01-14-2011 12:32 AM - edited 03-11-2019 12:35 PM
First of all, sorry for my English. My problem is:
I have an ASA5510 firewall with one router on the outside interface doing NAT (it is also a VPN server) and another one on the inside interface. When I try to open a remote desktop from the Internet using the VPN to an internal PC, this PC does not respond, but if I launch a ping command from the internal PC to the outside firewall interface and then relaunch the remote desktop connection, it works.
Thanks in advance. Regards.
01-14-2011 01:28 AM
Can you please share the output of the following show commands:
show run interface
show run nat
show run static
show run global
as well as the ip address of the remote desktop server. Thanks.
01-14-2011 03:05 AM
Thank you, Jennifer, for your quick answer. This is the output of the commands:
SA5510# sh run inter
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.101.2 255.255.255.252
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.102.1 255.255.255.252
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address Management-Interface 255.255.255.0
 management-only
ASA5510-CEPC# sh run nat
nat (Inside) 0 0.0.0.0 0.0.0.0
ASA5510-CEPC#
ASA5510-CEPC# sh run static
ASA5510-CEPC#
ASA5510-CEPC# sh run global
ASA5510-CEPC#
Please find attached a file with a scheme of the solution. Thanks a lot for your help.
01-14-2011 03:32 AM
The diagram was not uploaded - CiscoExpert.jpg (75.9 K) QUEUED
As per the configuration, you have the following configured:
nat (Inside) 0 0.0.0.0 0.0.0.0
which is a dynamic NAT exemption.
To be able to initiate the connection from the outside towards the inside, please kindly change the above nat statement to the following:
access-list nonat permit ip any any
nat (Inside) 0 access-list nonat
no nat (Inside) 0 0.0.0.0 0.0.0.0
"clear xlate" after the above changes, and try to initiate the RDP connection again from the VPN.
01-14-2011 03:55 AM
Thank you very much, Jennifer. A personal problem requires my attention out of the office. I will do it on Monday, I hope, and I will inform you about the result. This is the graphic. Talk to you.

01-14-2011 02:38 PM
Hello,
How did you configure NAT on the router? Have you configured a policy-NAT in the router that allows the internal hosts to go un-natted to the VPN clients? Can you share your NAT configurations on the router here?
Regards,
NT
01-17-2011 04:49 AM
Hi, Nagaraja; as you requested, this is the NAT configuration. I have included the Easy VPN configuration. As you can see I have deleted the rest of configuration:
cisco2821#sh run
Building configuration...
deleted
!
version 12.4
parser config cache interface
parser config interface
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname cisco2821
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 warnings
!
aaa new-model
!
!
aaa authentication login Remotos local
aaa authorization exec default local 
aaa authorization network Remotos local 
!
!
deleted
!
deleted
!
!
deleted
username soft_vpn_client password 7 1235040541085C0E7A39772F3F3479030607
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
deleted
!
crypto isakmp client configuration group Serikat
 key xxxxxxxxxxxxxxxxxxxxxxxxxx
 pool Serikat
 acl 121
 save-password
 max-users 1
 max-logins 1
!
!
crypto ipsec transform-set REMOTOS esp-3des esp-sha-hmac 
!
crypto dynamic-map ACCESOS_REMOTOS 1
 set transform-set REMOTOS 
 reverse-route
!
!
crypto map REMOTOS client authentication list Remotos
crypto map REMOTOS isakmp authorization list Remotos
crypto map REMOTOS client configuration address respond
crypto map REMOTOS 1 ipsec-isakmp dynamic ACCESOS_REMOTOS 
!
archive
 log config
  hidekeys
!
!
!
!
!
!
interface GigabitEthernet0/0
 description Conexion con Firewall-Outside
 ip address 192.168.101.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ES_LAN$
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 description CONEXION CON INTERNET
 ip address x.x.x.x 255.255.255.192
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 no atm ilmi-keepalive
 dsl operating-mode auto 
 crypto map REMOTOS
 pvc telefonica 8/32 
  protocol ip x.x.x.x
  encapsulation aal5snap
 !
!
interface GigabitEthernet0/1/0
  no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0.1
!
deleted
ip local pool Serikat 10.14.81.233
deleted
!
!
deleted
ip nat inside source route-map NAT interface ATM0/0/0 overload
!
deleted
deleted
access-list 103 deny   ip 10.14.81.0 0.0.0.255 host 10.14.81.233
deleted
access-list 103 permit ip 10.14.81.0 0.0.0.255 any
deleted
access-list 121 permit ip host 10.14.81.172 host 10.14.81.233
deleted
!         
route-map NAT permit 1
 match ip address 103
!         
!         
!         
!         
deleted
cisco2821#
01-17-2011 07:38 AM
Jennifer, Nagaraja, thanks a lot for your help. After entering the commands proposed by Jennifer, the connections from the VPN client to the internal IP work. I am really very happy.
Thanks, thanks a lot
You are invited to have coffee if you come to Spain sometime: my email is fmartos@cepc.es
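Added example, not part of the original posts: a small Python check that classifies the two pre-8.3 `nat (if) 0` forms swapped in this thread. The network form (identity NAT) only builds a translation when the inside host sends traffic first, which is why the ping made RDP work, while the access-list form (NAT exemption) also allows connections initiated from the outside. The function name `audit_nat0` and the sample strings are assumptions made for this illustration.

```python
import re

# Constructed samples: the ASA lines quoted in this thread, before and after the fix.
BEFORE = "nat (Inside) 0 0.0.0.0 0.0.0.0\n"
AFTER = "access-list nonat permit ip any any\nnat (Inside) 0 access-list nonat\n"

NAT0_NET = re.compile(r"^nat \((\S+)\) 0 \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+$")
NAT0_ACL = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ACL_LINE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) ip (.+)$")


def audit_nat0(config):
    """Return (kind, interface, note) for each 'nat (if) 0' rule (pre-8.3 syntax)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # Collect ACL entries by name so exemption rules can be resolved.
    acls = {}
    for ln in lines:
        m = ACL_LINE.match(ln)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))

    findings = []
    for ln in lines:
        m = NAT0_NET.match(ln)
        if m:
            # Identity NAT: no xlate exists until the inside host talks first.
            findings.append(("identity-nat", m.group(1),
                             "outside/VPN-initiated connections fail until "
                             "inside traffic creates an xlate"))
            continue
        m = NAT0_ACL.match(ln)
        if m:
            iface, name = m.groups()
            entries = acls.get(name, [])
            if not entries:
                note = "ACL %s is not defined in this config" % name
            elif any(act == "permit" and rest == "any any" for act, rest in entries):
                note = "ACL %s exempts all traffic; consider limiting it to the VPN pool" % name
            else:
                note = "ACL %s is scoped" % name
            findings.append(("nat-exemption", iface, note))
    return findings


if __name__ == "__main__":
    for sample in (BEFORE, AFTER):
        print(audit_nat0(sample))
```
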
01-17-2011 02:52 PM
Great to hear it's working, Francisco. Thanks for the invite.