Solved: Re: RDP via ASA5510 using IPSec

Muhammed Islam · ‎05-02-2013

Can anyone advise me how to create an RDP rule to allow clients (on Internet) to RDP to terminal servers using an ASA5510 firewall via its IPSEc VPN ?

The client PCs can successfully connect to this VPN.

The terminal servers using a 192.168.x.x/24 subnet and the client PCs would need to RDP to these servers using their 192.168.x.x/24 IPs or their DNS hostnames.

Muhammed Islam

mvsheik123 · ‎05-08-2013

Glad to hear that everything is resolved. Please rate all helpful postings.

Thx

MS

View solution in original post

mvsheik123 · ‎05-02-2013

Hi Mohammed,

On 5510 you need to have NONAT policy configured for the traffic from 192.168.x.x/24 --> VPN client subnet. Inorder for the VPN clients to be able to use the hostnames (instead of IP), under group policy, you must include atleast one internal DNS server IP for the VPN clients. Also, on the internal switch where the servers are connected, the route to VPN client subnet should be pointing to ASA inside interface. If you post sanitized confgs of the ASA and infrastrucutre connectivity, that helps in resolving this quickly.

hth

MS

Muhammed Islam · ‎05-03-2013

MS

Thanks for your reply.

I am using "split tunnelling" as this is for client users to only access the terminal servers via VPN. For Internet access, they will use their ISP's Internet.

Summary of network topology is

- LAN servers residing on internal subnets 192.168.25.x/24, 50.x/24, 55.x/24, 49.x/24.

- client DHCP subnet is 10.252.1.x/24

- ASA5510 internal LAN IP 192.168.50.6 (listed as "CLCH-Inside")

- ASA5510 external IP 217.207.189.197 (listed as Easynet-Outside)

- external default gateway IP 217.207.189.193

- LAN default gateway IP 192.168.50.1 (this correctly lists VPN DHCP client subnet 10.252.1.x/24 as being routed to ASA's internal LAN IP 192.168.50.6)

- LAN DNS domain is riverside.nhs.uk

- LAN DNS IP 192.168.55.114

- I am not using management interface

- RDP to LAN servers listed in static and access-list commands

- ASA can ping these LAN servers via its internal IP 192.168.50.6

- VPN IPSec client does connect for client devices

Below is my ASA's config

< start of config >

:

ASA Version 8.2(5)

!

hostname HF003088-CLCH-PG-IPSec-FW1

domain-name riverside.nhs.uk

enable password iVamNSP6IPQcCHIY encrypted

passwd qXY8JKej0SAhi0GD encrypted

no names

dns-guard

!

interface Ethernet0/0

nameif Easynet-Outside

security-level 0

ip address 217.207.189.197 255.255.255.240

!

interface Ethernet0/1

nameif CLCH-Inside

security-level 100

ip address 192.168.50.6 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup Easynet-Outside

dns domain-lookup CLCH-Inside

dns server-group DefaultDNS

name-server 192.168.55.114

domain-name riverside.nhs.uk

same-security-traffic permit intra-interface

access-list clchspilttunnel001 extended permit tcp any host 192.168.25.42

access-list clchspilttunnel001 extended permit tcp any host 192.168.25.42 eq 3389

pager lines 24

logging enable

logging asdm informational

mtu Easynet-Outside 1500

mtu CLCH-Inside 1500

mtu management 1500

ip local pool clchip 10.252.1.10-10.252.1.250 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.50.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.50.0 255.255.255.0 echo-reply CLCH-Inside

icmp permit 192.168.25.0 255.255.255.0 echo-reply CLCH-Inside

icmp permit 192.168.25.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.55.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.55.0 255.255.255.0 echo-reply CLCH-Inside

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (Easynet-Outside) 1 interface

nat (CLCH-Inside) 1 0.0.0.0 0.0.0.0

static (CLCH-Inside,Easynet-Outside) tcp 192.168.50.154 3389 192.168.50.154 338

netmask 255.255.255.255

static (CLCH-Inside,Easynet-Outside) tcp 192.168.25.42 3389 192.168.25.42 3389

etmask 255.255.255.255

static (CLCH-Inside,Easynet-Outside) tcp interface 3389 192.168.25.198 3389 net

ask 255.255.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.50.5 192.168.50.5 netmask 255.255.

