establishes when I try to connect, but I cannot access the servers inside the network. The issue only shows when we try to connect from my office network. If I connect from my home, there are no issues. There is one Cisco ASA configured and placed in my office network. When I checked the log on the ASA I found the below log:

regular nat translation failed 50

Please advise me whether I should configure something in my office firewall to pass the VPN traffic.

 

Regards,

Ejaz

 

 

11 REPLIES

Ejaz,

can you try enabling NAT-T in your firewall?

 

Regards

Karthik

Hi karthikeyan,

Thank you for the reply.

Where should I enable NAT-T: in the firewall that is configured with the remote access VPN, or in my office firewall?

 

Regards,

Ejaz

Hi Ejaz,

You can enable that in your office firewall.... since your firewall is doing NAT/PAT for you.... you should enable there..... also try to enable inspect ipsec-pass-thru.

 

Regards

Karthik

Hi karthik,

I have tried both NAT-T and pass-thru but the issue still persists.

Regards,

Ejaz

Hi,

Have you allowed UDP ports 500, 4500 & ESP protocol in your firewall? Probably in a bi-directional way.....

What kind of NAT/PAT have you used for VPN traffic in your office firewall?

Regards

Karthik

Hi karthik,

 

I have enabled inspect ipsec-pass-thru with the following commands:

hostname(config)#access-list test-udp-acl extended permit udp any any eq 500
hostname(config)#class-map test-udp-class
hostname(config-cmap)#match access-list test-udp-acl
hostname(config)#policy-map test-udp-policy
hostname(config-pmap)#class test-udp-class
hostname(config-pmap-c)#inspect ipsec-pass-thru
hostname(config)#service-policy test-udp-policy interface outside

I have not allowed UDP ports 500, 4500 & ESP protocol in my office firewall.

Please note that the VPN is configured in my client's firewall, not in my office firewall. I am trying to access the VPN from my office to the client location. :)

Regards,

Ejaz

Hi,

 

You could have added inspect in global service policy itself.... i knew that ejaz.... what i was trying to say is..... generally if you have dynamic pat @ pass through firewall.... it can take care of tcp/udp traffic, but for esp it will not do translation....

 

but you are saying you have not allowed 500/4500 UDP ports & UDP @ office firewall.... in general the vpn client will use these ports for establishing the communication.... if you have used TCP based ipsec, then you may need to allow tcp 10000(if it is cisco)....

 

can you allow those ports in office firewall and check....

source -- office LAN & Source ports --- any

destination -- vpn server & destination ports --- udp 500/4500 & esp (50)

 

so you have inspect and NAT-T enabled @ office firewall & you have enabled NAT-T @ VPN firewall, right?

Regards

Karthik
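
The outbound permit list and global-policy inspection described in the reply above, written out as ASA configuration for the office (pass-through) firewall. This is an added example, not part of the original posts; the ACL name, the office LAN subnet and the VPN server address are constructed placeholders.

```cisco
! Added example. Constructed placeholders (assumptions, not from the thread):
!   10.10.10.0/24     office LAN behind the pass-through ASA
!   203.0.113.10      public address of the client-site VPN ASA
!   inside_access_in  hypothetical name of the ACL already applied
!                     inbound on the inside interface

! IKE negotiation (UDP 500)
access-list inside_access_in extended permit udp 10.10.10.0 255.255.255.0 host 203.0.113.10 eq isakmp
! NAT-T encapsulated IPsec (UDP 4500)
access-list inside_access_in extended permit udp 10.10.10.0 255.255.255.0 host 203.0.113.10 eq 4500
! Native ESP (IP protocol 50), used when NAT-T is not negotiated
access-list inside_access_in extended permit esp 10.10.10.0 255.255.255.0 host 203.0.113.10

! IPsec pass-through inspection in the global policy rather than in a
! separate per-interface policy matching only UDP 500
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

! Verification: hit counts on the new entries and the active inspections
show access-list inside_access_in
show service-policy
```

New entries are appended to the end of the ACL, so a broader deny earlier in the list still takes precedence; if the hit counts stay at zero while the client connects, the traffic is being matched by an earlier entry or is not reaching this interface.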

Hi Karthik,

I have allowed UDP ports 500, 4500 & ESP protocol in my office firewall but it didn't work.

 

Regards,

Ejaz

So you are using a client VPN, it connects fine (i.e. you can ping etc.) but you can't RDP? My bet would be MTU/packet fragmentation. I had a similar problem, this is how I fixed it:

Cannot Remote Desktop over VPN connection

 

Pete

Hi Pete,

Yes, I am using a client VPN. Not only RDP, actually nothing passes through the VPN tunnel.

Regards,

Ejaz

 

OK, as Karthik has pointed out, the problem is 'probably' NAT related.

Cisco VPN Client Connects but no traffic will Pass

If that's not the case, then make sure the subnet that the remote VPN clients are using is not getting 'routed' somewhere other than back out of the firewall.

Pete

 
