
ASA - Branch Office Connection


wkim623

Technical User
Aug 26, 2003
53
CA
Here is a quick look at my connectivity

Internet ---- ASA ---(192.168.1.0)----Router --(192.168.95.0, Direct connection Fiber) ---Router --(172.29.94.0)
192.168.1.0
|
|
Internet ---- Router

Anyway, I can reach both destinations fine and can ping a workstation on the 172.29.94.0 network from 192.168.1.0 and vice versa. But I am unable to remote desktop to a host from either side, nor can I reach the existing AD in the 192.168.1.0 network. I am sure it's an ACL issue. Can anyone tell me how I can achieve this?

Thanks.

I'll post all the ACLs.

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 any any
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_2 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_5
access-list testacl extended permit ip 192.168.1.0 255.255.255.0 any
access-list testacl extended permit object-group DM_INLINE_PROTOCOL_1 172.29.94.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list testacl extended permit object-group DM_INLINE_PROTOCOL_2 192.168.95.0 255.255.255.252 192.168.1.0 255.255.255.0
access-list testacl extended permit object-group DM_INLINE_SERVICE_3 192.168.1.0 255.255.255.0 172.29.94.0 255.255.254.0
access-list testacl extended permit object-group DM_INLINE_SERVICE_4 192.168.1.0 255.255.255.0 192.168.95.0 255.255.255.252
access-list inside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list outside_access_in extended permit tcp any host waterloo-public eq imap4
access-list outside_access_in extended permit tcp any host waterloo-public eq 5500
access-list outside_access_in extended permit tcp any host waterloo-public eq 888
access-list outside_access_in extended permit tcp any host waterloo-public eq smtp
access-list outside_access_in extended permit tcp any host waterloo-public eq ssh
access-list outside_access_in extended permit tcp any host waterloo-public eq lotusnotes
access-list outside_access_in extended permit tcp any host waterloo-public eq https
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host waterloo-public eq 3389
access-list outside_access_in extended permit tcp any host waterloo-public eq www
access-list outside_access_in extended permit tcp any host waterloo-public eq 10000
access-list outside_access_in extended permit tcp any host waterloo-public eq ftp
access-list outside_access_in extended permit tcp any host waterloo-public eq ftp-data
access-list outside_access_in extended permit tcp any host waterloo-public range 5600 5700
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_6 any any
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.224
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_11 object-group DM_INLINE_NETWORK_3 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_12 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list vpn_accessible_nets remark Waterloo inside network
access-list vpn_accessible_nets standard permit 192.168.1.0 255.255.255.0
access-list vpn_accessible_nets remark Germany inside network
access-list vpn_accessible_nets standard permit 192.168.60.0 255.255.255.0

And the following are my NAT statements:

static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface lotusnotes 192.168.1.4 lotusnotes netmask 255.255.255.255
static (inside,outside) tcp interface 222 192.168.1.4 ssh netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 5500 192.168.1.4 5500 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.4 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 6502 192.168.1.21 6502 netmask 255.255.255.255
static (inside,outside) tcp interface 6503 192.168.1.22 6503 netmask 255.255.255.255
static (inside,outside) tcp interface 6504 192.168.1.23 6504 netmask 255.255.255.255
static (inside,outside) tcp interface 6505 192.168.1.24 6505 netmask 255.255.255.255
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.9 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.43 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.43 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 5600 192.168.1.43 5600 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
 
what is this line for?
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255

what are the IPs associated with this object group?
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host waterloo-public eq 3389
 
Hi Thanks for your response.

That 192.168.1.100 is for a machine located in our lab, that a vendor needs to connect to. Same for the other statement it is to let our vendor's networks connect to our environment with RDP.
 
Forgot to mention that the ASA is a 5505 and the routers are 2800 series and 3500 series.
 
Yes I'm allowed to create a new one.
 
I've done a few, not going to say I'm an expert at it.
 
give it a try and see what happens... what's the worst that could happen?
 
What do you want me to input? I don't understand.
 
this is an acl:
access-list outside_access_in extended permit tcp any host waterloo-public eq www

open notepad and type it out to look just like that, with the source, mask and destination with port, so it's something like

config t
access-list outside_access_in extended permit tcp x.x.x.x y.y.y.y host server eq 3389

 
But it's not an outside interface, it's coming from behind and it's just a different subnet. Or are you just throwing that out as an example? I just don't want to give access for RDP only, though; I want to give access to all traffic between the subnets. How would I accomplish that?
 
that's just an example. you can apply the acl to any interface. if it is on another interface, change the name and add in

access-group somename in interface whatever-interface
 
Thanks for your assistance.

Well, I decided to check the logs while attempting the connection, and this is what I'm getting.

6 Mar 05 2009 14:58:48 106015 192.168.1.146 172.29.94.100 Deny TCP (no connection) from 192.168.1.146/3350 to 172.29.94.100/3389 flags RST on interface inside

I've done a statement for inside/inside already, the ASA is running EIGRP and let the IP services be allowed between the two subnets. Does this help any?
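The log line above is message 106015, which the ASA logs when it receives a TCP segment that is not a SYN and matches no entry in its connection table. When both endpoints sit behind the same interface, the usual reason is that only one direction of the flow passes through the ASA (the reply goes host-to-router directly), so the firewall never builds a full connection. The following added example, which is not part of the thread, parses lines in the ASDM log-viewer format shown above, groups 106015 denies per flow, and marks flows whose source and destination both route out the interface the packet arrived on. The sample log (only the first line is from the thread) and the prefix-to-interface table built from the topology in the first post are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the ASDM log-viewer format used in the thread.
# The first line is the one quoted in the thread; the others are made up.
SAMPLE_LOG = """\
6 Mar 05 2009 14:58:48 106015 192.168.1.146 172.29.94.100 Deny TCP (no connection) from 192.168.1.146/3350 to 172.29.94.100/3389 flags RST on interface inside
6 Mar 05 2009 14:58:49 106015 192.168.1.146 172.29.94.100 Deny TCP (no connection) from 192.168.1.146/3350 to 172.29.94.100/3389 flags ACK on interface inside
6 Mar 05 2009 14:59:01 302013 192.168.1.20 10.0.0.5 Built outbound TCP connection 12345 for outside:10.0.0.5/443 (10.0.0.5/443) to inside:192.168.1.20/50000 (203.0.113.10/50000)
6 Mar 05 2009 14:59:10 106015 198.51.100.9 192.168.1.9 Deny TCP (no connection) from 198.51.100.9/44321 to 192.168.1.9/25 flags FIN ACK on interface outside
"""

# Assumed prefix -> interface table derived from the topology in the thread:
# 192.168.1.0/24 is directly on inside and 172.29.94.0/23 is learned via the
# inside router (EIGRP); 192.168.60.0/24 is the VPN peer behind outside.
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "inside",
    ipaddress.ip_network("172.29.94.0/23"): "inside",
    ipaddress.ip_network("192.168.60.0/24"): "outside",
}

# Only message id 106015 is matched; every other message is ignored.
NOCONN_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+106015\s+\S+\s+\S+\s+"
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    iface: str


def parse_no_connection_denies(log_text: str) -> List[Tuple[Flow, str]]:
    """Return (flow, tcp_flags) for every 106015 line in the text."""
    out = []
    for line in log_text.splitlines():
        m = NOCONN_RE.match(line.strip())
        if m:
            out.append((Flow(m["src"], m["dst"], int(m["dport"]), m["iface"]), m["flags"]))
    return out


def egress_interface(ip: str) -> str:
    """Longest-prefix match over the assumed ROUTES table; 'unknown' if no match."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "unknown"


def summarize(log_text: str) -> Dict[Flow, dict]:
    """Count 106015 denies per flow and flag intra-interface (hairpin) flows,
    i.e. flows where both ends are behind the interface the packet arrived on."""
    summary: Dict[Flow, dict] = {}
    for flow, flags in parse_no_connection_denies(log_text):
        entry = summary.setdefault(flow, {"count": 0, "flags": set(), "hairpin": False})
        entry["count"] += 1
        entry["flags"].add(flags)
        entry["hairpin"] = egress_interface(flow.src) == flow.iface == egress_interface(flow.dst)
    return summary


def report(log_text: str) -> List[str]:
    lines = []
    for flow, e in summarize(log_text).items():
        note = " (intra-interface flow: return traffic may never reach the ASA)" if e["hairpin"] else ""
        lines.append(f"{flow.src} -> {flow.dst}:{flow.dport} on {flow.iface}: "
                     f"{e['count']} x 106015, flags {sorted(e['flags'])}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A flow that is flagged as intra-interface and shows only ACK/RST (never SYN) denies is the signature to look for: the ASA saw the client's side of the handshake but the server's reply took a path that bypassed it, so an ACL change alone will not make the connection work.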
 
you should see a line in your ASA something like
access-group outside_access_in in interface something

you probably need to have another acl list something like

access-list NEW_Name extended permit tcp host 192.168.1.146 host 172.29.94.100 eq 3389
access-group NEW_Name in interface inside

something like that, I don't see the rest of your ASA config
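To check whether a given connection would be permitted by an ACL of the kind discussed in the replies above (source, mask, destination, port) before touching the firewall, here is an added example that is not part of the thread: a small evaluator for ASA extended access-list lines with the `any`, `host` and `network mask` address forms and `eq`/`range` port operators, applying first-match semantics with the implicit deny at the end of every ACL. The ACL text is constructed from the plain-IP lines in the thread plus the rule suggested in the last reply; `203.0.113.10` stands in for the unnamed `waterloo-public` address, and lines that reference object groups are left out because the groups themselves are not shown in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known port names accepted by the ASA CLI that appear in the thread.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ssh": 22, "ftp": 21,
              "ftp-data": 20, "imap4": 143, "lotusnotes": 1352}

# Constructed ACL text (see lead-in): 203.0.113.10 is a placeholder for the
# "waterloo-public" address; object-group lines from the thread are omitted.
ACL_TEXT = """
access-list NEW_Name extended permit tcp host 192.168.1.146 host 172.29.94.100 eq 3389
access-list NEW_Name extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.10 range 5600 5700
"""

PortRange = Optional[Tuple[int, int]]


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange
    text: str


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # network/mask form; ipaddress accepts a dotted mask after the slash
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _ports(tok: List[str], i: int) -> Tuple[PortRange, int]:
    """Parse an optional 'eq P' or 'range A B' operator starting at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        p = _port(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (_port(tok[i + 1]), _port(tok[i + 2])), i + 3
    return None, i


def parse_acl(text: str) -> Dict[str, List[Rule]]:
    """Parse 'access-list NAME extended ACTION PROTO SRC [ports] DST [ports]' lines,
    keeping them in order per ACL name (order matters for first-match)."""
    acls: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        name, action, proto = tok[1], tok[3], tok[4]
        src, i = _addr(tok, 5)
        sport, i = _ports(tok, i)      # optional source-port operator
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i)      # optional destination-port operator
        acls.setdefault(name, []).append(
            Rule(name, action, proto, src, sport, dst, dport, line.strip()))
    return acls


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(acls: Dict[str, List[Rule]], name: str, proto: str,
             src: str, sport: int, dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acls.get(name, []):
        if r.proto not in ("ip", proto):   # 'ip' entries match every protocol
            continue
        if s in r.src and d in r.dst and _in_range(sport, r.sport) and _in_range(dport, r.dport):
            return r.action, r.text
    return "deny", None


if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    # the RDP flow from the log line quoted in the thread
    print(evaluate(acls, "NEW_Name", "tcp", "192.168.1.146", 3350, "172.29.94.100", 3389))
    print(evaluate(acls, "outside_access_in", "tcp", "198.51.100.9", 40000, "203.0.113.10", 3389))
```

One caveat on the `access-group` step: the ASA binds a single ACL per interface and direction, so `access-group NEW_Name in interface inside` replaces `inside_access_in`, which is already bound there. In practice the new permit entries are appended to the ACL that is already applied, and the evaluator above can be pointed at that ACL name to confirm the line order still gives the intended first match.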
 