Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN + RDP is not working at some locations?

Greetings All,

I have an interesting situation:

Our Cisco VPN (ASA 5510) with RDP or windows file sharing works great in the United States.  However, when traveling to our other office in the Netherlands VPN connects, but I cannot RDP into servers/workstation or for that matter access the windows shares of the main office.

Thinking perhaps the ASA 5510 had a hiccup - I asked a co-worker to see if he could vpn in and access the network.  He was able to vpn and rdp into a server and access shares. He is located in the United States. 

Main Office (USA) internal IP Scheme: 10.10.0.x

Branch Office (Netherlands) internal IP Scheme 10.0.0.x

 

I have uninstalled/reinstalled my Cisco VPN client, freshly installed it on a workstation at the branch office at the Netherlands, tried connecting from the Hotel Network,  tried a sales person's laptop when they were passing through - all with the same result - can establish a vpn connection but cannot access the local network. – Yes, have tried connecting with the "Access Local Network" box is checked and unchecked in the vpn client ;-)    

 

Interestingly, I just asked that same Sales Person to try again in Germany - she was able to connect to VPN and access rdp and shares.  I was also able to connect to VPN and access rdp & shares at another hotel in the Netherlands.

Any idea what could be causing this?  Any guess on a solution?  Once a VPN tunnel is established - there should be no way to hinder any data flowing through it?

Thanks in advance!,

Bob

 

Everyone's tags (3)
5 REPLIES

Hi you're right all traffic

Hi you're right all traffic through the VPN tunnel should be encrypted and therefore not filtered by someone in the path. 

The only thing I can think is that the tunnel itself establishes using ESP protocol, but the actual traffic through the tunnel uses UDP port 500 (ISAKMP), if we're talking IPsec. 

So, perhaps the hotel is only allowing certain ports out and not UDP 500? 

Try to see if you can PING or any other TCP traffic through the VPN tunnel just to check if UDP 500 is allowed. 

Also you can check if the traffic from the hotel is reaching the ASA through the tunnel with the command "show crypto ipsec sa peer <>" Just change <> for your public IP. 

Hope it helps. 

 

 

New Member

Hello Coto.fusionet, Thanks

Hello Coto.fusionet,

 

Thanks for the quick reply!

Below is the running config on the ASA at the branch office (5505 I think) - If you don't mind can you look through and tell me if anything looks amiss?

 

# sh run

: Saved

:

ASA Version 8.4(1)

!

hostname ##############

domain-name #####.local

enable password ################## encrypted

passwd ################### encrypted

names

!

interface Vlan10

 nameif inside

 security-level 100

 ip address 10.0.0.1 255.255.255.0

!

interface Vlan20

 nameif outside

 security-level 0

 ip address ###.###.###.### 255.255.255.0

!

interface Ethernet0/0

 switchport access vlan 20

!

interface Ethernet0/1

 switchport access vlan 10

!            

interface Ethernet0/2

 switchport access vlan 10

!

interface Ethernet0/3

 switchport access vlan 10

!

interface Ethernet0/4

 switchport access vlan 10

!

interface Ethernet0/5

 switchport access vlan 10

!

interface Ethernet0/6

 switchport access vlan 10

!

interface Ethernet0/7

 switchport access vlan 10

!

boot system disk0:/asa841-k8.bin

ftp mode passive

dns server-group DefaultDNS

 domain-name #####.local

object network obj_any

 subnet 0.0.0.0 0.0.0.0

object network NET-LAN

 subnet 10.0.0.0 255.255.255.0

object network HOST-SBS

 host 10.0.0.2

object network NET-LAN-VPN

 subnet 10.0.1.0 255.255.255.0

object network HOST-SBS-01

 host 10.0.0.2

object network HOST-SBS-02

 host 10.0.0.2

object network HOST-SBS-03

 host 10.0.0.2

object network HOST-10.0.0.199

 host 10.0.0.199

 description Change 46182 2014-02-12 PinkElephant\SHepp

object-group network GRP-PRIVATE-RANGES

 network-object ###.###.0.0 255.255.0.0

 network-object ###.###.0.0 255.240.0.0

 network-object 10.0.0.0 255.0.0.0

object-group service GRP-LAN-TO-ALL

 service-object tcp destination eq https

 service-object tcp destination eq www

 service-object tcp destination eq 987

 service-object tcp destination eq 983

 service-object tcp destination eq citrix-ica

 service-object tcp destination eq 2598

 service-object tcp destination eq pop3

 service-object tcp destination eq 8443

 service-object tcp destination eq 2025

 service-object tcp destination eq 995

 service-object tcp destination eq 2525

 service-object tcp destination eq 465

 service-object tcp destination eq ssh

 service-object tcp destination eq ftp

 service-object tcp destination eq ftp-data

 service-object esp

 service-object ah

 service-object gre

 service-object udp destination eq isakmp

 service-object udp destination eq 4500

 service-object udp destination eq 10000

object-group service GRP-SBS-TO-ALL

 service-object tcp destination eq smtp

 service-object tcp destination eq 987

 service-object tcp destination eq 983

 service-object tcp destination eq https

 service-object tcp destination eq www

 service-object udp destination eq domain

 service-object tcp destination eq domain

 service-object tcp destination eq pop3

object-group service GRP-ANY-TO-SBS

 service-object tcp destination eq smtp

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object tcp destination eq pop3

