Unable to connect to a remote server via RDP over a VPN tunnel

erik.doss (Level 1)

I am unable to access a Windows 2003 server at a remote location. The server does communicate with an interface server on my side just fine. I can ping and traceroute to the server with no issues. Everything seems to be OK EXCEPT when I try to RDP to the server. I can statically assign the server's inside address to an outside address at the remote location, and I can remote into the server from the outside address just fine, so that leads me to believe it is something in my VPN config.

When I try to access the server from here, I get this from the PIX:

02106: Rec'd packet not an IPSEC packet.

I have a 1721 router with DSL at the remote location with the following crypto config and ACL for the VPN traffic. The 172.25.*.* network is the remote location LAN; the 198.*.*.* and 10.*.*.* addresses are subnets on my local LAN:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ******** address <DEST ADDRESS>
crypto ipsec transform-set ***-transform esp-des esp-sha-hmac
!
crypto map ****_map 10 ipsec-isakmp
 set peer <address>
 set transform-set ***-transform
 match address 101
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 198.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 10.*.*.*
access-list 101 permit ip 172.25.*.* 0.0.0.255 host 10.*.*.*

This is the config on the PIX (515 w/6.3):

access-list acl-or**** permit ip host citrix-main 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host WHC**** 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host opera-app-main 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host opera-app3 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host opera-training 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host oxihub1 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host old-gds2 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host ads 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host opera-termsrv-main 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host 198.*.*.* 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host AngWaldr 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host Intranet 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host GroupWise 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host ErikPC 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host win-dns1 172.25.*.* 255.255.255.0
access-list acl-or**** permit ip host win-dns2 172.25.*.* 255.255.255.0
crypto map whcmap 944 ipsec-isakmp
crypto map whcmap 944 match address acl-or****
crypto map whcmap 944 set peer rtr-or****
crypto map whcmap 944 set transform-set md5set shaset
crypto ipsec transform-set md5set esp-des esp-md5-hmac
crypto ipsec transform-set shaset esp-des esp-sha-hmac

As I said, all other communication is normal, except for using Remote Desktop to get to the server on the other side.

Any help would be greatly appreciated! Thanks!

3 Replies

JORGE RODRIGUEZ (Level 10)

Erik, let's see if we can decode the error message:

http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1055791

The RDP packet is being intercepted, but it is not encapsulated in the tunnel, so it is dropped.

Things that come to mind would be the IPsec rules at the peer end allowing RDP: the other end has to allow port 3389, and the source or NATed IP you are trying to RDP from has to be part of this particular tunnel policy.

Jorge Rodriguez

I have made several changes to my access lists allowing specific RDP traffic going both ways with no luck.

I would start by making your ACLs mirror each other for the IPsec communication to function correctly. Also, if it's only a specific protocol/port you are having trouble with across the VPN tunnel, verify you are seeing packets encrypted and decrypted correctly. Turn up some debugs as well and see where it's breaking. From my experience, the output you gave is usually associated with the tunnel seeing the traffic as interesting outbound while the return traffic is not encrypted, since the other side does not deem it interesting.
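A mirror check for the two crypto ACLs, as an added example that is not from the thread or from Cisco: it parses IOS wildcard-mask entries and PIX 6.3 subnet-mask entries into (src, dst) networks and lists the entries on each side whose src/dst mirror is missing on the other, which is exactly the "interesting outbound, not interesting on return" condition described above. The addresses are constructed stand-ins for the masked ones in the thread.

```python
import ipaddress
import re

# Constructed sample configs (the thread masks the real addresses): the 1721
# side uses IOS wildcard masks, the PIX 6.3 side uses subnet masks, and each
# entry on one side should be the src/dst mirror of an entry on the other.
# The PIX list below deliberately lacks the mirror of the 10.9.8.7 entry.
IOS_ACL = """
access-list 101 permit ip 172.25.1.0 0.0.0.255 host 198.51.100.10
access-list 101 permit ip 172.25.1.0 0.0.0.255 host 198.51.100.11
access-list 101 permit ip 172.25.1.0 0.0.0.255 host 10.9.8.7
"""
PIX_ACL = """
access-list acl-or permit ip host 198.51.100.10 172.25.1.0 255.255.255.0
access-list acl-or permit ip host 198.51.100.11 172.25.1.0 255.255.255.0
"""

def _net(tokens, wildcard):
    """Consume one address spec ('host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:  # IOS wildcard bits: 0 = must match, so invert to a netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_acl(text, wildcard):
    """Set of (src_network, dst_network) pairs for every 'permit ip' entry."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(r"access-list\s+\S+\s+permit\s+ip\s+(.*)", line.strip())
        if not m:
            continue
        src, rest = _net(m.group(1).split(), wildcard)
        dst, _ = _net(rest, wildcard)
        pairs.add((src, dst))
    return pairs

def mirror_gaps(ios_text, pix_text):
    """Entries on each side whose mirror (dst, src) is missing on the other."""
    ios = parse_acl(ios_text, wildcard=True)
    pix = parse_acl(pix_text, wildcard=False)
    missing_on_pix = sorted(f"{s} -> {d}" for s, d in ios if (d, s) not in pix)
    missing_on_ios = sorted(f"{s} -> {d}" for s, d in pix if (d, s) not in ios)
    return missing_on_pix, missing_on_ios

if __name__ == "__main__":
    on_pix, on_ios = mirror_gaps(IOS_ACL, PIX_ACL)
    print("Router entries with no mirror on the PIX:", on_pix)
    print("PIX entries with no mirror on the router:", on_ios)
```

Traffic matching a router entry that has no PIX mirror is encrypted on the way out, but the PIX sends the reply in the clear, which the router then logs as a non-IPsec packet.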
