11-19-2012 09:21 PM - edited 03-11-2019 05:25 PM
Hi,
I am able to connect to any connect and able to access ssh telnet ftp http and https but not able to connect rdp
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
11-21-2012 01:07 AM
Hi,
Can you provide where you are connecting with RDP from and to what destination IP address?
Are you connecting with RDP to the same host where you are able to connect with SHH, Telnet, FTP, HTTP and HTTPS
- Jouni
11-21-2012 01:18 AM
Hi JouniForss,
Thanks for the reply,
1) Source will be from the pool 192.168.60.0/24 and thd destination will be 192.168.50.0/24
2) Yes I am tryinh to take rdp to one of my servers for which http and rdp services are enabled.
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
11-21-2012 01:39 AM
Hi,
So you are connection to the ASA first with Cisco AnyConnect VPN and the VPN pool is 192.168.60.2-192.168.60.9
As you want to connect to the network 192.168.50.0/24 with their original IP addresses and not do NAT you need a NAT0 configuration.
It seems you have the following NAT0 configuration for your "inside" interface
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
It seems to me atleast that you NAT0 rule doesnt include the traffic between 192.168.50.0/24 and 192.168.60.0/24
Have you by any chance added the last "inside_nat0_outbound" ACL line (marked with red) while trying to get this to work?
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
To me it seems you would need to reverse the networks in that statement to
access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0
This is because the NAT rule and the ACL is done for the "inside" interface, therefore you need to use the "inside" interface networks as the source address for the NAT0 rule. This will still apply to traffic from the VPN pool to the LAN network of 192.168.50.0/24 also.
This is atleast what it seems to me. Though if I'm correct this would mean you could not at the moment connect to any host on the 192.168.50.0/24 LAN network from your VPN Pool of 192.168.60.0/24?
- Jouni
11-21-2012 03:07 AM
I have tried doin so but no luck dear.
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
11-21-2012 03:13 AM
Hi,
If possible, you should try to get log information of the connection attempt from the ASA.
Log about the connection when its formed and when its torn down from the ASA. Unless its ofcouse blocked by the ASA.
- Jouni
11-21-2012 03:59 AM
Might be IP Pool i have asigned is overlapping with the Pool on my coreswitch, let me also check this.
Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide