Cannot RDP to server in DMZ from VPN

perptech1 (Level 1)

On my ASA5510, I cannot RDP to host 172.16.110.210 in the DMZ from VPN (10.98.98.0), but can access it from internal.  I thought my NAT statement would be all I need (static (inside,SP_DMZ) 10.98.98.0 10.98.98.0 netmask 255.255.255.0), but it still doesn't work.  Any thoughts on what I am missing?

2 Accepted Solutions


I think you probably just need a nonat on your dmz interface. Do you see any nat errors in the log when you try to connect to the dmz server?


18 Replies

Loren Kolnes (Cisco Employee)

Hi Jason,

Is the VPN terminating on the ASA?

Thanks,

Loren

Yes, it is

Hi Jason,

That static statement is telling the ASA that the 10.98.98.0/24 network exists off of the inside interface and should be removed.

You should use nat exemption to bypass nat for traffic going to and from the remote VPN subnet.

Something similar to the following; note that if you have an existing NAT exemption ACL you can append to it:

access-list nonat permit ip 172.16.110.0 255.255.255.0 10.98.98.0 255.255.255.0

nat (inside) 0 access-list nonat

I assumed that the inside subnet is /24 so please modify as needed.

Thanks,

Loren

Loren,

That statement was in the ASA, so I removed the static statement, but again no luck.  Never had issues doing this in the past.

Thanks,

Jason

Hi Jason,

Can you send the output of the following command:

show run nat

Please remove any sensitive information in the output before posting to the forum.

Thanks,

Loren

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.98.98.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.6.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.6.2.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.6.3.0 255.255.255.0

access-list nonat extended permit ip 172.18.2.0 255.255.255.0 10.6.1.0 255.255.255.0

access-list nonat extended permit ip 172.18.3.0 255.255.255.0 10.6.1.0 255.255.255.0

access-list nonat extended permit ip 172.18.2.0 255.255.255.0 10.98.98.0 255.255.255.0

access-list nonat extended permit ip 172.18.3.0 255.255.255.0 10.98.98.0 255.255.255.0

access-list nonat extended permit ip 172.30.30.0 255.255.255.0 10.98.98.0 255.255.255.0

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0

access-list nonat extended permit ip 172.18.200.0 255.255.255.0 10.99.99.0 255.255.255.0

access-list nonat extended permit ip 172.18.200.0 255.255.255.0 10.98.98.0 255.255.255.0

access-list nonat extended permit ip 172.18.210.0 255.255.255.0 10.98.98.0 255.255.255.0

access-list nonat extended permit ip 172.18.210.0 255.255.255.0 10.99.99.0 255.255.255.0

access-list nonat extended permit ip 172.18.212.0 255.255.255.0 10.99.99.0 255.255.255.0

access-list nonat extended permit ip 172.18.212.0 255.255.255.0 10.98.98.0 255.255.255.0

access-list nonat extended permit ip 172.30.30.0 255.255.255.0 10.98.97.0 255.255.255.0

access-list nonat extended permit ip 172.16.110.0 255.255.255.0 10.98.98.0 255.255.255.0

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0
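The `show run nat` output above already contains an ACE covering 172.16.110.0/24 to 10.98.98.0/24, but the only `nat ... 0 access-list nonat` binding is on the inside interface, while the RDP host lives behind SP_DMZ. The following checker is an added example, not code from the thread or from Cisco: it parses this style of pre-8.3 NAT configuration and reports, per interface, whether a given host/VPN-client pair is NAT-exempt. It assumes ACEs use only the `ip <addr> <mask> <addr> <mask>` form seen in the paste (no `host`, `any` or object-groups), takes the DMZ interface name SP_DMZ from the original static statement, and uses the constructed client address 10.98.98.5 inside the VPN pool.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed copy of the "show run nat" output posted
# in the thread (only the lines relevant to the 172.16.110.0/24 DMZ subnet).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.98.98.0 255.255.255.0
access-list nonat extended permit ip 172.30.30.0 255.255.255.0 10.98.98.0 255.255.255.0
access-list nonat extended permit ip 172.16.110.0 255.255.255.0 10.98.98.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Only the "ip <addr> <mask> <addr> <mask>" ACE form is handled; that is the
# only form present in the posted output (assumption for this example).
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
# "nat (<iface>) 0 access-list <name>" is the pre-8.3 NAT exemption binding.
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network   # local side, as written in the ACE
    dst: ipaddress.IPv4Network   # remote (VPN pool) side


def parse_nat_config(text):
    """Return (acls, exemptions): ACL name -> [Ace], interface -> ACL name."""
    acls, exemptions = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            acls.setdefault(name, []).append(Ace(
                ipaddress.IPv4Network(f"{s_ip}/{s_mask}", strict=False),
                ipaddress.IPv4Network(f"{d_ip}/{d_mask}", strict=False)))
        elif m := NAT0_RE.match(line):
            iface, name = m.groups()
            exemptions[iface] = name
    return acls, exemptions


def is_exempt(acls, exemptions, iface, local_ip, remote_ip):
    """True if a nat 0 ACL bound to `iface` has an ACE covering local->remote.

    The ASA applies NAT exemption to both directions of a connection, but the
    ACE is written local-source / remote-destination, so that is what we match.
    The exemption only exists on the interface it is bound to: an ACL bound
    with "nat (inside) 0" says nothing about hosts living behind SP_DMZ.
    """
    name = exemptions.get(iface)
    if name is None:
        return False
    local = ipaddress.IPv4Address(local_ip)
    remote = ipaddress.IPv4Address(remote_ip)
    return any(local in ace.src and remote in ace.dst for ace in acls.get(name, []))


def check_vpn_reachability(text, host_iface, host_ip, vpn_client_ip):
    """Report, per interface, whether host<->VPN-client traffic is NAT-exempt."""
    acls, exemptions = parse_nat_config(text)
    ifaces = sorted(set(exemptions) | {host_iface})
    return {i: is_exempt(acls, exemptions, i, host_ip, vpn_client_ip) for i in ifaces}


if __name__ == "__main__":
    # 10.98.98.5 is a constructed address inside the thread's VPN pool.
    before = check_vpn_reachability(SAMPLE_CONFIG, "SP_DMZ", "172.16.110.210", "10.98.98.5")
    print("as posted:", before)          # {'SP_DMZ': False, 'inside': True}
    # The second accepted solution suggests a nonat binding on the DMZ
    # interface; the existing ACL can be reused for it.
    fixed = SAMPLE_CONFIG + "nat (SP_DMZ) 0 access-list nonat\n"
    after = check_vpn_reachability(fixed, "SP_DMZ", "172.16.110.210", "10.98.98.5")
    print("with DMZ exemption:", after)  # {'SP_DMZ': True, 'inside': True}
```

Run it against a sanitised `show run nat` paste: a `False` for the interface the target host sits behind is the condition the thread ends up pointing at, and the script is a quicker first check than reading a long nonat ACL by eye.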

Hi Jason,

You may have to manually clear any existing xlates. Can you have a look through your xlate table to see if there are any for the 10.98.98.x addresses?

Does the following command provide any output?

show xlate detail | inc 10.98.98.

Thanks,

Loren

Loren,

Nothing shows from that command.


Thanks

Hi Jason,

Is this a remote access VPN client or L2L?

Are there any logs when trying to access 172.16.110.210?

Thanks,

Loren

Loren,

This is a remote access vpn.  Nothing showed up in logs, so I am going to try a capture. I will keep you posted.


Thanks

Hi Jason,

Is the ASA the default gateway for the RDP host?

Are you using split tunneling and if so is the 172.16.110.0 included in the access-list?

Can you set up the capture on the ASA:

access-list cap1 permit tcp 10.98.98.0 255.255.255.0 host 172.16.110.210 eq 3389

access-list cap1 permit tcp host 172.16.110.210 eq 3389 10.98.98.0 255.255.255.0

cap capin interface inside access-list cap1

Connect and try to RDP to the 172.16.110.210 host and then run the show capture command and send me the output.

show cap capin

Thanks,

Loren

Loren,

The ASA is the default gateway for the RDP host.  The capture shows nothing at all. I can send the full configuration if you would like to see it?

Thanks,


Jason

Hi Jason,

Yes a full configuration would be very helpful. Please make sure that any sensitive information is removed before posting though.

Can you also check the secured routes in the client: right-click on the client icon in the task bar and select Statistics, then choose the Route Details tab. In there, make sure that there are either all zeros or a network statement that includes 172.16.110.

Thanks,

Loren

Loren,

Here you go.
