12-31-2018 03:55 PM - edited 02-21-2020 08:37 AM
Let me preface by saying that I am a beginner and do not have a lot of experience with firewalls.
I have a Cisco ASA 5506-X running ASA version 9.8 and ASDM 7.8. Firewall mode is set to routed.
My goal is to be able to RDP into any machine on the inside network from machines outside the network connected via AnyConnect VPN. I have tried allowing port 3389 but have been unsuccessful in establishing a remote desktop connection. My internal network is 10.10.0.x.
Additionally, I have not been able to allow ping successfully over VPN either.
Any help is appreciated.
Russell
Accepted Solutions
12-31-2018 04:38 PM - edited 12-31-2018 04:40 PM
You can change the IP addresses according to your requirements.
Create a 'pool' of IP addresses that the ASA will allocate to the remote clients; also create a network object that covers that pool of addresses, which we will use later.
ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
ASA(config)# object network OBJ-ANYCONNECT-SUBNET
ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
Enable webvpn, set the package to the one you uploaded, then turn on AnyConnect.
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
ASA(config-webvpn)# anyconnect enable
I'm going to create a local username and password. I am also going to create an ACL that we will use for split tunneling in a minute.
ASA(config)# username Admin password Cisco123
ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
Create a group policy, change the values to match your DNS server(s), and domain name.
ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
ASA(config-group-policy)# default-domain value mydomain.com
Create a matching tunnel-group that ties everything together.
ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable
Then stop any traffic that is going to (or coming from) the remote clients from being NATed.
ASA(config)# nat (inside,outside) 1 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Save the changes.
write me
01-02-2019 02:14 PM - edited 01-02-2019 02:16 PM
Thanks, I have reconfigured the parts of the configuration which are relevant to AnyConnect. Please test them.
ip local pool ACONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
object network ANYCONNECT
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static ANYCONNECT ANYCONNECT no-proxy-arp route-lookup
!
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ACONNECT-POOL
!
01-03-2019 03:50 PM
Hi,
did you try this command?
nat (any,outside) 1 source static any any destination static ANYCONNECT ANYCONNECT no-proxy-arp route-lookup
12-31-2018 06:31 PM
nat (inside,outside) 1 source static any any destination static OBJ-ANYCONNECT-S ^UBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
ERROR: % Invalid input detected at '^' marker.
12-31-2018 06:49 PM
Hi, you put the command in wrong:
nat (inside,outside) 1 source static any any destination static OBJ-ANYCONNECT-S ^UBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
ERROR: % Invalid input detected at '^' marker.
See below for the correct one; I highlighted what you were putting above.
ASA(config)# nat (inside,outside) 1 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
12-31-2018 06:54 PM
nat (inside,outside) 1 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
The console output is indicating that it doesn't like the first OBJ-ANYCONNECT-S(^)UBNET. I double checked and it is created and spelled correctly. It's like I am supplying an invalid parameter.
01-01-2019 01:40 AM
Please, instead of pasting the command, type it in.
Make sure you have the correct object name; this could be the reason it is not taking the command.
To check if you have the correct object name, run this command:
show run object network in-line | i OBJ-ANYCONNECT-SUBNET
If there is still a problem, share your AnyConnect configuration.
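The check suggested above can be done offline against a saved running-config. The script below is an added example, not code from this thread or from Cisco: it parses the `nameif` and `object network` names out of a constructed sample config and reports every interface or object that a twice-NAT exemption line references but the config does not define, which are the two kinds of name a `nat (...) source static ... destination static ...` rule depends on. The sample config, including the interface name `inside_1`, is constructed for the demonstration and is not the poster's redacted config.

```python
import re

# Constructed sample of an ASA running-config, modelled on the commands
# posted in this thread. Not the poster's actual (redacted) configuration.
SAMPLE_CONFIG = """
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 nameif inside_1
 security-level 100
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
"""

# Matches the twice-NAT shape used for VPN NAT exemption; trailing keywords
# such as no-proxy-arp / route-lookup are ignored by re.match.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[\w.-]+),(?P<dst_if>[\w.-]+)\) "
    r"(?:\d+ )?source static (?P<src_real>\S+) (?P<src_map>\S+) "
    r"destination static (?P<dst_real>\S+) (?P<dst_map>\S+)"
)


def parse_names(config):
    """Return (set of nameif values, set of network object names) from an ASA config."""
    interfaces = set(re.findall(r"^\s*nameif (\S+)", config, re.M))
    objects = set(re.findall(r"^object network (\S+)", config, re.M))
    return interfaces, objects


def check_nat_exempt(config, nat_line):
    """List every undefined interface or object the NAT line refers to.

    An empty list means all referenced names exist in the config; 'any' is
    a keyword on the ASA, not a name, so it is never flagged."""
    interfaces, objects = parse_names(config)
    m = NAT_RE.match(nat_line.strip())
    if not m:
        return ["line does not parse as a 'source static ... destination static' rule"]
    problems = []
    for key in ("src_if", "dst_if"):
        name = m.group(key)
        if name != "any" and name not in interfaces:
            problems.append(f"interface '{name}' has no matching nameif")
    for key in ("src_real", "src_map", "dst_real", "dst_map"):
        name = m.group(key)
        if name != "any" and name not in objects:
            problems.append(f"object '{name}' is not defined")
    return problems
```

Run `check_nat_exempt(open("asa.cfg").read(), line)` for each `nat` line you intend to paste; any non-empty result is a name the ASA will reject before the command is accepted.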
01-02-2019 08:07 AM - edited 01-02-2019 07:57 PM
Still a problem.
01-02-2019 01:24 PM
I tried manually entering the command and I continue to receive an error message. Using the show command, OBJ-ANYCONNECT-SUBNET does exist. I've attached a redacted config for further review.
01-02-2019 02:31 PM
01-02-2019 02:37 PM
What do you see after this if you give a ?
nat (inside,outside) 1 source static any any destination static ANYCONNECT ANYCONNECT ?
01-02-2019 02:38 PM
01-02-2019 02:41 PM
I just tested them on my box, a 5506-X running version 9.8.
Let me have one more look at the config.
01-02-2019 02:45 PM
Can you please confirm you see this config in your box, the highlighted one?
ip local pool ACONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
object network ANYCONNECT
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static ANYCONNECT ANYCONNECT no-proxy-arp route-lookup
!
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ACONNECT-POOL
01-02-2019 02:49 PM - edited 01-02-2019 02:53 PM
Can you put in these commands?
no nat (inside,outside) 1 source static any any destination static ANYCONNECT ANYCONNECT no-proxy-arp route-lookup
!
nat (any,outside) 1 source static any any destination static ANYCONNECT ANYCONNECT no-proxy-arp route-lookup
