RDP is connecting in Site-to-Site VPN tunnel

Unanswered Question
Dec 20th, 2006
We have established a Site-to-Site VPN tunnel between a Cisco PIX 525 and the client's Check Point NGX firewall. The tunnel is established and we are able to ping from both sides. When the client's people try to connect using RDP to one of our servers, they fail to connect. We allowed the RDP port (3389) in the PIX firewall. Please suggest how to resolve this problem.


JORGE RODRIGUEZ Wed, 12/20/2006 - 08:03

Issue a low-level debug on your PIX to determine what the issue could be:

debug packet interface src IP dst ip

Ask the source to establish a connection to your server; while doing that, issue:

show log

show debug | inc x.x.x.x (for the source IP)

lbabu_mlr Thu, 12/21/2006 - 03:07

As suggested, I tried the debug while I was pinging the machine at the remote end.

63: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=17958 length=40
64: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=17958 length=40
65: ICMP echo-request from inside:192.168.25.30 to 10.1.20.35 ID=512 seq=6427 length=40
66: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18214 length=40
67: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18214 length=40
68: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18470 length=40
69: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18470 length=40
70: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18726 length=40
71: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18726 length=40

pengfang Thu, 12/21/2006 - 11:10

It looks like communication between your client and server is good; please have your remote site check their outbound rule set.

Simply, they can use the following way to test whether they can reach your server's TCP port 3389:

1. At a DOS prompt, telnet SERVER_IP 3389; they should see a black screen.

2. Use the Microsoft tool "portqry.exe"; see attachment.

If the port is not listening, it is likely that some rule is blocking the port.

If the post helps, please rate. Thanks.

lbabu_mlr Thu, 12/21/2006 - 21:56

Thank you for your response. I spoke with the client's people regarding the outbound rules at their end. When they try to telnet to my box, they are not getting the black screen as you described.

JORGE RODRIGUEZ Fri, 12/22/2006 - 08:20

Could you please do the following:

It is very important to issue this on your PIX while the source, in this case your client, is trying RDP. You know that ICMP works, but that is not the issue; port 3389 is the issue, so you need to capture it to see whether you get a deny or a teardown of the communication between the two hosts on this port.

Issue this several times while the client tries RDP:

show log | inc xxx.xxx.xxx.xxx (client IP)

Please post the results.

Also, if you could, post your access-list syntax from the config.

Your ACL should look something like this:


access-list inside_access_in permit tcp host client-IP host destination-IP eq 3389
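
As an added example (not code from this thread or from Cisco), the triage Jorge describes, and the "check the remote side's outbound rules" case from the earlier reply, as a small Python script over PIX syslog lines: it filters by client IP and port 3389 and classifies ACL denies (106023), built connections (302013) and SYN-timeout teardowns (302014). The log lines are constructed to resemble those PIX messages, using the thread's addresses as sample hosts; the regexes are my assumptions about that format.

```python
import re

# Constructed sample PIX syslog lines (not from the thread): the remote client
# 10.1.20.35 trying TCP/3389 to the inside server 192.168.28.20.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1001 for outside:10.1.20.35/1050 (10.1.20.35/1050) to inside:192.168.28.20/3389 (192.168.28.20/3389)
%PIX-6-302014: Teardown TCP connection 1001 for outside:10.1.20.35/1050 to inside:192.168.28.20/3389 duration 0:00:30 bytes 0 SYN Timeout
%PIX-4-106023: Deny tcp src outside:10.1.20.35/1051 dst inside:192.168.28.20/3389 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:10.1.20.99/2000 dst inside:192.168.28.20/3389 by access-group "outside_access_in"
"""

# Assumed shapes of the 106023 (ACL deny) and 302013/302014 (TCP built/teardown) messages.
DENY_RE = re.compile(
    r'106023: Deny tcp src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)'
    r' by access-group "(?P<acl>[^"]+)"')
CONN_RE = re.compile(
    r'30201[34]: (?P<kind>Built|Teardown) (?:\w+ )?TCP connection \d+'
    r' for \w+:(?P<src>[\d.]+)/\d+(?: \([^)]*\))? to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)'
    r'(?: \([^)]*\))?(?: duration \S+ bytes (?P<bytes>\d+) (?P<reason>.*))?$')

def triage_rdp(log_text, client_ip, server_ip, port=3389):
    """Count what the PIX logged for client->server:port and return a verdict."""
    counts = {"denied": 0, "built": 0, "syn_timeout": 0, "acls": set()}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["src"] == client_ip and m["dst"] == server_ip and int(m["dport"]) == port:
            counts["denied"] += 1          # PIX itself refused the SYN
            counts["acls"].add(m["acl"])
            continue
        m = CONN_RE.search(line)
        if not m or m["src"] != client_ip or m["dst"] != server_ip or int(m["dport"]) != port:
            continue
        if m["kind"] == "Built":
            counts["built"] += 1           # SYN accepted and a connection slot created
        elif m["reason"] and m["reason"].startswith("SYN Timeout"):
            counts["syn_timeout"] += 1     # accepted, but the server never answered
    if counts["denied"]:
        verdict = "ACL deny on the PIX: fix access-group %s" % ", ".join(sorted(counts["acls"]))
    elif counts["syn_timeout"]:
        verdict = "SYN allowed through PIX but server never answered: check server/return path"
    elif counts["built"]:
        verdict = "connection built on PIX: problem is beyond the PIX"
    else:
        verdict = "no port %d traffic from %s seen at PIX: check remote outbound rules" % (port, client_ip)
    counts["acls"] = sorted(counts["acls"])
    counts["verdict"] = verdict
    return counts

if __name__ == "__main__":
    print(triage_rdp(SAMPLE_LOG, "10.1.20.35", "192.168.28.20"))
```

Feed it the output of `show log | inc <client IP>` captured while the client attempts RDP; the fourth verdict is the case where the PIX never sees the SYN at all, which points back at the remote side's outbound rules.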
