Community Member

RDP is connecting in Site-to-Site VPN tunnel

We have established a Site-to-Site VPN tunnel between a Cisco PIX 525 and the client's Check Point NGX firewall. The tunnel is established and we are able to ping from both sides. When the client's people try to connect using RDP to one of our servers, they fail to connect. We allowed the RDP port (3389) in the PIX firewall. Please suggest how to resolve this problem.

5 REPLIES

Re: RDP is connecting in Site-to-Site VPN tunnel

Issue a low-level debug on your PIX to determine what the issue could be:

debug packet interface src IP dst ip

Ask the source to establish a connection to your server; while they are doing that, issue:

show log

show debug | inc x.x.x.x (for the source IP)

Community Member

Re: RDP is connecting in Site-to-Site VPN tunnel

As suggested, I tried the debug while pinging the machine at the remote end.

63: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=17958 length=40
64: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=17958 length=40
65: ICMP echo-request from inside:192.168.25.30 to 10.1.20.35 ID=512 seq=6427 length=40
66: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18214 length=40
67: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18214 length=40
68: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18470 length=40
69: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18470 length=40
70: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18726 length=40
71: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18726 length=40
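Added example, not part of the thread: a small Python helper that parses PIX ICMP debug lines in the format posted above and pairs each echo-request with the echo-reply that mirrors it (source and destination swapped, same ID and sequence number), reporting requests that never got a reply. The regex and the embedded sample log (a subset of the lines quoted above) are assumptions; in the sample, the request from 192.168.25.30 is the one left unanswered.

```python
import re

# Pattern for PIX ICMP debug lines: "<n>: ICMP <type> from <iface>:<src> to <dst> ID=<id> seq=<seq> length=<len>"
# (assumed from the lines quoted in the thread)
ICMP_RE = re.compile(
    r"^\s*\d+:\s+ICMP\s+(?P<kind>echo-request|echo-reply)\s+from\s+"
    r"(?P<iface>\w+):(?P<src>[\d.]+)\s+to\s+(?P<dst>[\d.]+)\s+"
    r"ID=(?P<id>\d+)\s+seq=(?P<seq>\d+)\s+length=(?P<length>\d+)\s*$"
)

# Sample input: a subset of the debug output posted in the thread above
SAMPLE_LOG = """\
63: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=17958 length=40
64: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=17958 length=40
65: ICMP echo-request from inside:192.168.25.30 to 10.1.20.35 ID=512 seq=6427 length=40
66: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18214 length=40
67: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18214 length=40
"""


def parse_icmp_lines(text):
    """Return a list of dicts, one per recognised ICMP line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("id", "seq", "length"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def unanswered_echo_requests(text):
    """Return sorted (src, dst, id, seq) tuples of echo-requests with no matching echo-reply."""
    pending = {}
    for rec in parse_icmp_lines(text):
        if rec["kind"] == "echo-request":
            pending[(rec["src"], rec["dst"], rec["id"], rec["seq"])] = rec
        else:
            # A reply's src/dst are the request's dst/src; ID and seq are echoed back unchanged
            pending.pop((rec["dst"], rec["src"], rec["id"], rec["seq"]), None)
    return sorted(pending)


if __name__ == "__main__":
    for src, dst, ident, seq in unanswered_echo_requests(SAMPLE_LOG):
        print(f"no reply: {src} -> {dst} ID={ident} seq={seq}")
```

The same pairing idea applies to the TCP 3389 attempt the later replies ask about: a request (SYN) logged on the inside with no matching return traffic points at the path, not at the server.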

Community Member

Re: RDP is connecting in Site-to-Site VPN tunnel

It looks like communication between your client and server is good; please let your remote site check their outbound rule set.

Simply, they can use the following way to test whether they can reach your server's TCP port 3389:

1. At a DOS prompt, telnet SERVER_IP 3389; they should see a black screen.

2. Use the tool from Microsoft, PortQry.exe; see attachment.

If the port is not listening, it is supposed that some rule blocks the port.

If the post helps, please rate. Thanks.

Community Member

Re: RDP is connecting in Site-to-Site VPN tunnel

Thank you for your response. I spoke with the client's people regarding the outbound rules at their end. When they try to telnet to my box, they are not getting the black screen as you described.

Re: RDP is connecting in Site-to-Site VPN tunnel

Could you please do the following:

It is very important to issue this on your PIX while the source, in this case your client, is trying RDP. You know that ICMP works, but that is not the issue; port 3389 is the issue, so you need to capture it to see whether you get a deny or a teardown of the communication between the two hosts on this port.

Issue this several times while the client tries RDP:

show log | inc xxx.xxx.xxx.xxx (client IP)

Please post the results.

Also, if you could, post your access-list syntax from the config.

Your ACL should look something like this:

access-list inside_access_in permit tcp host client-IP host destination-IP eq 3389
