topic Re: Remote RDP not accessible through IPSec site-to-site in Network Security

Remote RDP not accessible through IPSec site-to-site

Rockyy — Fri, 21 Feb 2020 14:35:30 GMT

Hi,

I've two sites (A and B) connected through IPSec tunnel. I'm not be able to access Remote Desktop connection from Site A to Site B, below is packet-tracer and config.

packet-tracer input inside tcp 172.16.10.2 3389 192.168.10.2 3$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xae180d48, priority=1, domain=permit, deny=false

hits=10119301, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=inside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface outside

Untranslate 192.168.10.2/3389 to 192.168.10.2/3389

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

set connection decrement-ttl

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in id=0xae079688, priority=7, domain=conn-set, deny=false

hits=150156, user_data=0xae0772c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE no-proxy-arp route-lookup

Additional Information:

Static translate 172.16.10.2/3389 to 172.16.10.2/3389

Forward Flow based lookup yields rule:

in id=0xaee39cf8, priority=6, domain=nat, deny=false

hits=9522, user_data=0xad8f2b50, cs_id=0x0, flags=0x0, protocol=0

src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0

dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=outside

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xa9677e78, priority=1, domain=nat-per-session, deny=true

hits=110170, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xae186b50, priority=0, domain=inspect-ip-options, deny=true

hits=150202, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xae95a080, priority=70, domain=encrypt, deny=false

hits=11153, user_data=0x0, cs_id=0xae95c780, reverse, flags=0x0, protocol=0

src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0

dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=outside

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Please advise!

Re: Remote RDP not accessible through IPSec site-to-site

Flavio Miranda — Sat, 28 Oct 2017 19:22:34 GMT

Hi mate,

"Drop-reason: (acl-drop) Flow is denied by configured rule"

Are you allowing this flow on the VPN ?

Can you share show running-config?

-If I helped you somehow, please, rate it as useful.-

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 19:40:05 GMT

Please find below my running-config

show running-config

hostname FW-COLUMBUS-01
enable password 0gp.3MCN16asScVr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 0gp.3MCN16asScVr encrypted
names
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.30 mask 255.255.255.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.16.2.1 255.255.255.0
!
interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/2
nameif inside
security-level 100
ip address 172.16.1.254 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
object network ANYONNECT-LAN
object network OBJ-FACEBOOK.COM
fqdn fb.com
object service rdp
service tcp destination eq 3389
object-group network internet
network-object 172.16.10.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
object-group network ANYCONNECT-LOCAL
network-object 172.16.10.0 255.255.255.0
object-group network ANYCONNECT-REMOTE
network-object 10.10.10.0 255.255.255.0
object-group network IPSEC-L2L-LAN
network-object 172.16.0.0 255.255.0.0
object-group network IPSEC-L2L-REMOTE
network-object 192.168.0.0 255.255.0.0
access-list icmp extended permit icmp any any
access-list ANYCONNECT-ACL standard permit 172.16.10.0 255.255.255.0
access-list IPSEC-ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list IPSEC-ACL extended permit tcp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list IPSEC-ACL extended permit icmp 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list outside_access_in remark ICMP type 11 for Windows Traceroute
access-list outside_access_in remark ICMP type 3 for Cisco and Linux
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list VPN extended permit tcp any any eq 3389
pager lines 24
logging enable
logging monitor emergencies
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751-112.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE no-proxy-arp route-lookup
nat (inside,outside) source static ANYCONNECT-LOCAL ANYCONNECT-LOCAL destination static ANYCONNECT-REMOTE ANYCONNECT-REMOTE no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
access-group VPN in interface outside
access-group VPN out interface inside
route inside 172.16.2.0 255.255.255.0 172.16.2.254 1
route inside 172.16.6.0 255.255.255.0 172.16.1.250 1
route inside 172.16.10.0 255.255.255.0 172.16.1.250 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map IPSEC_VPN_MAP 1 match address IPSEC-ACL
crypto map IPSEC_VPN_MAP 1 set pfs
crypto map IPSEC_VPN_MAP 1 set peer XX.XXX.XXX.XX
crypto map IPSEC_VPN_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map IPSEC_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 846000
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 172.16.10.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8
dhcpd option 3 ip 172.16.1.254
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy SITE_TO_SITE internal
group-policy SITE_TO_SITE attributes
vpn-idle-timeout none
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
banner value *******************************
banner value AUTHORIZED ACCESS ONLY
banner value *****************************
dns-server value 4.2.2.2
vpn-tunnel-protocol ssl-client
password-storage enable
re-xauth enable
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ANYCONNECT-ACL
user-authentication-idle-timeout 60
username admin password dpiWlbmgsMY7TNa0 encrypted privilege 15
username sherry password ZQTXqHQSsqPf/6iy encrypted privilege 0
username sherry attributes
group-lock value ANYCONNECT-TG
service-type remote-access
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
address-pool ANYCONNECT-POOL
default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
group-alias "HOME USERS" enable
tunnel-group XX.XXX.XXX.XX type ipsec-l2l
tunnel-group XX.XXX.XXX.XX general-attributes
default-group-policy SITE_TO_SITE
tunnel-group XX.XXX.XXX.XX ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