55.255

static (CLCH-Inside,Easynet-Outside) 192.168.50.50 192.168.50.50 netmask 255.25

.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.50.57 192.168.50.57 netmask 255.25

.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.50.180 192.168.50.180 netmask 255.

55.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.50.4 192.168.50.4 netmask 255.255.

55.255

static (CLCH-Inside,Easynet-Outside) 192.168.25.52 192.168.25.52 netmask 255.25

.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.25.141 192.168.25.141 netmask 255.

55.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.25.142 192.168.25.142 netmask 255.

55.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.25.43 192.168.25.43 netmask 255.25

.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.25.96 192.168.25.96 netmask 255.25

.255.255

static (CLCH-Inside,Easynet-Outside) 192.168.55.114 192.168.55.114 netmask 255.

55.255.255

access-group clchsplittunnel001 in interface Easynet-Outside

route Easynet-Outside 0.0.0.0 0.0.0.0 217.207.189.193 1

route CLCH-Inside 192.168.0.0 255.255.0.0 192.168.50.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server clchntserver protocol nt

reactivation-mode timed

aaa-server clchntserver (CLCH-Inside) host 192.168.55.114

nt-auth-domain-controller 192.168.55.114

http server enable

http 192.168.50.0 255.255.255.0 CLCH-Inside

http 192.168.55.0 255.255.255.0 CLCH-Inside

http 192.168.25.0 255.255.255.0 CLCH-Inside

http 192.168.1.0 255.255.255.0 management

snmp-server host CLCH-Inside 192.168.49.17 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set clchset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map clchdymap 1 set transform-set clchset

crypto dynamic-map clchdymap 1 set reverse-route

crypto map clchmap 1 ipsec-isakmp dynamic clchdymap

crypto map clchmap interface Easynet-Outside

crypto isakmp identity hostname

crypto isakmp enable Easynet-Outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

no crypto isakmp nat-traversal

telnet 192.168.50.0 255.255.255.0 CLCH-Inside

telnet 192.168.25.0 255.255.255.0 CLCH-Inside

telnet 192.168.55.0 255.255.255.0 CLCH-Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy clchpolicy internal

group-policy clchpolicy attributes

dns-server value 192.168.55.114 192.168.37.254

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value clchsplittunnel001

default-domain value riverside.nhs.uk

tunnel-group clchgroup type remote-access

tunnel-group clchgroup general-attributes

address-pool clchip

authentication-server-group clchntserver

default-group-policy clchpolicy

tunnel-group clchgroup ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

< end of config >

Can you advise me how to create this NONAT policy and anything else I need ?

Muhammed Islam

mvsheik123 · ‎05-03-2013

Hi Mohammed,

To clarify on NONAT -I meant NAT0 config. Your scenario, every firm requirements are different, so I willt try to give you general config info.

1. Remove all the static Translation entries and acces-group command assigned to outside interface.

2. NAT0:

access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 10.252.1.0 255.255.255.0

nat (CLCH-Inside) 0 access-list NONAT

This allows any IP traffic from your internal servers and destined to VPN client will not be NATed to public IP.

3. Split tunnel ACL: Applies to vpn policy.

access-list clchspilttunnel001 standars permit 192.168.0.0 255.255.0.0

4. On your internal switch that is performing routing, make sure you have default route to ASA inside (192.168.50.6). If you are not using default route, add static route 10.252.1.0 255.255.255.0 --> 192.168.50.6.

At this point, you should be able to access your internal resources via ip/dns name.

Once this works, then you can look into restricting VPN cleints to RDP to internal servers. Pls keep in mind that, to allow access via hostnames, the DNS (uses TCP & UDP port 53) needs to be allowed. For this, I suggest you look into VPN filter feature.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

hth

MS

Muhammed Islam · ‎05-03-2013

MS

Thanks for your advice.

I have deleted all static translations and access-group commands applied to my outside interface (labelled "Easynet-Outside), then added the NONAT, a new access control list, and confirmed my internal switch still has a reference for route 10.252.1.0 255.255.255.0 to 192.168.50.6.

