Need help with VLAN/Access List/RDP

Unanswered Question
Sep 17th, 2009

Have an attorney's office that needs to connect via PPTP to a VPN and then RDP into a desktop to access files.

PPTP setup and working on Pix 515e. Can connect fine. When client then tries to RDP into the machine they cannot connect.

Cisco 3560 switch with VLANs configured is where I think the problem lies but can't pinpoint the issue. Clerk's office is on VLAN8 with the following ACL assigned to it:

access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any

When I connect via the PPTP VPN I have an IP address of 10.10.0.241. I added a line to permit any from 10.10.0.0 0.0.255.255 but that didn't allow it either so I removed it.

I have tried every command I can think of to get this to work but nothing has worked.

Any help would be appreciated.

sonitadmin Thu, 09/17/2009 - 08:09

access-list 108 permit icmp any any
access-list 108 permit ip 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any

I did IP and TCP just in case but still was unable to connect.

Edison Ortiz Thu, 09/17/2009 - 08:19

Can you ping the intended device? If so, it can be a RDP application issue.

__

Edison.

sonitadmin Thu, 09/17/2009 - 08:37

I am able to ping the device no problem. Can also RDP to it from the server at IP 10.250.0.3.

Edison Ortiz Thu, 09/17/2009 - 08:40

Are you saying you can RDP from the PPTP connection to server 10.250.0.3?

Or you can RDP from server 10.250.0.3 to a workstation?

If so, the situation is a lot different. RDP can be sensitive to latency on the PPTP connection.

__

Edison.

sonitadmin Thu, 09/17/2009 - 08:50

I connect to the PPTP connection and can then RDP to the server at 10.250.0.3. From there I can RDP to the PC at 10.70.0.61.

Connected just to the PPTP connection, I cannot RDP to the 10.70.0.61 PC.

Edison Ortiz Thu, 09/17/2009 - 08:56

The ACL on Vlan8 is an inbound or outbound ACL?

If you remove the ACL, are you able to RDP to devices on the Vlan?

__

Edison.

sonitadmin Thu, 09/17/2009 - 09:55

Says ip access-group 108 out.

I've not tried removing it for fear I would break something else on their network they are using or needing.

Edison Ortiz Thu, 09/17/2009 - 09:59

Then, your ACE should be

access-list 108 permit ip any 10.10.0.0 0.0.255.255

__

Edison.

sonitadmin Thu, 09/17/2009 - 10:05

Does it make a difference where that line goes, as long as it's before the deny statements?

Edison Ortiz Thu, 09/17/2009 - 10:13

This ACE is blocking any connection from 10/8 out of that Vlan.

access-list 108 deny ip 10.0.0.0 0.255.255.255 any

You need to implement before the ACE above either

access-list 108 permit ip any 10.10.0.0 0.0.255.255

or

access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255

as the ACL direction is egress, not ingress.

On ingress, the ACEs you had

access-list 108 permit ip 10.10.0.0 0.0.255.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any

would've worked.
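To see which ACE a given flow actually hits, here is an added Python walk-through of the direction point above (my own code, not anything posted in this thread). It assumes the PPTP client address 10.10.0.241 falls in VLAN8's 10.10.0.0/16 range and that RDP uses TCP 3389; since the list is applied "out" on the VLAN8 SVI, it only sees packets going toward VLAN8, so the leg to check is the return traffic from 10.70.0.61, not the client's SYN:

```python
import ipaddress

# access-list 108 as posted in the question above (copied here as constructed sample data)
ACL_108 = """\
access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
""".splitlines()

WELL_KNOWN = {"www": 80}  # IOS port keyword -> number (only the one this ACL uses)

def _addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (addr, wildcard), rest."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def _in(ip, spec):
    """Wildcard match: bits set to 1 in the wildcard are ignored (non-contiguous masks included)."""
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top-down the way IOS does; return (action, matching ACE) or the implicit deny."""
    for line in acl:
        t = line.split()
        action, ace_proto, rest = t[2], t[3], t[4:]
        if ace_proto not in ("ip", proto):
            continue
        ace_src, rest = _addr(rest)
        ace_dst, rest = _addr(rest)
        if not (_in(src, ace_src) and _in(dst, ace_dst)):
            continue
        if rest[:1] == ["eq"]:  # a trailing 'eq' qualifies the destination port
            if dport != (WELL_KNOWN.get(rest[1]) or int(rest[1])):
                continue
        return action, line
    return "deny", "implicit deny at end of list"
```

Running evaluate(ACL_108, "tcp", "10.70.0.61", "10.10.0.241", 49152) for the return leg lands on the 10.70.0.0/16 permit, while the client's SYN evaluate(ACL_108, "tcp", "10.10.0.241", "10.70.0.61", 3389) would only reach the 10/8 deny if the list were applied inbound, which is the ingress versus egress difference described above.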

sonitadmin Thu, 09/17/2009 - 10:24

Now looks like this:

access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any

Tried to RDP to 10.70.0.61 again and still nothing.

Edison Ortiz Thu, 09/17/2009 - 10:49

It makes no sense why it is not working with this ACE

access-list 108 permit ip 10.70.0.0 0.0.255.255 any

unless there is something else missing.

__

Edison.

sonitadmin Thu, 09/17/2009 - 11:27

There shouldn't be anything on the Pix that's blocking this, should there? I wouldn't think so, but just checking.

This is why I was stumped as well. I tried to allow everything possible and still couldn't connect.

Edison Ortiz Thu, 09/17/2009 - 11:29

There shouldn't be anything on the Pix that's blocking this, should there?

We don't know the PIX config. For PIX assistance, please repost in the firewall section of these forums.

__

Edison.

sonitadmin Thu, 09/17/2009 - 12:00

If I can connect to PPTP through the Pix, though, that should be about all that I need from there, correct? I can't think of and don't see any rules that would block access. Just wanted to check that, though.
