ISR 877 to PIX 525 VPN RDP issue

Unanswered Question
Apr 10th, 2009
I have a site-to-site VPN from a remote office to a HQ site. At the remote site I have an ISR 877 ADSL router (zone-based firewall) and a PIX 523 (7.2) at the HQ site.

The problem is I can ping and connect to anything in the HQ site. But I can only ping from HQ to the remote LAN (I need to be able to RDP).

I enabled logging on the policy map and I can see traffic being logged on the console from HQ to the remote LAN.

Routing is OK on the remote side as connectivity works from remote to HQ. Has anyone any ideas on this?

policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-10
  pass log

I have included the configs, HELP!

omar.elmohri Fri, 04/10/2009 - 04:45
I sent you a reply on the old posted question.

And I think that I have the same problem, unless I have to ping the host to permit the RDP to this same host. ARP problem?



darkbeatzz Fri, 04/10/2009 - 04:57
I have not worked on a zone-based firewall before so I don't fully understand how it should work.

The ARP table has an entry for the host I am trying to communicate with.

There is also a domain controller which is replicating without any issues, so is there something funny about allowing RDP over the tunnel on these zone-based firewalls?

omar.elmohri Fri, 04/10/2009 - 23:31

RDP is an application protocol.

It is normal that if you can ping, every application should be allowed, since in this way we ensure full IP access.

Anyone have any suggestion?

darkbeatzz Tue, 04/14/2009 - 01:31

Guys, don't suppose anyone has any suggestions on this? I'm stuck.

darkbeatzz Fri, 04/17/2009 - 05:49

I figured out what the problem was.

inspect tcp

I have turned that off and it's working now. I'm wondering now though, what am I losing by turning this off?
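An added zone-based firewall example (not the poster's config, and not a Cisco-supplied one) showing the posted `pass log` policy next to an alternative that keeps TCP stateful inspection rather than switching it off. Zone names, ACL names and the class/policy names other than those quoted in the thread are assumptions.

```cisco
! Assumed names (not from the thread): zone "in-zone" = remote LAN,
! zone "out-zone" = ADSL/VPN side, ACL "HQ-TO-REMOTE" = HQ -> remote LAN subnets.
!
! --- As posted: HQ -> remote traffic is passed without session state ---
class-map type inspect match-any sdm-cls-VPNOutsideToInside-10
 match access-group name HQ-TO-REMOTE
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-10
  pass log
!
! "pass" creates no session entry. If the in-zone -> out-zone policy inspects
! TCP, the RDP reply (SYN-ACK from the remote host) is checked against a
! session table that never saw the inbound SYN and is dropped as out-of-session
! TCP, while the echo-reply of a ping is not subject to the same TCP checks.
! Removing "inspect tcp" on the inside -> outside policy avoids the drop but
! gives up TCP state tracking for everything leaving the remote LAN.
!
! --- Alternative: inspect the HQ -> remote flows so state is created ---
class-map type inspect match-any CM-HQ-TO-REMOTE
 match access-group name HQ-TO-REMOTE
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-HQ-TO-REMOTE
  inspect
 class class-default
  drop log
zone-pair security out-to-in source out-zone destination in-zone
 service-policy type inspect PM-OUT-TO-IN
!
! Verify that an RDP session from HQ now shows up as tracked state:
!   show policy-map type inspect zone-pair out-to-in sessions
```

With `inspect` on the outside-to-inside pair, the inside-to-outside policy can keep inspecting TCP, since the return packets match an existing session instead of being evaluated as new flows.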