I am unable to access my internal servers via RDP rto their IPs nor their DNS hostnames - error message says "cannot connect to server".

See below my ASA firewall's config :-

< start of config >

:

ASA Version 8.2(5)

!

hostname HF003088-CLCH-PG-IPSec-FW1

domain-name riverside.nhs.uk

enable password iVamNSP6IPQcCHIY encrypted

passwd qXY8JKej0SAhi0GD encrypted

no names

dns-guard

!

interface Ethernet0/0

nameif Easynet-Outside

security-level 0

ip address 217.207.189.197 255.255.255.240

!

interface Ethernet0/1

nameif CLCH-Inside

security-level 100

ip address 192.168.50.6 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

dns domain-lookup Easynet-Outside

dns domain-lookup CLCH-Inside

dns server-group DefaultDNS

name-server 192.168.55.114

domain-name riverside.nhs.uk

same-security-traffic permit intra-interface

access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 10.252.1.0 255.255

255.0

access-list clchsplittunnel001 standard permit 192.168.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu Easynet-Outside 1500

mtu CLCH-Inside 1500

mtu management 1500

ip local pool clchip 10.252.1.10-10.252.1.250 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Easynet-Outside

icmp permit 192.168.50.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.50.0 255.255.255.0 echo-reply CLCH-Inside

icmp permit 192.168.25.0 255.255.255.0 echo-reply CLCH-Inside

icmp permit 192.168.25.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.55.0 255.255.255.0 echo CLCH-Inside

icmp permit 192.168.55.0 255.255.255.0 echo-reply CLCH-Inside

icmp permit any CLCH-Inside

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (Easynet-Outside) 1 interface

nat (CLCH-Inside) 0 access-list NONAT

route Easynet-Outside 0.0.0.0 0.0.0.0 217.207.189.193 1

route CLCH-Inside 192.168.0.0 255.255.0.0 192.168.50.1 1

route CLCH-Inside 192.168.25.0 255.255.255.0 192.168.50.1 1

route CLCH-Inside 192.168.49.0 255.255.255.0 192.168.50.1 1

route CLCH-Inside 192.168.55.0 255.255.255.0 192.168.50.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server clchntserver protocol nt

reactivation-mode timed

aaa-server clchntserver (CLCH-Inside) host 192.168.55.114

nt-auth-domain-controller 192.168.55.114

http server enable

http 192.168.50.0 255.255.255.0 CLCH-Inside

http 192.168.55.0 255.255.255.0 CLCH-Inside

http 192.168.25.0 255.255.255.0 CLCH-Inside

http 192.168.1.0 255.255.255.0 management

snmp-server host CLCH-Inside 192.168.49.17 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set clchset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map clchdymap 1 set transform-set clchset

crypto dynamic-map clchdymap 1 set reverse-route

crypto map clchmap 1 ipsec-isakmp dynamic clchdymap

crypto map clchmap interface Easynet-Outside

crypto isakmp identity hostname

crypto isakmp enable Easynet-Outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

no crypto isakmp nat-traversal

telnet 192.168.50.0 255.255.255.0 CLCH-Inside

telnet 192.168.25.0 255.255.255.0 CLCH-Inside

telnet 192.168.55.0 255.255.255.0 CLCH-Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy clchpolicy internal

group-policy clchpolicy attributes

dns-server value 192.168.55.114 192.168.37.254

vpn-tunnel-protocol IPSec

split-tunnel-network-list value clchsplittunnel001

default-domain value riverside.nhs.uk

tunnel-group clchgroup type remote-access

tunnel-group clchgroup general-attributes

address-pool clchip

authentication-server-group clchntserver

default-group-policy clchpolicy

tunnel-group clchgroup ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

< end of config >

I would be grateful for any advice you can offer me.

Muhammed Islam

mvsheik123 · ‎05-03-2013

You can leave the nat for servers to interenernet intact : nat (CLCH-Inside) 1 0 0

For group policy: add the below...

group-policy clchpolicy attributes

dns-server value 192.168.55.114 192.168.37.254

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value clchsplittunnel001

default-domain value riverside.nhs.uk

Post the results.

Thx

MS

Muhammed Islam · ‎05-07-2013

MS

I have added the NAT and split-tunnel-policy as advised.

