
Weird thing going on with ASA and RDP through filtered VPN

Broker_2
Level 1

Hello,

I'm hoping to get some support over here as I'm clearly out of options.

I have 3 ASAs: 2 5505s and one 5510.

All of them are connected over the internet by VPN.

One 5505 is on my premises and I use the VPN to service the other 2 locations that belong to the same customer. Clearly I want to filter the VPN going to the other locations as well as traffic coming from them.

The strange thing is, if I put an IP any any on the filter ACL I can use RDP; at the moment I enforce the filter where I enable TCP/3389, I get an error that the server cannot be found.

In the logging I see the packet hitting the ACL:

<167>:Jul 05 21:13:19 CEDT: %ASA-session-7-106102: access-list VPN_Filter permitted tcp for user '<unknown>' User-Lan/192.168.1.87(58603) -> XS4ALL/172.31.2.12(3389) hit-cnt 1 first hit [0xbe2548e2, 0x0]

<166>:Jul 05 21:13:19 CEDT: %ASA-session-6-302013: Built outbound TCP connection 43436 for XS4ALL:172.31.2.12/3389 (172.31.2.12/3389) to User-Lan:192.168.1.87/58603 (192.168.1.87/58603)

VPN Filter:

access-list VPN_Filter extended permit ip any any log debugging inactive

access-list VPN_Filter extended permit object RDP object-group DM_INLINE_NETWORK_8 object Lan-Pat

access-list VPN_Filter extended permit udp object-group DM_INLINE_NETWORK_4 object Lan-Pat eq tftp

access-list VPN_Filter extended permit icmp object-group DM_INLINE_NETWORK_1 object Lan-Pat log debugging

access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_3 object Lan-Pat eq www

access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_5 object Lan-Pat eq https

access-list VPN_Filter extended permit tcp object-group DM_INLINE_NETWORK_6 object Lan-Pat object-group DM_INLINE_TCP_1

access-list VPN_Filter extended deny ip any any log debugging

Any help will be greatly appreciated!


The vpn-filter uses a different syntax than a regular ACL. It is:

permit/deny PROTOCOL REMOTE-IP eq REMOTE-PORT LOCAL-IP eq LOCAL-PORT

So if you want to allow RDP from your side to the customer, your VPN-Filter has to be the following:

access-list VPN_Filter extended permit tcp host CUSTOMER-IP eq 3389 host YOUR-IP

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsten,

Thank you for your post.

This line:

access-list VPN_Filter extended permit object RDP object-group DM_INLINE_NETWORK_8 object Lan-Pat

handles the RDP, as DM_INLINE_NETWORK_8 is the client side and the lan_pat is my local side.

Do you have any other thoughts on what could cause the problem?

Thanks

Please clarify where the RDP server is and where the RDP client is. And post the relevant lines from "show access-list VPN_Filter" and not from "sh run ...".


Hello Karsten,

These are the requested lines:

192.168.1.x/24 is my local LAN.

I want to make an RDP session from my PC (192.168.1.x) to a server on the customer LAN, for example 172.31.2.x

access-list VPN_Filter line 2 extended permit object RDP object-group DM_INLINE_NETWORK_8 object Lan-Pat 0x7a06853d

  access-list VPN_Filter line 2 extended permit tcp 192.168.5.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0x6dbbab46

  access-list VPN_Filter line 2 extended permit tcp 172.31.2.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0x4fede2a3

  access-list VPN_Filter line 2 extended permit tcp 10.255.2.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0xf63149ed

  access-list VPN_Filter line 2 extended permit tcp 192.168.0.0 255.255.255.0 range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0xf6c544e9

If you do an RDP session from your PC to the customer, then port TCP/3389 is used on the customer side and not on your side. So your ACL has to be the following:

access-list VPN_Filter extended permit tcp 172.31.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0

Remember: In a VPN-Filter the syntax is source=remote, destination=local. The port 3389 is on the remote end.


Thanks mate,

that did the trick!
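
The rule from the accepted answer (first address/port pair is the remote side, second pair is the local side), as an added Python example that is not part of the thread and is not Cisco code: a small matcher that evaluates the poster's expanded entry and the suggested entry against the RDP session seen in the log lines. It assumes tcp/udp entries written as `NET MASK` with numeric `eq`/`range` ports; the function names are hypothetical.

```python
import ipaddress

def _ports(tok, i):
    """Read an optional 'eq N' / 'range A B' at tok[i]; return ((lo, hi), next index)."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return (0, 65535), i  # no operator means any port

def parse_ace(line):
    """Parse an expanded tcp/udp ACE using 'NET MASK' addresses and numeric ports."""
    tok = line.split()
    i = tok.index("extended") + 1
    ace = {"action": tok[i], "proto": tok[i + 1]}
    # In a vpn-filter the first address/port pair is the REMOTE side ...
    ace["remote"] = ipaddress.ip_network(f"{tok[i + 2]}/{tok[i + 3]}")
    ace["rports"], i = _ports(tok, i + 4)
    # ... and the second pair is the LOCAL side.
    ace["local"] = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")
    ace["lports"], _ = _ports(tok, i + 2)
    return ace

def verdict(ace_lines, proto, remote_ip, remote_port, local_ip, local_port):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for line in ace_lines:
        a = parse_ace(line)
        if (a["proto"] == proto
                and ipaddress.ip_address(remote_ip) in a["remote"]
                and a["rports"][0] <= remote_port <= a["rports"][1]
                and ipaddress.ip_address(local_ip) in a["local"]
                and a["lports"][0] <= local_port <= a["lports"][1]):
            return a["action"]
    return "deny"

# Expanded entry from the poster's "show access-list" output.
ORIGINAL = ["access-list VPN_Filter line 2 extended permit tcp 172.31.2.0 255.255.255.0 "
            "range 1 65535 192.168.1.0 255.255.255.0 eq 3389 (hitcnt=0) 0x4fede2a3"]
# Entry suggested in the accepted answer.
CORRECTED = ["access-list VPN_Filter extended permit tcp 172.31.2.0 255.255.255.0 "
             "eq 3389 192.168.1.0 255.255.255.0"]
# Session from the thread's log lines: 192.168.1.87:58603 (local) -> 172.31.2.12:3389 (remote).
RDP_OUT = ("tcp", "172.31.2.12", 3389, "192.168.1.87", 58603)

if __name__ == "__main__":
    print("original :", verdict(ORIGINAL, *RDP_OUT))
    print("corrected:", verdict(CORRECTED, *RDP_OUT))
```

The tuple carries no notion of who opened the session, so the corrected entry equally matches a connection from remote source port 3389 to any local port; keep the remote network in such entries as narrow as the service requires.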