cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
888
Views
5
Helpful
6
Replies

ASA5505 VPN ping works RDP doesn't?

roger perkin
Level 2
Level 2

I have setup a remote access VPN to an ASA5505

I have a directly connected server behind the ASA and I can ping the server without a problem.

The VPN client reports packets being encrypted and decrypted

However when I try to RDP to the server the encyrpted packets keep incrementing but the decrypted packets do not.

I am also not seeing any RDP traffic hit the server (verified by ethereal)

I have done a packet tracer and it suceeds but ends with an IP spoof which I believe is correct as it is vpn traffic and not actually being encrypted.

This is the debug from the RDP session, I am confused by a Denied ICMP on line 2 as I am able to ping the server?

%ASA-6-302013: Built inbound TCP connection 88193 for external:172.16.24.4/50984 (172.16.24.4/50984) to internal:192.168.100.146/3389 (192.168.100.146/3389) (roger_ssl)

%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.146: no matching session

%ASA-7-609001: Built local-host internal:192.168.100.37

%ASA-6-302015: Built inbound UDP connection 88194 for external:172.16.24.4/50620 (172.16.24.4/50620) to internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.37: no matching session

%ASA-6-302015: Built inbound UDP connection 88195 for external:172.16.24.4/64598 (172.16.24.4/64598) to internal:192.168.100.37/53 (192.168.100.37/53) (roger_ssl)

%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.37: no matching session

%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.4 on interface external to 192.168.100.37: no matching session

%ASA-6-302014: Teardown TCP connection 88193 for external:172.16.24.4/50984 to internal:192.168.100.146/3389 duration 0:00:00 bytes 0 Flow closed by inspection (roger_ssl)

I have this NAT configured

nat (internal,external) source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172

The only logical bit to this is flow closed by inspection? Does this mean the server has not responded?

And the decrypt packets not increasing when trying to RDP

Does this mean anyting to anyone as I have reached the end of my ASA knowledge on this one!

Thanks

Roger

1 Accepted Solution

Accepted Solutions
6 Replies 6

Roger,

Try this out:

no nat (internal,external) source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172

nat (internal,external) 1 source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172 no-proxy-arp route-lookup

!

capture drop type asp all

The try to RDP and:

show capture drop | inc server_ip

HTH.

Portu.

Jennifer Halim
Cisco Employee
Cisco Employee

Answer is as per your other thread:

https://supportforums.cisco.com/thread/2207372

Very nice Jennifer.

Roger please do not open duplicate posts

Jennifer!

Thank you for your previous post I had not had an email alert about that post so didn't see it.

IT WORKS!!!

I now have this - not sure if it's correct by my RDP is now connecting.

I need to really understand what is going on here so will be doing some reading up on inspection rules.

So basically is it saying just inspect ICMP and not other protocols?

Javier - apologies for the second post I wasn't aware of Jennifers post and thought I woudl try int he VPN section

I don't tend to look at the forums but rely on the email alert when someone replies.

Thanks you to both - it's working my client will be very happy

Roger

When you configure "match any", it means matching every single protocols and ports, and since you are inspecting icmp, every protocols/ports get inspected against icmp inspection.

When you configure "class inspection_default", it means when you see only "icmp" protocols, then match it against the "icmp inspection". and as you add other inspection protocols/ports, it will only match it against the default ports, eg: when you inspect HTTP, it will only inspect TCP/80, when you inspect SMTP, it will only inspect TCP/25.

Thanks so much -

Roger