10-12-2010 12:50 PM
Hi,
Have been troubled with the following thing:
I've got a Cisco ASA 8.2 configured to use WebVPN, and it seems that everything works correctly.
But when I try to run the remote application via Microsoft TS (RemoteApp service web page), it returns the error: The host is unreachable.
The application runs correctly inside the LAN, and the execution profile includes the IP address of the host. The application is installed on the same host where the Microsoft RemoteApp service is running. So, if I have access to the server, then I should have access to the application as well.
So, does anyone know where the hook is?
! acl
access-list acl_vpn_clients remark *** VPN access for Customers to resources ***
access-list acl_vpn_clients extended permit ip 172.16.13.0 255.255.255.0 host 172.16.3.101
! web-acl
access-list acl_web_clients webtype permit url http://172.16.3.101/* log default
access-list acl_web_clients webtype permit url rdp://172.16.3.101/* log default
! default policy
dynamic-access-policy-record ClientsAccessPolicy
 description "Default Access Policy for clients WebVPN/Anyconnect users"
 network-acl acl_vpn_clients
 webvpn
  appl-acl acl_web_clients
  url-list value Corporative
...
...
wbr,
Serg
10-12-2010 02:06 PM
Serg,
Can you try it out with split-tunneling enabled?
What's most likely failing is a connection open by mstsc to the host itself...
Sniff traffic, logs... I wonder if it makes it through ASA at all.
Marcin
10-12-2010 04:42 PM
Marcin,
Well, I have split-tunneling enabled there.
group-policy col.clients attributes
 vpn-filter value acl_vpn_clients
 vpn-tunnel-protocol svc webvpn
 group-lock value col.clients
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_clients
access-list vpn_clients extended permit ip host 172.16.3.101 172.16.13.0 255.255.255.0
172.16.13.0/24 - webvpn clients
172.16.3.101 - mstsc and the remoteapp as well
The matter is that I have no access to the remote host. But, as I said, the remote app runs properly while running within the 172.16.3.0/24 inside, as well as while the AnyConnect client is running, btw. So, I have no idea where the problem could be.
wbr,
Serg
10-12-2010 11:15 PM
Serg,
Apologies! I think I was tired last night. I meant smart tunneling and not split tunneling. Split tunneling will not affect clientless access.
Marcin
10-13-2010 01:36 AM
Marcin,
Well, smart tunneling is enabled as well.
webvpn
 ...
 smart-tunnel list ST_Clients App1 app1.exe platform windows
 smart-tunnel list ST_Clients App2 app2.exe platform windows
 ...
group-policy col.clients attributes
 ...
 webvpn
  ...
  smart-tunnel auto-start ST_Clients
10-13-2010 01:48 AM
Serg,
Is this a copy and paste from the configuration? :O
What applications are being smart tunneled (and is your browser itself smart tunneled)?
Marcin
10-13-2010 02:33 AM
Marcin,
Yes. This is a copy/paste from the current ASA running-config.
I just replaced the names of the applications, and nothing more.
But the first one is a billing one, the other one is an accounting one. Both work under a Windows environment.
And as I wrote before, both work properly under AnyConnect and inside the LAN.
Dunno what to think.
P.S. No, I haven't added the browser itself to the smart-tunneling environment.
wbr,
Serg
10-13-2010 02:41 AM
Serg,
Can you try adding:
iexplore.exe
mstsc.exe
TSWbPrxy.exe
These are the processes involved, as far as I understand which app you're using.
The processes were "reverse engineered" by looking at Process Monitor during execution ;-)
Marcin
10-13-2010 04:23 AM
Marcin,
Wow!! Everything works after adding the three lines you wrote above! Reverse engineering hooks awesome!))
THANK YOU!!!!!
-)
wbr,
Serg
10-13-2010 04:32 AM
Serg,
Awesome
Can you run two more tests for me? (If you have the time)
1) Try with smart tunneling only mstsc.exe
2) Try with smart tunneling mstsc.exe and TSWbPrxy.exe
At least we'd understand which one makes it work exactly :-)
Marcin
10-13-2010 05:08 AM
Marcin,
It started properly with the mstsc.exe helper only.
So, I suppose the other additional helpers (iexplorer/proxy) can be removed with no influence on the service execution.
THANKS)
wbr,
Serg
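The root cause found in this thread, written as a config check (an added example, not part of the thread and not Cisco tooling): it reads the smart-tunnel lists and the list a group policy auto-starts, then reports which required client processes are not tunneled. The function names, the `RDP` label in the usage note, and the sample config (the thread's lines with running-config indentation assumed and the elided `...` lines dropped) are constructed for illustration.

```python
import re

# Constructed sample: the smart-tunnel lines quoted in the thread, with the
# elided "..." lines dropped and running-config indentation assumed.
SAMPLE_CONFIG = """\
webvpn
 smart-tunnel list ST_Clients App1 app1.exe platform windows
 smart-tunnel list ST_Clients App2 app2.exe platform windows
group-policy col.clients attributes
 webvpn
  smart-tunnel auto-start ST_Clients
"""

LIST_RE = re.compile(r"^\s*smart-tunnel list (\S+) \S+ (\S+)")
POLICY_RE = re.compile(r"^group-policy (\S+) attributes")
START_RE = re.compile(r"^\s+smart-tunnel auto-start (\S+)")


def parse(config):
    """Return ({list name: {process names}}, {group-policy: auto-started list})."""
    lists, started, policy = {}, {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            # Any top-level command ends the previous group-policy block.
            m = POLICY_RE.match(line)
            policy = m.group(1) if m else None
        m = LIST_RE.match(line)
        if m:
            # Keep only the executable name, so a full Windows path also matches.
            exe = m.group(2).rsplit("\\", 1)[-1].lower()
            lists.setdefault(m.group(1), set()).add(exe)
            continue
        m = START_RE.match(line)
        if m and policy:
            started[policy] = m.group(1)
    return lists, started


def missing_processes(config, policy, required):
    """Processes in `required` that the policy's auto-started list does not tunnel."""
    lists, started = parse(config)
    tunneled = lists.get(started.get(policy), set())
    return sorted(p for p in required if p.lower() not in tunneled)


if __name__ == "__main__":
    print(missing_processes(SAMPLE_CONFIG, "col.clients", ["mstsc.exe"]))
```

Against the configuration as first posted, the check reports `mstsc.exe` as missing; once a `smart-tunnel list ST_Clients RDP mstsc.exe platform windows` entry is present, it reports nothing.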