07-30-2009 03:12 AM - edited 03-06-2019 07:01 AM
I have a client who has a Cisco Pix 506 and a Catalyst 3560 switch. They have multiple VLANs configured on the switch and everything seems to be working great internally.
They are trying to allow the local prosecutor's office to VPN into their system and look at files. We have PPTP setup for the prosecutor to VPN in and that part works well.
Once the prosecutor's office is connected though they cannot connect via RDP to any available machines in the Clerk of Courts office. They can however, RDP to servers on a different VLAN.
Is this a problem with an access-list on the switch or on the Pix? I'm assuming the switch but want to make sure.
Any help with this would be appreciated.
07-30-2009 11:09 AM
Hi Steven,
Without knowing more about existing ACLs on the PIX and the 3560, it's quite hard to tell what the problem could be.
The only thing I can recommend now is to simply follow the path from the client PC to the machine with the RDP, and verify the security settings on each network device whether it allows
1.) TCP connections from the client to the RDP machine with the destination port 3389
2.) TCP replies in the opposite direction
Also - just in case - it would be beneficial to check if the RDP machine actually allows RDP connections in its firewall or settings. Also, does it have a route back to the client?
Best regards,
Peter
07-30-2009 12:18 PM
I'm not 100% sure where the problem lies. The PPTP connection connects to the 10.10.0.0 network on VLAN10. The RDP machine is on the 10.70.0.0 network on VLAN8.
The access-list for VLAN 108 shows the following:
5 permit tcp any any eq 3389 log (1 match)
10 permit icmp any any (82 matches)
20 permit tcp host 10.10.0.70 any
30 permit tcp host 10.10.0.71 any
40 permit ip 10.70.0.0 0.0.255.255 any
50 permit ip 10.250.0.0 0.0.0.255 any (19 matches)
60 permit ip 10.254.0.0 0.0.0.255 any
70 permit tcp 10.10.0.0 0.0.255.255 any eq www
90 deny ip 172.16.1.0 0.0.0.255 any
100 deny ip 10.0.0.0 0.255.255.255 any (53 matches)
110 permit ip any any (4 matches)
I would think that the first line would permit the traffic.
07-30-2009 12:31 PM
Hello,
Some traffic was permitted alright. Is also the corresponding return traffic permitted? Is it possible to use a packet sniffer in the destination network to see if at least the TCP SYN packets arrive from the client?
Best regards,
Peter
07-30-2009 03:52 PM
Peter,
Thanks for the reply. Would the ACL for the return traffic be on the VLAN that the 10.10.0.0 network is on and what would that rule look like?
Thanks!
07-31-2009 12:16 AM
Hi Steven,
Can you please tell me where exactly the ACL for VLAN 108 is placed and in what direction?
The ACL entry for the opposite direction would look something like
access-list N permit tcp any eq 3389 any
Replace the 'any' with proper networks.
Also note that the PIX has security levels on its interfaces. By default, traffic from a higher security-level interface can flow to a lower security-level interface but not vice versa. Therefore, even if no ACLs are used on the PIX, it might actually be necessary to add some.
Best regards,
Peter
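To make Peter's point about return traffic concrete, here is an added example (not part of the thread and not Cisco's code): a small Python evaluator for the extended ACL Steven posted, with Cisco wildcard-mask and first-match semantics. It walks the forward RDP SYN and the reply SYN/ACK through the ACL, then through a constructed what-if ACL that lacks entry 40, with and without Peter's suggested `permit tcp any eq 3389 any` entry. The client address 10.10.0.50 and RDP host 10.70.0.10 are assumptions.

```python
import ipaddress
# The VLAN 108 ACL quoted in the thread (hit counters dropped); constructed input for this example
ACL_TEXT = """5 permit tcp any any eq 3389
10 permit icmp any any
20 permit tcp host 10.10.0.70 any
30 permit tcp host 10.10.0.71 any
40 permit ip 10.70.0.0 0.0.255.255 any
50 permit ip 10.250.0.0 0.0.0.255 any
60 permit ip 10.254.0.0 0.0.0.255 any
70 permit tcp 10.10.0.0 0.0.255.255 any eq www
90 deny ip 172.16.1.0 0.0.0.255 any
100 deny ip 10.0.0.0 0.255.255.255 any
110 permit ip any any"""
PORT_NAMES = {"www": 80}
_ip = lambda s: int(ipaddress.IPv4Address(s))

def _endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT' -> (net, wildcard, port)."""
    t = tok.pop(0)
    net, wc = (0, 0xFFFFFFFF) if t == "any" else (_ip(tok.pop(0)), 0) if t == "host" else (_ip(t), _ip(tok.pop(0)))
    port = (PORT_NAMES.get(tok[1]) or int(tok[1])) if tok and tok[0] == "eq" else None
    if port is not None:
        del tok[:2]
    return net, wc, port

def parse_acl(text):
    """Parse extended-ACL lines as printed by 'show access-lists' into (seq, action, proto, src, dst)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]
        aces.append((seq, action, proto, _endpoint(rest), _endpoint(rest)))  # source is consumed first, then destination
    return aces
def _match(addr, port, ep):
    net, wc, eport = ep  # a 1 bit in the wildcard mask means "don't care"
    return (_ip(addr) & ~wc) == (net & ~wc) and (eport is None or eport == port)
def evaluate(aces, proto, src, sport, dst, dport):
    """Top-down first match, ending in the implicit deny; returns (sequence, action)."""
    for seq, action, aproto, asrc, adst in aces:
        if aproto in ("ip", proto) and _match(src, sport, asrc) and _match(dst, dport, adst):
            return seq, action
    return None, "deny"

ACL = parse_acl(ACL_TEXT)
CLIENT, RDP = "10.10.0.50", "10.70.0.10"  # assumed PPTP client and RDP host addresses
FORWARD = evaluate(ACL, "tcp", CLIENT, 49152, RDP, 3389)      # entry 5 permits the SYN
RETURN_SAME = evaluate(ACL, "tcp", RDP, 3389, CLIENT, 49152)  # entry 40 permits the SYN/ACK
# Constructed what-if: a reply-path ACL lacking the 10.70 permit drops the SYN/ACK at entry 100,
# and Peter's suggested entry (port qualifier on the source side) restores it.
NO_40 = [a for a in ACL if a[0] != 40]
RETURN_DROPPED = evaluate(NO_40, "tcp", RDP, 3389, CLIENT, 49152)
RETURN_FIXED = evaluate(parse_acl("5 permit tcp any eq 3389 any") + NO_40, "tcp", RDP, 3389, CLIENT, 49152)
```

Run it against the real ACL from the other VLAN (and in the direction it is actually applied) to see which entry the reply hits; the deny at entry 100 covers the whole 10.0.0.0/8, so any reply from a 10.x host not explicitly permitted above it is dropped there.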