09-17-2009 07:12 AM - edited 03-06-2019 07:45 AM
Have an attorney's office that needs to connect via PPTP to a VPN and then RDP into a desktop to access files.
PPTP setup and working on Pix 515e. Can connect fine. When client then tries to RDP into the machine they cannot connect.
Cisco 3560 switch with VLANs configured is where I think the problem lies, but I can't pinpoint the issue. The Clerk's office is on VLAN8 with the following ACL assigned to it:
access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
When I connect via the PPTP VPN I have an IP address of 10.10.0.241. I added a line to permit any from 10.10.0.0 0.0.255.255 but that didn't allow it either so I removed it.
I have tried every command I can think of to get this to work but nothing has worked.
Any help would be appreciated.
09-17-2009 07:37 AM
Can you post the updated ACL with the new line for 10.10.0.0?
__
Edison.
09-17-2009 08:09 AM
access-list 108 permit icmp any any
access-list 108 permit ip 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
I did IP and TCP just in case but still was unable to connect.
09-17-2009 08:19 AM
Can you ping the intended device? If so, it can be an RDP application issue.
__
Edison.
09-17-2009 08:37 AM
Am able to ping device no problem. Can also RDP to it from server at IP 10.250.0.3.
09-17-2009 08:40 AM
Are you saying you can RDP from the PPTP connection to server 10.250.0.3?
Or you can RDP from server 10.250.0.3 to a workstation?
If so, the situation is a lot different. RDP can be sensitive to latency on the PPTP connection.
__
Edison.
09-17-2009 08:50 AM
I connect to the PPTP connection and can then RDP to the server at 10.250.0.3. From there I can RDP to the PC at 10.70.0.61.
Connected only to the PPTP connection, I cannot RDP to the 10.70.0.61 PC.
09-17-2009 08:56 AM
The ACL on Vlan8 is an inbound or outbound ACL?
If you remove the ACL, are you able to RDP to devices on the Vlan?
__
Edison.
09-17-2009 09:55 AM
Says ip access-group 108 out.
I've not tried removing it for fear I would break something else on their network they are using or needing.
09-17-2009 09:59 AM
Then, your ACE should be
access-list 108 permit ip any 10.10.0.0 0.0.255.255
__
Edison.
09-17-2009 10:05 AM
Does it make a difference where that line goes, as long as it's before the deny statements?
09-17-2009 10:13 AM
This ACE is blocking any connection from 10/8 out of that Vlan.
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
You need to implement, before the ACE above, either
access-list 108 permit ip any 10.10.0.0 0.0.255.255
or
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
as the ACL direction is egress, not ingress.
On ingress, the ACEs you had
access-list 108 permit ip 10.10.0.0 0.0.255.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any
would've worked.
09-17-2009 10:24 AM
Now looks like this:
access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
Tried to RDP to 10.70.0.61 again and still nothing.
09-17-2009 10:49 AM
It makes no sense why it is not working with this ACE
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
unless there is something else missing.
__
Edison.
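An added example, not posted by anyone in the thread: a small first-match evaluator for access-list 108 as last posted, run against both directions of the RDP session so you can see which ACE each packet hits. Which of the two packets the egress ACL on the VLAN8 SVI actually sees depends on which subnet that SVI serves, which the thread does not state; the PPTP client address 10.10.0.241, the PC 10.70.0.61 and the ephemeral reply port are taken from the thread or constructed for the test.

```python
import ipaddress

# Copy of the ACL as posted in the thread (final version).
ACL_108 = """
access-list 108 permit icmp any any
access-list 108 permit tcp host 10.10.0.70 any
access-list 108 permit tcp host 10.10.0.71 any
access-list 108 permit ip 10.70.0.0 0.0.255.255 any
access-list 108 permit ip 10.250.0.0 0.0.0.255 any
access-list 108 permit ip 10.254.0.0 0.0.0.255 any
access-list 108 permit tcp 10.10.0.0 0.0.255.255 any eq www
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
access-list 108 deny ip 172.16.1.0 0.0.0.255 any
access-list 108 deny ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
"""
PORT_NAMES = {"www": 80}

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (addr, netmask) as ints."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(t))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, ~wildcard & 0xFFFFFFFF   # IOS wildcard bits are "don't care" bits

def parse_ace(line):
    rest = line.split()[2:]                # drop the 'access-list 108' prefix
    action, proto = rest.pop(0), rest.pop(0)
    src, dst = parse_addr(rest), parse_addr(rest)
    dport = None
    if rest and rest[0] == "eq":           # only a destination-port 'eq' is handled here
        dport = int(PORT_NAMES.get(rest[1], rest[1]))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching ACE wins, as on IOS. Returns (1-based ACE index, action); 0 is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for i, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if (s & ace["src"][1]) != (ace["src"][0] & ace["src"][1]):
            continue
        if (d & ace["dst"][1]) != (ace["dst"][0] & ace["dst"][1]):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return i, ace["action"]
    return 0, "deny"

ACL = parse_acl(ACL_108)
SYN = evaluate(ACL, "tcp", "10.10.0.241", "10.70.0.61", dport=3389)     # client -> PC
REPLY = evaluate(ACL, "tcp", "10.70.0.61", "10.10.0.241", dport=49152)  # PC -> client (constructed port)
```

The client-to-PC SYN falls through to ACE 10 (deny ip 10.0.0.0/8 any) and is denied, while the PC's reply is permitted by ACE 4, so if the SVI applies this list toward the 10.70.0.0/16 hosts the deny is the culprit, and if it applies it toward the 10.10.0.0/16 side the ACL is not what blocks RDP.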
09-17-2009 11:27 AM
There shouldn't be anything on the Pix that's blocking this should there? I wouldn't think so but just checking.
This is why I was stumped as well. I tried to allow everything possible and still couldn't connect.