03-02-2011 03:41 AM - edited 03-11-2019 12:59 PM
Hello support, I had configured the below on an ASA 5540, and now I get an error when connecting from the internet (outside) to an inside server.
This is my remote access VPN configuration:
One(config)#
hash sha
group 2
isakmp enable outside
ip local pool SDC!GSIDC 192.168.10.1-192.168.10.15 netmask 255.255.255.0
username Dc2Idc password password
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group tesTGroup type ipsec-ra
tunnel-group tesTGroup general-attributes
tunnel-group tesTGroup ipsec-attributes
pre-shared-key 1234567812
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
access-list 101 extended permit ip host 192.168.4.222 192.168.10.0 255.255.255.0
03-02-2011 03:58 AM
Sorry, not quite sure where it is actually failing.
Do you mean to say after you are connected to the VPN, you are not able to connect to an inside server?
Or, you are not able to connect to an inside server after you configure the VPN, however, you are not using the vpn?
Can you please advise what is the ip address of the inside server that you try to access?
Also lastly, the full config would help to understand what might cause the failure. Thanks.
03-02-2011 04:49 AM
You haven't included the full config yet, and most importantly the access-list "outside_access_in".
Also, what IP address is 59.144.97.46? It is not in the same subnet as your ASA outside interface. Is this being routed towards your ASA outside interface? Do you own that IP, or is this IP assigned by your ISP? Just wondering if it has been routed correctly towards the ASA outside interface.
03-02-2011 04:58 AM
Hello Jenifer,
We could not upload the full configuration here, so I had uploaded the specific configuration. We are sorry for this.
But if you want any specific configuration, then let me know.
Below is the outside ACL:
access-list outside_access_in extended permit tcp any host 58.4.90.1 eq 3389
03-02-2011 05:07 AM
OK, so I assume that you would like to NAT 192.168.4.222 to the ASA outside interface IP address (58.4.90.1), which is what is stated on your access-list "outside_access_in". So if the above is a correct statement, then the following static line is incorrect:
static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255
Please remove that, and configure the following instead:
no static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255
static (INSIDE,outside) tcp interface 3389 192.168.4.222 3389 netmask 255.255.255.255
Then "clear xlate" after the above changes.
You should be able to RDP to 58.4.90.1 from the internet and that would RDP to your inside server: 192.168.4.222
03-02-2011 05:13 AM
Hello Jennifer,
You are right, but for VPN connectivity, how do we give this server to outside without using this port 3389?
Is there any change in configuration for the remote access server via Cisco client 5.0?
03-02-2011 05:18 AM
For remote access VPN, you can create NAT exemption and directly RDP to the server using its private ip address (192.168.4.222).
Here is the config for NAT exemption if you don't already have it:
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
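The two fixes in this thread (exposing the server through a static on the outside interface address that the outside ACL actually permits, and exempting VPN-pool traffic from NAT) are both consistency checks between config lines. The following is an added Python example, not code from this thread or from Cisco, that parses the lines quoted in this thread and flags both mismatches: an outside-ACL host destination that no static maps, and a nat 0 ACL that does not cover the VPN pool. The interface stanza in the sample is an assumption (the thread only shows that the outside address is 58.4.90.1), and the "fixed" variant assumes the nat 0 ACL should name the pool's own subnet (the pool posted is 192.168.10.1-15, while the exemption ACL quoted above names 192.168.15.0/24, which is what the second check flags).

```python
import ipaddress
import re

# Constructed sample, assembled from the lines quoted in this thread.
# The interface stanza is an assumption: the thread never shows it.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 58.4.90.1 255.255.255.0
ip local pool SDC!GSIDC 192.168.10.1-192.168.10.15 netmask 255.255.255.0
static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 58.4.90.1 eq 3389
access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
access-group outside_access_in in interface outside
"""

# Same config with the static PAT from the thread applied, and (assumption) the
# nat 0 ACL pointed at the pool's subnet instead of 192.168.15.0/24.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255",
    "static (INSIDE,outside) tcp interface 3389 192.168.4.222 3389 netmask 255.255.255.255",
).replace("192.168.15.0 255.255.255.0", "192.168.10.0 255.255.255.0")

# Matches both plain statics and port-level (PAT) statics on pre-8.3 ASA syntax.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\)(?: (tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: (\d+))? netmask (\S+)"
)
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.+?)(?: eq (\S+))?$")


def outside_ip(config):
    """Return the address of the interface whose nameif is 'outside'."""
    current = None
    for line in config.splitlines():
        m = re.match(r"^\s*nameif (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"^\s*ip address (\S+) \S+", line)
        if m and current == "outside":
            return m.group(1)
    return None


def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host X', or 'X MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def acl_entries(config, name):
    """Return (proto, src_net, dst_net, port) for each permit line of the named ACL."""
    out = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            tokens = m.group(3).split()
            src, dst = _addr(tokens), _addr(tokens)
            out.append((m.group(2), src, dst, m.group(4)))
    return out


def mapped_addresses(config):
    """Public addresses exposed by static translations, with 'interface' resolved."""
    ext = outside_ip(config)
    mapped = set()
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapped.add(ext if m.group(4) == "interface" else m.group(4))
    return mapped


def check_outside_acl(config, acl_name="outside_access_in"):
    """Flag ACL permits whose host destination is not exposed by any static."""
    mapped = mapped_addresses(config)
    findings = []
    for proto, src, dst, port in acl_entries(config, acl_name):
        if dst.prefixlen == 32 and str(dst.network_address) not in mapped:
            findings.append(
                f"{acl_name} permits {proto}/{port} to {dst.network_address}, but no "
                f"static maps that address (statics map: {sorted(mapped) or 'none'})"
            )
    return findings


def check_nat_exemption(config):
    """Flag a nat 0 (identity NAT) ACL that does not cover the whole VPN pool."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    findings = []
    for m in re.finditer(r"^nat \((\w+)\) 0 access-list (\S+)", config, re.M):
        entries = acl_entries(config, m.group(2))
        if not any(first in dst and last in dst for _, _, dst, _ in entries):
            findings.append(
                f"nat ({m.group(1)}) 0 ACL {m.group(2)} does not cover the VPN pool "
                f"{first}-{last}; VPN clients would be translated instead of exempted"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for f in check_outside_acl(cfg) + check_nat_exemption(cfg) or ["no findings"]:
            print(f)
```

Run as-is it reports one finding of each kind for the posted fragments and none after the fix; pointing it at a saved `show run` is a quick way to confirm that the outside ACL, the statics and the nat 0 exemption all agree before reaching for `clear xlate`.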
03-02-2011 05:25 AM
Hello Jennifer,
This did not work, and no log was generated.
03-02-2011 04:09 AM
Hello Jennifer,
Actually we are trying to connect from the internet, but it is not connecting.
My server IP is 192.168.4.222, which is inside.
One(config)#
hash sha
group 2
isakmp enable outside
ip local pool SDC!GSIDC 192.168.10.1-192.168.10.15 netmask 255.255.255.0
username Dc2Idc password password
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group tesTGroup type ipsec-ra
tunnel-group tesTGroup general-attributes
tunnel-group tesTGroup ipsec-attributes
pre-shared-key 1234567812
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255
access-list INSIDE_access_in extended permit tcp host 192.168.4.222 any
access-list INSIDE_access_in extended permit udp host 192.168.4.222 host 222.156.20.15 eq domain
03-02-2011 04:45 AM
What is the IP address of the outside interface and its subnet?
Also, what is the access-list that is applied to the outside interface? Please share those access-lists.
VPN configuration will not affect the access towards the server.
Was this access working before?
I am assuming that you are accessing the server with its public IP address (59.100.90.46). Also, how are you accessing the server? HTTP, or ping, or what exactly is this server for?
03-02-2011 04:50 AM
Sorry for the delayed reply,
We are accessing the server with the remote desktop port, i.e. 3389.
This is the first time it has been configured,
and I had attached my actual configuration for my DC.
Kindly forget my previous configuration.