VPN Site to Site problem

rbaeditores · ‎02-25-2013

Hello,

I have set up a VPN tunnel that is connecting properly. The problem is that I can't access by RDP, telnet or any other protocol to the computers on the other side of the tunnel. I have only ICMP access.

Every time I try to access by RDP to a computer from the other side of the tunnel in the log of the ASA5520 I see this:

Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

The main FW is a ASA5520 and the remote is a PIX501.

Can you help me, please?

Regards

Andrew Phirsov · ‎02-25-2013

Are you sure that nat-exemption (nat0) rules properly configured on site, where your rdp-servers located?

rbaeditores · ‎02-25-2013

I think yes. Do you want copy/paste my PIX config?

Andrew Phirsov · ‎02-25-2013

Sure, it might help)

rbaeditores · ‎02-25-2013

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password 8otUk5zsb5KRn1.a encrypted

passwd 8otUk5zsb5KRn1.a encrypted

hostname PIXAUDITORI

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 172.20.0.0 INTRANET_BCN

access-list outside_cryptomap_20 permit ip 10.108.0.0 255.255.255.0 INTRANET_BCN

255.255.0.0

access-list inside_outbound_nat0_acl permit ip 10.108.0.0 255.255.255.0 INTRANET

_BCN 255.255.0.0

access-list tunnel permit ip 10.108.0.0 255.255.255.0 INTRANET_BCN 255.255.0.0

pager lines 24

logging on

mtu outside 1500

mtu inside 1500

ip address outside 91.126.135.117 255.255.255.224

ip address inside 10.108.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.1.0 255.255.255.0 inside

pdm location INTRANET_BCN 255.255.0.0 outside

pdm location 172.20.0.101 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

route outside 0.0.0.0 0.0.0.0 91.126.135.97 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.108.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 195.77.188.150

crypto map outside_map 20 set transform-set ESP-DES-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 195.77.188.150 netmask 255.255.255.255 no-xauth no-c

onfig-mode

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet 172.20.0.101 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.108.0.2-10.108.0.10 inside

dhcpd dns 91.126.224.5 91.126.137.227

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside