RDP inoperable through VPN (ASA5505/3640)

Discussion in 'Cisco' started by bmccall, Mar 3, 2008.

    For starters, I am a n00b who is new to networking. These setups are strictly what I have taught myself and learned along the way. If you see any practice I should not be following or that is unreasonable, feel free to voice your opinion.

    I am having a problem with my current VPN setup. Below I will post the clean configurations of both tunnel endpoints (the endpoints are the ASA and a 3640).

    Problem: The VPN is functional. I can SSH to all boxes on the network and ping all hosts. I cannot RDP to my 2k3 server. I currently allow access from school to the desktop on the network behind the ASA.

    Troubleshooting: Viewing informational logs of the connection build-up/teardown process shows the connection being built for TCP/3389 to the host. A Wireshark view of both ends shows SYN packets being disseminated from my machine to the server, with the ASA generating the encrypted packet. No SYN packet is observed at the 2k3 server. I am able to PING the 2k3 server.

    Any help/ideas with troubleshooting would be greatly appreciated.

    ASA Config:

    sh run
    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname asa
    enable password XXXXXXXXXXXX encrypted
    names
    !
    interface Vlan1
    nameif outside
    security-level 0
    ip address dhcp
    !
    interface Vlan100
    nameif inside
    security-level 100
    ip address 172.30.12.1 255.255.255.0
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    switchport access vlan 100
    duplex full
    !
    interface Ethernet0/2
    switchport access vlan 100
    !
    interface Ethernet0/3
    switchport access vlan 100
    !
    interface Ethernet0/4
    switchport access vlan 100
    !
    interface Ethernet0/5
    switchport access vlan 20
    !
    interface Ethernet0/6
    switchport access vlan 20
    !
    interface Ethernet0/7
    switchport access vlan 20
    !
    passwd XXXXXXXXXXXX encrypted
    ftp mode passive
    access-list ALLOW-NAT extended permit ip 172.30.12.0 255.255.255.0 any
    access-list INT-ACL extended permit ip any any
    access-list EXT-ACL extended permit esp host 24.xxx.xxx.xxx host 72.23.xxx.xxx
    access-list EXT-ACL extended permit tcp host 24.xxx.xxx.xxx eq 500 host 72.23.xxx.xxx
    access-list EXT-ACL remark Allow RDP from skewl
    access-list EXT-ACL extended permit tcp host 72.23.xxx.xxx gt 1023 host 72.23.xxx.xxx eq 3389
    access-list TUNNEL-ACL extended permit ip 172.30.12.0 255.255.255.0 10.0.0.0 255.0.0.0
    access-list TUNNEL-ACL extended permit ip 172.30.12.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list TUNNEL-ACL extended permit ip 172.30.12.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list TUNNEL-ACL extended permit ip 10.0.0.0 255.0.0.0 172.30.12.0 255.255.255.0
    access-list TUNNEL-ACL extended permit ip 172.16.0.0 255.255.0.0 172.30.12.0 255.255.255.0
    access-list TUNNEL-ACL extended permit ip 192.168.0.0 255.255.0.0 172.30.12.0 255.255.255.0
    access-list NO-NAT extended permit ip 172.30.12.0 255.255.255.0 172.16.0.0 255.255.0.0
    access-list NO-NAT extended permit ip 172.30.12.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list NO-NAT extended permit ip 172.30.12.0 255.255.255.0 10.0.0.0 255.0.0.0
    pager lines 24
    logging enable
    logging console notifications
    logging trap informational
    logging host inside 172.16.210.30
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NO-NAT
    nat (inside) 1 access-list ALLOW-NAT
    static (inside,outside) tcp interface 3389 172.30.12.2 3389 netmask 255.255.255.255
    access-group EXT-ACL in interface outside
    access-group INT-ACL in interface inside
    route outside 0.0.0.0 0.0.0.0 72.23.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    username bmccall password XXXXXXXXXXX encrypted
    aaa authentication ssh console LOCAL
    aaa local authentication attempts max-fail 3
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TUNNEL-TO-BELOW esp-aes esp-md5-hmac
    crypto map TUNNEL-TO-BELOW 1 match address TUNNEL-ACL
    crypto map TUNNEL-TO-BELOW 1 set peer 24.xxx.xxx.xxx
    crypto map TUNNEL-TO-BELOW 1 set transform-set TUNNEL-TO-BELOW
    crypto map TUNNEL-TO-BELOW interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    tunnel-group 24.xxx.xxx.xxx type ipsec-l2l
    tunnel-group 24.xxx.xxx.xxx general-attributes
    tunnel-group 24.xxx.xxx.xxx ipsec-attributes
    pre-shared-key *
    telnet timeout 5
    ssh 72.xxx.xxx.xxx 255.255.255.255 outside
    ssh 172.30.12.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    management-access inside
    dhcpd dns 172.16.210.30
    dhcpd lease 129600
    !
    dhcpd address 172.30.12.2-172.30.12.12 inside
    dhcpd dns 172.16.210.30 interface inside
    dhcpd domain fortitude4.com interface inside
    dhcpd enable inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    ntp server 192.43.244.18
    prompt hostname context
    Cryptochecksum:XXXXXXXXXXX

    I will post a follow up of the 3640 config and ASA debugging as I have exceeded the char limit...


    Any input from anyone is more than valuable!!! I thank everyone for their views in advance!!!
    bmccall, Mar 3, 2008
    #1
    Follow-up as promised....

    3640 Config: (followed by ASA debugging)

    Building configuration...

    Current configuration : 27028 bytes
    !
    ! Last configuration change at 17:14:57 UTC Mon Mar 3 2008 by bmccall
    ! NVRAM config last updated at 17:16:28 UTC Mon Mar 3 2008 by bmccall
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname nsx
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret XXXXXXXXXXXXXXXXXXX
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    ip cef
    ip domain name fortitude4.com
    username bmccall privilege 15 password 7 XXXXXXXXXXXXXXXXXXX
    ip ssh time-out 90
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 10000
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXXXXXXXXXXXXXX address 24.154.178.82 no-xauth
    crypto isakmp key XXXXXXXXXXXXXXXXXXX address 72.23.128.192
    crypto isakmp peer address 24.xxx.xxx.xxx
    description TUNNEL-TO-J2K
    crypto isakmp peer address 72.23.xxx.xxx
    description TUNNEL-TO-UPSTAIRS
    crypto ipsec transform-set iax-transform-set esp-3des esp-md5-hmac
    crypto ipsec transform-set upstairs-set esp-aes esp-md5-hmac
    crypto map iax-map 10 ipsec-isakmp
    set peer 24.xxx.xxx.xxx
    set transform-set iax-transform-set
    match address TUNNEL-ACL
    crypto map iax-map 20 ipsec-isakmp
    set peer 72.23.xxx.xx
    set transform-set upstairs-set
    match address UPSTAIRS-TUNNEL-ACL
    interface Multilink1
    ip address 192.168.165.40 255.255.255.0
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    ppp multilink
    ppp multilink group 1
    interface Ethernet0/0
    description *- public DHCP assigned -*
    ip address dhcp
    ip access-group EXT-ACL in
    ip nat outside
    ip nat enable
    ip virtual-reassembly
    half-duplex
    no cdp enable
    crypto map iax-map
    interface FastEthernet1/0
    description *- trunk to 2950 -*
    no ip address
    duplex auto
    speed auto
    interface FastEthernet1/0.10
    encapsulation dot1Q 10
    ip address 192.168.0.1 255.255.255.0
    interface FastEthernet1/0.50
    encapsulation dot1Q 50
    ip address 10.10.12.1 255.255.255.0
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    interface FastEthernet1/0.254
    encapsulation dot1Q 1 native
    ip address 172.16.210.254 255.255.255.0
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    interface TokenRing1/0
    no ip address
    shutdown
    ring-speed 16
    interface Serial2/0
    description *- bonded T1 to 2611 -*
    bandwidth 10000000
    no ip address
    encapsulation ppp
    ppp multilink
    ppp multilink group 1
    interface Serial2/1
    description *- bonded T1 to 2611 -*
    bandwidth 10000000
    no ip address
    encapsulation ppp
    ppp multilink
    ppp multilink group 1
    interface Ethernet3/0
    description *-int to test network-*
    ip address 172.16.101.254 255.255.255.0
    ip access-group TEST-NET-ACL in
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    full-duplex
    interface Serial3/0
    no ip address
    shutdown
    interface BRI3/0
    no ip address
    encapsulation hdlc
    shutdown
    router bgp 55355
    bgp log-neighbor-changes
    neighbor 192.168.165.10 remote-as 55355
    address-family ipv4
    neighbor 192.168.165.10 activate
    no auto-summary
    no synchronization
    network 0.0.0.0
    network 10.10.12.0 mask 255.255.255.0
    network 24.0.0.0
    network 24.xxx.xxx.0 mask 255.255.255.0
    network 172.16.210.0 mask 255.255.255.0
    network 192.168.0.0
    exit-address-family
    no ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip nat inside source list NAT-ACL interface Ethernet0/0 overload
    ip nat inside source static tcp 10.0.30.2 25 24.xxx.xxx.xxx 25 extendable
    ip nat inside source static tcp 10.0.30.2 80 24.xxx.xxx.xxx 80 extendable
    ip nat inside source static tcp 172.16.210.201 3389 24.xxx.xxx.xxx 3389 extendable
    ip nat inside source static tcp 172.16.101.50 3389 24.xxx.xxx.xxx 3390 extendable
    ip nat inside source static tcp 172.16.210.201 39194 24.xxx.xxx.xxx 39194 extendable
    ip access-list extended EXT-ACL
    permit esp host 24.xxx.xxx.xxx host 24.xxx.xxx.xxx
    permit esp host 72.23.xxx.xxx host 24.xxx.xxx.xxx
    permit tcp host 72.23.xxx.xxx host 24.xxx.xxx.xxx eq 3390
    permit tcp host 71.61.xxx.xxx host 24.xxx.xxx.xxx eq 3390
    permit tcp any host 24.xxx.xxx.xxx eq www
    permit tcp any host 24.xxx.xx.xxx established
    permit udp any host 24.xxx.xxx.xx
    deny ip any any
    ip access-list extended NAT-ACL
    deny ip 192.168.41.0 0.0.0.255 10.20.9.0 0.0.0.255
    deny ip any 172.30.12.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 any
    permit ip 10.0.0.0 0.255.255.255 any
    permit ip 172.16.0.0 0.0.255.255 any
    ip access-list extended TEST-NET-ACL
    deny tcp any eq 22 host 172.16.101.254 log
    permit ip any any
    ip access-list extended TUNNEL-ACL
    permit ip 10.20.9.0 0.0.0.255 192.168.41.0 0.0.0.255
    permit ip 192.168.41.0 0.0.0.255 10.20.9.0 0.0.0.255
    ip access-list extended UPSTAIRS-TUNNEL-ACL
    permit ip 172.16.0.0 0.0.255.255 172.30.12.0 0.0.0.255
    permit ip 10.0.0.0 0.255.255.255 172.30.12.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 172.30.12.0 0.0.0.255
    permit ip 172.30.12.0 0.0.0.255 172.16.0.0 0.0.255.255
    permit ip 172.30.12.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 172.30.12.0 0.0.0.255 192.168.0.0 0.0.255.255
    logging trap debugging
    logging 172.16.210.30
    control-plane
    line con 0
    password 7 XXXXXXXXXXXXXXXXXXX
    line aux 0
    line vty 0 4
    transport input ssh
    ntp clock-period 17179758
    ntp source Ethernet0/0
    ntp peer 192.43.244.18
    end

    This is the ESP transaction (ASA logging 7):

    %ASA-6-302013: Built outbound TCP connection 23361 for outside:172.16.101.50/3389 (172.16.101.50/3389) to inside:172.30.12.2/4021 (172.30.12.2/4021)
    %ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7455)
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
    %ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=3dd88677) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=ff3858df) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing hash payload
    %ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing notify payload
    %ASA-7-715075: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x300a7455)
    %ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7456)
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
    %ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=c79c9e7f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=5e68ead8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing hash payload
    %ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing notify payload
    %ASA-7-715075: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x300a7456)
    %ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7457)
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
    %ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=35dcaf1c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=23ade74) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing hash payload
    %ASA-7-715047: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, processing notify payload
    %ASA-7-715075: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x300a7457)
    %ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7458)
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing blank hash payload
    %ASA-7-715046: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, constructing qm hash payload
    %ASA-7-713236: IP = 24.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=dc2f6cf8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-6-302014: Teardown TCP connection 23361 for outside:172.16.101.50/3389 to inside:172.30.12.2/4021 duration 0:00:30 bytes 0 SYN Timeout
    bmccall, Mar 3, 2008
    #2
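The two %ASA-6-302013 / %ASA-6-302014 lines that bracket the debug output above are the ones that actually describe the failure, and the direction of a 302013 line is easy to misread. The parser below is an added example written for this page, not code from the thread; it pairs build and teardown lines by connection id, works out which side sent the SYN, and flags teardowns with reason "SYN Timeout" and zero bytes, i.e. connections for which the ASA never saw a SYN-ACK come back. The sample log is constructed: the 23361 pair is copied from the post, and the SSH connection 23362 is invented so that a healthy teardown sits next to the failed one. Read against the post, it says the desktop 172.30.12.2 behind the ASA sent SYNs to 172.16.101.50:3389 for 30 seconds and nothing came back.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: connection 23361 is the pair from the thread; connection 23362
# (an SSH session) is made up so a normal "TCP FINs" teardown appears for contrast.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 23361 for outside:172.16.101.50/3389 (172.16.101.50/3389) to inside:172.30.12.2/4021 (172.30.12.2/4021)
%ASA-7-715036: Group = 24.xxx.xxx.xxx, IP = 24.xxx.xxx.xxx, Sending keep-alive of type DPD R-U-THERE (seq number 0x300a7455)
%ASA-6-302013: Built outbound TCP connection 23362 for outside:172.16.101.50/22 (172.16.101.50/22) to inside:172.30.12.2/4022 (172.30.12.2/4022)
%ASA-6-302014: Teardown TCP connection 23362 for outside:172.16.101.50/22 to inside:172.30.12.2/4022 duration 0:05:12 bytes 48213 TCP FINs
%ASA-6-302014: Teardown TCP connection 23361 for outside:172.16.101.50/3389 to inside:172.30.12.2/4021 duration 0:00:30 bytes 0 SYN Timeout
"""

# "iface:ip/port" endpoint; the group-name prefix is filled in with str.format below.
ENDPOINT = r"(?P<{n}if>\w+):(?P<{n}ip>[\d.]+)/(?P<{n}port>\d+)"
BUILT = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(n="a") + r" \([\d.]+/\d+\) to "
    + ENDPOINT.format(n="b") + r" \([\d.]+/\d+\)")
TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for " + ENDPOINT.format(n="a")
    + r" to " + ENDPOINT.format(n="b")
    + r" duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$")


@dataclass
class Conn:
    conn_id: int
    initiator: str            # "iface:ip/port" of the side that sent the SYN
    responder: str
    duration_s: Optional[int] = None
    byte_count: Optional[int] = None
    reason: Optional[str] = None

    @property
    def handshake_failed(self) -> bool:
        """SYN Timeout with zero bytes: no SYN-ACK ever came back through the ASA."""
        return self.reason == "SYN Timeout" and self.byte_count == 0


def _seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def analyze(log_text: str) -> List[Conn]:
    """Pair 302013 build lines with 302014 teardown lines by connection id."""
    conns: Dict[int, Conn] = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            lower = f"{m['aif']}:{m['aip']}/{m['aport']}"   # the "for" side
            higher = f"{m['bif']}:{m['bip']}/{m['bport']}"  # the "to" side
            # In this log format the lower-security interface is listed first in both
            # directions; the direction keyword says which side initiated. In the
            # thread's line, "outbound ... to inside:172.30.12.2/4021" is the desktop's SYN.
            initiator, responder = (higher, lower) if m["dir"] == "outbound" else (lower, higher)
            conns[int(m["id"])] = Conn(int(m["id"]), initiator, responder)
            continue
        m = TEARDOWN.search(line)
        if m:
            cid = int(m["id"])
            conn = conns.setdefault(cid, Conn(cid, "unknown", "unknown"))  # build line missing
            conn.duration_s = _seconds(m["dur"])
            conn.byte_count = int(m["bytes"])
            conn.reason = m["reason"]
    return list(conns.values())


def failed_handshakes(log_text: str) -> List[Conn]:
    return [c for c in analyze(log_text) if c.handshake_failed]


if __name__ == "__main__":
    for c in failed_handshakes(SAMPLE_LOG):
        print(f"conn {c.conn_id}: {c.initiator} -> {c.responder} never completed the "
              f"handshake ({c.reason} after {c.duration_s}s, {c.byte_count} bytes)")
```

Run it on the sample and it reports only connection 23361. Fed the full syslog from the ASA (logging trap informational is enough; the 7xxxxx IKE lines are ignored), a run of zero-byte SYN Timeouts toward one destination port, while other ports to the same host close normally, narrows the fault to something port-specific on the far side rather than the tunnel itself.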
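A caveat worth checking against the posted 3640 config, given as an added example and not as part of the thread: on IOS the inside-to-outside order of operations applies NAT before the crypto map is consulted, and the static entry `ip nat inside source static tcp 172.16.101.50 3389 24.xxx.xxx.xxx 3390 extendable` is not governed by the `deny ip any 172.30.12.0 0.0.0.255` line in NAT-ACL, which only qualifies the dynamic overload rule. A SYN-ACK from 172.16.101.50:3389 toward the VPN subnet would therefore leave the router with its source rewritten to the public address and port 3390, no longer match UPSTAIRS-TUNNEL-ACL, and go out in the clear, while ICMP and every other TCP port from the same host are untouched and get encrypted. That is one documented way to end up with exactly the "SYN Timeout ... bytes 0" teardown in the log, although it does not by itself explain why no SYN is seen on the server. The ASA, by contrast, consults NAT exemption (nat 0 access-list) before any static, so the equivalent port-forward for 172.30.12.2 on the ASA does not have this problem. The model below was written for this page in Python to make the two orders of operations concrete; it is not the thread's or Cisco's code. Assumptions: RFC 5737 addresses stand in for the redacted public IPs, ACL entries use prefix lengths instead of wildcard or net masks, only single-port statics are modelled, the overload source port is arbitrary, and `only_if` stands in for IOS's route-map qualifier on a NAT entry (the mechanism for excluding VPN traffic from a translation; check the exact syntax your release accepts for port-based static entries).

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Stand-ins (assumed, RFC 5737 space) for the public addresses redacted in the thread.
NSX_PUBLIC = "203.0.113.1"   # the 3640's Ethernet0/0, "24.xxx.xxx.xxx" in the post
ASA_PUBLIC = "198.51.100.1"  # the ASA's outside interface

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    permit: bool
    src_net: str   # prefix notation here instead of IOS wildcards / ASA netmasks
    dst_net: str

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First match wins, implicit deny at the end, as on both platforms."""
    for ace in acl:
        if (ip_address(pkt.src) in ip_network(ace.src_net)
                and ip_address(pkt.dst) in ip_network(ace.dst_net)):
            return ace.permit
    return False

@dataclass(frozen=True)
class StaticPat:
    """Port-based static translation local_ip:local_port <-> global_ip:global_port."""
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    only_if: Optional[List[Ace]] = None  # route-map style qualifier (IOS); None = unconditional

def apply_statics(statics: List[StaticPat], pkt: Packet) -> Optional[Packet]:
    """Source-translate pkt by the first applicable static entry, or return None."""
    for s in statics:
        if pkt.src == s.local_ip and pkt.sport == s.local_port:
            if s.only_if is None or acl_permits(s.only_if, pkt):
                return replace(pkt, src=s.global_ip, sport=s.global_port)
    return None

def ios_inside_to_outside(pkt: Packet, statics: List[StaticPat], nat_acl: List[Ace],
                          overload_ip: str, crypto_acl: List[Ace]) -> Tuple[Packet, bool]:
    """IOS inside->outside: NAT runs first, then the crypto map ACL decides encryption."""
    out = apply_statics(statics, pkt)
    if out is None:  # no static hit: dynamic overload applies only if its ACL permits
        out = replace(pkt, src=overload_ip, sport=1024) if acl_permits(nat_acl, pkt) else pkt
    return out, acl_permits(crypto_acl, out)

def asa_inside_to_outside(pkt: Packet, nat0_acl: List[Ace], statics: List[StaticPat],
                          crypto_acl: List[Ace]) -> Tuple[Packet, bool]:
    """ASA 7.x: NAT exemption (nat 0 access-list) is consulted before any static."""
    out = pkt if acl_permits(nat0_acl, pkt) else (apply_statics(statics, pkt) or pkt)
    return out, acl_permits(crypto_acl, out)

# 3640 ("nsx") policy, reduced to the posted lines that matter for this flow.
NSX_CRYPTO_ACL = [Ace(True, "172.16.0.0/16", "172.30.12.0/24"),   # UPSTAIRS-TUNNEL-ACL
                  Ace(True, "10.0.0.0/8", "172.30.12.0/24"),
                  Ace(True, "192.168.0.0/16", "172.30.12.0/24")]
NSX_NAT_ACL = [Ace(False, "0.0.0.0/0", "172.30.12.0/24"),         # NAT-ACL
               Ace(True, "172.16.0.0/16", "0.0.0.0/0")]
RDP_STATIC_AS_POSTED = StaticPat("172.16.101.50", 3389, NSX_PUBLIC, 3390)
# The same entry qualified so it never fires for VPN-bound traffic (constructed fix).
NO_VPN = [Ace(False, "0.0.0.0/0", "172.30.12.0/24"), Ace(True, "0.0.0.0/0", "0.0.0.0/0")]
RDP_STATIC_QUALIFIED = StaticPat("172.16.101.50", 3389, NSX_PUBLIC, 3390, only_if=NO_VPN)

# ASA policy, likewise reduced (one line each of NO-NAT and TUNNEL-ACL).
ASA_NAT0 = [Ace(True, "172.30.12.0/24", "172.16.0.0/16")]
ASA_CRYPTO_ACL = [Ace(True, "172.30.12.0/24", "172.16.0.0/16")]
ASA_RDP_STATIC = StaticPat("172.30.12.2", 3389, ASA_PUBLIC, 3389)

# The flow from the thread's log: desktop 172.30.12.2:4021 -> server 172.16.101.50:3389.
SYN = Packet("172.30.12.2", 4021, "172.16.101.50", 3389)
SYN_ACK = Packet("172.16.101.50", 3389, "172.30.12.2", 4021)

def forward_path() -> Tuple[Packet, bool]:
    """The SYN leaving the ASA: exempt from NAT, matched by TUNNEL-ACL, encrypted."""
    return asa_inside_to_outside(SYN, ASA_NAT0, [ASA_RDP_STATIC], ASA_CRYPTO_ACL)

def return_path(pkt: Packet, rdp_static: StaticPat) -> Tuple[Packet, bool]:
    """A reply leaving the 3640 under a given form of the RDP static entry."""
    return ios_inside_to_outside(pkt, [rdp_static], NSX_NAT_ACL, NSX_PUBLIC, NSX_CRYPTO_ACL)

if __name__ == "__main__":
    print("ASA, SYN out            :", forward_path())
    print("3640, SYN-ACK, as posted:", return_path(SYN_ACK, RDP_STATIC_AS_POSTED))
    print("3640, SYN-ACK, qualified:", return_path(SYN_ACK, RDP_STATIC_QUALIFIED))
```

Run as a script, the first and third lines show the packet unchanged and encrypted, while the second shows the SYN-ACK leaving with source 203.0.113.1:3390 and the crypto ACL not matching. Every other reply from 172.16.101.50 (SSH, ICMP) skips the static and is encrypted, which is why the poster's SSH and ping tests pass while RDP alone fails. On the real router, `show ip nat translations` during an RDP attempt and a capture on the outside interface for cleartext TCP with source port 3390 would confirm or rule this out.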
