# CISCO ASA RDP question



## mrw5641 (Aug 14, 2015)

Hi there. I am trying to RDP from my (VPN) guest network (192.168.1.1/24) to my inside network (172.16.1.1/24) but I am having trouble doing so.

From my guest network I am able to ping 172.16.1.1 but I can't ping 172.16.1.xx

Any suggestions?


----------



## mrw5641 (Aug 14, 2015)

Interface: LPOUT
Source: 192.168.1.41 Destination: 172.16.1.50

It fails at WEBVPN-SVC (ACL-DROP).


----------



## MitchConner (May 8, 2015)

Hi mate,

Can I take a look at your access-lists please?


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch!

Thank you!

```
access-list cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list DMZ_nat0_outbound extended permit ip 10.100.0.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list Systems_splitTunnelAcl standard permit 10.100.0.0 255.255.255.0
access-list Systems_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list DMZ_access_in extended permit ip any object CUNY
access-list DMZ_access_in extended permit ip any object IBMFTP
access-list DMZ_access_in extended permit ip object inside_NEALTST any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 object inside_OPENSUSE any log debugging
access-list DMZ_access_in extended permit ip object inside_BlockCHAIN any
access-list DMZ_access_in extended permit ip object inside_Ubuntu_Beta2 any
access-list DMZ_access_in extended permit ip object inside_UbuntuBETA_zVM any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 object inside_Block_Marbles any
access-list DMZ_access_in extended permit ip object inside_Block_Marbles any
access-list DMZ_access_in extended permit ip object inside_VERISK_TEST any
access-list DMZ_access_in extended permit ip object inside_INFINITEBLUE any
access-list DMZ_access_in extended permit ip object inside-officeFTP any
access-list DMZ_access_in extended permit ip object inside_Marbles any
access-list DMZ_access_in extended permit ip object inside_TIBERO any
access-list DMZ_access_in extended permit ip object inside_WindowsServer2012 any
access-list DMZ_access_in extended permit tcp object inside_V7000 any object-group DM_INLINE_TCP_12
access-list DMZ_access_in extended permit ip object inside_Andy_Spooner_Guest any
access-list DMZ_access_in extended permit ip object inside_ALDO_RHEL any
access-list DMZ_access_in extended permit ip object inside_Ubuntu_Aldo any
access-list ip-qos extended permit ip 192.168.16.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.16.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list outside_cryptomap extended permit ip any 170.2.32.0 255.255.240.0
access-list nat_outbound-site-DTNA extended permit ip object-group VI-Access object-group VPN-Site-DTNA
access-list test1 extended deny ip any any
access-list ACL-LPOUT-INBOUND extended permit tcp any host 10.100.0.4 object-group DM_INLINE_TCP_24
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_TIMESHEET_TEST eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_LPAR4 object-group DM_INLINE_TCP_6
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_HMC object-group DM_INLINE_TCP_29
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_OSA_ICC object-group DM_INLINE_TCP_7
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_LPAR3 object-group DM_INLINE_TCP_15
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_z63TSTLPAR_NAT object-group DM_INLINE_TCP_10
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_z63DEMOlpar object-group DM_INLINE_TCP_8
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_INFINITEBLUE eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_INFINITYCSM eq www
access-list ACL-LPOUT-INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host 10.100.0.20
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group ThinAire_1 object-group DM_INLINE_TCP_9
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_parentGUARD eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Timesheets object-group DM_INLINE_TCP_3
access-list ACL-LPOUT-INBOUND extended permit tcp any object Inside_ISSIQuickR object-group DM_INLINE_TCP_22
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_VIHTTP eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_z63PROD01 object-group DM_INLINE_TCP_2
access-list ACL-LPOUT-INBOUND extended permit object-group TCPUDP any object inside_ChristinaSAMBA object-group DM_INLINE_TCPUDP_1
access-list ACL-LPOUT-INBOUND extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside-officeFTP object-group DM_INLINE_TCP_1
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_VICOMINVENTORY eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_CMS_TEST_DEMO object-group DM_INLINE_TCP_4
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_TEST_TIMESHEET object-group DM_INLINE_TCP_5
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_QUICKLOAD eq www
access-list ACL-LPOUT-INBOUND extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_11
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Verisk eq ssh
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Marbles object-group DM_INLINE_TCP_13
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_ALDO_RHEL eq ssh
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Aldo_Ubuntu eq ssh
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_VERISK_SYNCSORT eq ssh
access-list 100 extended permit ip object inside_gateway any
access-list guest_INBOUND extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
```


----------
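Reading a dump this size by eye is error-prone, so here is an added example (not code from either poster) that walks the posted `access-list` lines and evaluates the exact flow from the packet-tracer post, 192.168.1.41 to 172.16.1.50 on TCP 3389, against each extended ACL with first-match semantics. The input is a trimmed copy of the dump above; the object and object-group definitions were never posted, so any line that references one is marked unresolved rather than guessed at, and a verdict is only reported as certain when no unresolved line sits above the matching one. Standard ACLs are skipped because on an ASA they are split-tunnel network lists, not traffic filters.

```python
"""Evaluate one flow against ASA access-list lines (added example, not from the thread's config)."""
import ipaddress

# Constructed input: a trimmed copy of the access-list dump posted in the thread.
ACL_DUMP = """
access-list cisco_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.1.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list DMZ_access_in extended permit ip object inside_NEALTST any
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 object inside_OPENSUSE any log debugging
access-list ip-qos extended permit ip 192.168.16.0 255.255.255.0 any
access-list ip-qos extended permit ip any 192.168.16.0 255.255.255.0
access-list test1 extended deny ip any any
access-list ACL-LPOUT-INBOUND extended permit tcp any host 10.100.0.4 object-group DM_INLINE_TCP_24
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_TIMESHEET_TEST eq www
access-list ACL-LPOUT-INBOUND extended permit object-group TCPUDP any object inside_ChristinaSAMBA object-group DM_INLINE_TCPUDP_1
access-list ACL-LPOUT-INBOUND extended permit ip 192.168.101.32 255.255.255.224 53.220.50.0 255.255.254.0
access-list ACL-LPOUT-INBOUND extended permit tcp any object inside_Verisk eq ssh
access-list 100 extended permit ip object inside_gateway any
access-list guest_INBOUND extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

# The flow from the packet-tracer post: VPN client to the XP box on RDP (TCP 3389).
RDP_FLOW = {"src": "192.168.1.41", "dst": "172.16.1.50", "proto": "tcp", "dport": 3389}

# Only the port names that occur in the posted dump (plus https for completeness).
PORT_NAMES = {"www": 80, "ssh": 22, "https": 443}


def _operand(tokens, i):
    """Parse one address operand at tokens[i]. Returns (network|None, next_i);
    None marks an object/object-group whose definition is not on the page."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t in ("object", "object-group"):
        return None, i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_dump(text):
    """Return {acl_name: [rule, ...]} for extended ACLs, in posted order.
    Standard ACLs (split-tunnel network lists) are not traffic filters and are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        rule = {"action": tok[3], "proto": tok[4], "src": None, "dst": None,
                "dport": None, "unresolved": False, "text": line}
        if tok[4] == "object-group":  # service object-group: definition not on the page
            rule["unresolved"] = True
        else:
            rule["src"], i = _operand(tok, 5)
            rule["dst"], i = _operand(tok, i)
            if i < len(tok) and tok[i] == "eq":
                name = tok[i + 1]
                rule["dport"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            elif i < len(tok) and tok[i] == "object-group":
                rule["unresolved"] = True  # port object-group not on the page
            if rule["src"] is None or rule["dst"] is None:
                rule["unresolved"] = True
        acls.setdefault(tok[1], []).append(rule)
    return acls


def _matches(rule, flow):
    if rule["proto"] != "ip" and rule["proto"] != flow["proto"]:
        return False
    if ipaddress.ip_address(flow["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in rule["dst"]:
        return False
    return rule["dport"] is None or rule["dport"] == flow["dport"]


def evaluate(acls, flow):
    """First-match evaluation per ACL. verdict is 'permit', 'deny' or None (no
    resolvable line matched); 'certain' is False when an unresolvable line sits
    above the matching one, because that line could match first on the real box."""
    report = {}
    for name, rules in acls.items():
        verdict, matched_line, unresolved_before = None, None, 0
        for rule in rules:
            if rule["unresolved"]:
                unresolved_before += 1
                continue
            if _matches(rule, flow):
                verdict, matched_line = rule["action"], rule["text"]
                break
        report[name] = {"verdict": verdict, "line": matched_line,
                        "unresolved": sum(r["unresolved"] for r in rules),
                        "certain": verdict is not None and unresolved_before == 0}
    return report


if __name__ == "__main__":
    for name, r in evaluate(parse_acl_dump(ACL_DUMP), RDP_FLOW).items():
        print(f"{name:22} verdict={str(r['verdict']):7} unresolved={r['unresolved']} certain={r['certain']}")
```

On the trimmed dump, `guest_INBOUND` is the only ACL with a certain permit for this flow and `test1` denies everything; `ACL-LPOUT-INBOUND` has no resolvable match but several unresolved object lines, so it cannot be judged without the object definitions. Which of these ACLs is actually applied to the VPN traffic (as an interface ACL or a VPN filter) is exactly what `packet-tracer` reports and what a reviewer would check next.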



## mrw5641 (Aug 14, 2015)

Hi Mitch, any thoughts?


----------



## MitchConner (May 8, 2015)

Hi mate,

Sorry for the delayed reply, and happy new year!

Have you added the management-access inside command to your config?


----------



## mrw5641 (Aug 14, 2015)

No I do not believe I have. Did you want me to share my full config with you via drop box?


----------



## MitchConner (May 8, 2015)

Please and thank you.


----------



## mrw5641 (Aug 14, 2015)

No. Thank you!

I sent you a PM.


----------



## MitchConner (May 8, 2015)

No worries mate, I'll have a look and get back to you asap.


----------



## mrw5641 (Aug 14, 2015)

Thanks Mitch!!!


----------



## MitchConner (May 8, 2015)

Hi mate.

Can you show me the output of a show route please?


----------



## mrw5641 (Aug 14, 2015)

```
inside# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 47.19.64.65 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, inside
C    10.10.10.0 255.255.255.0 is directly connected, test
C    10.100.0.0 255.255.255.0 is directly connected, DMZ
C    192.168.16.0 255.255.255.0 is directly connected, guests
S    192.168.1.42 255.255.255.255 [1/0] via 47.19.64.65, LPOUT
C    47.19.64.64 255.255.255.192 is directly connected, LPOUT
S*   0.0.0.0 0.0.0.0 [1/0] via 47.19.64.65, LPOUT
```


----------
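Since the later suspicion in the thread is the return path, it helps to see what this routing table does with each leg of the flow. The following is an added example (not from either poster) that parses the posted `show route` lines and does a longest-prefix lookup for the XP box and for two VPN client addresses mentioned in the thread; the route lines are copied from the post, and the addresses looked up are the ones the thread names.

```python
"""Longest-prefix lookup over ASA 'show route' output (added example, not from the thread)."""
import ipaddress
import re

# Constructed input: the route lines from the posted 'show route' (legend trimmed).
SHOW_ROUTE = """
C 172.16.1.0 255.255.255.0 is directly connected, inside
C 10.10.10.0 255.255.255.0 is directly connected, test
C 10.100.0.0 255.255.255.0 is directly connected, DMZ
C 192.168.16.0 255.255.255.0 is directly connected, guests
S 192.168.1.42 255.255.255.255 [1/0] via 47.19.64.65, LPOUT
C 47.19.64.64 255.255.255.192 is directly connected, LPOUT
S* 0.0.0.0 0.0.0.0 [1/0] via 47.19.64.65, LPOUT
"""

# code, network, mask, then either "[ad/metric] via X" or "is directly connected", then ", iface"
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<how>.*?),\s*(?P<iface>\S+)$")


def parse_show_route(text):
    """Return a list of route dicts; lines that are not route entries are ignored."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        via = re.search(r"via (\d+\.\d+\.\d+\.\d+)", m["how"])
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False),
            "next_hop": via.group(1) if via else None,  # None for connected routes
            "interface": m["iface"],
        })
    return routes


def lookup(routes, address):
    """Return the most specific route covering address, or None if nothing matches."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["network"].prefixlen)


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    # Forward leg target (XP box) and the VPN client addresses named in the thread.
    for host in ("172.16.1.50", "192.168.1.41", "192.168.1.42"):
        r = lookup(table, host)
        print(host, "->", r["network"], "via", r["next_hop"] or "connected", "on", r["interface"])
```

With the posted table, 172.16.1.50 resolves to the connected `inside` route, 192.168.1.42 hits its own /32 static route out `LPOUT`, and 192.168.1.41 falls through to the default route, also out `LPOUT`. Comparing which client address currently holds a host route with the address the packet-tracer was run for is the kind of check that narrows a "return traffic" theory before going to captures.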



## MitchConner (May 8, 2015)

I think it's going to be one of those days today.

Your config looks ok to be honest mate. Do any other services work through your Anyconnect or is this the only one?

When you try and RDP into the network, if you have a look at the log in the ASDM, can you see the drops there?

Is there another device behind the ASA at all?


----------



## mrw5641 (Aug 14, 2015)

There is nothing else there. Besides the firewall, the only other device is a Windows XP machine, which is what I am trying to get to.

The only thing I can try is to move the segment to 10.100.0.xx and try it that way.

Any other suggestions?


----------



## mrw5641 (Aug 14, 2015)

I don't see anything in the logs either.


----------



## MitchConner (May 8, 2015)

Your ICMP traffic is hitting the firewall, which suggests to me that there may be an issue with the return traffic.

Are you able to run a capture on the ASA?


----------



## mrw5641 (Aug 14, 2015)

Yes, I would be glad to. Can you please let me know how?


----------



## MitchConner (May 8, 2015)

Sure.

From the CLI (you can use the wizard in the ASDM as well):

```
capture capin interface inside match ip 172.16.1.x 255.255.255.255 192.168.1.x 255.255.255.255
capture capout interface outside match ip 192.168.1.x 255.255.255.255 172.16.1.x 255.255.255.255
```

You'll just need to fill in the blanks (x's) for source and destination machines.

Once complete, try to RDP from your VPN client then run:

```
show cap capin
show cap capout
```


----------



## mrw5641 (Aug 14, 2015)

0 packets on each


----------



## MitchConner (May 8, 2015)

I realised I made a mistake (about an hour ago), the capture should be on your LPOUT interface, not outside.

Can you correct and try again please (if you didn't notice it either)?


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch

Still nada

```
inside# capture capin interface inside match ip 172.16.1.50 255.255.255.255 19$
inside# capture capout interface LPOUT match ip 192.168.1.43 255.255.255.255 1$
inside# show cap capin

0 packet captured

0 packet shown
inside# show cap capout

0 packet captured

0 packet shown
inside#
```


----------



## MitchConner (May 8, 2015)

Hi mate.

Really sorry for the delay in getting back to you.

Have you been able to get any logs from the ASA (the log monitor would suffice), and can you confirm whether you can access any other LAN resources when connected using the VPN?


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch, can you send me a PM when you get a chance?


----------

