02-02-2017 04:38 PM - edited 02-21-2020 09:08 PM
Hello Brothers.
I've configured a remote access VPN on IOS but I don't get access to my servers on RDP port 3389.
I'm able to ping my servers!!!
Configuration from router.
crypto isakmp policy 10000
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN_USERS_GROUP
 key 6 ##########
 dns 192.168.0.16
 wins 192.168.0.16
 domain mix.local
 pool VPN_ADDRESS
 acl VPN
 max-logins 1
 banner ^C*** ATENCAO ***
ACESSO RESTRITO A PESSOAS AUTORIZADAS
crypto ipsec transform-set REMOTE_ACCESS_SET esp-aes esp-sha-hmac
 mode tunnel
crypto dynamic-map REMOTE_ACCESS_DYNMAP 65535
 set transform-set REMOTE_ACCESS_SET
 reverse-route
crypto map REMOTE_ACCESS_MAP client authentication list LOCAL_USERS
crypto map REMOTE_ACCESS_MAP isakmp authorization list VPN_USERS
crypto map REMOTE_ACCESS_MAP client configuration address respond
crypto map REMOTE_ACCESS_MAP 65535 ipsec-isakmp dynamic REMOTE_ACCESS_DYNMAP
crypto map REMOTE_ACCESS_MAP
02-02-2017 06:28 PM
Hi
Could you paste your nat and ACL you have on your router?
Have you run a debug ip packet to see if your traffic is forwarded to your server when trying to rdp?
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-02-2017 06:43 PM
Hi Francesco.
Follow my NAT and ACL configuration:
ip nat inside source list PAT interface Dialer0 overload
!
ip access-list extended PAT
 deny ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
 permit ip any any
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
I didn't run any debug ip packet.
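As an added example (not from this thread), here is a small Python evaluator for the two IOS ACLs above: it applies wildcard-mask matching with IOS first-match and implicit-deny semantics and reports, for one flow, whether the overload PAT would translate it and whether it falls inside the `acl VPN` split-tunnel list pushed to the client. It also accepts the `any` and `host` forms, which go beyond the two ACLs posted. 192.168.0.10 and 192.168.255.251 are the server and VPN client addresses from the thread; 203.0.113.5 is a constructed Internet address.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' where each side is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address + wildcard)."""
    tok = line.split()
    action, tok = tok[0], tok[2:]          # tok[1] is the protocol ('ip')
    sides = []
    for _ in range(2):
        if tok[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255")); tok = tok[1:]
        elif tok[0] == "host":
            sides.append((tok[1], "0.0.0.0")); tok = tok[2:]
        else:
            sides.append((tok[0], tok[1])); tok = tok[2:]
    return action, sides[0], sides[1]

def acl_action(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# The two ACLs exactly as posted in the thread.
PAT_ACL = ["deny ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255",
           "permit ip any any"]
VPN_ACL = ["permit ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255"]

def classify(src, dst):
    """(overload PAT applied?, covered by the split-tunnel ACL?) for one flow."""
    return (acl_action(PAT_ACL, src, dst) == "permit",
            acl_action(VPN_ACL, src, dst) == "permit")

if __name__ == "__main__":
    # LAN server -> VPN client: exempt from PAT and inside the split-tunnel ACL
    print(classify("192.168.0.10", "192.168.255.251"))  # (False, True)
    # LAN server -> Internet host (constructed address): PAT'ed, not tunnelled
    print(classify("192.168.0.10", "203.0.113.5"))      # (True, False)
```

The PAT ACL only governs the dynamic overload translation: a static `ip nat ... source static` entry for a server is evaluated on its own and is not exempted by the deny line.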
02-02-2017 06:51 PM
Could you confirm which subnet is your lan and which one vpn?
02-02-2017 06:53 PM
Lan - 192.168.0.0/24
VPN - 192.168.255.0/24
02-02-2017 07:01 PM
Ok thanks.
Your config seems OK. Did you run Wireshark on your server to see if traffic is arriving on the RDP port?
Is there a firewall set on that machine?
Thanks
02-07-2017 07:41 AM
Hi
First of all, regarding your NAT statements: all of them are configured using the command ip nat source without any specification of direction, inside or outside.
There are 2 of them using ip nat inside source. I would recommend always using the same form, for example ip nat inside source.
Now, when you're connected, if you access your public IP on Dialer0 from the Internet using RDP, the traffic should be redirected to your internal server: 192.168.0.10
From your server, are you able to ping your vpn client? If you do a traceroute what's the path used?
Thanks
02-07-2017 08:36 PM
Hi.
Yes, I am.
ping 192.168.255.251 -n 20
Pinging 192.168.255.251 with 32 bytes of data:
Reply from 192.168.255.251: bytes=32 time=62ms TTL=127
Reply from 192.168.255.251: bytes=32 time=140ms TTL=127
Reply from 192.168.255.251: bytes=32 time=253ms TTL=127
Reply from 192.168.255.251: bytes=32 time=60ms TTL=127
Reply from 192.168.255.251: bytes=32 time=205ms TTL=127
Request timed out.
Reply from 192.168.255.251: bytes=32 time=67ms TTL=127
Reply from 192.168.255.251: bytes=32 time=94ms TTL=127
Reply from 192.168.255.251: bytes=32 time=112ms TTL=127
Reply from 192.168.255.251: bytes=32 time=54ms TTL=127
Reply from 192.168.255.251: bytes=32 time=161ms TTL=127
Reply from 192.168.255.251: bytes=32 time=69ms TTL=127
Reply from 192.168.255.251: bytes=32 time=54ms TTL=127
Reply from 192.168.255.251: bytes=32 time=121ms TTL=127
Reply from 192.168.255.251: bytes=32 time=56ms TTL=127
Reply from 192.168.255.251: bytes=32 time=69ms TTL=127
Reply from 192.168.255.251: bytes=32 time=95ms TTL=127
Reply from 192.168.255.251: bytes=32 time=113ms TTL=127
Reply from 192.168.255.251: bytes=32 time=142ms TTL=127
Reply from 192.168.255.251: bytes=32 time=266ms TTL=127
Ping statistics for 192.168.255.251:
Packets: Sent = 20, Received = 19, Lost = 1 (5% loss),
Approximate round trip times in milli-seconds:
Minimum = 54ms, Maximum = 266ms, Average = 115ms
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
tracert 192.168.255.251
Tracing route to 192.168.255.251 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 192.168.0.1
2 308 ms 58 ms 56 ms 192.168.255.251
Trace complete.
tracert 192.168.255.251
Tracing route to 192.168.255.251 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 192.168.0.1
2 59 ms 58 ms 53 ms 192.168.255.251
Trace complete.
=====================================================================================
Microsoft Windows [versão 6.3.9600]
(c) 2013 Microsoft Corporation. Todos os direitos reservados.
ping 192.168.0.10 -n 20
Disparando 192.168.0.10 com 32 bytes de dados:
Resposta de 192.168.0.10: bytes=32 tempo=61ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=57ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=57ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=189ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=57ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=52ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=52ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=54ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=57ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=56ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=55ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=59ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=186ms TTL=127
Esgotado o tempo limite do pedido.
Resposta de 192.168.0.10: bytes=32 tempo=57ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=57ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=57ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=319ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=634ms TTL=127
Resposta de 192.168.0.10: bytes=32 tempo=146ms TTL=127
Estatísticas do Ping para 192.168.0.10:
Pacotes: Enviados = 20, Recebidos = 19, Perdidos = 1 (5% de perda),
Aproximar um número redondo de vezes em milissegundos:
Mínimo = 52ms, Máximo = 634ms, Média = 119ms
tracert 192.168.0.10
Rastreando a rota para 192.168.0.10 com no máximo 30 saltos
1 51 ms 64 ms 53 ms 179.182.174.169
2 52 ms 51 ms 52 ms 192.168.0.10
Rastreamento concluído.
02-08-2017 05:15 AM
OK, connectivity between the AnyConnect client and the server is fine.
Let's check if the router is forwarding RDP traffic to the server. I assume your AnyConnect client has IP 192.168.255.251
access-list 100 permit ip host 192.168.0.10 host 192.168.255.251
access-list 100 permit ip host 192.168.255.251 host 192.168.0.10
debug ip packet 100 detail
Put output in a text file and attach it to this post.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-09-2017 05:11 PM
02-10-2017 11:47 AM
On your 2nd capture, from 192.168.255.252 to 192.168.0.90, I see that your client sent a SYN but never received a SYN,ACK from your server. Something is blocking on your server side.
On the 1st capture, I don't understand why we see a public IP, 189.6.24.207, accessing your server. If there is a NAT, we should see this traffic as well, but we don't.
Could you explain in more detail how you took the traces?
Thanks
02-03-2017 09:33 AM
What is the ACL you configured for crypto?
02-03-2017 10:03 AM
acl VPN
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
02-03-2017 03:02 PM
Your config seems OK. Did you run Wireshark on your server to see if traffic is arriving on the RDP port?
Is there a firewall set on that machine?
Thanks
02-06-2017 01:23 PM
Hello Brothers,
I found out why I don't get access to it. There was a PAT for the server's IP address.
ip nat source static tcp 192.168.0.11 22 interface dialer 0 22
This server is available for public access.
Now what do I do to have access through the VPN without losing public access (without removing the PAT)?
Maybe the PAT below would work?
ip nat source static esp 192.168.0.11 interface dialer 0
Regards.