RDP is connecting in Site-to-Site VPN tunnel

lbabu_mlr
Level 1

We have established a Site-to-Site VPN tunnel between a Cisco PIX 525 and the client's Check Point NGX firewall. The tunnel is established and we are able to ping from both sides. When the client people try to connect using RDP to one of our servers, they fail to connect. We allowed the RDP port (3389) in the PIX firewall. Please suggest how to resolve this problem.

5 Replies

JORGE RODRIGUEZ
Level 10

Issue a low-level debug on your PIX to determine what could be the issue:

debug packet interface src IP dst ip

Ask the source to establish a connection to your server; while doing that, issue:

show log

show debug | inc x.x.x.x (for the source IP)

Jorge Rodriguez

As suggested, I tried the debug while pinging the machine at the remote end.

63: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=17958 length=40
64: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=17958 length=40
65: ICMP echo-request from inside:192.168.25.30 to 10.1.20.35 ID=512 seq=6427 length=40
66: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18214 length=40
67: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18214 length=40
68: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18470 length=40
69: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18470 length=40
70: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18726 length=40
71: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18726 length=40

It looks like communication between your client and server is good; please let your remote site check their outbound rule set.

Simply, they can use the following way to test if they can reach your server's TCP port 3389:

1. At a DOS prompt, telnet SERVER_IP 3389; they should see a black screen.

2. Use the tool "portquery.exe" from Microsoft; see attachment.

If the port is not listening, presumably some rule blocks the port.

If the post helps, please rate. Thanks.

Thank you for your response. I spoke with the client people regarding the outbound rules at their end. When they try to telnet to my box, they are not getting the black screen as you described.

Could you please conduct the following:

It is very important to issue this on your PIX while the source (in this case your client) is trying RDP. You know that ICMP works, but this is not the issue; port 3389 is the issue, so you need to capture it to see if you get a deny or teardown of communications between the two hosts on this port.

Issue this several times while the client tries RDP:

show log | inc xxx.xxx.xxx.xxx (client IP)

Please post the results.

Also, if you could post your access-list syntax from your config,

your ACL should look something like this:

access-list inside_access_in permit tcp host client-IP host destination-IP eq 3389

Jorge Rodriguez
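As an added example that is not part of the thread, the script below does offline what the "show log | inc client-IP" step above asks for: it keeps only the PIX/ASA syslog lines that involve the client IP and TCP port 3389 and tells an ACL deny apart from a teardown whose reason shows the server never answered. The log lines, connection ids and ACL name are constructed for the example; message IDs 106023 (deny), 302013 (built) and 302014 (teardown) are the standard PIX/ASA ones.

```python
import re

# Constructed sample in PIX/ASA syslog format (not output from the thread).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:10.1.20.35/49321 dst inside:192.168.28.20/3389 by access-group "outside_access_in" [0x0, 0x0]
%PIX-6-302013: Built inbound TCP connection 8812 for outside:10.1.20.35/49322 (10.1.20.35/49322) to inside:192.168.28.20/3389 (192.168.28.20/3389)
%PIX-6-302014: Teardown TCP connection 8812 for outside:10.1.20.35/49322 to inside:192.168.28.20/3389 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 8813 for outside:10.1.20.35/49323 to inside:192.168.28.20/445 duration 0:00:02 bytes 0 TCP Reset-O
"""

# One endpoint looks like "interface:ip/port"; n is the group-name prefix.
ENDPOINT = r"(?P<{n}_if>\w+):(?P<{n}_ip>[\d.]+)/(?P<{n}_port>\d+)"
PATTERNS = {
    "acl_deny": re.compile(r"-4-106023: Deny tcp src " + ENDPOINT.format(n="src") + r" dst "
                           + ENDPOINT.format(n="dst") + r' by access-group "(?P<acl>[^"]+)"'),
    "built": re.compile(r"-6-302013: Built (?:inbound|outbound) TCP connection \d+ for " + ENDPOINT.format(n="src")
                        + r" \([\d./]+\) to " + ENDPOINT.format(n="dst") + r" \([\d./]+\)"),
    "teardown": re.compile(r"-6-302014: Teardown TCP connection \d+ for "
                           + ENDPOINT.format(n="src") + r" to " + ENDPOINT.format(n="dst")
                           + r" duration [\d:]+ bytes (?P<bytes>\d+) (?P<reason>.+)$"),
}

def matching_events(log_text, host_ip, port=3389):
    """Keep deny/built/teardown lines involving host_ip and port (the 'inc' filter, narrowed to one port)."""
    events = []
    for line in log_text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                d = m.groupdict()
                if host_ip in (d["src_ip"], d["dst_ip"]) and str(port) in (d["src_port"], d["dst_port"]):
                    events.append((kind, d))
                break
    return events

def diagnose(events):
    """Map the filtered events to the cause the thread is trying to separate."""
    kinds = [k for k, _ in events]
    if "acl_deny" in kinds:
        acls = sorted({d["acl"] for k, d in events if k == "acl_deny"})
        return "acl_deny: blocked by access-group " + ", ".join(acls)
    reasons = [d["reason"] for k, d in events if k == "teardown"]
    if any(r.startswith("SYN Timeout") for r in reasons):
        return "syn_timeout: firewall passed the SYN but the server never answered"
    if any("Reset" in r for r in reasons):
        return "reset: the server answered but refused or closed the session"
    if "built" in kinds:
        return "established: session built through the firewall, check the RDP service"
    return "no_traffic: nothing for this host/port reached the firewall"
```

Paste the output of "show log | inc <client IP>" in place of SAMPLE_LOG and call diagnose(matching_events(text, "<client IP>")) to get the same verdict for a real capture.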