RDP Access

Unanswered Question
Jul 30th, 2009

I have a client who has a Cisco Pix 506 and a Catalyst 3560 switch. They have multiple VLANs configured on the switch and everything seems to be working great internally.

They are trying to allow the local prosecutor's office to VPN into their system and look at files. We have PPTP setup for the prosecutor to VPN in and that part works well.

Once the prosecutor's office is connected though they cannot connect via RDP to any available machines in the Clerk of Courts office. They can however, RDP to servers on a different VLAN.

Is this a problem with an access-list on the switch or on the Pix? I'm assuming the switch but want to make sure.

Any help with this would be appreciated.

Peter Paluch Thu, 07/30/2009 - 11:09

Hi Steven,

Without knowing more about existing ACLs on the PIX and the 3560, it's quite hard to tell what the problem could be.

The only thing I can recommend now is to simply follow the path from the client PC to the machine with the RDP, and verify on each network device whether its security settings allow

1.) TCP connections from the client to the RDP machine with the destination port 3389

2.) TCP replies in the opposite direction

Also - just in case - it would be beneficial to check if the RDP machine actually allows RDP connections in its firewall or settings. Also, does it have a route back to the client?

Best regards,


sonitadmin Thu, 07/30/2009 - 12:18

I'm not 100% sure where the problem lies. The PPTP connection connects to the network on VLAN 10. The RDP machine is on the network on VLAN 8.

The access-list for VLAN 108 shows the following:

5 permit tcp any any eq 3389 log (1 match)

10 permit icmp any any (82 matches)

20 permit tcp host any

30 permit tcp host any

40 permit ip any

50 permit ip any (19 matches)

60 permit ip any

70 permit tcp any eq www

90 deny ip any

100 deny ip any (53 matches)

110 permit ip any any (4 matches)

I would think that the first line would permit the traffic.

Peter Paluch Thu, 07/30/2009 - 12:31


Some traffic was permitted alright. Is also the corresponding return traffic permitted? Is it possible to use a packet sniffer in the destination network to see if at least the TCP SYN packets arrive from the client?

Best regards,


sonitadmin Thu, 07/30/2009 - 15:52


Thanks for the reply. Would the ACL for the return traffic be on the VLAN that the network is on and what would that rule look like?


Peter Paluch Fri, 07/31/2009 - 00:16

Hi Steven,

Can you please tell me where exactly the ACL for VLAN 108 is placed and in what direction?

The ACL entry for the opposite direction would look something like

access-list N permit tcp any eq 3389 any

Replace the 'any' with proper networks.

Also note that the PIX has security levels on its interfaces. By default, traffic from higher security-level interfaces can flow to lower security-level interface but not vice versa. Therefore, even if no ACLs are used on the PIX, it might be actually necessary to add some.

Best regards,

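The following is an added worked example, not configuration from this thread or from the poster's network. It shows what the advice above looks like in practice on the two boxes in question: a stateless router ACL pair on the 3560 SVI covering both the client-to-server direction (destination port 3389) and the server-to-client return direction (source port 3389), and the corresponding PIX 6.x entries for PPTP clients that terminate on the outside (security level 0) interface and need to reach the inside (security level 100). The networks (10.10.0.0/24 for the PPTP pool on the VLAN 10 side, 10.8.0.0/24 for the Clerk of Courts hosts on VLAN 8), the ACL names and the interface addresses are placeholders, not values taken from the thread.

```cisco
! ===== Catalyst 3560 (router ACLs on the VLAN 8 SVI) =====
! Assumed placeholder addressing:
!   PPTP client pool, reached via VLAN 10 : 10.10.0.0/24
!   Clerk of Courts RDP hosts, VLAN 8     : 10.8.0.0/24
!
! Forward direction: client -> RDP host, TCP DESTINATION port 3389
ip access-list extended VLAN8-OUT
 remark RDP from the VPN/VLAN 10 clients into VLAN 8
 permit tcp 10.10.0.0 0.0.0.255 10.8.0.0 0.0.0.255 eq 3389
 permit icmp any any
 deny   ip any any log
!
! Return direction: RDP host -> client, TCP SOURCE port 3389.
! A router ACL on the 3560 is stateless, so the reply must be
! permitted explicitly; the forward ACE alone is not enough.
ip access-list extended VLAN8-IN
 remark replies from VLAN 8 RDP hosts back to the VPN/VLAN 10 clients
 permit tcp 10.8.0.0 0.0.0.255 eq 3389 10.10.0.0 0.0.0.255
 permit icmp any any
 deny   ip any any log
!
interface Vlan8
 ip address 10.8.0.1 255.255.255.0
 ! "out" = packets routed out of this SVI towards hosts in VLAN 8
 ip access-group VLAN8-OUT out
 ! "in"  = packets arriving from hosts in VLAN 8
 ip access-group VLAN8-IN in
!
! Verification after one RDP attempt: BOTH of these should show hits.
! Hits only on VLAN8-OUT means the SYN got in but the reply was dropped.
!   show ip access-lists VLAN8-OUT
!   show ip access-lists VLAN8-IN
!
! ===== PIX 506 (PIX 6.x syntax) =====
! PPTP clients terminate on "outside" (security 0). Traffic from a lower
! to a higher security level is denied unless permitted, so the client's
! SYN towards the inside must be allowed by one of the two options below.
! The PIX is stateful: the SYN/ACK coming back is matched against the
! connection table, so no separate return-direction ACE is needed here.
!
! Option A: let PPTP-terminated traffic bypass the interface ACL
sysopt connection permit-pptp
!
! Option B: permit it explicitly (PIX uses subnet masks, not wildcards)
access-list outside_in permit tcp 10.10.0.0 255.255.255.0 10.8.0.0 255.255.255.0 eq 3389
access-group outside_in in interface outside
```

The useful diagnostic in this layout is the asymmetry of the counters: an ACE hit on the forward ACL with nothing on the return ACL points at the 3560, while no hits at all on the switch points at the PIX or at the VPN client's routing, which is exactly the path-walk suggested above.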

