12-20-2006 01:28 AM - edited 03-11-2019 02:11 AM
We have established a Site-to-Site VPN tunnel between a Cisco PIX 525 and the Client's Check Point NGX firewall. The tunnel is established and we are able to ping from both sides. If the Client people try to connect using RDP to one of our Servers, they fail to connect. We allowed the RDP port (3389) in the PIX firewall. Please suggest how to resolve this problem.
12-20-2006 08:03 AM
Issue a low-level debug on your PIX to determine what the issue could be.
debug packet interface src IP dst ip
Ask the source to establish a connection to your server; while doing that, issue:
show log
show debug | inc x.x.x.x for source ip
12-21-2006 03:07 AM
As suggested, I tried debug while pinging the machine at the remote end.
63: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=17958 length=40
64: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=17958 length=40
65: ICMP echo-request from inside:192.168.25.30 to 10.1.20.35 ID=512 seq=6427 length=40
66: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18214 length=40
67: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18214 length=40
68: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18470 length=40
69: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18470 length=40
70: ICMP echo-request from inside:192.168.28.20 to 10.1.20.35 ID=512 seq=18726 length=40
71: ICMP echo-reply from outside:10.1.20.35 to 192.168.28.20 ID=512 seq=18726 length=40
12-21-2006 11:10 AM
It looks like communication between your client and server is good; please let your remote site check their outbound rule set.
Simply, they can use the following way to test if they can reach your server's TCP port 3389:
1. At a DOS prompt, telnet SERVER_IP 3389; they should see a black screen.
2. Use the tool "PortQry.exe" from Microsoft, see attachment.
If the port is not listening, it's supposed that some rule blocks the port.
If the post helps, please rate, thanks.
12-21-2006 09:56 PM
Thank you for your response. I spoke with the client people regarding the outbound rules at their end. If they try to telnet to my box, they are not getting the black screen as you described.
12-22-2006 08:20 AM
Could you please conduct the following:
This is very important to issue on your PIX while the source, in this case your client, is trying RDP. You know that ICMP works, but this is not the issue; port 3389 is the issue, so you need to capture it to see if you get a deny or teardown of communications between the two hosts on this port.
Issue this several times while the client tries RDP:
show log | inc xxx.xxx.xxx.xxx (client IP)
Please post the results.
Also, if you could, post your access-list syntax from your config;
your ACL should look something like this:
access-list inside_access_in permit tcp host client-IP host destination-IP eq 3389
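The two troubleshooting steps suggested in this thread (the telnet-to-3389 reachability test, and filtering `show log` for the client IP to find a deny or teardown on port 3389) can be combined into a small script that classifies what the PIX log actually says about the RDP attempt. The following is an added example, not code from the thread or from Cisco. It assumes PIX 7.x syslog message formats (106023 for ACL denies, 302013/302014 for connection build/teardown); the log lines themselves are constructed for illustration, reusing the client and server addresses seen in the thread's debug output.

```python
import re
import socket
from collections import Counter

# Constructed sample "show log" output, modelled on PIX 7.x syslog message formats
# (106023 = denied by ACL, 302013 = connection built, 302014 = connection torn down).
# Addresses follow the thread's debug output; the lines themselves are made up.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:10.1.20.35/3311 dst inside:192.168.28.20/3389 by access-group "outside_access_in" [0x0, 0x0]
%PIX-6-302013: Built inbound TCP connection 4711 for outside:10.1.20.35/3312 (10.1.20.35/3312) to inside:192.168.28.20/3389 (192.168.28.20/3389)
%PIX-6-302014: Teardown TCP connection 4711 for outside:10.1.20.35/3312 to inside:192.168.28.20/3389 duration 0:00:30 bytes 0 SYN Timeout
%PIX-6-302013: Built outbound TCP connection 4712 for outside:10.1.20.35/80 (10.1.20.35/80) to inside:192.168.28.20/2048 (192.168.28.20/2048)
%PIX-6-302014: Teardown TCP connection 4712 for outside:10.1.20.35/80 to inside:192.168.28.20/2048 duration 0:00:05 bytes 1432 TCP FINs
"""

# Pulls message id, action, and the first two interface:ip/port pairs (source, then destination).
LINE_RE = re.compile(
    r"%PIX-\d-(?P<msgid>\d{6}): (?P<action>Deny|Built|Teardown) .*?"
    r"(?P<src_if>\w+):(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+).*?"
    r"(?P<dst_if>\w+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict describing one PIX log line, or None if it is not a connection event."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    # For teardowns, keep the reason that follows "bytes N" (e.g. "SYN Timeout", "TCP FINs").
    ev["reason"] = line.rsplit("bytes", 1)[-1].split(maxsplit=1)[-1] if ev["action"] == "Teardown" else ""
    return ev


def filter_events(log_text, client_ip, server_ip, port=3389):
    """Equivalent of 'show log | inc <client IP>', narrowed to the client/server pair and the RDP port."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if {ev["src"], ev["dst"]} != {client_ip, server_ip}:
            continue
        if port not in (ev["sport"], ev["dport"]):
            continue
        events.append(ev)
    return events


def diagnose(events):
    """Map the observed events to the most likely place the RDP attempt is failing."""
    actions = Counter(ev["action"] for ev in events)
    if actions["Deny"]:
        return "denied_by_acl"           # the PIX itself refused the packet: fix the access-list
    if any(ev["reason"] == "SYN Timeout" for ev in events):
        return "no_reply_from_server"    # PIX allowed it, but the server never answered the SYN
    if actions["Built"]:
        return "connection_ok"           # handshake completed; look beyond the PIX
    return "no_traffic_seen"             # client's packets never reached the PIX (blocked upstream)


def tcp_port_open(host, port, timeout=3.0):
    """Programmatic form of 'telnet host 3389': True only if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    rdp_events = filter_events(SAMPLE_LOG, "10.1.20.35", "192.168.28.20")
    for ev in rdp_events:
        print(ev["msgid"], ev["action"], ev["src"], "->", ev["dst"], ev["reason"])
    print("diagnosis:", diagnose(rdp_events))
```

Running it against the constructed sample reports `denied_by_acl`, because the first line is a 106023 deny; a log showing only a Built followed by a Teardown with "SYN Timeout" would instead point past the PIX to the server (host firewall or service not listening), and an empty result after several RDP attempts points back to the remote site's outbound rules, as the thread suggests.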