Velocity Reviews - Computer Hardware Reviews

RDP inoperable through VPN (ASA5505/3640)

 
 
bmccall
Junior Member
Join Date: Mar 2008
Posts: 2
03-03-2008
For starters, I am a n00b that is new to networking. These setups are strictly what I have taught myself and learned along the way. If you see any practice I should not be following or that is unreasonable, feel free to voice your opinion.

I am having a problem with my current VPN setup. Below I will post the clean configurations of both tunnel endpoints. (endpoints are the ASA and a 3640)

Problem: VPN is functional. I can SSH to all boxes on the network and ping all hosts. I cannot RDP to my 2k3 server. I currently allow access from school to the desktop on the network behind the ASA.

Troubleshooting: Viewing informational logs of the connection buildup/teardown process shows the connection being built for TCP/3389 to the host. Wireshark view of both ends shows SYN packets being disseminated from my machine to the server with the ASA generating the encrypted packet. No SYN packet is observed at the 2k3 server. I am able to PING the 2k3 server.

Any help/ideas with troubleshooting would be greatly appreciated.

ASA Config:

sh run
: Saved
:
ASA Version 7.2(2)
!
hostname asa
enable password XXXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address dhcp
!
interface Vlan100
nameif inside
security-level 100
ip address 172.30.12.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 100
duplex full
!
interface Ethernet0/2
switchport access vlan 100
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 20
!
interface Ethernet0/6
switchport access vlan 20
!
interface Ethernet0/7
switchport access vlan 20
!
passwd XXXXXXXXXXXX encrypted
ftp mode passive
access-list ALLOW-NAT extended permit ip 172.30.12.0 255.255.255.0 any
access-list INT-ACL extended permit ip any any
access-list EXT-ACL extended permit esp host 24.xxx.xxx.xxx host 72.23.xxx.xxx
access-list EXT-ACL extended permit tcp host 24.xxx.xxx.xxx eq 500 host 72.23.xxx.xxx
access-list EXT-ACL remark Allow RDP from skewl
access-list EXT-ACL extended permit tcp host 72.23.xxx.xxx gt 1023 host 72.23.xxx.xxx eq 3389
access-list TUNNEL-ACL extended permit ip 172.30.12.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list TUNNEL-ACL extended permit ip 172.30.12.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list TUNNEL-ACL extended permit ip 172.30.12.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list TUNNEL-ACL extended permit ip 10.0.0.0 255.0.0.0 172.30.12.0 255.255.255.0
access-list TUNNEL-ACL extended permit ip 172.16.0.0 255.255.0.0 172.30.12.0 255.255.255.0
access-list TUNNEL-ACL extended permit ip 192.168.0.0 255.255.0.0 172.30.12.0 255.255.255.0
access-list NO-NAT extended permit ip 172.30.12.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NO-NAT extended permit ip 172.30.12.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NO-NAT extended permit ip 172.30.12.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging console notifications
logging trap informational
logging host inside 172.16.210.30
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 access-list ALLOW-NAT
static (inside,outside) tcp interface 3389 172.30.12.2 3389 netmask 255.255.255.255
access-group EXT-ACL in interface outside
access-group INT-ACL in interface inside
route outside 0.0.0.0 0.0.0.0 72.23.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username bmccall password XXXXXXXXXXX encrypted
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TUNNEL-TO-BELOW esp-aes esp-md5-hmac
crypto map TUNNEL-TO-BELOW 1 match address TUNNEL-ACL
crypto map TUNNEL-TO-BELOW 1 set peer 24.xxx.xxx.xxx
crypto map TUNNEL-TO-BELOW 1 set transform-set TUNNEL-TO-BELOW
crypto map TUNNEL-TO-BELOW interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 24.xxx.xxx.xxx type ipsec-l2l
tunnel-group 24.xxx.xxx.xxx general-attributes
tunnel-group 24.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 72.xxx.xxx.xxx 255.255.255.255 outside
ssh 172.30.12.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd dns 172.16.210.30
dhcpd lease 129600
!
dhcpd address 172.30.12.2-172.30.12.12 inside
dhcpd dns 172.16.210.30 interface inside
dhcpd domain fortitude4.com interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 192.43.244.18
prompt hostname context
Cryptochecksum:XXXXXXXXXXX

I will post a follow-up of the 3640 config and ASA debugging as I have exceeded the char limit...


Any input from anyone is more than valuable!!! I thank everyone for their views in advance!!!
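The troubleshooting step in this post relies on the ASA's connection build/teardown messages (syslog IDs 302013 and 302014). The following is an added example, not the poster's code or anything from the thread: a small Python correlator that pairs each Built message with its Teardown by connection id and flags TCP connections that ended in a SYN Timeout with zero bytes, i.e. a SYN that left the ASA and got nothing back. The log lines embedded in it are constructed for the demo and modelled on the message format quoted in this thread; the private addresses reuse the thread's ranges and 24.0.0.1 stands in for the masked public peer address.

```python
"""Correlate ASA connection build/teardown syslog messages (IDs 302013/302014)
and flag TCP connections that never completed the three-way handshake.

Added example, not from the thread.  SAMPLE_LOG is constructed for the demo and
modelled on the message format shown in the thread."""
import re
from collections import Counter

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([^)]*\) "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for .*? "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Constructed sample: two RDP attempts that time out, one SSH session that completes,
# and an unrelated IKE DPD line that the correlator must ignore.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 23361 for outside:172.16.101.50/3389 (172.16.101.50/3389) to inside:172.30.12.2/4021 (172.30.12.2/4021)
%ASA-6-302013: Built outbound TCP connection 23362 for outside:172.16.210.30/22 (172.16.210.30/22) to inside:172.30.12.2/4022 (172.30.12.2/4022)
%ASA-7-715036: Group = 24.0.0.1, IP = 24.0.0.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7455)
%ASA-6-302014: Teardown TCP connection 23361 for outside:172.16.101.50/3389 to inside:172.30.12.2/4021 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 23363 for outside:172.16.101.50/3389 (172.16.101.50/3389) to inside:172.30.12.2/4023 (172.30.12.2/4023)
%ASA-6-302014: Teardown TCP connection 23362 for outside:172.16.210.30/22 to inside:172.30.12.2/4022 duration 0:04:12 bytes 18342 TCP FINs
%ASA-6-302014: Teardown TCP connection 23363 for outside:172.16.101.50/3389 to inside:172.30.12.2/4023 duration 0:00:30 bytes 0 SYN Timeout
"""


def correlate(lines):
    """Pair each Built message with its Teardown by connection id.
    Returns {cid: record}; a record without a teardown keeps reason=None."""
    conns = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            side_a = f'{d["ip_a"]}:{d["port_a"]}'  # lower-security ("for") side
            side_b = f'{d["ip_b"]}:{d["port_b"]}'  # higher-security ("to") side
            # "outbound" means the higher-security side opened the connection.
            if d["direction"] == "outbound":
                client, server = side_b, side_a
            else:
                client, server = side_a, side_b
            conns[d["cid"]] = {"direction": d["direction"], "client": client,
                               "server": server, "duration": None,
                               "bytes": None, "reason": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            rec = conns.setdefault(d["cid"], {"direction": None, "client": None,
                                              "server": None})
            rec.update(duration=d["duration"], bytes=int(d["bytes"]),
                       reason=d["reason"].strip())
    return conns


def failed_handshakes(conns):
    """Connections torn down by SYN Timeout with zero bytes: SYN sent, no SYN-ACK."""
    return [(cid, r["client"], r["server"]) for cid, r in sorted(conns.items())
            if r.get("reason") == "SYN Timeout" and r.get("bytes") == 0]


def syn_timeouts_by_server(conns):
    """Count SYN Timeouts per destination so a single failing path stands out."""
    return Counter(r["server"] for r in conns.values()
                   if r.get("reason") == "SYN Timeout")


def analyze(text=SAMPLE_LOG):
    conns = correlate(text.splitlines())
    return conns, failed_handshakes(conns), syn_timeouts_by_server(conns)


if __name__ == "__main__":
    conns, failed, per_server = analyze()
    for cid, client, server in failed:
        print(f"conn {cid}: {client} -> {server} never received a SYN-ACK")
    print(dict(per_server))
```

Feed it `show logging` output or the syslog stream the ASA sends to its logging host. A cluster of SYN Timeouts against one server:port while other services on the same remote network complete normally points at that particular path (the host, an access list in front of it, or the return route) rather than at the tunnel as a whole, which is the distinction the poster is trying to draw.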
 
bmccall
Junior Member
Join Date: Mar 2008
Posts: 2
03-03-2008
3640 Config: (followed by ASA debugging)

Building configuration...

Current configuration : 27028 bytes
!
! Last configuration change at 17:14:57 UTC Mon Mar 3 2008 by bmccall
! NVRAM config last updated at 17:16:28 UTC Mon Mar 3 2008 by bmccall
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nsx
!
boot-start-marker
boot-end-marker
!
enable secret XXXXXXXXXXXXXXXXXXX
aaa new-model
aaa authentication login default local
aaa session-id common
ip cef
ip domain name fortitude4.com
username bmccall privilege 15 password 7 XXXXXXXXXXXXXXXXXXX
ip ssh time-out 90
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 10000
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXXXXXXX address 24.154.178.82 no-xauth
crypto isakmp key XXXXXXXXXXXXXXXXXXX address 72.23.128.192
crypto isakmp peer address 24.xxx.xxx.xxx
description TUNNEL-TO-J2K
crypto isakmp peer address 72.23.xxx.xxx
description TUNNEL-TO-UPSTAIRS
crypto ipsec transform-set iax-transform-set esp-3des esp-md5-hmac
crypto ipsec transform-set upstairs-set esp-aes esp-md5-hmac
crypto map iax-map 10 ipsec-isakmp
set peer 24.xxx.xxx.xxx
set transform-set iax-transform-set
match address TUNNEL-ACL
crypto map iax-map 20 ipsec-isakmp
set peer 72.23.xxx.xx
set transform-set upstairs-set
match address UPSTAIRS-TUNNEL-ACL
interface Multilink1
ip address 192.168.165.40 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
ppp multilink
ppp multilink group 1
interface Ethernet0/0
description *- public DHCP assigned -*
ip address dhcp
ip access-group EXT-ACL in
ip nat outside
ip nat enable
ip virtual-reassembly
half-duplex
no cdp enable
crypto map iax-map
interface FastEthernet1/0
description *- trunk to 2950 -*
no ip address
duplex auto
speed auto
interface FastEthernet1/0.10
encapsulation dot1Q 10
ip address 192.168.0.1 255.255.255.0
interface FastEthernet1/0.50
encapsulation dot1Q 50
ip address 10.10.12.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
interface FastEthernet1/0.254
encapsulation dot1Q 1 native
ip address 172.16.210.254 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
interface TokenRing1/0
no ip address
shutdown
ring-speed 16
interface Serial2/0
description *- bonded T1 to 2611 _*
bandwidth 10000000
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
interface Serial2/1
description *- bonced T1 to 2611 -*
bandwidth 10000000
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
interface Ethernet3/0
description *-int to test network-*
ip address 172.16.101.254 255.255.255.0
ip access-group TEST-NET-ACL in
ip nat inside
ip nat enable
ip virtual-reassembly
full-duplex
interface Serial3/0
no ip address
shutdown
interface BRI3/0
no ip address
encapsulation hdlc
shutdown
router bgp 55355
bgp log-neighbor-changes
neighbor 192.168.165.10 remote-as 55355
address-family ipv4
neighbor 192.168.165.10 activate
no auto-summary
no synchronization
network 0.0.0.0
network 10.10.12.0 mask 255.255.255.0
network 24.0.0.0
network 24.xxx.xxx.0 mask 255.255.255.0
network 172.16.210.0 mask 255.255.255.0
network 192.168.0.0
exit-address-family
no ip http server
no ip http secure-server
ip forward-protocol nd
ip nat inside source list NAT-ACL interface Ethernet0/0 overload
ip nat inside source static tcp 10.0.30.2 25 24.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 10.0.30.2 80 24.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 172.16.210.201 3389 24.xxx.xxx.xxx 3389 extendable
ip nat inside source static tcp 172.16.101.50 3389 24.xxx.xxx.xxx 3390 extendable
ip nat inside source static tcp 172.16.210.201 39194 24.xxx.xxx.xxx 39194 extendable
ip access-list extended EXT-ACL
permit esp host 24.xxx.xxx.xxx host 24.xxx.xxx.xxx
permit esp host 72.23.xxx.xxx host 24.xxx.xxx.xxx
permit tcp host 72.23.xxx.xxx host 24.xxx.xxx.xxx eq 3390
permit tcp host 71.61.xxx.xxx host 24.xxx.xxx.xxx eq 3390
permit tcp any host 24.xxx.xxx.xxx eq www
permit tcp any host 24.xxx.xx.xxx established
permit udp any host 24.xxx.xxx.xx
deny ip any any
ip access-list extended NAT-ACL
deny ip 192.168.41.0 0.0.0.255 10.20.9.0 0.0.0.255
deny ip any 172.30.12.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended TEST-NET-ACL
deny tcp any eq 22 host 172.16.101.254 log
permit ip any any
ip access-list extended TUNNEL-ACL
permit ip 10.20.9.0 0.0.0.255 192.168.41.0 0.0.0.255
permit ip 192.168.41.0 0.0.0.255 10.20.9.0 0.0.0.255
ip access-list extended UPSTAIRS-TUNNEL-ACL
permit ip 172.16.0.0 0.0.255.255 172.30.12.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 172.30.12.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 172.30.12.0 0.0.0.255
permit ip 172.30.12.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 172.30.12.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.30.12.0 0.0.0.255 192.168.0.0 0.0.255.255
logging trap debugging
logging 172.16.210.30
control-plane
line con 0
password 7 XXXXXXXXXXXXXXXXXXX
line aux 0
line vty 0 4
transport input ssh
ntp clock-period 17179758
ntp source Ethernet0/0
ntp peer 192.43.244.18
end

This is the ESP transaction. (ASA logging 7)

%ASA-6-302013: Built outbound TCP connection 23361 for outside:172.16.101.50/3389 (172.16.101.50/3389) to inside:172.30.12.2/4021 (172.30.12.2/4021)
%ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7455)
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
%ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=3dd88677) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=ff3858df) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing hash payload
%ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing notify payload
%ASA-7-715075: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x300a7455)
%ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7456)
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
%ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=c79c9e7f) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=5e68ead with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing hash payload
%ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing notify payload
%ASA-7-715075: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x300a7456)
%ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7457)
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
%ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=35dcaf1c) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=23ade74) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing hash payload
%ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing notify payload
%ASA-7-715075: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x300a7457)
%ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a745
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
%ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
%ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=dc2f6cf with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
%ASA-6-302014: Teardown TCP connection 23361 for outside:172.16.101.50/3389 to inside:172.30.12.2/4021 duration 0:00:30 bytes 0 SYN Timeout
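The two crypto ACLs posted in this thread (TUNNEL-ACL on the ASA, UPSTAIRS-TUNNEL-ACL on the 3640) are meant to be mirror images, and the log above shows the flow 172.30.12.2:4021 -> 172.16.101.50:3389 timing out while SSH to the same remote networks works. The following is an added example, not the poster's code: it loads both ACLs (ASA subnet-mask syntax and IOS wildcard-mask syntax), checks whether a flow and its reverse are both selected for encryption, and then applies the 3640's `ip nat inside source static tcp ... extendable` entries to the return flow before re-checking, because IOS translates inside-to-outside traffic before it consults the crypto map and static entries are not filtered by the NAT-ACL's deny lines. The masked public address 24.xxx.xxx.xxx is replaced by the placeholder 24.0.0.1. The check shows that the SYN-ACK from 172.16.101.50:3389 would leave the router with a translated source that no longer matches the crypto ACL; it does not account for the poster's report that no SYN is seen at the server, so it is one thing to rule out, not a complete diagnosis.

```python
"""Check whether a flow is covered symmetrically by two IPsec peers' crypto ACLs,
and whether an IOS static PAT entry rewrites the return flow before the crypto
map is evaluated (IOS performs inside-to-outside NAT before the crypto check).

Added example, not from the thread.  ACL and NAT entries are copied from the
two configs posted in this thread; the poster's masked public address
24.xxx.xxx.xxx is replaced by the placeholder 24.0.0.1."""
import ipaddress
from dataclasses import dataclass

ROUTER_PUBLIC = "24.0.0.1"  # placeholder for the masked 24.xxx.xxx.xxx


def asa_net(addr, netmask):
    """ASA access-list entries use ordinary subnet masks."""
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def ios_net(addr, wildcard):
    """IOS access-list entries use wildcard (inverted) masks: 0 bits must match."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


def acl_permits(acl, flow):
    """All entries here are 'permit ip', so only source/destination networks matter."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


# ASA: access-list TUNNEL-ACL extended permit ip <src> <mask> <dst> <mask>
# (the three ASA-to-router entries; the reverse entries are implied by the mirror check)
ASA_TUNNEL_ACL = [
    (asa_net("172.30.12.0", "255.255.255.0"), asa_net("10.0.0.0", "255.0.0.0")),
    (asa_net("172.30.12.0", "255.255.255.0"), asa_net("172.16.0.0", "255.255.0.0")),
    (asa_net("172.30.12.0", "255.255.255.0"), asa_net("192.168.0.0", "255.255.0.0")),
]
# 3640: ip access-list extended UPSTAIRS-TUNNEL-ACL (router-to-ASA direction)
IOS_UPSTAIRS_TUNNEL_ACL = [
    (ios_net("172.16.0.0", "0.0.255.255"), ios_net("172.30.12.0", "0.0.0.255")),
    (ios_net("10.0.0.0", "0.255.255.255"), ios_net("172.30.12.0", "0.0.0.255")),
    (ios_net("192.168.0.0", "0.0.255.255"), ios_net("172.30.12.0", "0.0.0.255")),
]
# 3640: ip nat inside source static tcp <local> <lport> <global> <gport> extendable
IOS_STATIC_PAT = {
    ("172.16.210.201", 3389): (ROUTER_PUBLIC, 3389),
    ("172.16.101.50", 3389): (ROUTER_PUBLIC, 3390),
    ("172.16.210.201", 39194): (ROUTER_PUBLIC, 39194),
}


def ios_inside_to_outside_nat(flow):
    """Static PAT matches on the inside host:port and is not subject to NAT-ACL."""
    hit = IOS_STATIC_PAT.get((flow.src, flow.sport))
    if hit is None:
        return flow
    g_addr, g_port = hit
    return Flow(g_addr, g_port, flow.dst, flow.dport)


def check_flow(flow):
    """Forward flow is ASA -> router; the return flow is evaluated as the router sees it."""
    ret = flow.reverse()
    translated = ios_inside_to_outside_nat(ret)
    return {
        "asa_encrypts_forward": acl_permits(ASA_TUNNEL_ACL, flow),
        "ios_acl_mirrors_return": acl_permits(IOS_UPSTAIRS_TUNNEL_ACL, ret),
        "return_source_after_nat": f"{translated.src}:{translated.sport}",
        "ios_encrypts_return": acl_permits(IOS_UPSTAIRS_TUNNEL_ACL, translated),
    }


if __name__ == "__main__":
    for name, f in [("RDP", Flow("172.30.12.2", 4021, "172.16.101.50", 3389)),
                    ("SSH", Flow("172.30.12.2", 4022, "172.16.210.30", 22))]:
        print(name, check_flow(f))
```

The ASA side does not have the same exposure: on ASA 7.x the `nat (inside) 0 access-list NO-NAT` exemption is evaluated before `static` translations, so the desktop's traffic toward 172.16.0.0/16 keeps its real address when the crypto map is consulted. On IOS the usual fix is to exclude tunnel-bound traffic from the static translation with a route-map, or to verify with `show crypto ipsec sa` that the encaps/decaps counters for the relevant proxy identities move in both directions.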
 