VPN + RDP is not working at some locations?

Cisco_B0b
Level 1

Greetings All,

I have an interesting situation:

Our Cisco VPN (ASA 5510) with RDP or Windows file sharing works great in the United States. However, when traveling to our other office in the Netherlands, the VPN connects, but I cannot RDP into servers/workstations or, for that matter, access the Windows shares of the main office.

Thinking perhaps the ASA 5510 had a hiccup - I asked a co-worker to see if he could vpn in and access the network.  He was able to vpn and rdp into a server and access shares. He is located in the United States. 

Main Office (USA) internal IP Scheme: 10.10.0.x

Branch Office (Netherlands) internal IP Scheme 10.0.0.x

I have uninstalled/reinstalled my Cisco VPN client, freshly installed it on a workstation at the branch office in the Netherlands, tried connecting from the hotel network, tried a sales person's laptop when they were passing through - all with the same result - can establish a VPN connection but cannot access the local network. – Yes, I have tried connecting with the "Access Local Network" box both checked and unchecked in the VPN client ;-)

Interestingly, I just asked that same Sales Person to try again in Germany - she was able to connect to VPN and access rdp and shares.  I was also able to connect to VPN and access rdp & shares at another hotel in the Netherlands.

Any idea what could be causing this?  Any guess on a solution?  Once a VPN tunnel is established - there should be no way to hinder any data flowing through it?

Thanks in advance!

Bob

5 Replies

Hi, you're right, all traffic through the VPN tunnel should be encrypted and therefore not filtered by someone in the path.

The only thing I can think is that the tunnel itself establishes using ESP protocol, but the actual traffic through the tunnel uses UDP port 500 (ISAKMP), if we're talking IPsec. 

So, perhaps the hotel is only allowing certain ports out and not UDP 500? 

Try to see if you can PING or send any other TCP traffic through the VPN tunnel, just to check if UDP 500 is allowed.

Also, you can check if the traffic from the hotel is reaching the ASA through the tunnel with the command "show crypto ipsec sa peer <>". Just change <> to your public IP.

Hope it helps. 

Hello Coto.fusionet,

Thanks for the quick reply!

Below is the running config on the ASA at the branch office (a 5505, I think). If you don't mind, can you look through it and tell me if anything looks amiss?

# sh run
: Saved
:
ASA Version 8.4(1)
!
hostname ##############
domain-name #####.local
enable password ################## encrypted
passwd ################### encrypted
names
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address ###.###.###.### 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name #####.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NET-LAN
 subnet 10.0.0.0 255.255.255.0
object network HOST-SBS
 host 10.0.0.2
object network NET-LAN-VPN
 subnet 10.0.1.0 255.255.255.0
object network HOST-SBS-01
 host 10.0.0.2
object network HOST-SBS-02
 host 10.0.0.2
object network HOST-SBS-03
 host 10.0.0.2
object network HOST-10.0.0.199
 host 10.0.0.199
 description Change 46182 2014-02-12 PinkElephant\SHepp
object-group network GRP-PRIVATE-RANGES
 network-object ###.###.0.0 255.255.0.0
 network-object ###.###.0.0 255.240.0.0
 network-object 10.0.0.0 255.0.0.0
object-group service GRP-LAN-TO-ALL
 service-object tcp destination eq https
 service-object tcp destination eq www
 service-object tcp destination eq 987
 service-object tcp destination eq 983
 service-object tcp destination eq citrix-ica
 service-object tcp destination eq 2598
 service-object tcp destination eq pop3
 service-object tcp destination eq 8443
 service-object tcp destination eq 2025
 service-object tcp destination eq 995
 service-object tcp destination eq 2525
 service-object tcp destination eq 465
 service-object tcp destination eq ssh
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object esp
 service-object ah
 service-object gre
 service-object udp destination eq isakmp
 service-object udp destination eq 4500
 service-object udp destination eq 10000
object-group service GRP-SBS-TO-ALL
 service-object tcp destination eq smtp
 service-object tcp destination eq 987
 service-object tcp destination eq 983
 service-object tcp destination eq https
 service-object tcp destination eq www
 service-object udp destination eq domain
 service-object tcp destination eq domain
 service-object tcp destination eq pop3
object-group service GRP-ANY-TO-SBS
 service-object tcp destination eq smtp
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq pop3
access-list INSIDE-IN remark ### Deny LAN to Private subnets ###
access-list INSIDE-IN extended permit ip object NET-LAN object-group GRP-PRIVATE-RANGES
access-list INSIDE-IN remark ### PERMIT SBS to ANY ###
access-list INSIDE-IN extended permit object-group GRP-SBS-TO-ALL object HOST-SBS any
access-list INSIDE-IN remark ### PERMIT LAN to ANY ###
access-list INSIDE-IN extended permit object-group GRP-LAN-TO-ALL object NET-LAN any
access-list INSIDE-IN remark Deny any any
access-list INSIDE-IN extended deny ip any any
access-list OUTSIDE-IN remark PERMIT any TO SBS
access-list OUTSIDE-IN extended permit object-group GRP-ANY-TO-SBS any object HOST-SBS
access-list OUTSIDE-IN remark ### Permit tcp 7000 to host 10.0.0.199
access-list OUTSIDE-IN extended permit tcp any object HOST-10.0.0.199 eq 7000
access-list OUTSIDE-IN remark Deny any any
access-list OUTSIDE-IN extended deny ip any any
access-list TUNNEL-ACL remark Specify what trafic goes through VPN tunnel
access-list TUNNEL-ACL extended permit ip object NET-LAN object NET-LAN-VPN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-IP-POOL 10.0.1.1-10.0.1.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NET-LAN NET-LAN destination static NET-LAN-VPN NET-LAN-VPN
!
object network NET-LAN
 nat (inside,outside) dynamic interface
object network HOST-SBS
 nat (inside,outside) static interface service tcp smtp smtp
object network HOST-SBS-01
 nat (inside,outside) static interface service tcp www www
object network HOST-SBS-02
 nat (inside,outside) static interface service tcp https https
object network HOST-SBS-03
 nat (inside,outside) static interface service tcp pop3 pop3
object network HOST-10.0.0.199
 nat (inside,outside) static interface service tcp 7000 7000
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 ###.###.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS-LAN protocol radius
aaa-server RADIUS-LAN (inside) host 10.0.0.2
 timeout 5
 key *****
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable 8443
http ###.###.###.### 255.255.255.192 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set strong esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set extra-strong esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 99 set ikev1 transform-set extra-strong strong ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic dynmap
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh ###.###.###.### 255.255.255.192 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN1000 internal
group-policy VPN1000 attributes
 wins-server value 10.0.0.2
 dns-server value 10.0.0.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TUNNEL-ACL
 default-domain value #####.local
username cadmin password ############### encrypted privilege 15
tunnel-group VPN1000 type remote-access
tunnel-group VPN1000 general-attributes
 address-pool VPN-IP-POOL
 authentication-server-group RADIUS-LAN LOCAL
 default-group-policy VPN1000
tunnel-group VPN1000 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect ftp
  inspect pptp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:#####################
: end

Hi, I looked at the config, and based on the fact that you only have problems remotely from one location, I don't see problems with the ASA's configuration.

What we can check on the ASA side, is what happens when you attempt to pass traffic from the hotel. You can do the following: 

sh cry ipsec sa peer IP (replacing IP with your public IP) --> this will show if traffic is flowing bidirectionally from the hotel to the ASA via the tunnel.

This will lead us to where the problem is most likely. 
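The counter check recommended in this reply and in the first one above, as an added example that is not part of the thread: a small Python parser that reads the #pkts encaps / #pkts decaps counters and the remote endpoint port from "show crypto ipsec sa peer" output and reports whether the SA carries traffic both ways, one way, or not at all. The sample output is constructed (documentation addresses, trimmed to the fields read here) and the field labels are assumed to match the ASA's output as shown in this thread's command names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "show crypto ipsec sa peer <ip>" output, trimmed to the
# lines this check reads; addresses are documentation ranges, not the thread's.
SAMPLE_SA = """\
peer address: 203.0.113.5
      dynamic allocated peer ip: 10.0.1.7
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 312, #pkts decrypt: 312, #pkts verify: 312
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 198.51.100.1/4500, remote crypto endpt.: 203.0.113.5/4500
"""

@dataclass
class SaStatus:
    peer: str
    assigned_ip: str
    encaps: int   # packets the ASA encrypted and sent toward the client
    decaps: int   # packets received from the client and decrypted
    nat_t: bool   # True when the SA runs over UDP 4500 (NAT traversal)
    verdict: str

def _int(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0

def parse_ipsec_sa(text: str) -> Optional[SaStatus]:
    """Classify one peer's SA by its encaps/decaps counters."""
    peer = re.search(r"^peer address:\s*(\S+)", text, re.M)
    if not peer:
        return None  # no SA at all: phase 2 never completed for this peer
    assigned = re.search(r"dynamic allocated peer ip:\s*(\S+)", text)
    encaps = _int(r"#pkts encaps:\s*(\d+)", text)
    decaps = _int(r"#pkts decaps:\s*(\d+)", text)
    remote_port = _int(r"remote crypto endpt\.:\s*\S+/(\d+)", text)
    if encaps and decaps:
        verdict = "bidirectional"
    elif decaps:
        verdict = "one-way: client packets arrive, nothing is sent back"
    elif encaps:
        verdict = "one-way: ASA sends, nothing arrives from the client"
    else:
        verdict = "idle: SA is up but carries no traffic"
    return SaStatus(peer.group(1), assigned.group(1) if assigned else "",
                    encaps, decaps, remote_port == 4500, verdict)
```

A decaps-only result means the ASA is decrypting what the client sends but is not encrypting any replies, which points the investigation at the inside of the ASA rather than at the path from the hotel.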

Hello Coto.fusionet,

The config is from the ASA where we are having problems to connect - the Branch Office's ASA.

I am no longer at the branch office - but I can VPN + RDP to their machines and perform connection tests.

Thanks again

Hi, this tunnel is established between both ASAs, right?

In other words, a Site-to-Site tunnel between both locations, or are you using a VPN client software from behind the remote office's ASA? 

If it is a Site-to-Site tunnel, then on the remote office ASA you can check that the tunnel is established with the command sh cry ips sa, and also whether it's both sending and receiving packets.

If it's a client software behind the remote office ASA, only UDP 500 and ESP are required to be open, but we need to check the same commands mentioned before on the main office ASA. 

Hope it makes sense.