Need help with VLAN/Access List/RDP

sonitadmin
Level 1

Have an attorneys office that needs to connect via PPTP to a VPN and then RDP into a desktop to access files.

PPTP setup and working on Pix 515e. Can connect fine. When client then tries to RDP into the machine they cannot connect.

Cisco 3560 switch with VLANs configured is where I think the problem lies but can't pinpoint the issue. Clerks office is on VLAN8 with the following ACL assigned to it:

access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any

When I connect via the PPTP VPN I have an IP address of 10.10.0.241. I added a line to permit any from 10.10.0.0 0.0.255.255 but that didn't allow it either so I removed it.

I have tried every command I can think of to get this to work but nothing has worked.

Any help would be appreciated.

16 Replies

Edison Ortiz
Hall of Fame

Can you post the updated ACL with the new line for 10.10.0.0?

__

Edison.

access-list 108 permit icmp any any
access-list 108 permit ip 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any

I did IP and TCP just in case but still was unable to connect.

Can you ping the intended device? If so, it can be an RDP application issue.

__

Edison.

Am able to ping device no problem. Can also RDP to it from server at IP 10.250.0.3.

Are you saying you can RDP from the PPTP connection to server 10.250.0.3?

Or you can RDP from server 10.250.0.3 to a workstation?

If so, the situation is a lot different. RDP can be sensitive to latency on the PPTP connection.

__

Edison.

I connect to the PPTP connection and can then RDP to the server at 10.250.0.3. From there I can RDP to the PC at 10.70.0.61.

Just connected to the PPTP connection, I cannot RDP to the 10.70.0.61 PC.

The ACL on Vlan8 is an inbound or outbound ACL?

If you remove the ACL, are you able to RDP to devices on the Vlan?

__

Edison.

Says ip access-group 108 out.

I've not tried removing it for fear I would break something else on their network they are using or needing.

Then, your ACE should be

access-list 108 permit ip any 10.10.0.0 0.0.255.255

__

Edison.

does it make a difference where that line goes, as long as it's before the deny statements?

This ACE is blocking any connection from 10/8 out of that Vlan.

access-list 108 deny ip 10.0.0.0 0.255.255.255 any

You need to implement before the ACE above either

access-list 108 permit ip any 10.10.0.0 0.0.255.255

or

access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255

as the ACL direction is egress, not ingress.

On ingress, the ACEs you had

access-list 108 permit ip 10.10.0.0 0.0.255.255 any

access-list 108 permit tcp 10.10.0.0 0.0.255.255 any

would've worked.
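The first-match and wildcard-mask logic being discussed here, as an added example that is not part of any post in this thread: a small Python evaluator for Cisco-style extended numbered ACLs that reports which ACE a given flow hits, or the implicit deny if none does. The ACL text is ACL 108 exactly as posted in the question, and the flows (the PPTP client 10.10.0.241 and the server 10.250.0.3 reaching the PC 10.70.0.61 on TCP 3389, plus the ping that was reported working) are the ones mentioned in the thread. The evaluator models only the ACE list itself, not the interface or direction it is applied on; it is the caller's job to pick source and destination according to whether the `ip access-group` is `in` or `out`, which is the whole point under discussion. The assumption made in the sample flows is that the PC is on VLAN 8 and that the `out` ACL on the VLAN 8 interface sees packets routed toward that VLAN, so the remote client is the source.

```python
"""Added example, not from the thread: a first-match evaluator for Cisco-style
extended numbered ACLs.  It models only the ACE list (wildcard masks, protocol,
optional 'eq' destination port and the implicit deny at the end).  Which
interface and direction the ACL is applied to is left to the caller's choice
of source and destination addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports IOS accepts after 'eq'; only 'www' is needed for the posted ACL.
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}


@dataclass
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, care-bit mask)
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i].
    A wildcard bit of 1 means 'don't care', so the care mask is its complement."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, ~wildcard & 0xFFFFFFFF), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[2], t[3], src, dst, dport, line)


def _in(spec: Tuple[int, int], addr: str) -> bool:
    value, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (value & mask)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not (_in(ace.src, flow.src) and _in(ace.dst, flow.dst)):
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl: List[str], flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (action, text of the first matching ACE); ("deny", None) is the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace.action, ace.text
    return "deny", None


# ACL 108 exactly as posted in the question.
ORIGINAL_ACL = [
    "access-list 108 permit icmp any any",
    "access-list 108 permit tcp host 10.10.0.70 any",
    "access-list 108 permit tcp host 10.10.0.71 any",
    "access-list 108 permit ip 10.70.0.0 0.0.255.255 any",
    "access-list 108 permit ip 10.250.0.0 0.0.0.255 any",
    "access-list 108 permit ip 10.254.0.0 0.0.0.255 any",
    "access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www",
    "access-list 108 deny ip 172.16.1.0 0.0.0.255 any",
    "access-list 108 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 108 permit ip any any",
]

# The same list with the ACE the poster tried, placed ahead of the two deny lines.
WITH_PERMIT = (ORIGINAL_ACL[:-3]
               + ["access-list 108 permit ip 10.10.0.0 0.0.255.255 any"]
               + ORIGINAL_ACL[-3:])

# Flows from the thread.  Assumption: the PC is on VLAN 8 and the 'out' ACL sees
# packets routed toward VLAN 8, so the remote client is the source address.
FLOWS = {
    "PPTP client -> PC, RDP": Flow("tcp", "10.10.0.241", "10.70.0.61", 3389),
    "PPTP client -> PC, ping": Flow("icmp", "10.10.0.241", "10.70.0.61"),
    "server -> PC, RDP": Flow("tcp", "10.250.0.3", "10.70.0.61", 3389),
}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("with permit", WITH_PERMIT)):
        for label, flow in FLOWS.items():
            action, hit = evaluate(acl, flow)
            print(f"{name:12} {label:26} {action:6} <- {hit or 'implicit deny'}")
```

Under the original list the RDP flow from 10.10.0.241 falls through every permit (the `eq www` line matches its source but not port 3389) and lands on the `deny ip 10.0.0.0 0.255.255.255 any` ACE, while the ping is caught by the first line and the server's RDP by the 10.250.0.0/24 permit, which lines up with what the poster reported. Once a `permit ip 10.10.0.0 0.0.255.255 any` ACE sits above that deny, the same flow is permitted; if traffic is still blocked after that, the ACL is not where the drop is happening, and the flow's actual source/destination on that interface (or something elsewhere on the path) needs checking.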

Now looks like this:

access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any

Tried to RDP to 10.70.0.61 again and still nothing.

It makes no sense why it is not working with this ACE

access-list 108 permit ip 10.70.0.0 0.0.255.255 any

unless there is something else missing.

__

Edison.

There shouldn't be anything on the Pix that's blocking this should there? I wouldn't think so but just checking.

This is why I was stumped as well. I tried to allow everything possible and still couldn't connect.