My firewall has two NATs applied to its internal LAN (CLCH-Inside) - see below :-

(Do I need to keep both NATs ?)

HF003088-CLCH-PG-IPSec-FW1# sh ru group-policy

group-policy clchpolicy internal

group-policy clchpolicy attributes

dns-server value 192.168.55.114 192.168.37.254

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value clchsplittunnel001

default-domain value riverside.nhs.uk

HF003088-CLCH-PG-IPSec-FW1#

HF003088-CLCH-PG-IPSec-FW1# sh ru nat

nat (CLCH-Inside) 0 access-list NONAT

nat (CLCH-Inside) 1 0.0.0.0 0.0.0.0

When connected to the VPN

- I am unable to RDP to terminal servers that use LAN IP subnet 192.168.50.0/24 - error message being "cannot connect to server".

- the IPSec VPN client's "route details" does show the internal subnets 192.168.0.0 listed as secured routes

- a trace route to server IP 192.168.50.154's default gateway (IP 192.168.50.1) times out after the first hop

- my network uses an Internet proxy - and adding this to my laptop's Internet proxy settings does allow internet access.

- if I take off the Internet proxy settings, Internet is still accessible.

- Intranet access (ie internal websites) bring up message "cannot display message" - with Internet proxy settings enabled

- my route print shows subnets 192.168.0.0 255.255.0.0 redirected to my ASA's IPSec DHCP gateway 10.252.1.1 (10.252.1.10 is the DHCP IP my laptop detects once connected to the VPN) - see below :-

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 On-link 10.49.222.233 31

10.49.222.233 255.255.255.255 On-link 10.49.222.233 286

10.252.1.0 255.255.255.0 On-link 10.252.1.10 286

10.252.1.10 255.255.255.255 On-link 10.252.1.10 286

10.252.1.255 255.255.255.255 On-link 10.252.1.10 286

127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531

127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531

127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531

192.168.0.0 255.255.0.0 10.252.1.1 10.252.1.10 100

217.207.189.197 255.255.255.255 On-link 10.49.222.233 100

224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531

224.0.0.0 240.0.0.0 On-link 10.49.222.233 31

224.0.0.0 240.0.0.0 On-link 10.252.1.10 286

255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531

255.255.255.255 255.255.255.255 On-link 10.49.222.233 286

255.255.255.255 255.255.255.255 On-link 10.252.1.10 286

C:\Users\mislam\Desktop>ping 192.168.50.1

Pinging 192.168.50.1 with 32 bytes of data:

Request timed out.

Ping statistics for 192.168.50.1:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\mislam\Desktop>

C:\Users\mislam\Desktop>tracert 192.168.50.1

Tracing route to 192.168.50.1 over a maximum of 30 hops

1 * * * Request timed out.

2 * * * Request timed out.

Via ASDM on my firewall, I ran a packet trace from source IP 10.252.1.10 (= DHCP IP of my laptop) to the server IP 192.168.50.154 using RDP port 3389, this shows it being blocked as it has no NAT rule (see attached screenshot below).

Can you advise what NAT rule I can use ?

Muhammed

Muhammed Islam · ‎05-07-2013

MS

Sorry - I have add the packet trace from the outside interface (listed as Easynet-Outside) showing RDP protocol 3389 between source IP 10.252.1.10 (DHC IP of my laptop when connected to VPN) to destination IP 192.168.50.154 (IP of server I am trying to RDP to).

I forgot to add this to my earlier response above.

Muhammed

mvsheik123 · ‎05-07-2013

Can you try by adding - crypto isakmp nat-traversal 21?

EDIT: Also, iam not sure of you proxy setup. Can you try bypassing ipsec on that?

Thx

MS

Muhammed Islam · ‎05-08-2013

MS

I tested RDP as successfully accessible via another public Internet connection I have.

I have removed icmp and access-lists referencing to my firewall's outside connection (labelled "Easynet-Outside") to improve security from outside access.

I have not added the "crypto isakmp nat-traversal 21" you advised.

Thanks for your help. I appreciate your advice in helping me.

Muhammed

mvsheik123 · ‎05-08-2013

Glad to hear that everything is resolved. Please rate all helpful postings.

Thx

MS