
CISCO ASA RDP question

#1 ·
Hi there. I am trying to RDP from my (VPN) guest network (192.168.1.1/24) to my inside network (172.16.1.1/24) but I am having trouble doing so.

From my guest network I am able to ping 172.16.1.1 but I can't ping 172.16.1.xx

Any suggestions?
 
#4 ·
Hi Mitch!

Thank you!

access-list cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list DMZ_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list Systems_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list Systems_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list DMZ_access_in extended permit ip any object CUNY
access-list DMZ_access_in extended permit ip any object IBMFTP
access-list DMZ_access_in extended permit ip object inside_NEALTST any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 object inside_OPENSUSE any log debugging
access-list DMZ_access_in extended permit ip object inside_BlockCHAIN any
access-list DMZ_access_in extended permit ip object inside_Ubuntu_Beta2 any
access-list DMZ_access_in extended permit ip object inside_UbuntuBETA_zVM any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 object inside_Block_Marbles any
access-list DMZ_access_in extended permit ip object inside_Block_Marbles any
access-list DMZ_access_in extended permit ip object inside_VERISK_TEST any
access-list DMZ_access_in extended permit ip object inside_INFINITEBLUE any
access-list DMZ_access_in extended permit ip object inside-officeFTP any
access-list DMZ_access_in extended permit ip object inside_Marbles any
access-list DMZ_access_in extended permit ip object inside_TIBERO any
access-list DMZ_access_in extended permit ip object inside_WindowsServer2012 any
access-list DMZ_access_in extended permit tcp object inside_V7000 any object-group DM_INLINE_TCP_12
access-list DMZ_access_in extended permit ip object inside_Andy_Spooner_Guest any
access-list DMZ_access_in extended permit ip object inside_ALDO_RHEL any
access-list DMZ_access_in extended permit ip object inside_Ubuntu_Aldo any
access-list ip-qos extended permit ip 192.168.16.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.16.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list outside_cryptomap extended permit ip any 170.2.32.0 255.255.240.0
access-list nat_outbound-site-DTNA extended permit ip object-group VI-Access object-group VPN-Site-DTNA
access-list test1 extended deny ip any any
access-list ACL-LPOUT-INBOUND extended permit tcp any host 10.100.0.4 object-group DM_INLINE_TCP_24
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_TIMESHEET_TEST eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_LPAR4 object-group DM_INLINE_TCP_6
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_HMC object-group DM_INLINE_TCP_29
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_OSA_ICC object-group DM_INLINE_TCP_7
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_LPAR3 object-group DM_INLINE_TCP_15
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_z63TSTLPAR_NAT object-group DM_INLINE_TCP_10
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_z63DEMOlpar object-group DM_INLINE_TCP_8
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_INFINITEBLUE eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_INFINITYCSM eq www
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host 10.100.0.20
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group ThinAire_1 object-group DM_INLINE_TCP_9
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_parentGUARD eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Timesheets object-group DM_INLINE_TCP_3
access-list ACL-LPOUT-INBOUND extended permit tcp any object Inside_ISSIQuickR object-group DM_INLINE_TCP_22
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_VIHTTP eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_z63PROD01 object-group DM_INLINE_TCP_2
access-list ACL-LPOUT-INBOUND extended permit object-group TCPUDP any object inside_ChristinaSAMBA object-group DM_INLINE_TCPUDP_1
access-list ACL-LPOUT-INBOUND extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside-officeFTP object-group DM_INLINE_TCP_1
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_VICOMINVENTORY eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_CMS_TEST_DEMO object-group DM_INLINE_TCP_4
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_TEST_TIMESHEET object-group DM_INLINE_TCP_5
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_QUICKLOAD eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_11
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Verisk eq ssh
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Marbles object-group DM_INLINE_TCP_13
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_ALDO_RHEL eq ssh
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Aldo_Ubuntu eq ssh
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_VERISK_SYNCSORT eq ssh
access-list 100 extended permit ip object inside_gateway any
access-list guest_INBOUND extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
 
#13 ·
inside# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 47.19.64.65 to network 0.0.0.0

C 172.16.1.0 255.255.255.0 is directly connected, inside
C 10.10.10.0 255.255.255.0 is directly connected, test
C 10.100.0.0 255.255.255.0 is directly connected, DMZ
C 192.168.16.0 255.255.255.0 is directly connected, guests
S 192.168.1.42 255.255.255.255 [1/0] via 47.19.64.65, LPOUT
C 47.19.64.64 255.255.255.192 is directly connected, LPOUT
S* 0.0.0.0 0.0.0.0 [1/0] via 47.19.64.65, LPOUT
 
#14 ·
I think it's going to be one of those days today :)

Your config looks ok to be honest mate. Do any other services work through your Anyconnect or is this the only one?

When you try and RDP into the network, if you have a look at the log in the ASDM, can you see the drops there?

Is there another device behind the ASA at all?
 
#19 ·
Sure.

From the CLI (you can use the wizard in the ASDM as well):

capture capin interface inside match ip 172.16.1.x 255.255.255.255 192.168.1.x 255.255.255.255

capture capout interface outside match ip 192.168.1.x 255.255.255.255 172.16.1.x 255.255.255.255

You'll just need to fill in the blanks (x's) for source and destination machines.

Once complete, try to RDP from your VPN client then run:

show cap capin
show cap capout
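As an added example (not code from the thread), a small Python model of the ASA's longest-prefix-match route lookup, run over the "show route" lines quoted in #13. It shows which interface each end of the RDP flow lands on, and therefore which interfaces the captures from #19 have to sit on: the VPN client address only matches the default route, so the client-side capture belongs on LPOUT rather than on an interface literally named "outside". The route lines are copied from the post above; nothing outside the thread is assumed.

```python
import ipaddress

# Constructed sample: the route entries from the "show route" output in #13
# (legend lines dropped).
ROUTE_TABLE = """\
C 172.16.1.0 255.255.255.0 is directly connected, inside
C 10.10.10.0 255.255.255.0 is directly connected, test
C 10.100.0.0 255.255.255.0 is directly connected, DMZ
C 192.168.16.0 255.255.255.0 is directly connected, guests
S 192.168.1.42 255.255.255.255 [1/0] via 47.19.64.65, LPOUT
C 47.19.64.64 255.255.255.192 is directly connected, LPOUT
S* 0.0.0.0 0.0.0.0 [1/0] via 47.19.64.65, LPOUT
"""


def parse_routes(text):
    """Return [(network, interface)] from ASA 'show route' entry lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        # parts[1] is the network, parts[2] the netmask, the last token the
        # egress interface name (trailing comma already separated by split).
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        routes.append((net, parts[-1]))
    return routes


def egress_interface(routes, host):
    """Longest-prefix match: the most specific route containing host wins."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def capture_interfaces(routes, vpn_client, inside_host):
    """Interfaces on which 'capture ... match ip <a> <b>' must be placed to
    see the client side and the server side of one flow."""
    return {
        "client_side": egress_interface(routes, vpn_client),
        "server_side": egress_interface(routes, inside_host),
    }


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    print(capture_interfaces(table, "192.168.1.43", "172.16.1.50"))
```

Running it with the addresses used in #22 reports client_side LPOUT and server_side inside, matching the two capture commands the poster actually entered.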
 
#22 ·
Hi Mitch

Still nada

inside# capture capin interface inside match ip 172.16.1.50 255.255.255.255 19$
inside# capture capout interface LPOUT match ip 192.168.1.43 255.255.255.255 1$
inside# show cap capin

0 packet captured

0 packet shown
inside# show cap capout

0 packet captured

0 packet shown
inside#
 