mitang.prajapati
Beginner

Remote access VPN getting error

Hello support, I have configured the below on an ASA 5540; now I get an error connecting from the internet outside to the inside server.

This is my remote access VPN configuration:

One(config)#
  hash sha
  group 2
  isakmp enable outside
  ip local pool SDC!GSIDC 192.168.10.1-192.168.10.15 netmask 255.255.255.0
  username Dc2Idc password password
  crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
  tunnel-group tesTGroup type ipsec-ra
  tunnel-group tesTGroup general-attributes
  tunnel-group tesTGroup ipsec-attributes
  pre-shared-key 1234567812

  crypto dynamic-map dyn1 1 set transform-set FirstSet
  crypto dynamic-map dyn1 1 set reverse-route
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside

crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

access-list 101 extended permit ip host 192.168.4.222 192.168.10.0 255.255.255.0

Jennifer Halim
Cisco Employee

Sorry, not quite sure where it is actually failing.

Do you mean to say after you are connected to the VPN, you are not able to connect to an inside server?

Or, you are not able to connect to an inside server after you configure the VPN, however, you are not using the vpn?

Can you please advise what the IP address of the inside server that you try to access is?

Also, lastly, the full config would help in understanding what might cause the failure. Thanks.

Hello jennifer,

PFA

You haven't included the full config yet, and most importantly the access-list "outside_access_in".

Also, what IP address is 59.144.97.46? It is not in the same subnet as your ASA outside interface. Is this being routed towards your ASA outside interface? Do you own that IP, or is this IP assigned by your ISP? Just wondering if it has been routed correctly towards the ASA outside interface.

Hello Jennifer,

We could not upload the full configuration here, so I have uploaded the specific configuration. We are sorry for this.

But if you want any specific configuration, then let me know.

Below is the outside ACL:

access-list outside_access_in extended permit tcp any host 58.4.90.1 eq 3389

OK, so I assume that you would like to NAT 192.168.4.222 to the ASA outside interface IP address (58.4.90.1), which is what is stated on your access-list "outside_access_in". So if the above is a correct statement, then the following static line is incorrect:

static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255

Please remove that, and configure the following instead:

no static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255

static (INSIDE,outside) tcp interface 3389 192.168.4.222 3389 netmask 255.255.255.255

Then "clear xlate" after the above changes.

You should be able to RDP to 58.4.90.1 from the internet, and that would RDP to your inside server: 192.168.4.222.

Hello Jennifer,

You are right, but for VPN connectivity, how do we give this server to the outside without using this port 3389?

Is there any change in configuration for remote access to the server via Cisco client 5.0?

For remote access VPN, you can create a NAT exemption and directly RDP to the server using its private IP address (192.168.4.222).

Here is the config for NAT exemption if you don't already have it:

access-list nonat permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0

nat (INSIDE) 0 access-list nonat
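As an added example (not part of the thread, and not the poster's or Cisco's own config), here is how the two access paths discussed above fit together in pre-8.3 ASA NAT syntax. It assumes the outside interface address 58.4.90.1, the server 192.168.4.222, and the VPN pool SDC!GSIDC (192.168.10.1-192.168.10.15) from the posted config; the address-pool binding and the show commands are my additions, and the NAT-exemption ACL covers whichever pool the tunnel-group actually hands out, here 192.168.10.0/24.

```cisco
! Added example: consolidated pre-8.3 ASA config for both RDP paths.
! Assumptions: outside interface 58.4.90.1, inside server 192.168.4.222,
! VPN pool SDC!GSIDC = 192.168.10.1-192.168.10.15 (as posted in the thread).

! --- Path 1: RDP from the internet to the outside interface address ---
! Static PAT: TCP/3389 arriving on the outside interface -> 192.168.4.222:3389
static (INSIDE,outside) tcp interface 3389 192.168.4.222 3389 netmask 255.255.255.255
! Permit inbound RDP. "any" as the source is broad; restrict it to the
! known client addresses where they are fixed.
access-list outside_access_in extended permit tcp any host 58.4.90.1 eq 3389
! The ACL only takes effect once it is bound to the interface
access-group outside_access_in in interface outside

! --- Path 2: RDP over the remote-access VPN to the private address ---
! Hand out the posted pool to VPN clients (the posted config defines the
! pool but shows no address-pool line under general-attributes)
tunnel-group tesTGroup general-attributes
 address-pool SDC!GSIDC
! Exempt server <-> pool traffic from NAT so clients reach 192.168.4.222
! directly. The subnet here must match the pool the tunnel-group assigns;
! a pool outside this ACL is still translated and RDP never reaches the server.
access-list nonat extended permit ip 192.168.4.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
! "set reverse-route" on dyn1 (already in the posted config) injects the
! route back to the client address once the tunnel is up

! --- Apply and verify ---
clear xlate
show xlate
show nat
show crypto isakmp sa
show crypto ipsec sa
```

After a client connects, show crypto ipsec sa should list the client's pool address, and show xlate should show no translation for traffic between 192.168.4.222 and the pool.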

Hello Jennifer,

This did not work, and no log was generated.

mitang.prajapati
Beginner

Hello Jennifer,

Actually, we are trying to connect from the internet, but it's not connecting.

My server IP is 192.168.4.222, which is inside.

static (INSIDE,outside) 59.100.90.46 192.168.4.222 netmask 255.255.255.255
access-list INSIDE_access_in extended permit tcp host 192.168.4.222 any
access-list INSIDE_access_in extended permit udp host 192.168.4.222 host 222.156.20.15 eq domain

What is the ip address of the outside interface and its subnet?

Also, what is the access-list that is applied to the outside interface? Please share those access-lists.

VPN configuration will not affect the access towards the server.

Was this access working before?

I am assuming that you are accessing the server with its public IP address (59.100.90.46). Also, how are you accessing the server? HTTP or ping, or what exactly is this server for?

Sorry for the delayed reply,

We are accessing the server with the remote desktop port, i.e. 3389.

This is the first time it has been configured.

And I have attached my actual configuration for my DC.

Kindly forget my previous configuration.
