VPN traffic to server - cisco newbie

mlungu1969
Level 1

Hi;

Looking for help with getting RDP from a remote site over a Cisco VPN to head office. Limited Cisco knowledge unfortunately, but the last 2 months have been a steep learning curve. My situation is this:

I have managed to configure IPsec tunnels between the remote site and head office and they work great - I can ping and RDP test devices from and to the 192.168.5.0/24 and 192.168.2.0/24 segments. However, the next step is to allow user RDP access - if a user at the remote site (192.168.5.1) types in the address of the terminal server (192.168.1.15), how do I get this traffic down the tunnel, as it seems the current NAT rules for the tunnel at the remote site will prevent this? Since the user will only be running a thin client (RDP) from the site with no web access, I assume I could force all traffic down the tunnel, i.e. no split?


There are also static NATs for SMTP/HTTP etc. which I assume get the traffic through ISA to the various servers? Would something similar need to be done for RDP traffic?

Thanks in advance
Kern

Attached are rough config files and a (hopefully correct) network diagram. The configs are a bit rough as they have been created by SDM with pieces picked up from around the net. I will try to tidy them up as I learn more and things work as planned.

10 Replies

Collin Clark
VIP Alumni

When traffic destined for 192.168.2.x from your remote site hits the router, the router will send the traffic across the tunnel. Your routing table should reflect this (show ip route).

Looking at your NAT statement, the 192.168.5.x network will NOT NAT to 192.168.2.x, which is correct.

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255

The next line will NAT all other traffic from 192.168.5.x (i.e. to the internet); this is also correct.

access-list 105 permit ip 192.168.5.0 0.0.0.255 any

ACL number 110 permits traffic to 192.168.2.x across the tunnel, but only that traffic. This is typically called 'interesting traffic', and that is the traffic sent across the VPN tunnel.

access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.5.0 0.0.0.255 any

If RDP is failing, it's probably because of the MTU on the LAN side. It needs to be decreased because of the VPN overhead. Under Ethernet0 you will need something like this-

ip tcp adjust-mss 1360

Hope that helps.

Hi Colin;

Thanks for the reply - still confused, but after only one month of Cisco usage please understand the basic questions.

I understand the implementation of the NAT rules below - just not sure what would happen to traffic originating from 192.168.5.x and destined for 192.168.1.15 (Terminal Server). Also - since the remote site would foreseeably only use RDP (2X thin client), do I need a split tunnel, as internet browsing is restricted to certain sites over the terminal server? Is the implementation of a "non-split" tunnel just the simple removal of the 105 permit rule?

I can RDP across the tunnel from XP PCs on 192.168.5.x to 192.168.2.x and back. Would this mean fragmentation is not an issue at the moment but would need further tweaking?

>>Looking at your NAT statement, the 192.168.5.x network will NOT nat to 192.168.2.x, which is correct.

>>access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255

>>The next line will NAT all other traffic from 192.168.5.x (ie to the internet), this is also correct.

>>access-list 105 permit ip 192.168.5.0 0.0.0.255 any

Thanks again

Kern

Sorry, I just looked at your configs and not the diagram. Since you have multiple subnets at HQ, each one of them needs to be in the NAT0 access list to prevent NAT and added to the interesting traffic ACL so the router knows to route that traffic over the tunnel. Something like this-

NAT EXAMPLE-

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.250.0 0.0.0.255

The same needs to be done at the HQ router.

access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny   ip 192.168.250.0 0.0.0.255 192.168.5.0 0.0.0.255

There is no need to split tunnel since, as you stated, the users only have thin client access. Better security would be to tunnel all traffic. If RDP is working fine now, you do not need to adjust your MTU. If it ain't broke, don't fix it :-)

Hi Collin;

Made the changes as suggested but still no luck. Read your other post on VPN debugging, which leads to a question:

Do I also need to add the subnets (192.168.1.0) to the crypto ACL as well as the NAT route map?

crypto map cm-cryptomap 110 ipsec-isakmp
set peer 219.88.69.188
set transform-set tr-set-tunnel
match address 110

access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.5.0 0.0.0.255 any log

When I RDP from remote 192.168.5.0 to 192.168.2.0, Wireshark shows all traffic as expected and debug on the router shows the following messages:

no peer struct to get peer description

ce_engine[1] does not accept the capabilities

ce_engine[3] does not accept the capabilities

No idea, and resources are sparse on Google. However, the tunnel stays up and RDP works - maybe differences between IOS versions?

When I try to RDP to 192.168.1.15, not much luck. Debug shows traffic coming through the tunnel with the same errors as above, which is better than no traffic at all I suppose. What I don't understand is what the router should do with the traffic once it arrives. How does it get to the 192.168.1.0/24 network - especially through ISA? Should I be looking at implementing static NAT as indicated by the existing rules for SMTP etc. - but then what address translations do I use?

Thanks

Kern

Yes, it needs to not be NATed and to be on the interesting traffic ACL. Can you post your latest config? I think just the ACLs will be enough.
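To check Collin's two requirements above for every HQ subnet (a deny in the NAT-exempt ACL and a permit in the crypto ACL, evaluated first-match the way IOS does, so ordering mistakes show up too), here is an added example script; it is not from the thread or from Cisco. The sample ACL text and the three HQ subnets are constructed from Collin's example, and the third exempt line deliberately repeats the "0.0.0.0.255" wildcard typo so the parser's malformed-mask reporting is exercised.

```python
import ipaddress
# Constructed sample modelled on the thread's remote-site ACLs (not the poster's attachment).
# The third HQ subnet's exempt line deliberately carries the thread's "0.0.0.0.255" mask typo.
SAMPLE_CONFIG = """\
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny   ip 192.168.5.0 0.0.0.0.255 192.168.250.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.5.0 0.0.0.255 any log
"""
REMOTE_SUBNET = "192.168.5.0/24"
HQ_SUBNETS = ["192.168.2.0/24", "192.168.1.0/24", "192.168.250.0/24"]  # the HQ subnets Collin listed

def parse_addr(tokens):
    """Consume one IOS address spec ('any' or 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    wildcard = ipaddress.IPv4Address(tokens[1])                  # "0.0.0.0.255" raises ValueError
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(wildcard))  # IOS wildcard = inverted netmask
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acls(config_text):
    """Return ({acl_number: [(action, src, dst), ...]}, [malformed lines]) for 'ip' ACL entries."""
    acls, errors = {}, []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue
        try:
            src, rest = parse_addr(t[4:])
            dst, _ = parse_addr(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
        except (ValueError, IndexError):
            errors.append(line.strip())
    return acls, errors

def first_match(entries, src, dst):
    """IOS evaluates an ACL top-down; the first matching entry wins, with an implicit deny at the end."""
    return next((a for a, s, d in entries if src.subnet_of(s) and dst.subnet_of(d)), "deny")

def check_tunnel_acls(acls, nat_acl, crypto_acl, local, remotes):
    """Each remote subnet must hit a 'deny' in the NAT ACL (exempt) and a 'permit' in the crypto ACL."""
    local, findings = ipaddress.ip_network(local), []
    for rnet in map(ipaddress.ip_network, remotes):
        if first_match(acls.get(nat_acl, []), local, rnet) != "deny":
            findings.append(f"{rnet}: not exempted in NAT ACL {nat_acl}, traffic would be translated")
        if first_match(acls.get(crypto_acl, []), local, rnet) != "permit":
            findings.append(f"{rnet}: not permitted in crypto ACL {crypto_acl}, not interesting traffic")
    return findings
```

Run `check_tunnel_acls(*parse_acls(SAMPLE_CONFIG)[:1], "105", "110", REMOTE_SUBNET, HQ_SUBNETS)` against the sample and it reports 192.168.1.0/24 missing from the crypto ACL and 192.168.250.0/24 missing from both, while `parse_acls` returns the mistyped line separately.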

Configs attached. Thanks

Kern-

Can the HQ router access resources on the 192.168.1.x network (i.e. can it ping)? I don't see a route for 192.168.1.0 in its config.

Hi Collin

I assume the ISA 2004 server (192.168.2.2) sitting between 192.168.2.0/24 and 192.168.1.0/24 will have a role to play, but not sure what.

From what I understand, the NAT statements below will translate traffic to an ISA-compatible address and forward it?

I thought I would need to have an additional statement for RDP but was not sure which addresses to use in the translation?

OR - have a routing statement for 192.168.1.0/24?

ip nat inside source static tcp 192.168.2.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.2.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.2 1723 interface Dialer0 1723

Apologies for the convoluted setup - I inherited this site and definitely would have done things differently with regards to the overly complicated setup involving ISA and routers.

Regards

Kern

The ISA server needs to have a route to 192.168.5.0 and the HQ router will need a route to 192.168.1.0.

To add a route in Windows, go to a command prompt and type-

route -p ADD 192.168.5.0 MASK 255.255.255.0 192.168.2.1

To add the route in the HQ router-

ip route 192.168.1.0 255.255.255.0 192.168.2.2

The NAT statements you listed above are so you can access services from the internet and will not be used across the VPN tunnel. All traffic that goes across the tunnel will use real private IPs.

Hi Collin;

A few steps further, but I am now getting spoofed address errors on ISA - I assume that it is due to 192.168.5.0/24 being outside of the internal network etc.

Instead of now having to hang out at an ISA forum, I was wondering if you could comment on my change of direction with regards to the VPN-

A colleague commented that the VPN should terminate on the inside network anyway, and that got me thinking. I only have 1 ADSL connection at head office, which provides internet access for all users and the current test VPN termination. Would I be better off having 2 ADSL connections at head office - 1 for internet access and 1 solely for RDP VPN connections - with the VPN router connected behind the ISA server? I know there are considerable security issues, but would I not then be able to configure the routers with maximum security, i.e. no split tunnels, only IPsec traffic from selected peers etc.?

Regards

Kern
