RDP Access

sonitadmin
Level 1

I have a client who has a Cisco Pix 506 and a Catalyst 3560 switch. They have multiple VLANs configured on the switch and everything seems to be working great internally.

They are trying to allow the local prosecutor's office to VPN into their system and look at files. We have PPTP setup for the prosecutor to VPN in and that part works well.

Once the prosecutor's office is connected, though, they cannot connect via RDP to any available machines in the Clerk of Courts office. They can, however, RDP to servers on a different VLAN.

Is this a problem with an access-list on the switch or on the Pix? I'm assuming the switch but want to make sure.

Any help with this would be appreciated.

5 Replies

Peter Paluch
Cisco Employee

Hi Steven,

Without knowing more about existing ACLs on the PIX and the 3560, it's quite hard to tell what the problem could be.

The only thing I can recommend now is to simply follow the path from the client PC to the machine with the RDP, and verify the security settings on each network device whether it allows

1.) TCP connections from the client to the RDP machine with the destination port 3389

2.) TCP replies in the opposite direction

Also - just in case - it would be beneficial to check if the RDP machine actually allows RDP connections in its firewall or settings. Also, does it have a route back to the client?

Best regards,

Peter

I'm not 100% sure where the problem lies. The PPTP connection connects to 10.10.0.0 network on VLAN10. The RDP machine is on 10.70.0.0 network on VLAN8.

The access-list for VLAN 108 shows the following:

5 permit tcp any any eq 3389 log (1 match)
10 permit icmp any any (82 matches)
20 permit tcp host 10.10.0.70 any
30 permit tcp host 10.10.0.71 any
40 permit ip 10.70.0.0 0.0.255.255 any
50 permit ip 10.250.0.0 0.0.0.255 any (19 matches
60 permit ip 10.254.0.0 0.0.0.255 any
70 permit tcp 10.10.0.0 0.0.255.255 any eq www
90 deny ip 172.16.1.0 0.0.0.255 any
100 deny ip 10.0.0.0 0.255.255.255 any (53 matche
110 permit ip any any (4 matches)

I would think that the first line would permit the traffic.

Hello,

Some traffic was permitted alright. Is also the corresponding return traffic permitted? Is it possible to use a packet sniffer in the destination network to see if at least the TCP SYN packets arrive from the client?

Best regards,

Peter

Peter,

Thanks for the reply. Would the ACL for the return traffic be on the VLAN that the 10.10.0.0 network is on and what would that rule look like?

Thanks!

Hi Steven,

Can you please tell me where exactly the ACL for VLAN 108 is placed and in what direction?

The ACL entry for the opposite direction would look something like

access-list N permit tcp any eq 3389 any

Replace the 'any' with proper networks.

Also note that the PIX has security levels on its interfaces. By default, traffic from higher security-level interfaces can flow to lower security-level interface but not vice versa. Therefore, even if no ACLs are used on the PIX, it might be actually necessary to add some.

Best regards,

Peter
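Peter's two-direction check can be rehearsed offline. The Python below is an added example, not code from the thread or from Cisco: it parses the VLAN 108 ACL as posted together with Peter's suggested return-direction entry, then evaluates the RDP SYN and its reply against each, showing why the forward entry alone never covers replies. The sample hosts, the /16 masks for 10.10.0.0 and 10.70.0.0, and the networks substituted into the return entry are assumptions.

```python
import ipaddress
from collections import namedtuple
# Constructed sample: the VLAN 108 ACL as posted (match counters dropped) plus Peter's
# return-direction entry with 'any' replaced by the thread's networks (assumed /16s).
VLAN108_ACL = """5 permit tcp any any eq 3389
10 permit icmp any any
20 permit tcp host 10.10.0.70 any
30 permit tcp host 10.10.0.71 any
40 permit ip 10.70.0.0 0.0.255.255 any
50 permit ip 10.250.0.0 0.0.0.255 any
60 permit ip 10.254.0.0 0.0.0.255 any
70 permit tcp 10.10.0.0 0.0.255.255 any eq www
90 deny ip 172.16.1.0 0.0.0.255 any
100 deny ip 10.0.0.0 0.255.255.255 any
110 permit ip any any"""
RETURN_ACL = "10 permit tcp 10.70.0.0 0.0.255.255 eq 3389 10.10.0.0 0.0.255.255"
Ace = namedtuple("Ace", "seq action proto src sport dst dport")

def _endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1]), tok[2:]
    else:  # IOS wildcard mask: ipaddress accepts it as a hostmask
        net, tok = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    if tok and tok[0] == "eq":  # port number or the IOS name 'www'
        return net, (80 if tok[1] == "www" else int(tok[1])), tok[2:]
    return net, None, tok
def parse_ace(line):
    """Parse one 'SEQ permit|deny PROTO SRC [eq P] DST [eq P]' line of show access-lists."""
    tok = line.split()
    src, sport, rest = _endpoint(tok[3:])
    dst, dport, _ = _endpoint(rest)
    return Ace(int(tok[0]), tok[1], tok[2], src, sport, dst, dport)
def evaluate(acl, proto, src, sport, dst, dport):
    """First-match lookup as IOS does it; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = next((a for a in acl if a.proto in ("ip", proto) and s in a.src and d in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)), None)
    return (hit.action, hit.seq) if hit else ("deny", None)

def rdp_path_check(client="10.10.0.50", server="10.70.0.5", cport=51000):
    """Check a SYN and its reply against the ACL facing each direction (sample hosts)."""
    fwd = [parse_ace(line) for line in VLAN108_ACL.splitlines()]
    ret = [parse_ace(RETURN_ACL)]
    return {"syn_on_vlan108": evaluate(fwd, "tcp", client, cport, server, 3389),
            "reply_on_return_acl": evaluate(ret, "tcp", server, 3389, client, cport),
            # entry 5 alone never matches the reply: its 'eq 3389' is the destination port
            "reply_vs_entry5_only": evaluate(fwd[:1], "tcp", server, 3389, client, cport)}
```

Run `rdp_path_check()` to see which entry each packet hits; the same evaluator can be pointed at any other ACL copied from the switch to walk the path hop by hop as Peter describes.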
