Need help with VLAN/Access List/RDP

Unanswered Question
Sep 17th, 2009
Have an attorney's office that needs to connect via PPTP to a VPN and then RDP into a desktop to access files.


PPTP is set up and working on a Pix 515e. Can connect fine. When the client then tries to RDP into the machine, they cannot connect.


A Cisco 3560 switch with VLANs configured is where I think the problem lies, but I can't pinpoint the issue. The clerk's office is on VLAN8 with the following ACL assigned to it:


access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any


When I connect via the PPTP VPN I have an IP address of 10.10.0.241. I added a line to permit any from 10.10.0.0 0.0.255.255, but that didn't allow it either, so I removed it.


I have tried every command I can think of to get this to work but nothing has worked.


Any help would be appreciated.

Edison Ortiz Thu, 09/17/2009 - 07:37
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

Can you post the updated ACL with the new line for 10.10.0.0?


__



Edison.

sonitadmin Thu, 09/17/2009 - 08:09
access-list 108 permit icmp any any
access-list 108 permit ip 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any


I did IP and TCP just in case but still was unable to connect.

Edison Ortiz Thu, 09/17/2009 - 08:19

Can you ping the intended device? If so, it can be an RDP application issue.


__


Edison.

sonitadmin Thu, 09/17/2009 - 08:37
Am able to ping device no problem. Can also RDP to it from server at IP 10.250.0.3.

Edison Ortiz Thu, 09/17/2009 - 08:40

Are you saying you can RDP from the PPTP connection to server 10.250.0.3?


Or you can RDP from server 10.250.0.3 to a workstation?


If so, the situation is a lot different. RDP can be sensitive to latency on the PPTP connection.


__


Edison.

sonitadmin Thu, 09/17/2009 - 08:50
I connect to PPTP connection and can then RDP to server at 10.250.0.3. From there I can RDP to the PC at 10.70.0.61.


Connected only to the PPTP connection, I cannot RDP to the 10.70.0.61 PC.

Edison Ortiz Thu, 09/17/2009 - 08:56

The ACL on Vlan8 is an inbound or outbound ACL?


If you remove the ACL, are you able to RDP to devices on the Vlan?


__


Edison.

sonitadmin Thu, 09/17/2009 - 09:55
It says ip access-group 108 out.


I've not tried removing it for fear I would break something else on their network they are using or needing.

Edison Ortiz Thu, 09/17/2009 - 09:59

Then, your ACE should be


access-list 108 permit ip any 10.10.0.0 0.0.255.255


__


Edison.

sonitadmin Thu, 09/17/2009 - 10:05
Does it make a difference where that line goes, as long as it's before the deny statements?

Edison Ortiz Thu, 09/17/2009 - 10:13

This ACE is blocking any connection from 10/8 out of that Vlan.


access-list 108 deny ip 10.0.0.0 0.255.255.255 any


You need to implement, before the ACE above, either


access-list 108 permit ip any 10.10.0.0 0.0.255.255


or


access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255


as the ACL direction is egress, not ingress.


On ingress, the ACEs you had


access-list 108 permit ip 10.10.0.0 0.0.255.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any


would've worked.
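The discussion above hinges on two things: IOS evaluates a numbered ACL top down and stops at the first matching ACE (with an implicit deny at the end), and an ACL applied with "out" on a VLAN SVI inspects packets the switch routes out of that SVI toward hosts on the VLAN. The simulator below is an added example, not code from this thread; it reproduces the ACL 108 as first posted and the second version with the 10.10.0.0 0.0.255.255 permit added, then runs the PPTP client's RDP SYN (10.10.0.241 to 10.70.0.61) and its reply through both. It assumes 10.70.0.61 sits in VLAN8, that RDP is on TCP/3389, and a made-up ephemeral client port; it models only the ACE forms on this page (ip/tcp/icmp, any, host, address plus wildcard, optional "eq PORT"), not "established", "range" or "gt". Run it and the first ACL denies the SYN at the "deny ip 10.0.0.0 0.255.255.255 any" line, while the second permits it at the added line, which is why, once that line is present, the switch ACL itself is unlikely to be what is blocking the session.

```python
"""First-match simulator for the Cisco IOS numbered ACL discussed in this thread.

Added example, not code from the thread. Models only: ip/tcp/icmp, 'any',
'host A', 'A WILDCARD', optional 'eq PORT'. No established/range/gt.
"""
import ipaddress

# ACL 108 exactly as first posted for VLAN8 (applied with: ip access-group 108 out).
ORIGINAL_ACL = """\
access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
"""

# The poster's second version: the 10.10.0.0/16 permit inserted near the top.
UPDATED_ACL = ORIGINAL_ACL.replace(
    "access-list 108 permit icmp any any\n",
    "access-list 108 permit icmp any any\n"
    "access-list 108 permit ip 10.10.0.0 0.0.255.255 any\n", 1)

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}
RDP_PORT = 3389      # assumption: default RDP listener
CLIENT_PORT = 51000  # constructed ephemeral source port for the example


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i] -> (net, mask, next_i).

    mask has 1 bits wherever a packet address must equal net; an IOS wildcard
    is the inverse (1 = don't care), so it is flipped here.
    """
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr & mask, mask, i + 2


def _port(tokens, i):
    """Optional 'eq PORT' after an address -> (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) or int(name), i + 2
    return None, i


def parse_acl(text):
    """Return a list of (action, proto, snet, smask, sport, dnet, dmask, dport, line)."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        t = line.split()  # access-list <n> <action> <proto> <src> [eq p] <dst> [eq p]
        action, proto = t[2], t[3]
        snet, smask, i = _addr(t, 4)
        sport, i = _port(t, i)
        dnet, dmask, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append((action, proto, snet, smask, sport, dnet, dmask, dport, line))
    return aces


def evaluate(acl_text, proto, src_ip, dst_ip, sport=None, dport=None):
    """First match wins; anything unmatched hits the implicit deny, as on IOS."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, p, snet, smask, sp, dnet, dmask, dp, line in parse_acl(acl_text):
        if p != "ip" and p != proto:
            continue
        if (s & smask) != snet or (d & dmask) != dnet:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action, line
    return "deny", "implicit deny"


def trace_rdp(acl_text, client_ip, target_ip):
    """Evaluate the RDP SYN and its reply against the ACL.

    Assumption: target_ip is in VLAN8, so the SYN toward it is what the VLAN8
    'out' ACL inspects. The reply is shown for completeness; it enters the SVI
    rather than leaving it, so an 'out' ACL would not see it.
    """
    return {
        "client->target": evaluate(acl_text, "tcp", client_ip, target_ip, CLIENT_PORT, RDP_PORT),
        "target->client": evaluate(acl_text, "tcp", target_ip, client_ip, RDP_PORT, CLIENT_PORT),
    }


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("updated", UPDATED_ACL)):
        for direction, (action, ace) in trace_rdp(acl, "10.10.0.241", "10.70.0.61").items():
            print(f"{name:8} {direction:15} {action:6} by: {ace}")
```

Swap in any other ACL text and packet to see which ACE fires first; when the result is "permit" but the session still fails, the filter is somewhere the ACL does not apply (the other direction, the firewall in the path, or the host itself).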





sonitadmin Thu, 09/17/2009 - 10:24
Now looks like this:


access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any


Tried to RDP to 10.70.0.61 again and still nothing.

Edison Ortiz Thu, 09/17/2009 - 10:49

It makes no sense why it is not working with this ACE


access-list 108 permit ip 10.70.0.0 0.0.255.255 any


unless there is something else missing.


__


Edison.

sonitadmin Thu, 09/17/2009 - 11:27
There shouldn't be anything on the Pix that's blocking this, should there? I wouldn't think so, but just checking.


This is why I was stumped as well. I tried to allow everything possible and still couldn't connect.

Edison Ortiz Thu, 09/17/2009 - 11:29

There shouldn't be anything on the Pix that's blocking this, should there?


We don't know the PIX config. For PIX assistance, please repost in the firewall section of these forums.


__


Edison.

sonitadmin Thu, 09/17/2009 - 12:00
If I can connect to PPTP through the Pix, though, that should be about all that I need from there, correct? I can't think of, and don't see, any rules that would block access. Just wanted to check that, though.
