able to connect to anyconnect and access ssh,ftp,telnet,http and https but not rdp

Muhammad Thanveer · ‎11-19-2012

Hi,

I am able to connect to any connect and able to access ssh telnet ftp http and https but not able to connect rdp

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Jouni Forss · ‎11-21-2012

Hi,

Can you provide where you are connecting with RDP from and to what destination IP address?

Are you connecting with RDP to the same host where you are able to connect with SHH, Telnet, FTP, HTTP and HTTPS

- Jouni

Muhammad Thanveer · ‎11-21-2012

Hi JouniForss,

Thanks for the reply,

1) Source will be from the pool 192.168.60.0/24 and thd destination will be 192.168.50.0/24

2) Yes I am tryinh to take rdp to one of my servers for which http and rdp services are enabled.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Jouni Forss · ‎11-21-2012

Hi,

So you are connection to the ASA first with Cisco AnyConnect VPN and the VPN pool is 192.168.60.2-192.168.60.9

As you want to connect to the network 192.168.50.0/24 with their original IP addresses and not do NAT you need a NAT0 configuration.

It seems you have the following NAT0 configuration for your "inside" interface

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 172.30.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_1

access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0

It seems to me atleast that you NAT0 rule doesnt include the traffic between 192.168.50.0/24 and 192.168.60.0/24

Have you by any chance added the last "inside_nat0_outbound" ACL line (marked with red) while trying to get this to work?

access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0

To me it seems you would need to reverse the networks in that statement to

access-list inside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 192.168.60.0 255.255.255.0

This is because the NAT rule and the ACL is done for the "inside" interface, therefore you need to use the "inside" interface networks as the source address for the NAT0 rule. This will still apply to traffic from the VPN pool to the LAN network of 192.168.50.0/24 also.

This is atleast what it seems to me. Though if I'm correct this would mean you could not at the moment connect to any host on the 192.168.50.0/24 LAN network from your VPN Pool of 192.168.60.0/24?

- Jouni

Muhammad Thanveer · ‎11-21-2012

I have tried doin so but no luck dear.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

Jouni Forss · ‎11-21-2012

Hi,

If possible, you should try to get log information of the connection attempt from the ASA.

Log about the connection when its formed and when its torn down from the ASA. Unless its ofcouse blocked by the ASA.

- Jouni

Muhammad Thanveer · ‎11-21-2012

Might be IP Pool i have asigned is overlapping with the Pool on my coreswitch, let me also check this.

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."