Anyconnect VPN successful, but can't Remote Desktop

Kim Hoang
Level 1

Hi All,

I have a problem where I'm unable to remote desktop into any of the LAN PCs when I'm connected through the VPN. I can ping all nodes inside the network and I can open an inside-addressed web page from my local PC, as well. So, it seems like it's only RDP (3389) that is affected. Remote access to those PCs is enabled, as I'm able to get to them via a different method (SBS Remote Web Access).

I'm somewhat new to ASAs, so any help is greatly appreciated.  TIA

ASA 5505

ASA Version 8.2(5)
!
hostname asa
enable password IqUJj3NwPkd23LO9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.1.0 Net-10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 11.11.11.11 255.255.255.0
!
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list TSTGRP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 12.0.1.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 12.0.1.0 255.255.255.224
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
ip local pool IPSec-12 12.0.1.1-12.0.1.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 11.11.11.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate fecf8751
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 10.0.1.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 11.11.11.12 11.11.12.12 interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
vpn-tunnel-protocol svc
group-policy DfltGrpPolicy attributes
dns-server value 11.11.11.12 11.11.12.12
vpn-tunnel-protocol IPSec webvpn
username test password 1w1.F5oqiDOWdcll encrypted privilege 0
username test attributes
vpn-group-policy SSLClientPolicy
username test1 password lQ8frBN8p.5fQvth encrypted privilege 15
username test2 password w4USQXpU8Wj/RFt8 encrypted privilege 0
username test2 attributes
vpn-group-policy SSLClientPolicy
username test3 password SC8q/LweL74qU0Zu encrypted privilege 0
username test3 attributes
vpn-group-policy SSLClientPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool IPSec-12
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://11.11.11.11/PAS_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f67d8c8b24bc533cf546b545aa33327


6 Replies

Varinder Singh
Cisco Employee

Is your ASA inside IP address 192.168.1.98 the default gateway for the 192.168.1.0/24 subnet?

Your config looks fine for allowing traffic from the VPN pool to the inside network.

In case the ASA is not the default gateway, there would be asymmetric routing on the inside.

Either add a route on terminal server machine for 12.0.1.0 255.255.255.224 to point towards ASA inside IP address.

Else take a capture on inside. Here is  the command

capture capin interface inside match ip 12.0.1.0 255.255.255.224 host

sh capture capin

Regards,

Varinder



P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users


Varinder,

thanks for the suggestions.

The 192.168.1.0/24 network's default gateway is 192.168.1.1, which is a NetGear router for the LAN's primary Internet connection (cable modem). The ASA's connection to the outside is through a T1 circuit our office uses for VoIP services. I already had a static route set up on the NetGear router (10.0.1.0 255.255.255.224 192.168.1.98), so the inside PCs know how to talk with the 10.0.1.0 pool addresses.

capture capin interface inside match ip 10.0.1.0 255.255.255.224 host 192.168.1.20, shows the following:

0 packet captured

0 packet shown

... it's bizarre.  With VPN established, I can ping to 192.168.1.x and also load an internal web page without a problem.

Run the ping command as well as trying to access RDP on host 192.168.1.20, then check the capture:

sh capture capin

Regards,

Varinder




Here's the capture ...

62 packets captured

   1: 19:49:15.500355 802.1Q vlan#1 P0 10.0.1.1.46518 > 192.168.1.100.33435:  udp 24

   2: 19:49:26.526217 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.100: icmp: echo request

   3: 19:49:26.527514 802.1Q vlan#1 P0 192.168.1.100 > 10.0.1.1: icmp: echo reply

   4: 19:49:27.452201 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.100: icmp: echo request

   5: 19:49:27.452506 802.1Q vlan#1 P0 192.168.1.100 > 10.0.1.1: icmp: echo reply

   6: 22:24:57.830477 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

   7: 22:24:58.824954 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

   8: 22:24:59.824740 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

   9: 22:25:00.230044 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  10: 22:25:00.231204 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  11: 22:25:00.830248 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

  12: 22:25:01.232013 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  13: 22:25:01.232287 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  14: 22:25:01.826846 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

  15: 22:25:02.231860 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  16: 22:25:02.232119 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  17: 22:25:02.826602 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

  18: 22:25:03.231555 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  19: 22:25:03.231860 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  20: 22:25:04.231524 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  21: 22:25:04.231845 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  22: 22:25:04.828616 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535

  23: 22:25:05.230945 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  24: 22:25:05.231357 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  25: 22:25:06.230929 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  26: 22:25:06.231158 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  27: 22:25:07.230761 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  28: 22:25:07.231006 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  29: 22:25:08.230472 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  30: 22:25:08.230746 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  31: 22:25:09.227740 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  32: 22:25:09.228015 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  33: 22:25:10.231051 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  34: 22:25:10.231433 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  35: 22:25:11.229800 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  36: 22:25:11.230136 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  37: 22:25:12.229526 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  38: 22:25:12.229770 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  39: 22:25:13.231204 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  40: 22:25:13.231448 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  41: 22:25:14.228900 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  42: 22:25:14.229220 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  43: 22:25:15.228641 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  44: 22:25:15.228915 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  45: 22:25:16.230990 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  46: 22:25:16.231265 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  47: 22:25:17.230823 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  48: 22:25:17.231067 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  49: 22:25:18.230563 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  50: 22:25:18.230838 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  51: 22:25:19.237765 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  52: 22:25:19.237994 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  53: 22:25:20.232516 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  54: 22:25:20.232791 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  55: 22:25:21.234698 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  56: 22:25:21.235003 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  57: 22:25:22.234545 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  58: 22:25:22.234790 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  59: 22:25:23.234698 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  60: 22:25:23.235064 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

  61: 22:25:24.234195 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request

  62: 22:25:24.234439 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply

62 packets shown

Looks like traffic is going in for RDP but there is no reply packet

   7: 22:24:58.824954 802.1Q vlan#1 P0  10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win  65535

   8: 22:24:59.824740 802.1Q vlan#1 P0  10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win  65535

This could be due to the Netgear (192.168.1.1) dropping packets. You can have a solution on the ASA by PATing the traffic on the inside interface of the ASA. Here is what you have to do:

access-list vpn_nat_inside permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (outside) 10 access-list vpn_nat_inside outside

global (inside) 10 interface

This will only PAT the VPN pool traffic coming in and will not have any effect on anything else.

Regards,

Varinder



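To make the diagnosis above repeatable, here is an added Python example (not from the thread, Cisco, or the poster) that parses `show capture` output in the line format posted above and flags flows that only ever go one way, i.e. repeated SYNs with no packet back on the inside interface. The embedded capture excerpt is constructed to mirror the posted one, and the check for a SYN-ACK assumes the ASA prints it with an `ack` field on the same line.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the same format as the "show capture capin" output posted above:
# a traceroute-style UDP probe, answered ICMP echoes, and the four unanswered RDP SYNs.
SAMPLE_CAPTURE = """\
62 packets captured
   1: 19:49:15.500355 802.1Q vlan#1 P0 10.0.1.1.46518 > 192.168.1.100.33435:  udp 24
   6: 22:24:57.830477 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
   7: 22:24:58.824954 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
   8: 22:24:59.824740 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
   9: 22:25:00.230044 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
  10: 22:25:00.231204 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
  11: 22:25:00.830248 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
62 packets shown
"""

# One ASA capture line: "<n>: <time> [802.1Q vlan#N P0] <src> > <dst>: <rest>"
PKT_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\S+) > (?P<dst>\S+):\s*(?P<rest>.*)$"
)
ENDPOINT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?$")  # "ip" (ICMP) or "ip.port"

@dataclass
class Flow:
    forward: int = 0  # packets from the side that sent the flow's first packet
    reverse: int = 0  # packets coming back the other way
    syns: int = 0     # TCP SYNs: connection attempts plus their retransmissions

def parse_endpoint(text):
    m = ENDPOINT_RE.match(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def analyze_capture(text):
    """Group packets into flows keyed by (proto, client, server) and count each direction.
    The side that sent the first packet of a flow is taken to be the client."""
    flows = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # header/footer lines such as "62 packets captured"
        src, dst = parse_endpoint(m.group("src")), parse_endpoint(m.group("dst"))
        if src is None or dst is None:
            continue
        rest = m.group("rest")
        proto = "icmp" if rest.startswith("icmp:") else "udp" if rest.startswith("udp") else "tcp"
        if (proto, dst, src) in flows:  # reply direction of a flow we already know
            flows[(proto, dst, src)].reverse += 1
            continue
        flow = flows.setdefault((proto, src, dst), Flow())
        flow.forward += 1
        if proto == "tcp" and rest.startswith("S") and " ack " not in rest:
            flow.syns += 1  # a bare SYN; a SYN-ACK is assumed to carry an "ack" field
    return flows

def unanswered_flows(flows, min_attempts=2):
    """Flows seen in one direction only. Repeated SYNs with nothing coming back on this
    interface is the signature of replies being dropped or leaving by another path."""
    return [{"proto": p, "client": c, "server": s, "attempts": f.syns if p == "tcp" else f.forward}
            for (p, c, s), f in flows.items()
            if f.reverse == 0 and (f.syns if p == "tcp" else f.forward) >= min_attempts]
```

Run it over the full `show capture capin` text; the ICMP pairs come out balanced while the RDP flow reports four attempts and no reply.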

Varinder-

you are a genius ... problem's fixed!!

Looks like I'm going to have to read more about PATing ... I don't have the slightest idea of what those commands mean.

Thanks!!
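As an added illustration of why the three PAT lines in the accepted answer work (example code written for this page, not part of the thread or of any Cisco tool): it models the LAN host's routing table from the thread (192.168.1.0/24 on-link, default via the NetGear at 192.168.1.1) and the `vpn_nat_inside` ACL, then shows which next hop the host's SYN-ACK takes with and without the PAT. The topology values are taken from the posts; the routing-table model itself is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology. The LAN host's table: 192.168.1.0/24 is
# directly connected, everything else goes via the NetGear. It knows nothing of the VPN pool.
ASA_INSIDE = ip_address("192.168.1.98")
NETGEAR = ip_address("192.168.1.1")
HOST_ROUTES = [
    (ip_network("192.168.1.0/24"), None),  # on-link: deliver directly to the destination
    (ip_network("0.0.0.0/0"), NETGEAR),    # default route
]
# The accepted answer's ACL: VPN pool -> LAN gets its source PATed to the ASA inside address.
PAT_ACL = [(ip_network("10.0.1.0/24"), ip_network("192.168.1.0/24"))]

def next_hop(routes, dst):
    """Longest-prefix match. Returns the gateway, or dst itself when the route is on-link."""
    dst = ip_address(str(dst))
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1] if best[1] is not None else dst

def asa_translated_source(src, dst, pat_enabled):
    """Source address the LAN host sees for a packet arriving from the ASA.
    Only traffic matching the ACL is rewritten; anything else keeps its real source."""
    src, dst = ip_address(str(src)), ip_address(str(dst))
    if pat_enabled and any(src in s and dst in d for s, d in PAT_ACL):
        return ASA_INSIDE
    return src

def reply_next_hop(vpn_client, lan_host, pat_enabled):
    """Where the LAN host sends its SYN-ACK: it replies to whatever source it saw.
    Without PAT that is the 10.0.1.x address, which follows the default route to the NetGear
    (a different path from the one the SYN took); with PAT it is the ASA itself, on-link."""
    seen_src = asa_translated_source(vpn_client, lan_host, pat_enabled)
    return str(seen_src), str(next_hop(HOST_ROUTES, seen_src))
```

The trade-off is the one Varinder notes: after the PAT, inside hosts see VPN connections as coming from 192.168.1.98, so host-side logs no longer show the individual VPN client address.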