Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Unable to connect to a remote server via RDP over a VPN tunnel

I am unable to access a windows 2003 server at a remote location. The server does communicate with an interface server on my side just fine. I can ping and trace route to the server with no issues. Everything seems to be ok EXCEPT when I try to RDP to the server. I can statically assign the server inside address to an outside address at the remote location, and I can remote in to the server from the outside address just fine, so that leads me to believe it is something on my VPN config.

When I try to access the server from here, I get this from the PIX:

02106: Rec'd packet not an IPSEC packet.

I have a 1721 router with DSL at the remote location with the following crypto config and ACL for the VPN traffic. The 172.25.*.* is the remote location LAN, the 198.*.*.* and 10.*.*.*being subnets on my local LAN:

crypto isakmp policy 1

authentication pre-share

crypto isakmp key ******** address <DEST ADDRESS>

crypto ipsec transform-set ***-transform esp-des esp-sha-hmac

!

crypto map ****_map 10 ipsec-isakmp

set peer <address>

set transform-set ***-transform

match address 101

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 10.*.*.*

access-list 101 permit ip 172.25.*.* 0.0.0.255 host 10.*.*.*

This is the config on the PIX (515 w/6.3):

access-list acl-or**** permit ip host citrix-main 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host WHC**** 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host opera-app-main 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host opera-app3 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host opera-training 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host oxihub1 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host old-gds2 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host ads 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host opera-termsrv-main 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host 198.*.*.* 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host AngWaldr 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host Intranet 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host GroupWise 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host ErikPC 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host win-dns1 172.25.*.* 255.255.255.0

access-list acl-or**** permit ip host win-dns2 172.25.*.* 255.255.255.0

crypto map whcmap 944 ipsec-isakmp

crypto map whcmap 944 match address acl-or****

crypto map whcmap 944 set peer rtr-or****

crypto map whcmap 944 set transform-set md5set shaset

crypto ipsec transform-set md5set esp-des esp-md5-hmac

crypto ipsec transform-set shaset esp-des esp-sha-hmac

As I said, all other communication is normal, excecpt for using remote desktop to get to the server on the other side.

Any help would be greatly appreciated ! Thanks!

3 REPLIES

Re: Unable to connect to a remote server via RDP over a VPN tunn

Erik, lets see if we could decode the error message

http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1055791

RDP packet is been intercepted but it is not encasulated in the tunnel thus droping it.

Things that come in mind would be the IPsec rules at the peer end allowing RDP, the other end have to allow port 3389 as well as the source or nated IP you are tring the rdp from to be part of this particular tunnel policy.

New Member

Re: Unable to connect to a remote server via RDP over a VPN tunn

I have made several changes to my access lists allowing specific RDP traffic going both ways with no luck.

New Member

Re: Unable to connect to a remote server via RDP over a VPN tunn

I would start by making your ACL's mirror each other for the IPSec communication to function correctly. Also if its only a specific protocol/port you are having with across the VPN tunnel verify you are seeing packets encrypted and decrypted correctly. Turn up some debugs as well and see where its breaking. From my experience your output given is usually associated with the tunnel seeing the traffic as interesting outbound and the return traffic is not encrypted since the other side does not deem it interesting.

440
Views
0
Helpful
3
Replies