How to configure CISCO ASA 5510 for internal remote desktop ?

ian_banderaz
Level 1

Hello, I have a client that wants to install a new ASA (5510) in their network.

Then I did some experiments to implement it. The topology is like this:

(attached topology diagram: Drawing1.jpg)

--------configuration---------

2800 router :


interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.11.3 255.255.255.0
duplex auto
speed auto
!

ip route 192.168.12.0 255.255.255.0 172.16.1.2

1841 router :

interface FastEthernet0/0
ip address 172.16.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
!
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1

ASA 5510 :

: Saved
: Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
!
ASA Version 8.2(1)
!
hostname ciscoasa
enable password **** encrypted
passwd ***** encrypted
names
name 192.168.12.0 Branch
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
!
tcp-map mssmap
  synack-data allow
  invalid-ack allow
  seq-past-window allow
  urgent-flag allow
!
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm location Branch 255.255.255.0 inside
no asdm history enable
arp timeout 14400
static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside Branch 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ***** password ***** encrypted
!
class-map mymap
match access-list inside_access_in
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
policy-map myPolicy
class mymap
  set connection advanced-options mssmap
!
service-policy global_policy global
service-policy myPolicy interface inside
prompt hostname context
Cryptochecksum:a605d94f29924e5267644dd0f4476145
: end

I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop between those hosts.

Then I used Wireshark to capture packets on my computer, and it says TCP ACKed lost segment.

"1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"

"1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"

I can guarantee that both computers have Remote Desktop enabled and all firewalls have been disabled.

Please help; any suggestion would be great.

Thanks.

Sincerely yours,

-IAN WIJAYA-

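A way to make the capture above speak for itself, as an added example that is neither the poster's configuration nor any Cisco tool: the Python script below parses rows in the layout of Wireshark's CSV export (No., Time, Source, Destination, Protocol, Info), tracks each client-to-server flow by its 4-tuple, and reports which step of the three-way handshake is missing. The two quoted rows are included as-is; the other rows and the service-name mapping for ms-wbt-server (TCP 3389) are constructed for the example. A SYN answered by a RST with no SYN-ACK in between means either the server's port is closed or something stateful in the path reset the flow; when ping works but TCP does not, the return path around the firewall is the first thing to check, and on the ASA itself `packet-tracer` and `show asp drop` show where a packet is being dropped. Note also that the tcp-map in the posted config already disables several TCP-normalizer checks (synack-data, invalid-ack, seq-past-window, urgent-flag), which is worth revisiting once the root cause is found.

```python
"""Classify TCP handshake outcomes from Wireshark CSV export rows.

Added example for this thread (not the poster's configuration or any
Cisco tool).  Input is the "No., Time, Source, Destination, Protocol,
Info" layout that Wireshark's CSV export produces.
"""
import csv
import io
import re
from collections import namedtuple

Packet = namedtuple("Packet", "no time src sport dst dport flags")

# Wireshark resolves well-known ports to names; the only one on this
# page is RDP.  Assumption: extend this if your export uses other names.
SERVICE_PORTS = {"ms-wbt-server": 3389}

# "<sport> > <dport> [FLAGS]" inside the Info column.  Analysis prefixes
# such as "[TCP ACKed lost segment]" do not match: no " > " follows them.
INFO_RE = re.compile(r"(\S+) > (\S+) \[([A-Z]+(?:, [A-Z]+)*)\]")

# Constructed sample.  Rows 1373/1374 are the two quoted in the post; the
# rest are made up for contrast: one healthy RDP handshake to a
# hypothetical host 192.168.11.50 and one SYN that never gets an answer.
SAMPLE_CSV = '''\
"1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
"1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
"2001","200.000000","192.168.11.2","192.168.11.50","TCP","50000 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
"2002","200.000500","192.168.11.50","192.168.11.2","TCP","ms-wbt-server > 50000 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460"
"2003","200.000800","192.168.11.2","192.168.11.50","TCP","50000 > ms-wbt-server [ACK] Seq=1 Ack=1 Win=65536 Len=0"
"3001","210.000000","192.168.11.2","192.168.12.2","TCP","50001 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
'''

EXPLANATION = {
    "established": "three-way handshake completed",
    "syn-rst": "SYN answered by RST with no SYN-ACK: port closed on the "
               "server, or a stateful device in the path reset the flow",
    "synack-no-ack": "server replied but the client's final ACK was not seen",
    "syn-unanswered": "no reply to the SYN at all (filtered or dropped)",
}


def port_number(name):
    """Numeric port from either a number or a Wireshark service name."""
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def parse_rows(csv_text):
    """Turn Wireshark CSV rows into Packet records; non-TCP rows are skipped."""
    packets = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6 or row[4] != "TCP":
            continue
        m = INFO_RE.search(row[5])
        if not m:
            continue
        flags = frozenset(f.strip() for f in m.group(3).split(","))
        packets.append(Packet(int(row[0]), float(row[1]), row[2],
                              port_number(m.group(1)), row[3],
                              port_number(m.group(2)), flags))
    return packets


def classify_handshakes(packets):
    """Return {(client, cport, server, sport): verdict} for every SYN seen."""
    flows = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server key
        rev = (p.dst, p.dport, p.src, p.sport)   # same key, seen from a reply
        if "SYN" in p.flags and "ACK" not in p.flags:
            flows.setdefault(fwd, {"synack": False, "ack": False, "rst": False})
        elif rev in flows:                        # reply from the server side
            if "RST" in p.flags:
                flows[rev]["rst"] = True
            elif "SYN" in p.flags and "ACK" in p.flags:
                flows[rev]["synack"] = True
        elif fwd in flows and "ACK" in p.flags:   # client's third packet
            flows[fwd]["ack"] = True
    verdicts = {}
    for key, s in flows.items():
        if s["rst"] and not s["synack"]:
            verdicts[key] = "syn-rst"
        elif s["synack"] and s["ack"]:
            verdicts[key] = "established"
        elif s["synack"]:
            verdicts[key] = "synack-no-ack"
        else:
            verdicts[key] = "syn-unanswered"
    return verdicts


def report(csv_text):
    """One human-readable line per flow, sorted by client address and port."""
    verdicts = classify_handshakes(parse_rows(csv_text))
    return [f"{c}:{cp} -> {s}:{sp}  {v:15} {EXPLANATION[v]}"
            for (c, cp, s, sp), v in sorted(verdicts.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV)))
```

Run it with python3 and it prints one line per flow; the quoted RDP attempt comes out as syn-rst, the constructed handshake as established. To use it on your own capture, export the packet list as CSV from Wireshark and pass the file's text to report().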
2 Replies

ian_banderaz
Level 1

up -_-'

seanelias
Level 1

Dear ian_banderaz,

Thank god I am not alone on this.

I am having the exact same problem: I can ping the host, but no remote desktop.

Somebody please help me on this: how to enable remote desktop on an ASA 5505.

Thanks
