Hi everyone,

I have an ASA 5505 and have a problem where when I connect through VPN I can RDP into a server using its internal address but I cannot RDP to another server using its internal address.

The one I can connect to has an IP of 192.168.2.10 and the one I cannot connect to has an IP of 192.168.2.11 on port 3390.

Both rules are configured exactly the same except for the IP addresses and I cannot see why I cannot connect to this one server.

I am also able to connect to my camera system with an IP 192.168.2.25 on port 37777 and able to ping any other device on the internal network.

I've also tried pinging it and telneting to port 3390 with no success.

Here is the config.

ASA Version 8.4(4)1

!

!

interface Ethernet0/0

switchport access vlan 3

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan2

nameif inside

security-level 100

ip address 192.168.2.2 255.255.255.0

!

interface Vlan3

nameif outside

security-level 0

ip address 10.1.1.1 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network CTSG-LAN-OUT

range 10.1.1.10 10.1.1.49

object network CTSG-LAN-IN

subnet 192.168.2.0 255.255.255.0

object service RDP3389

service tcp destination eq 3389

description To DC

object network SERVER-IN

host 192.168.2.10

object network SERVER-OUT

host 10.1.1.50

object network CAMERA-IN-TCP

host 192.168.2.25

object network CAMERA-OUT

host 10.1.1.51

object service CAMERA-TCP

service tcp destination eq 37777

object network SERVER-Virt-IN

host 192.168.2.11

object network SERVER-Virt-OUT

host 10.1.1.52

object service RDP3390

service tcp destination eq 3390

description To VS for Master

object network CAMERA-IN-UDP

host 192.168.2.25

object service CAMERA-UDP

service udp destination eq 37778

object network CTSG-LAN-OUT-VPN

subnet 10.1.1.128 255.255.255.128

object network SERVER-Virt-IN-VPN

host 192.168.2.11

object network SERVER-IN-VPN

host 192.168.2.10

object network CAMERA-IN-VPN

host 192.168.2.25

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks

access-list inside1_access_in extended permit ip any any

access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10

access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11

access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25

access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25

pager lines 24

logging enable

logging buffer-size 10240

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN

nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN

nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN

!

object network CTSG-LAN-IN

nat (inside,outside) dynamic interface

object network SERVER-IN

nat (inside,outside) static SERVER-OUT service tcp 3389 3389

object network CAMERA-IN-TCP

nat (inside,outside) static CAMERA-OUT service tcp 37777 37777

object network SERVER-Virt-IN

nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390

access-group inside1_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 10.1.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP

-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=SACTSGRO

crl configure

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 15

ssh 192.168.2.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 15

dhcpd auto_config inside

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password xxxxx encrypted privilege 15

username admin attributes

vpn-group-policy DfltGrpPolicy

tunnel-group CTSGRA type remote-access

tunnel-group CTSGRA general-attributes

address-pool RAVPN

tunnel-group CTSGRA ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0140431e7642742a856e91246356e6a2

: end

Thanks for your help