Thanks for the reply iwen,

   I have configured in the same way, i mean same syntax as you mention. But still no luck. Does the RDP is defaul allow?

I am facing weird situation, i am trying to create an access list to allow 3 servers to communicate on port 2048 and 2049.

But from one of the server i can ping and also do the RDP but from the other server it can't.

I am not able to telnet on port 2048 or 2049 from either of the server.

Hi,

I suppose these servers must communicate through the VPN tunnel ? so they must be exempted from NAT and the crypto ACLs on both sides must be reversed.

Can you provide your running config from both sites.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

   I can provide the running conf of one side as the another side it's already configured. It's our HQ and it has 30 sites already connected up and running....

The strange behavior is that from HQ side from one of the server they can able to ping and RDP clients of my location, but when they tried from other server on the same subnet it's not communicating at all.

Please see the running config of remote site.

ASA Version 8.2(5)
!
hostname ciscoasa
enable password GOuHg2jgVoj08j0Z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.243.21.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.252.5.3 255.0.0.0
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip 10.243.21.0 255.255.255.0 10.11.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.243.21.0 255.255.255.0 10.11.3.0 255.255.255.0
access-list RO_HO extended permit ip 10.243.21.0 255.255.255.0 10.11.15.0 255.255.255.0
access-list RO_HO extended permit ip 10.243.21.0 255.255.255.0 10.11.3.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.252.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.243.21.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RO_HO_SET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address RO_HO
crypto map outside_map 1 set peer 21.42.90.68
crypto map outside_map 1 set transform-set RO_HO_SET
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.243.21.0 255.255.255.0 inside
telnet timeout 5
ssh 10.243.21.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password LL4iypdnaoQfzobh encrypted privilege 15
tunnel-group 21.42.90.68 type ipsec-l2l
tunnel-group 21.42.90.68 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:feee28144b4c332f4cd7033a89772bb2
: end

you said the tunnel is active right

check whether there is decrypt and encrypt happening ????

Potha

Hi shine,

   yes decrypt and encrypt happening...

#pkts encaps: 16570, #pkts encrypt: 16570, #pkts digest: 16570

      #pkts decaps: 16511, #pkts decrypt: 16512, #pkts verify: 16512

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 16571, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

the encaps and decaps lookis good

pleas let me know from which network to which network you are trying, and mentioned the ip address too.

also run an packet-tracer and see the out.

Hi shine..

   As you see in the running config..I allowed traffic from 10.11.3.0 and 10.11.15.0 subnet. But when i am trying to ping servers on .15 network i can manage to ping only one server and Even I can RDP that server which is not allowed.

I created an acl any any deny but still i was able to ping and RDP this server.

Connection From Remote office  (10.243.21.0 to 10.11.15.0 & 10.11.3.0).

when i run packet tracer i can't see traffic by Access-List

was your config working before or else is this first time config which you did.

Please paste the output of the packet-tracer.

hope u checked with the other end firewall that the network which you are trying to reach is already allowed in the ACL.

Potha

Hi Shine,

   It's first time.. Please see below output of packet tracer.

packet-tracer input inside tcp 10.243.21.5 445 10.11.3.78 445

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside 10.243.21.0 255.255.255.0 outside 10.11.3.0 255.255.255.0
    NAT exempt
    translate_hits = 11, untranslate_hits = 10
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (10.252.5.3 [Interface PAT])
    translate_hits = 3880, untranslate_hits = 6
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4101, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

On the other side only the VPN traffic is configured...There is no ACL configured for this subnet 10.243.21.0.

name 10.243.21.0 HO_VPN_RO

access-list inside_nat0_outbound extended permit ip 10.11.15.0 255.255.255.0 HO_VPN_RO 255.255.255.0

access-list dmz-public_nat0_outbound extended permit ip 10.11.3.0 255.255.255.0 HO_VPN_RO 255.255.255.0

access-list RO_HO extended permit ip 10.11.15.0 255.255.255.0 HO_VPN_RO 255.255.255.0

access-list RO_HO extended permit ip 10.11.3.0 255.255.255.0 HO_VPN_RO 255.255.255.0

Hi,

   I manage to resolve the issue with help of one of my colleague. I disable sysopt for vpn, and now its working perfect.

Thanks to all you guys for the help...