Re: Remote RDP not accessible through IPSec site-to-site

Flavio Miranda — Sat, 28 Oct 2017 20:13:21 GMT

Correct me if I'm wrong. I'm trying to see this using smartphone.

You are try to access a server on 192. Something right?

Does route has route to it?

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 20:22:16 GMT

Yup, 192.168.0.0 is remote network and I'm trying to access RDP through my LAN

My LAN 172.16.0.0
Remote LAN 192.168.0.0

My route

# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 71.73.149.1 to network 0.0.0.0

C 71.72.248.0 255.255.248.0 is directly connected, outside
S 172.16.10.0 255.255.255.0 [1/0] via 172.16.1.250, inside
S 172.16.6.0 255.255.255.0 [1/0] via 172.16.1.250, inside
C 172.16.1.0 255.255.255.0 is directly connected, inside
S 172.16.2.0 255.255.255.0 [1/0] via 172.16.2.254, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 71.73.149.1, outside

Re: Remote RDP not accessible through IPSec site-to-site

Flavio Miranda — Sat, 28 Oct 2017 20:41:47 GMT

This can not work. You are trying to access an IP address 192.x through the internet? Not possible.

You need to have a NAT on your side and in remote side. 192.x is not routed through the internet.

It could works if 192.x were directed connected to the firewall.

-If I helped you somehow, please, rate it as useful.-

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 20:42:55 GMT

C:\Users\Administrator>tracert 192.168.10.6

Tracing route to 192.168.10.6 over a maximum of 30 hops

1 5 ms 3 ms 4 ms 172.16.10.253
2 1 ms * 1 ms 172.16.1.254
3 143 ms 138 ms 133 ms 192.168.10.6
4 136 ms 138 ms 140 ms 192.168.10.6

Trace complete.

C:\Users\Administrator>

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 20:45:55 GMT

I have IPSec tunnel between both sites in that case too it's not gonna work?

Internet -->> ASA -->> SWITCH -->> USERS SITE-B

IPSec site-to-site

Internet -->> ASA --> SWITCH -->> USERS SITE-A

Re: Remote RDP not accessible through IPSec site-to-site

Flavio Miranda — Sat, 28 Oct 2017 20:55:03 GMT

Alright, then is possible.Sorry.

Verify is RDP is enabled on the remote server and also if the server has route the reply correctly.

