09-28-2015 08:39 PM - edited 03-05-2019 02:24 AM
I have an ASA (configuration attached) with an inside network (192.168.255.0/24) that I can access over VPN. I have configured the ASA NAT and Access Rules to allow internet access to inside hosts.
The inside hosts have static IP. Whenever I change a Windows host to use the ASA inside interface as the network gateway (for internet access), I can no longer RDP onto that host, regardless of whether I am on the inside or VPN network.
However, I can hit the web server (port 80) on one of the hosts successfully. RDP "listens on TCP port 3389 and UDP port 3389" according to Wikipedia. I'm not sure what NAT or Access Rule would be preventing RDP but allowing HTTP?
09-28-2015 09:28 PM
Is the normal gateway for the Windows host a router? If so, put a route on the router pointing to the ASA for Internet access.
09-28-2015 10:08 PM
Hi Richard,
Until installing the ASA for VPN remote access, the network was a simple, isolated, 24-bit static network and had no reason for a router.
Surely the ASA can handle basic routing without a router in between? I'm only talking about an RDP connection between two hosts on the same subnet?
09-29-2015 12:21 AM
Hi Clive,
See this link:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration85/guide/asa_cfg_cli_85/interface_complete_routed.html#wp1325183
To allow hosts to communicate with each other on the same interface you need the following command:
"same-security-traffic permit intra-interface"
09-29-2015 05:40 PM
Clive,
Let's forget about the VPN for a moment. When coming from internal and RDP-ing into your Windows host, what IP address/subnet are you coming from? I am with Richard on this one; it sounds like a subnet isn't routed properly.
09-29-2015 09:04 PM
Hi Dennis, Richard,
I have now issued the command:
same-security-traffic permit intra-interface
as suggested by Richard.
OK, so all 'inside' hosts (around 30) are on a small, isolated network with the same subnet, 192.168.255.0/24. All hosts are networked on a basic unmanaged switch, so there has been no gateway. Once a Windows host has had its gateway changed from [blank] to the inside of the ASA (192.168.255.254), RDP connections fail as well as other communications, but web servers are still reachable.
09-29-2015 09:40 PM
Clive,
Are you saying RDP fails if you RDP from one device to another on the 192.168.255.0 network, or is it from outside?
Do all devices on the 192.168.255.0 network have static IP addresses, or are they DHCP? If DHCP, do you use the ASA as the DHCP server?
If you do a "show arp" on the ASA, do you see your 192.168.255.x devices?
09-29-2015 10:41 PM
RDP fails whether connecting from the outside or inside (i.e. on the same 192.168.255.0 network).
All devices are static. Although the ASA has been configured as a DHCP server, the DHCP address range is limited to 192.168.255.230-240, which is outside the range of the devices concerned.
ARP shows the 192.168.255.x devices:
09-29-2015 10:05 PM
OK, so you RDP to the Windows box that is in 192.168.255.0/24 from a machine that is in 192.168.255.0/24 as well?
09-29-2015 10:07 PM
Correct
09-30-2015 04:10 PM
OK, in that case the problem is not your firewall, or, put more correctly, it should not be in the path.
If, for instance, you connect to your Windows machine 192.168.255.10 from 192.168.255.100, then whatever the default gateway is on your Windows machine does not matter, because it will only need to rely on its ARP table to be able to send traffic back to 192.168.255.100.
Whatever is going on, I am guessing the problem is on your Windows box.
09-30-2015 06:05 PM
Hi Dennis,
That's what I thought too, but I have proven this behaviour on two separate Windows hosts now and don't understand why a gateway would impact comms between devices on the same subnet.
I was suspicious that the traffic was in fact being routed through the gateway and that the ASA was NATting the traffic according to my NAT rules.
I will hopefully be on site tomorrow for a closer look.
09-30-2015 07:43 PM
Does the machine you are trying to connect to (the Windows machine) have two IP addresses? For instance, is it wired into the network and using wireless at the same time?
It would be interesting to isolate the server from the network and see if you can reproduce the problem.
HTH
09-30-2015 10:45 PM
There are two factors to test:
Post-8.3 ASA identity NAT rules are capable of affecting intra-subnet traffic if someone forgets to add the no-proxy-arp option.
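A worked illustration of Peter's point, added here as an example and not taken from Clive's attached configuration: a post-8.3 identity NAT for the VPN first with the defaults left in place, then with `no-proxy-arp`, followed by the checks that show whether proxy ARP is what pulls same-subnet traffic to the ASA. The object names, the VPN pool 192.168.250.0/24 and the host addresses 192.168.255.10/.100 are assumptions.

```text
! Assumed object names and VPN pool (constructed for this example, not from the attached config)
object network INSIDE_NET
 subnet 192.168.255.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.250.0 255.255.255.0

! Weak form: identity NAT with defaults. With "any" as the mapped interface the ASA
! proxy-ARPs for the INSIDE_NET addresses on every interface, including inside, so a
! LAN host ARPing for 192.168.255.10 can be answered with the ASA's MAC and then send
! same-subnet traffic to the firewall instead of to its peer.
nat (any,any) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL

! Corrected form: pin the interface pair and stop the ASA answering ARP for the
! mapped addresses; route-lookup makes egress follow the routing table.
no nat (any,any) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! Checks on the ASA
show nat detail
! the rule should show no-proxy-arp and the (inside,outside) interface pair
packet-tracer input inside tcp 192.168.255.100 50000 192.168.255.10 3389
! shows which NAT rule a same-subnet RDP flow would match and whether the ASA
! would hairpin it back out of the inside interface

! Checks on the Windows client (assumed addresses): the MAC learned for the peer
! must differ from the MAC of the ASA inside interface
!   arp -a 192.168.255.10
!   arp -a 192.168.255.254
!   arp -d 192.168.255.10      (clear a stale entry before re-testing)
```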
10-05-2015 10:01 PM
Hi Peter,
Both configurations 1 and 2 work fine, no connectivity issues. If the ASA is disconnected but the gateway is set to 192.169.255.254 (the ASA), RDP and other services function OK. As soon as the ASA is connected, the problems start.
From the ASA inside interface (192.168.255.254) to the server:
I can't figure out what is wrong with my ASA config to cause this behaviour?