why no incoming traffic at all

yijunzhou
Level 1

Hello,

I am configuring an ASA as firewall + VPN. Basically, the outside of the appliance is T1 access; there are 5 VLANs on the inside behind an iptables box, and the iptables box's outside is on the same VLAN as the inside of the ASA (192.168.5.1 and 192.168.5.2). VPN users are authenticated via two-factor authentication (SDI, IP is 192.168.5.5) and get ACLs via the local database. The VPN pool is 192.168.6.1-192.168.6.15. The VPN pool is NATed to an external IP since companynmr is opened for specific IPs and protocols only.

ACL INSIDE works as expected; all other ACLs are not working at all (OUTSIDE, vpnuser1_ONLY, D81only, D53only, etc.).

Below is the configuration.  Please help me find out the problem.

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa

name 194.0.0.0 net194
name 195.0.0.0 net195
name 200.0.0.0 net200
name 201.0.0.0 net201
name 212.0.0.0 net212
name 217.0.0.0 net217
name 41.0.0.0 net41
name 62.0.0.0 net62
name 77.0.0.0 net77
name 78.0.0.0 net78
name 79.0.0.0 net79
name 83.0.0.0 net83
name 84.0.0.0 net84
name 86.0.0.0 net86
name 87.0.0.0 net87
name 88.0.0.0 net88
name 89.0.0.0 net89
name 90.0.0.0 net90
name 91.0.0.0 net91
name 92.0.0.0 net92
name 93.0.0.0 net93
name 94.0.0.0 net94
name 95.0.0.0 net95

!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.194 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.6.1-192.168.6.15 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any inside
icmp deny any outside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 4 xx.xx.xx.238 netmask 255.255.255.255
global (outside) 3 xx.xx.xx.215 netmask 255.255.255.255
global (outside) 2 xx.xx.xx.241 netmask 255.255.255.255
global (outside) 1 xx.xx.xx.218 netmask 255.255.255.255
global (outside) 5 xx.xx.xx.240 netmask 255.255.255.255
nat (inside) 1 User1 255.255.255.255
nat (inside) 1 User3 255.255.255.255
nat (inside) 5 proxy240 255.255.255.255
nat (inside) 2 proxy241 255.255.255.255
nat (inside) 1 User2 255.255.255.255
nat (inside) 3 companynet52 255.255.255.0
nat (inside) 4 vpnpool 255.255.255.0 outside

timeout xlate 0:10:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SDI protocol sdi
aaa-server SDI (inside) host 192.168.5.5
aaa authentication ssh console LOCAL
aaa authentication match INSIDE_AUTH inside SDI
aaa local authentication attempts max-fail 3
http server enable
http server idle-timeout 5
http XP 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh XP 255.255.255.255 inside
ssh timeout 5
console timeout 10
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 8
vpn-idle-timeout 10
vpn-session-timeout 60
vpn-tunnel-protocol l2tp-ipsec
webvpn
  svc keep-installer none
  svc rekey time 8
  svc rekey method ssl
  svc ask none default svc
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-simultaneous-logins 1
vpn-idle-timeout 9
vpn-session-timeout 45
vpn-tunnel-protocol svc
split-tunnel-policy tunnelall
webvpn
  svc keep-installer none
  svc rekey time 25
  svc rekey method ssl
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  svc routing-filtering-ignore disable
username vpnuser1 password xxxxx encrypted
username vpnuser1 attributes
vpn-group-policy GroupPolicy1
vpn-idle-timeout 6
vpn-session-timeout 20
vpn-filter value vpnuser1_ONLY
vpn-tunnel-protocol svc
group-lock value COMAVPN
service-type remote-access
username enable_15 password xxxxxx encrypted privilege 15
tunnel-group DefaultRAGroup webvpn-attributes
group-alias companyvpn disable
tunnel-group COMAVPN type remote-access
tunnel-group COMAVPN general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group SDI
authentication-server-group (inside) SDI
authorization-server-group LOCAL
default-group-policy GroupPolicy1
tunnel-group COMAVPN webvpn-attributes
group-alias companyremote enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

12 Replies

Maykol Rojas
Cisco Employee

Hello,

In version 8.2 and earlier, if the traffic is coming from the outside, you will need to allow traffic to the public IP instead of the private one.

Look at this:

static (inside,outside) 209.10.194.239 companyftp netmask 255.255.255.255

access-list OUTSIDE extended permit tcp any host companyftp object-group ftpservice

The access list should go like this

access-list OUTSIDE extended permit tcp any host 209.10.194.239 object-group ftpservice

For hosts trying to access the server from the outside.

Hope this helps.

Mike
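The rule Mike states above (on ASA 8.2 and earlier, an ACL applied inbound on the outside interface is matched against the mapped, public address of a `static` translation, not the real inside address) is easy to get wrong across a whole config. Below is an added example, not code from the original thread or from Cisco, that audits a pre-8.3 configuration for exactly this mistake: it parses the `name`, `static`, `access-list` and `access-group` lines, flags any ACE on an ACL bound to the static's mapped interface whose destination is the real address, and rewrites it to the mapped address. The sample configuration is constructed for the example; the address 192.168.5.10 for `companyftp` is an assumption, since the thread never gives it.

```python
"""
Added example (not from the original thread): audit a pre-8.3 ASA config for
outside-interface ACEs that name the real address of a static translation.
On ASA 8.2 and earlier such ACEs never match; the ACE must name the mapped
(public) address instead. Sample config below is constructed; 192.168.5.10
for companyftp is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """
name 192.168.5.10 companyftp
static (inside,outside) 209.10.194.239 companyftp netmask 255.255.255.255
access-list OUTSIDE extended permit tcp any host companyftp object-group ftpservice
access-list OUTSIDE extended permit tcp any host 209.10.194.239 object-group ftpservice
access-list INSIDE extended permit ip 192.168.5.0 255.255.255.0 any
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside
"""

NAME_RE = re.compile(r"^name (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<name>\S+)")
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) (?P<real>\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<ifc>\w+)")
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}  # tokens to skip


def parse_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACE address spec at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if i + 1 >= len(tokens):
        raise ValueError(f"truncated address spec in: {' '.join(tokens)}")
    if tok in ("host", "object-group", "object"):
        return tokens[i + 1], i + 2
    return f"{tok}/{tokens[i + 1]}", i + 2          # network + mask


def parse_ace(line: str) -> Optional[Dict[str, str]]:
    """Parse `access-list NAME extended permit|deny PROTO SRC [sport] DST ...`.
    Service object-groups after the destination are ignored; that is enough
    for the ACE shapes used in this thread."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    try:
        acl, action, proto = tokens[1], tokens[3], tokens[4]
        src, i = parse_address(tokens, 5)
        if i < len(tokens) and tokens[i] in PORT_OPS:   # optional source port
            i += PORT_OPS[tokens[i]]
        if i >= len(tokens):
            return None
        dst, _ = parse_address(tokens, i)
    except ValueError:
        return None
    return {"acl": acl, "action": action, "proto": proto,
            "src": src, "dst": dst, "line": line}


def audit_outside_acl(config: str) -> List[Dict[str, str]]:
    """Return ACEs, on ACLs bound to a static's mapped interface, whose
    destination is the translation's real address rather than the mapped one.
    ACLs that are not bound with access-group (e.g. vpn-filter ACLs) are skipped."""
    names: Dict[str, str] = {}
    statics: List[Dict[str, str]] = []
    bound: Dict[str, str] = {}
    aces: List[Dict[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m["name"]] = m["ip"]
        elif m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACCESS_GROUP_RE.match(line):
            bound[m["acl"]] = m["ifc"]
        elif line.startswith("access-list"):
            if ace := parse_ace(line):
                aces.append(ace)

    def resolve(tok: str) -> str:
        return names.get(tok, tok)          # `name` alias -> dotted address

    findings = []
    for ace in aces:
        ifc = bound.get(ace["acl"])
        for st in statics:
            if ifc == st["mapped_if"] and resolve(ace["dst"]) == resolve(st["real"]):
                findings.append({**ace, "real": st["real"], "mapped": st["mapped"]})
    return findings


def fix_ace(finding: Dict[str, str]) -> str:
    """Rewrite the flagged ACE so it names the mapped (public) address."""
    return finding["line"].replace(f"host {finding['real']}",
                                   f"host {finding['mapped']}", 1)


if __name__ == "__main__":
    for f in audit_outside_acl(SAMPLE_CONFIG):
        print(f"{f['acl']}: destination {f['dst']} is the real address behind "
              f"{f['mapped']}; use: {fix_ace(f)}")
```

Run against a saved `show running-config`, the script reports only the first OUTSIDE entry (the one that names `companyftp`) and prints the corrected line with `209.10.194.239`; the second entry, already written against the public address, is left alone. Note that this check is specific to 8.2 and earlier: from 8.3 onward the ASA evaluates interface ACLs against real addresses and the flagged form becomes the correct one.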

Yes, you are an expert, Mike!

One more problem about vpn configuration:

After a VPN user, say vpnuser1, logged in to the VPN, I do see the user's attributes (vpnuser1_ONLY) override the group policy (GroupPolicy1); however, vpnuser1 was unable to access anything on the inside or the one single remote host.

Thank you for help.

Yijun

Hello,

What you call vpnuser1_ONLY is just a VPN filter; it is not a group policy. That being said, only what is here:

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host dev28 object-group tcp_for_28 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host QuickBooks object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 object-group mailslist object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host XP object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host N92 eq ssh log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host companynmr eq ssh log

Would be the things that the VPN client can connect to, no other traffic would be permitted.

Cheers!

Mike

Hello Mike,

Sorry for the confusion. I should have said this is a 2nd issue, separate from the no-incoming-traffic one.

What happens is that after vpnuser1 logs in to the VPN, he cannot access any internal host as expected.

Thank you for help.

Regards,

Yijun

Hello Yijun,

Don't worry, I am glad to help. I am not quite a VPN expert, but based on the configuration, I think you can only access what is explicitly allowed in the following access list:

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host dev28 object-group tcp_for_28 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host QuickBooks object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 object-group mailslist object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host XP object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host N92 eq ssh log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host companynmr eq ssh log

If you are not even able to access what you explicitly permitted on this ACL, please go ahead and start the logs on the ASA firewall, connect a VPN client, try to send traffic and paste the logs over here, I will be more than glad to help.

Mike

Hello Mike,

I really appreciate your kind help. I am pretty new to Cisco ASA; we used Check Point before. The following is the log I caught after vpnuser1 logged in from public IP 66.167.16.82:

ciscoasa# show conn all

5 in use, 71 most used

UDP outside 66.167.16.82:63523 NP Identity Ifc 209.10.194.194:443, idle 0:00:03, bytes 15847, flags -

TCP outside 66.167.16.82:49247 NP Identity Ifc 209.10.194.194:443, idle 0:00:02, bytes 1487, flags UOB

ciscoasa# show vpn-sessiondb

Active Session Summary

Sessions:

                           Active : Cumulative : Peak Concurrent : Inactive

  SSL VPN               :       1 :          3 :               1

    Clientless only     :       0 :          0 :               0

    With client         :       1 :          3 :               1 :        0

  Email Proxy           :       0 :          0 :               0

  IPsec LAN-to-LAN      :       0 :          0 :               0

  IPsec Remote Access   :       0 :          0 :               0

  Totals                :       1 :          3

License Information:

  IPsec   :     25    Configured :     25    Active :      0    Load :   0%

  SSL VPN :      2    Configured :      2    Active :      1    Load :  50%

                            Active : Cumulative : Peak Concurrent

  IPsec               :          0 :          0 :               0

  SSL VPN             :          1 :          3 :               1

    AnyConnect Mobile :          0 :          0 :               0

    Linksys Phone     :          0 :          0 :               0

  Totals              :          1 :          3

Tunnels:

                    Active : Cumulative : Peak Concurrent

  Clientless  :          1 :          3 :               1

  SSL-Tunnel  :          1 :          7 :               1

  DTLS-Tunnel :          1 :          8 :               1

  Totals      :          3 :         18

Active NAC Sessions:

  No NAC sessions to display

Active VLAN Mapping Sessions:

  No VLAN Mapping sessions to display

ciscoasa# show vpn-sessiondb svc

Session Type: SVC

Username     : vpnuser1                  Index        : 4

Assigned IP  : 192.168.6.1            Public IP    : 66.167.16.82

Protocol     : Clientless SSL-Tunnel

License      : SSL VPN

Encryption   : RC4                    Hashing      : SHA1

Bytes Tx     : 2485998                Bytes Rx     : 80017

Group Policy : GroupPolicy1           Tunnel Group : L5MVPN

Login Time   : 09:15:13 EDT Fri Jun 17 2011

Duration     : 0h:17m:59s

Inactivity   : 0h:00m:00s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

The following are logs caught:

2  Jun 17 2011  09:27:26  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2  Jun 17 2011  09:27:13  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

6  Jun 17 2011  09:27:13  302016  192.168.14.2  62567  209.10.194.194  443  Teardown UDP connection 10276 for outside:192.168.4.2/62567 to identity:209.10.194.194/443 duration 0:02:01 bytes 99

2  Jun 17 2011  09:27:12  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2  Jun 17 2011  09:26:39  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

6  Jun 17 2011  09:26:39  722022                                        Group User IP <66.167.16.82> UDP SVC connection established without compression

5  Jun 17 2011  09:26:39  722033                                        Group User IP <66.167.16.82> First UDP SVC connection established for SVC session.

6  Jun 17 2011  09:26:39  725002  66.167.16.82  63523                   Device completed SSL handshake with client outside:66.167.16.82/63523

6  Jun 17 2011  09:26:39  725003  66.167.16.82  63523                   SSL client outside:66.167.16.82/63523 request to resume previous session.

6  Jun 17 2011  09:26:38  725001  192.168.14.2  63523                   Starting SSL handshake with client outside:192.168.4.2/63523 for DTLSv1 session.

6  Jun 17 2011  09:26:38  302015  192.168.14.2  63523  209.10.194.194  443  Built inbound UDP connection 10282 for outside:192.168.4.2/63523 (192.168.4.2/63523) to identity:209.10.194.194/443 (209.10.194.194/443)

6  Jun 17 2011  09:26:38  725001  66.167.16.82  63523                   Starting SSL handshake with client outside:66.167.16.82/63523 for DTLSv1 session.

6  Jun 17 2011  09:26:38  302015  66.167.16.82  63523  209.10.194.194  443  Built inbound UDP connection 10281 for outside:66.167.16.82/63523 (66.167.16.82/63523) to identity:209.10.194.194/443 (209.10.194.194/443)

6  Jun 17 2011  09:26:38  722023                                        Group User IP <66.167.16.82> UDP SVC connection terminated without compression

6  Jun 17 2011  09:26:38  725007  66.167.16.82  62181                   SSL session with client outside:66.167.16.82/62181 terminated.

6  Jun 17 2011  09:26:38  302016  66.167.16.82  62181  209.10.194.194  443  Teardown UDP connection 10278 for outside:66.167.16.82/62181 to identity:209.10.194.194/443 duration 0:00:41 bytes 10480

2  Jun 17 2011  09:26:35  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2  Jun 17 2011  09:26:22  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

6  Jun 17 2011  09:26:22  110002  192.168.6.1  62874                    Failed to locate egress interface for UDP from outside:192.168.6.1/62874 to 239.255.255.250/1900

2  Jun 17 2011  09:26:21  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2  Jun 17 2011  09:26:20  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

6  Jun 17 2011  09:26:19  302014  66.167.16.82  49246  209.10.194.194  443  Teardown TCP connection 10277 for outside:66.167.16.82/49246 to identity:209.10.194.194/443 duration 0:00:29 bytes 1303 TCP Reset-O

2  Jun 17 2011  09:26:19  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

5  Jun 17 2011  09:26:19  722028                                        Group User IP <66.167.16.82> Stale SVC connection closed.

6  Jun 17 2011  09:26:19  725007  66.167.16.82  49246                   SSL session with client outside:66.167.16.82/49246 terminated.

6  Jun 17 2011  09:26:19  734001                                        DAP: User vpnuser1, Addr 66.167.16.82, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

4  Jun 17 2011  09:26:19  722051                                        Group User IP <66.167.16.82> Address <192.168.6.1> assigned to session

6  Jun 17 2011  09:26:19  722022                                        Group User IP <66.167.16.82> TCP SVC connection established without compression

5  Jun 17 2011  09:26:19  722032                                        Group User IP <66.167.16.82> New TCP SVC connection replacing old connection.

6  Jun 17 2011  09:26:19  725002  66.167.16.82  49247                   Device completed SSL handshake with client outside:66.167.16.82/49247

6  Jun 17 2011  09:26:19  725001  66.167.16.82  49247                   Starting SSL handshake with client outside:66.167.16.82/49247 for TLSv1 session.

6  Jun 17 2011  09:26:19  302013  66.167.16.82  49247  209.10.194.194  443  Built inbound TCP connection 10280 for outside:66.167.16.82/49247 (66.167.16.82/49247) to identity:209.10.194.194/443 (209.10.194.194/443)

2  Jun 17 2011  09:26:18  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2  Jun 17 2011  09:26:10  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

Regards,

Yijun

Hello Yijun

Thanks for the logs. The only traffic that I can see from the host 192.168.6.1 is NetBIOS traffic; that is pretty much it. I don't see any TCP connections or you trying to access any internal resources. Can you gather the logs when you try a TCP connection to a resource on the inside?

Mike

Hi Mike,

Sorry, I am pretty new to Cisco ASA; I thought that was all of the logs. Would you please guide me through how to enable detailed logging and how to grab it?

Thanks,

Yijun

Hey,

Yes, they are; these are the ones you took:

2  Jun 17 2011  09:27:26  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

2  Jun 17 2011  09:27:13  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside

However, I cannot see any TCP traffic. Would you please connect again and try to access a server on the inside via, I don't know, RDP or something you have allowed?

Mike

Hi  Mike,

Authentication and authorization are both successful:

6   Jun 17 2011   14:53:01   113004               AAA user authorization Successful : server =  LOCAL : user = vpnuser1

6   Jun 17 2011   14:53:01   113004               AAA user authentication Successful : server =  192.168.5.5 : user = vpnuser1

Then lots of denials:

6   Jun 17 2011   14:54:11   302014   66.167.16.82   49993   209.10.194.194   443   Teardown TCP connection 12470 for outside:66.167.16.82/49993 to identity:209.10.194.194/443 duration 0:00:50 bytes 1911061 TCP Reset-O

2   Jun 17 2011   14:54:10   106006   192.168.6.2   137   192.168.6.255   137   Deny inbound UDP from 192.168.6.2/137 to 192.168.6.255/137 on interface outside

Is that because of a routing or NAT issue? (I NATed the VPN IP address pool to one public IP to access another remote host, companynmr, which is opened for restricted public IPs only.)

nat (inside) 4 vpnpool 255.255.255.0 outside

global (outside) 4 209.10.194.238 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 209.10.194.193 1

route inside companynet51 255.255.255.0 192.168.5.2 1

route inside companynet52 255.255.255.0 192.168.5.2 1

route inside companynet53 255.255.255.0 192.168.5.2 1

route inside companynet81 255.255.255.0 192.168.5.2 1

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host dev28 object-group tcp_for_28 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host QuickBooks object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 object-group mailslist object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host XP object-group tcp3389 log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host N92 eq ssh log

access-list vpnuser1_ONLY extended permit tcp vpnpool 255.255.255.0 host companynmr eq ssh log

Thanks,

Yijun

Hi,

I need you to do a couple of things. First, make sure that the host 192.168.5.3 is turned on and that it has RDP enabled; then connect a VPN client and finally try to connect via RDP to the host 192.168.5.3. I need you to collect the logs from that connection. You can do it like you have been doing so far or by doing the following:

Login to ASDM

Go to monitoring---->Logging---->View

On the filter, put the IP address of the RDP host (192.168.5.3)

Then start the connection and see the logs

The other way would be this one:

logging buffered 7

logging on

Then try to connect via RDP.

Then issue the command: show logging | include 192.168.5.3

Let me know how it goes.

Mike
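The procedure Mike describes above (raise buffered logging to debugging, reproduce the RDP attempt, then filter the buffer for the target host) is straightforward on the box itself, but the ASDM-style lines Yijun pasted are awkward to work with once copied out. The following is an added example, not code from the original thread or from Cisco, that parses those lines offline: it recognises the message types present in the thread (106006 Deny inbound, 302013/302015 Built, 302014/302016 Teardown, 113004 AAA) plus 106100 (ACL hit logging), implements the `| include <host>` filter on parsed fields, and counts denied flows so the NetBIOS noise can be separated from the connection under test. All sample lines except the last are copied from the poster's logs (including the `,,` copy-paste residue, which the parser strips); the 106100 line to 192.168.5.3:3389 is constructed to stand in for the RDP test the thread never shows.

```python
"""
Added example (not from the original thread): parse ASDM-style ASA log lines,
filter by host (the offline equivalent of `show logging | include <host>`)
and summarise denied flows. Sample lines are copied from the thread except the
last one, which is a constructed 106100 ACL-deny for an RDP attempt.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Last line is constructed for this example; the others are from the poster's logs.
SAMPLE_LOG = """
2  Jun 17 2011  09:27:26  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside
2  Jun 17 2011  09:26:20  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside,,
2  Jun 17 2011  09:26:19  106006  192.168.6.1  137  192.168.6.255  137  Deny inbound UDP from 192.168.6.1/137 to 192.168.6.255/137 on interface outside,,
6  Jun 17 2011  09:26:19  302013  66.167.16.82  49247  209.10.194.194  443  Built inbound TCP connection 10280 for outside:66.167.16.82/49247 (66.167.16.82/49247) to identity:209.10.194.194/443 (209.10.194.194/443),,
6  Jun 17 2011  14:53:01  113004               AAA user authorization Successful : server =  LOCAL : user = vpnuser1
6  Jun 17 2011  14:55:02  106100  192.168.6.1  49300  192.168.5.3  3389  access-list vpnuser1_ONLY denied tcp outside/192.168.6.1(49300) -> inside/192.168.5.3(3389) hit-cnt 1 first hit
"""

# severity, date, time, six-digit message id, then the message text
HEADER_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<time>\d\d:\d\d:\d\d)\s+(?P<msgid>\d{6})\s+(?P<rest>.*)$")
# %ASA-2-106006: Deny inbound UDP from A/p to B/p on interface X
DENY_RE = re.compile(
    r"Deny inbound (?P<proto>\w+) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\w+)")
# %ASA-6-106100: access-list NAME permitted|denied proto ifc/A(p) -> ifc/B(p) ...
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<ifc>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \w+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
# %ASA-6-302013/302015 Built and 302014/302016 Teardown connection messages
CONN_RE = re.compile(
    r"(?P<action>Built|Teardown) (?:inbound |outbound )?(?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)(?: \([\d./]+\))? "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for one log line, or None if it is not a log line."""
    line = line.strip().rstrip(",")            # drop the ",," copy-paste residue
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = {"severity": int(m["sev"]), "msgid": m["msgid"],
                              "time": m["time"], "action": None,
                              "text": m["rest"].strip()}
    rest = m["rest"]
    if d := DENY_RE.search(rest):
        rec.update(d.groupdict(), action="denied")
    elif a := ACL_RE.search(rest):
        rec.update(a.groupdict(), proto=a["proto"].upper())
    elif c := CONN_RE.search(rest):
        rec.update(c.groupdict(), action=c["action"].lower())
    return rec                                  # AAA/SSL lines keep action=None


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def events_for_host(records: List[Dict[str, object]], host: str) -> List[Dict[str, object]]:
    """Offline equivalent of `show logging | include <host>`, on parsed fields."""
    return [r for r in records if host in (r.get("src"), r.get("dst"))]


def deny_summary(records: List[Dict[str, object]]) -> Counter:
    """Count denied flows by (src, dst, dport, proto): shows what the VPN
    client actually attempted, separated from NetBIOS broadcast noise."""
    return Counter((r["src"], r["dst"], r["dport"], r["proto"])
                   for r in records if r["action"] == "denied")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in events_for_host(recs, "192.168.5.3"):
        print(r["time"], r["msgid"], r["action"], r.get("acl"), r["text"])
    for flow, n in deny_summary(recs).most_common():
        print(n, "x denied", flow)
```

Filtering on the RDP host isolates the single 106100 entry, which also names the ACL that dropped the packet (`vpn-filter` ACLs log with their own name, so this is the fastest way to tell a filter deny from a routing or NAT problem), while the summary shows the three 192.168.6.1:137 -> 192.168.6.255:137 denies as one flow. Syslog-format lines (`%ASA-2-106006: ...`) differ only in the header; the message-text regexes are the same.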

hi, mike,

My VPN configuration works. However, there is another problem: I was not able to let an internal host go out to the internet and come back in to access another host on a different internal VLAN.

object-group service mailservice tcp

port-object eq https

port-object eq smtp

nat (inside) 6 192.168.4.0 255.255.255.0

global (outside) 6 xx.xx.xx.201 netmask 255.255.255.255

static (inside,outside) xx.xx.xx.206 192.168.3.136 netmask 255.255.255.255

access-list INSIDE extended permit ip 192.168.4.0 255.255.255.0 any

access-list OUTSIDE extended permit tcp any host xx.xx.xx.206 object-group mailservice log


same-security-traffic permit intra-interface

The machine 192.168.4.15 was able to access anywhere on the internet, but not https://xx.xx.xx.206.

Can you help me identify the problem?

Thanks,