-If I helped you somehow, please, rate it as useful.-

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 21:52:10 GMT

It's ok, thanks for your help

Re: Remote RDP not accessible through IPSec site-to-site

Rahul Govindan — Sat, 28 Oct 2017 22:23:56 GMT

The packet tracer shows that the VPN tunnel is not even established. The drop is at Phase 8:

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xae95a080, priority=70, domain=encrypt, deny=false

hits=11153, user_data=0x0, cs_id=0xae95c780, reverse, flags=0x0, protocol=0

src ip/id=172.16.0.0, mask=255.255.0.0, port=0, tag=0

dst ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=outside

When user_data=0x0, that means that there is no tunnel established yet, its just the crypto acl entry. When this value is non-zero, that means that the interesting traffic matches an existing established tunnel. You might want to run the following debugs and then run the packet-tracer to see what happens during tunnel establishment:

debug crypto isakmp 127

debug crypto ipsec 127

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 22:40:52 GMT

Oct 28 21:14:47 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, IKE Initiator: New Phase 2, Intf outside, IKE Peer 82.92.112.25 local Proxy Address 172.16.0.0, remote Proxy Address 192.168.0.0, Crypto map (IPSEC_VPN_MAP)

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, Oakley begin quick mode

Oct 28 21:14:47 [IKEv1 DECODE]Group = 82.92.112.25, IP = 82.92.112.25, IKE Initiator starting QM: msg id = 59fb68d6

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, IKE got SPI from key engine: SPI = 0x306fc706

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, oakley constucting quick mode

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing blank hash payload

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing IPSec SA payload

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing IPSec nonce payload

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing pfs ke payload

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing proxy ID

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, Transmitting Proxy Id:

Local subnet: 172.16.0.0 mask 255.255.0.0 Protocol 0 Port 0

Remote subnet: 192.168.0.0 Mask 255.255.0.0 Protocol 0 Port 0

Oct 28 21:14:47 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, constructing qm hash payload

Oct 28 21:14:47 [IKEv1 DECODE]Group = 82.92.112.25, IP = 82.92.112.25, IKE Initiator sending 1st QM pkt: msg id = 59fb68d6

Oct 28 21:14:47 [IKEv1]IP = 82.92.112.25, IKE_DECODE SENDING Message (msgid=59fb68d6) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 308

Oct 28 21:14:48 [IKEv1]IP = 82.92.112.25, IKE_DECODE RECEIVED Message (msgid=bdbfb2a1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356

Oct 28 21:14:48 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing hash payload

Oct 28 21:14:48 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing notify payload

Oct 28 21:14:48 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, Received non-routine Notify message: Invalid ID info (18)

Oct 28 21:14:56 [IKEv1]IP = 82.92.112.25, IKE_DECODE RECEIVED Message (msgid=8fa5212a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356

Oct 28 21:14:56 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing hash payload

Oct 28 21:14:56 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing notify payload

Oct 28 21:14:56 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, Received non-routine Notify message: Invalid ID info (18)

Oct 28 21:15:04 [IKEv1]IP = 82.92.112.25, IKE_DECODE RECEIVED Message (msgid=8237301a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356

Oct 28 21:15:04 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing hash payload

Oct 28 21:15:04 [IKEv1 DEBUG]Group = 82.92.112.25, IP = 82.92.112.25, processing notify payload

Oct 28 21:15:04 [IKEv1]Group = 82.92.112.25, IP = 82.92.112.25, Received non-routine Notify message: Invalid ID info (18)

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 22:41:48 GMT

Also I am able to ping both sites vice versa

Re: Remote RDP not accessible through IPSec site-to-site

Flavio Miranda — Sat, 28 Oct 2017 22:49:09 GMT

Back to your previously logs from packet tracer, the problem is ACL. However, looks ok. At least, the ACL is applied.

I'm looking at it using smartphone which make it harder. Double check please if the ACL is correctly applied in terms of interface and direction.

If possible, permit everything then restrict after.

-If I helped you somehow, please, rate it as useful.-

Re: Remote RDP not accessible through IPSec site-to-site

Rockyy — Sat, 28 Oct 2017 23:04:33 GMT

Thanks mate, the problem was with the ACL.