Question : Business Contact Manager over VPN

Good day. As the title says, I'm experiencing some trouble running my BCM over my VPN.

A little bit of background. BCM used to be running on a client machine with Vista Home Premium and Office 2007 Small Business. This was then shared out, and all local LAN users were able to access it based on the computer name, and VPN users via the IP address. (The VPN headend is a Cisco ASA 5505, with the clients being a mix of other ASA 5505s and the Cisco IPsec VPN client.)

I was running into issues sharing files on that machine, as Vista limits simultaneous connections. I set up a Server 2008 computer, installed the BCM 2007 database tool, and imported a copy of my BCM database. All local LAN computers can still access the DB via the computer name or the IP address. Unfortunately, now the VPN users cannot access it. I have DNS running on my server as well, but I haven't gotten that working with my VPN clients yet.

The things I have tried include verifying that the firewall on the server was allowing port 5356 TCP through, as well as that the SQL Express instance was actually using that port. I can ping the server's IP through the VPN and access my file shares without difficulty. I also added a firewall rule to my ASA allowing all traffic on port 5356 TCP through to the IP of my server. I don't think I actually need this, as the VPN users should be bypassing that portion of the firewall. The next step I tried was connecting using the syntax serverIP\instancename, as I found the SQL instance was named differently than the default. (I tried this as per the help menu when the connection fails.)

The actual error I receive when I try to connect is: "cannot access the database server on computer serverIP"

Attached is the running config from my headend ASA.  Any assistance would be greatly appreciated.  

Thanks
Scott
Code Snippet:
: Saved
:
ASA Version 8.2(1) 
!
hostname MyASA
domain-name company.com
enable password ********* encrypted
passwd ************* encrypted
names
name 10.1.0.5 FileServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server FileServer
 domain-name company.com
object-group service OpenVPN udp
 port-object eq 1194
object-group service TCPGroup tcp
 port-object eq 5356
access-list HeadOffice_splitTunnelAcl extended permit ip 10.1.0.0 255.255.0.0 any 
access-list inside_nat0_outbound extended permit ip any 10.10.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
access-list no-nat extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 
access-list outside_access_in extended permit udp any host 10.1.1.8 eq 1194 
access-list outside_access_in extended permit tcp any host FileServer eq 5356 
access-list test_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0 
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 10.10.0.1-10.10.0.254 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 1194 10.1.1.8 1194 netmask 255.255.255.255 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns FileServer
dhcpd auto_config outside
!
dhcpd address 10.1.1.1-10.1.1.254 inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.3.2016-k9.pkg 1
group-policy HeadOffice internal
group-policy HeadOffice attributes
 dns-server value 10.1.0.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HeadOffice_splitTunnelAcl
 nem enable
username User1 password ************** encrypted
username User1 attributes
 vpn-group-policy HeadOffice
username City1 password ************ encrypted privilege 0
username City1 attributes
 vpn-group-policy HeadOffice
username User2 password *********** encrypted
username User2 attributes
 vpn-group-policy HeadOffice
username City2 password ************ encrypted
username City2 attributes
 vpn-group-policy HeadOffice
username City3 password ***************** encrypted privilege 0
username City3 attributes
 vpn-group-policy HeadOffice
username User3 password ************** encrypted
username User3 attributes
 vpn-group-policy HeadOffice
username User4 password *************** encrypted
username User4 attributes
 vpn-group-policy HeadOffice
username User5 password *************** encrypted
username User5 attributes
 vpn-group-policy HeadOffice
username User6 password **************** encrypted
username User6 attributes
 vpn-group-policy HeadOffice
tunnel-group HeadOffice type remote-access
tunnel-group HeadOffice general-attributes
 address-pool VPNPool
 default-group-policy HeadOffice
tunnel-group HeadOffice ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:53a54b7914fb47e576ef15f94a1f1ed1
: end
asdm image disk0:/asdm-621.bin
asdm location 10.1.1.8 255.255.255.255 inside
asdm location FileServer 255.255.255.255 inside
asdm history enable

Answer : Business Contact Manager over VPN

Hi Scott, I have a few questions.

1) Do you have the Windows Firewall running on this 2008 Server? I ask because there may be a rule allowing local LAN access but not remote network access.

2) Is your new server using the same IP address as the old "server"?

3) Have you rebooted the ASA or cleared nat translations (clear xlate) since the switch?

I would also try a manual telnet to 5356 from a VPN client while issuing netstat -an |find ":5356" to see if your request is even hitting the server. If it is, you may have a surface area configuration issue with SQL.

Cheers,
Juice
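The check suggested in the answer (a manual telnet to 5356 from a VPN client while watching `netstat -an | find ":5356"` on the server) can be scripted so the result is classified rather than eyeballed. The following is an added example and not part of the original thread or of any Microsoft or Cisco tooling. It assumes port 5356 from the question and the 10.10.0.0/16 VPN pool from the posted ASA config; the netstat text it parses is a constructed sample, not a real capture. `probe_tcp` is the client-side half of the test, and `diagnose` reads the server's `netstat -an` output and reports whether the listener exists, what it is bound to, and whether any VPN-pool address has reached it.

```python
import ipaddress
import socket

SQL_PORT = 5356  # port the question says the SQL Express instance listens on
VPN_POOL = ipaddress.ip_network("10.10.0.0/16")  # VPNPool in the posted ASA config (mask 255.255.0.0)

# Constructed sample of `netstat -an` output from the Server 2008 host; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5356           0.0.0.0:0              LISTENING
  TCP    10.1.0.5:445           10.1.1.20:49213        ESTABLISHED
  TCP    10.1.0.5:5356          10.1.1.20:49220        ESTABLISHED
  TCP    10.1.0.5:5356          10.10.0.7:51002        SYN_RECEIVED
  UDP    0.0.0.0:1434           *:*
"""


def parse_netstat(text):
    """Turn Windows `netstat -an` lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "lhost": lhost, "lport": int(lport),
            "fhost": fhost, "fport": fport,          # fport stays a string: UDP shows "*"
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def listener_address(rows, port):
    """Address the TCP listener on `port` is bound to, or None if nothing listens there."""
    for r in rows:
        if r["proto"] == "TCP" and r["lport"] == port and r["state"] == "LISTENING":
            return r["lhost"]
    return None


def vpn_peers_on_port(rows, port, pool=VPN_POOL):
    """(peer, state) for every non-listening TCP row on `port` whose peer is in the VPN pool."""
    peers = []
    for r in rows:
        if r["proto"] != "TCP" or r["lport"] != port or r["state"] == "LISTENING":
            continue
        try:
            if ipaddress.ip_address(r["fhost"]) in pool:
                peers.append((r["fhost"], r["state"]))
        except ValueError:  # "*" or a bracketed IPv6 literal; not a pool member either way
            continue
    return peers


def diagnose(netstat_text, port=SQL_PORT):
    """Classify what the server-side netstat shows for the SQL port."""
    rows = parse_netstat(netstat_text)
    bound = listener_address(rows, port)
    if bound is None:
        return "no-listener"            # instance not on this port, or not running
    if bound in ("127.0.0.1", "::1"):
        return "loopback-only"          # TCP/IP enabled but bound to loopback only
    peers = vpn_peers_on_port(rows, port)
    if not peers:
        return "no-vpn-traffic"         # SYNs never arrive: blocked or dropped before the host
    if all(state == "ESTABLISHED" for _, state in peers):
        return "vpn-connected"
    return "vpn-half-open"              # SYN arrives but the handshake never completes


def probe_tcp(host, port, timeout=3.0):
    """Client-side equivalent of the manual telnet test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host reached, nothing listening (or a reset from a firewall)
    except OSError:
        return "unreachable"   # timeout or no route: packets dropped somewhere on the path


def probe_loopback_listener():
    """Self-check for probe_tcp: a throwaway loopback listener, probed while open and after close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print("server side:", diagnose(SAMPLE_NETSTAT))
    print("client side (loopback self-check):", probe_loopback_listener())
```

On the server, pipe `netstat -an` into `diagnose`; on the VPN client, call `probe_tcp("serverIP", 5356)`. Read the two together: "refused" on the client with "no-listener" on the server points at SQL configuration, "unreachable" with "no-vpn-traffic" points at something in front of the host (Windows Firewall profile, NAT exemption, routing), and "unreachable" with "vpn-half-open" means the SYN arrives but the reply never gets back to the client.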