I have port 3389 blocked on my edge device to the WAN. I have an ASA on the inside that is only used for AnyConnect. Is it possible to be on AnyConnect and RDP to a computer inside my network? Please be detailed in your answer so I can understand why this will not work or how to get it to work.
I am not using split tunneling so all IPs are going over the AnyConnect VPN.
I have remote access set up and I can access all other services (HTTP, SSH...), just not RDP.
The IP that I am trying to RDP into is XXX.XXX.80.54. It's a public IP, but like I said, I block 3389.
At my home office we have a site-to-site VPN and I can RDP to XXX.XXX.80.54 with no issue, but not on the AnyConnect.
This is from the log on my ASA:
6 Mar 30 2020 11:31:37 302014 172.21.1.6 51038 XXX.XXX.80.54 3389 Teardown TCP connection 2902403 for Outside:172.21.1.6/51038(LOCAL\jcart) to Outside:XXX.XXX.80.54/3389 duration 0:00:00 bytes 0 Flow is a loopback (XXX)
As it's a public IP address and you are tunnelling all AnyConnect VPN traffic through the ASA and back out, you need all traffic to be routed back out the same interface it came in on, with this command:
same-security-traffic permit intra-interface
And a NAT rule:
object network NETWORK_OBJ_172.21.1.0_28
nat (outside,outside) dynamic interface
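As an added example (not from the original thread), the following Python ties the two halves of the answer together: it parses a 302014 teardown line of the shape quoted above, recognises the "Flow is a loopback" zero-byte signature of a blocked hairpin flow, and checks a running-config fragment for the two settings the answer names. The log line and the config fragments are constructed samples modelled on the post; the function names are my own.

```python
import re

# Constructed sample, modelled on the %ASA-6-302014 teardown quoted in the post.
SAMPLE_LOG = (
    "6 Mar 30 2020 11:31:37 302014 172.21.1.6 51038 XXX.XXX.80.54 3389 "
    "Teardown TCP connection 2902403 for Outside:172.21.1.6/51038(LOCAL\\jcart) "
    "to Outside:XXX.XXX.80.54/3389 duration 0:00:00 bytes 0 Flow is a loopback (XXX)"
)
# Constructed (hypothetical) config fragments: before and after the fix from the answer.
CONFIG_BEFORE = "object network NETWORK_OBJ_172.21.1.0_28\n"
CONFIG_AFTER = (
    "same-security-traffic permit intra-interface\n"
    "object network NETWORK_OBJ_172.21.1.0_28\n"
    " nat (outside,outside) dynamic interface\n"
)

TEARDOWN_RE = re.compile(
    r"302014 .*? for (?P<in_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+)\S* "
    r"to (?P<out_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) .*?bytes (?P<bytes>\d+) (?P<reason>.*)$"
)

def parse_teardown(line):
    """Return interfaces, endpoints and teardown reason from a 302014 line, or None."""
    m = TEARDOWN_RE.search(line)
    return m.groupdict() if m else None

def is_hairpin_drop(ev):
    """Zero bytes, same ingress/egress interface and a 'Flow is a loopback' reason:
    the firewall refused to turn the flow around on the interface it arrived on."""
    return (ev["in_if"] == ev["out_if"] and ev["bytes"] == "0"
            and ev["reason"].startswith("Flow is a loopback"))

def hairpin_config_gaps(config, iface):
    """List the two settings hairpin traffic needs that are missing from `config`."""
    gaps = []
    if "same-security-traffic permit intra-interface" not in config:
        gaps.append("same-security-traffic permit intra-interface")
    nat_line = f"nat ({iface},{iface}) dynamic interface"
    if not re.search(re.escape(nat_line), config, re.IGNORECASE):
        gaps.append(nat_line)
    return gaps

def diagnose(line, config):
    """None if the line is not a hairpin drop; otherwise the missing config lines
    for the interface the flow entered on (an empty list means nothing is missing)."""
    ev = parse_teardown(line)
    if ev is None or not is_hairpin_drop(ev):
        return None
    return hairpin_config_gaps(config, ev["in_if"])
```

Run `diagnose()` over the ASA syslog feed with the current running-config to separate genuine hairpin misconfigurations from ordinary zero-byte teardowns.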