access-list INSIDE-IN remark ### Deny LAN to Private subnets ###

access-list INSIDE-IN extended permit ip object NET-LAN object-group GRP-PRIVATE-RANGES

access-list INSIDE-IN remark ### PERMIT SBS to ANY ###

access-list INSIDE-IN extended permit object-group GRP-SBS-TO-ALL object HOST-SBS any

access-list INSIDE-IN remark ### PERMIT LAN to ANY ###

access-list INSIDE-IN extended permit object-group GRP-LAN-TO-ALL object NET-LAN any

access-list INSIDE-IN remark Deny any any

access-list INSIDE-IN extended deny ip any any

access-list OUTSIDE-IN remark PERMIT any TO SBS

access-list OUTSIDE-IN extended permit object-group GRP-ANY-TO-SBS any object HOST-SBS

access-list OUTSIDE-IN remark ### Permit tcp 7000 to host 10.0.0.199

access-list OUTSIDE-IN extended permit tcp any object HOST-10.0.0.199 eq 7000

access-list OUTSIDE-IN remark Deny any any

access-list OUTSIDE-IN extended deny ip any any

access-list TUNNEL-ACL remark Specify what trafic goes through VPN tunnel

access-list TUNNEL-ACL extended permit ip object NET-LAN object NET-LAN-VPN

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN-IP-POOL 10.0.1.1-10.0.1.254

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NET-LAN NET-LAN destination static NET-LAN-VPN NET-LAN-VPN

!

object network NET-LAN

 nat (inside,outside) dynamic interface

object network HOST-SBS

 nat (inside,outside) static interface service tcp smtp smtp

object network HOST-SBS-01

 nat (inside,outside) static interface service tcp www www

object network HOST-SBS-02

 nat (inside,outside) static interface service tcp https https

object network HOST-SBS-03

 nat (inside,outside) static interface service tcp pop3 pop3

object network HOST-10.0.0.199

 nat (inside,outside) static interface service tcp 7000 7000

access-group INSIDE-IN in interface inside

access-group OUTSIDE-IN in interface outside

route outside 0.0.0.0 0.0.0.0 ###.###.###.### 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS-LAN protocol radius

aaa-server RADIUS-LAN (inside) host 10.0.0.2

 timeout 5

 key *****

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable 8443

http ###.###.###.### 255.255.255.192 outside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set strong esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set extra-strong esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 99 set ikev1 transform-set extra-strong strong ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5

crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic dynmap

crypto map OUTSIDE_MAP interface outside

crypto isakmp identity address

crypto ikev1 enable outside

crypto ikev1 policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh 10.0.0.0 255.255.255.0 inside

ssh ###.###.###.### 255.255.255.192 outside

ssh timeout 30

ssh version 2

console timeout 0

 

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy VPN1000 internal

group-policy VPN1000 attributes

 wins-server value 10.0.0.2

 dns-server value 10.0.0.2

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value TUNNEL-ACL

 default-domain value #####.local

username cadmin password ############### encrypted privilege 15

tunnel-group VPN1000 type remote-access

tunnel-group VPN1000 general-attributes

 address-pool VPN-IP-POOL

 authentication-server-group RADIUS-LAN LOCAL

 default-group-policy VPN1000

tunnel-group VPN1000 ipsec-attributes

 ikev1 pre-shared-key *****

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map global_policy

 class inspection_default

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

  inspect icmp error

  inspect ftp

  inspect pptp

  inspect ipsec-pass-thru

!            

service-policy global_policy global

prompt hostname context

call-home

 profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:#####################

: end

 

 

Hi, I looked at the config.

Hi, I looked at the config. and based on the fact that you only have problems from one location remotely, I don't see problems with the ASA's configuration. 

What we can check on the ASA side, is what happens when you attempt to pass traffic from the hotel. You can do the following: 

sh cry ipsec sa peer IP (changing IP for your public IP) --> this will show if traffic is flowing bidirectionally from the hotel to the ASA via the tunnel. 

This will lead us to where the problem is most likely. 

New Member

Hello Coto.fusionet, The

Hello Coto.fusionet,

 

The config is from the ASA where we are having problems to connect - the Branch Office's ASA.

 

I am no longer at the branch office - but can vpn + rdp to their machines and perform connection tests 

 

Thanks again

Hi, is this tunnel

Hi, is this tunnel established between both ASAs right? 

In other words, a Site-to-Site tunnel between both locations, or are you using a VPN client software from behind the remote office's ASA? 

If it is a Site-to-Site tunnel, then on the remote office ASA you can check the tunnel is established with the command: sh cry ips sa, and also if it's both sending and receiving packets. 

If it's a client software behind the remote office ASA, only UDP 500 and ESP are required to be open, but we need to check the same commands mentioned before on the main office ASA. 

Hope it makes sense. 

 

 

675
Views
0
Helpful
5
Replies