Cisco Support Community

New Member

Weird thing going on with ASA and RDP through filtered VPN

Hello,

I'm hoping to get some support over here, as I'm clearly out of options.

I have 3 ASAs: two 5505s and one 5510.

All of them are connected over the internet by VPN.

One 5505 is on my premises and I use the VPN to service the other 2 locations that belong to the same customer. Clearly I want to filter the VPN going to the other locations as well as traffic coming from them.

The strange thing is: if I put an IP any any on the filter ACL I can use RDP; the moment I enforce the filter where I enable TCP/3389, I get an error that the server cannot be found.

In the logging I see the packet hitting the ACL:

<167>:Jul 05 21:13:19 CEDT: %ASA-session-7-106102: access-list VPN_Filter permitted tcp for user '<unknown>' User-Lan/192.168.1.87(58603) -> XS4ALL/172.31.2.12(3389) hit-cnt 1 first hit [0xbe2548e2, 0x0]

<166>:Jul 05 21:13:19 CEDT: %ASA-session-6-302013: Built outbound TCP connection 43436 for XS4ALL:172.31.2.12/3389 (172.31.2.12/3389) to User-Lan:192.168.1.87/58603 (192.168.1.87/58603)

VPN Filter:

access-list VPN_Filter extended permit ip any any log debugging inactive

access-list VPN_Filter extended permit object RDP object-group DM_INLINE_NETWORK_8 object Lan-Pat

access-list VPN_Filter extended permit udp object-group DM_INLINE_NETWORK_4 object Lan-Pat eq tftp

access-list VPN_Filter extended permit icmp object-group DM_INLINE_NETWORK_1 object Lan-Pat log debugging

access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_3 object Lan-Pat eq www

access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_5 object Lan-Pat eq https

access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_6 object Lan-Pat object-group DM_INLINE_TCP_1

access-list VPN_Filter extended deny ip any any log debugging

Any help will be greatly appreciated!

6 REPLIES
VIP Purple

Re: Weird thing going on with ASA and RDP through filtered VPN

The vpn-filter uses a different syntax than a regular ACL. It is:

permit/deny PROTOCOL REMOTE-IP eq REMOTE-PORT LOCAL-IP eq LOCAL-PORT

So if you want to allow RDP from your side to the customer, your VPN-Filter has to be the following:

access-list VPN_Filter extended permit tcp host CUSTOMER-IP eq 3389 host YOUR-IP

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: Weird thing going on with ASA and RDP through filtered VPN

Hello Karsten,

Thank you for your post.

This line:

access-list VPN_Filter extended permit object RDP object-group DM_INLINE_NETWORK_8 object Lan-Pat

handles the RDP, as DM_INLINE_NETWORK_8 is the client side and Lan-Pat is my local side.

Do you have any other thoughts on what could cause the problem?

Thanks

VIP Purple

Re: Weird thing going on with ASA and RDP through filtered VPN

Please clarify where the RDP server is and where the RDP client is. And post the relevant lines from "show access-list VPN_Filter" and not from "sh run ...".

New Member

Re: Weird thing going on with ASA and RDP through filtered VPN

Hello Karsten,

These are the requested lines.

192.168.1.x/24 is my local LAN.

I want to make an RDP session from my PC (192.168.1.x) to a server on the customer LAN, for example 172.31.2.x.

access-list VPN_Filter line 2 extended permit object RDP object-group DM_INLINE_NETWORK_8 object Lan-Pat 0x7a06853d

  access-list VPN_Filter line 2 extended permit tcp 192.168.5.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0x6dbbab46

  access-list VPN_Filter line 2 extended permit tcp 172.31.2.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0x4fede2a3

  access-list VPN_Filter line 2 extended permit tcp 10.255.2.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0xf63149ed

  access-list VPN_Filter line 2 extended permit tcp 192.168.0.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0xf6c544e9

VIP Purple (Accepted Solution)

Re: Weird thing going on with ASA and RDP through filtered VPN

If you do an RDP session from your PC to the customer, then port TCP/3389 is used on the customer side and not on your side. So your ACL has to be the following:

access-list VPN_Filter extended permit tcp 172.31.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0

Remember: In a VPN-Filter the syntax is source=remote, destination=local. The port 3389 is on the remote end.

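The two replies above (the generic REMOTE-IP / LOCAL-IP syntax and the corrected RDP entry) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small evaluator for ASA vpn-filter entries that parses the expanded `show access-list` form (the `A.B.C.D MASK [eq P|range X Y]` form posted above, not `object`/`object-group` references, which it rejects because the object definitions are not on the page) and applies the rule Karsten states: ACE source is the remote end, ACE destination is the local end, and for a flow leaving the local side the ASA matches with source and destination swapped. Both ACEs fed to it are taken from the thread; the flow is the one in the poster's syslog line (192.168.1.87:58603 -> 172.31.2.12:3389). Port-name lookups and the implicit deny at the end of the list are my assumptions about a minimal model, not a full ASA implementation.

```python
"""Minimal model of Cisco ASA vpn-filter ACE matching (added example).

Rule being modelled (from the thread): the ACE is written remote -> local.
For a connection initiated on the local side the ASA swaps the packet's
source and destination before matching it against the ACE.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (1, 65535)
# Assumed name table for the few named ports seen in the posted ACL.
PORT_NAMES = {"www": 80, "https": 443, "tftp": 69}


@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp", "ip"
    remote: ipaddress.IPv4Network     # ACE source  = remote (tunnel) side
    remote_ports: PortRange
    local: ipaddress.IPv4Network      # ACE destination = local side
    local_ports: PortRange


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_host(tokens: List[str], i: int):
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tok in ("object", "object-group"):
        raise ValueError("object references need 'show access-list' expansion")
    # "A.B.C.D MASK" pair; IPv4Network accepts a dotted netmask after "/"
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}"), i + 2


def _parse_ports(tokens: List[str], i: int):
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return ANY_PORT, i


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [line N] extended ...' entry.

    Trailing tokens such as 'log debugging', '(hitcnt=0)' and the hash are
    ignored; an entry marked 'inactive' is refused so it cannot match.
    """
    tokens = line.split()
    if "inactive" in tokens:
        raise ValueError("inactive ACE is not evaluated")
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    remote, i = _parse_host(tokens, i + 2)
    rports, i = _parse_ports(tokens, i)
    local, i = _parse_host(tokens, i)
    lports, i = _parse_ports(tokens, i)
    return Ace(action, proto, remote, rports, local, lports)


def flow_permitted(acl: List[Ace], proto: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int, outbound: bool) -> bool:
    """First-match evaluation with an implicit deny at the end.

    outbound=True means the packet leaves the local LAN towards the tunnel,
    so the ACE 'remote' fields are compared against the packet destination.
    """
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if outbound:
            r_ip, r_port, l_ip, l_port = dst_ip, dst_port, src_ip, src_port
        else:
            r_ip, r_port, l_ip, l_port = src_ip, src_port, dst_ip, dst_port
        if (ipaddress.IPv4Address(r_ip) in ace.remote
                and ace.remote_ports[0] <= r_port <= ace.remote_ports[1]
                and ipaddress.IPv4Address(l_ip) in ace.local
                and ace.local_ports[0] <= l_port <= ace.local_ports[1]):
            return ace.action == "permit"
    return False


# The poster's expanded entry (port 3389 on the LOCAL side) and the fix.
BROKEN = parse_ace("access-list VPN_Filter line 2 extended permit tcp 172.31.2.0 "
                   "255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 "
                   "(hitcnt=0) 0x4fede2a3")
FIXED = parse_ace("access-list VPN_Filter extended permit tcp 172.31.2.0 "
                  "255.255.255.0 eq 3389 192.168.1.0 255.255.255.0")


def rdp_from_local(acl: List[Ace]) -> bool:
    """The flow in the syslog: local client 192.168.1.87:58603 -> 172.31.2.12:3389."""
    return flow_permitted(acl, "tcp", "192.168.1.87", 58603, "172.31.2.12", 3389, True)


def rdp_from_remote(acl: List[Ace]) -> bool:
    """What the original entry really allows: a remote host reaching RDP on the local LAN."""
    return flow_permitted(acl, "tcp", "172.31.2.12", 50000, "192.168.1.87", 3389, False)


if __name__ == "__main__":
    print("original entry, my PC -> customer RDP:", rdp_from_local([BROKEN]))
    print("corrected entry, my PC -> customer RDP:", rdp_from_local([FIXED]))
    print("original entry, customer -> RDP on my LAN:", rdp_from_remote([BROKEN]))
```

Running it shows the two sides of the mistake: the original entry never matches the outbound session (the client's ephemeral port is compared against `eq 3389` on the local side), while it does permit a remote host to open RDP towards the local LAN, which is the opposite of what was intended. The corrected entry matches the outbound session and no longer opens the local side.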
New Member

Re: Weird thing going on with ASA and RDP through filtered VPN

Thanks mate,

that did the trick!
