Cannot remote desktop to machines on different subnet behind PIX firewalls

I am trying to set up the ability to provide support for our branch offices using Remote Desktop. I can use Remote Desktop within our building to provide support, but when I attempt to use Remote Desktop to our branch offices, which are on a different subnet and behind PIX firewalls, it does not work. Do I need to explicitly open access for Remote Desktop?
valiconAsked:
QBRadCommented:
Yes, you need to open port 3389.

http://support.microsoft.com/kb/187628
0

russell124Commented:
Do you have a VPN client or tunnel set up between you and the remote site?
0
valiconAuthor Commented:
Yes I have a VPN up between HQ and each branch office.
0
from_expCommented:
First of all, you should check that the ACLs allow TCP port 3389 between the offices.
You should also check the Windows Firewall on the remote PC; Remote Desktop is usually blocked there as well.
0
batry_boyCommented:
If your VPN tunnel allows all IP traffic and the routing is set up properly, then you should already be able to use RDP to the remote site.  Post your main site and remote site PIX configs (sanitized, of course) and we can take a look at what the problem could be.  You should probably list the source IP and destination IP of the RDP traffic for troubleshooting.
0
valiconAuthor Commented:
Sorry for the delay. Here are the PIX configurations.


HQ PIX

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname fw-bs
domain-name xxxxxxxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2050
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2050
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 50
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 500
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2052
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2053
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2052
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2053
access-list permit-in permit udp any host x.x.x.x eq 5008
access-list permit-in permit tcp any host x.x.x.x eq www
access-list encrypt-cp permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.36.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.38.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.39.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.40.0 255.255.255.0
access-list encrypt-boa permit ip any 172.16.36.0 255.255.255.0
access-list encrypt-sv permit ip any 172.16.38.0 255.255.255.0
access-list encrypt-ss permit ip any 172.16.39.0 255.255.255.0
access-list encrypt-bam permit ip any 172.16.40.0 255.255.255.0
pager lines 24
logging timestamp
logging trap debugging
logging host inside 10.10.10.1
logging host inside 192.168.5.215
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 172.16.33.254 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 192.168.5.15 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.5.27 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.5.35 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route inside 0.0.0.0 0.0.0.0 172.16.33.253 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.35.0 255.255.255.0 x.x.x.x 1
route outside 172.16.36.0 255.255.255.0 x.x.x.x 1
route outside 172.16.38.0 255.255.255.0 x.x.x.x 1
route outside 172.16.39.0 255.255.255.0 x.x.x.x 1
route outside 172.16.40.0 255.255.255.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 172.16.33.253 1
route inside 192.168.5.0 255.255.255.0 172.16.33.253 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ch-strong esp-3des esp-sha-hmac
crypto map ch-vpn 10 ipsec-isakmp
crypto map ch-vpn 10 match address encrypt-cop
crypto map ch-vpn 10 set peer x.x.x.x
crypto map ch-vpn 10 set transform-set ch-strong
crypto map ch-vpn 20 ipsec-isakmp
crypto map ch-vpn 20 match address encrypt-boa
crypto map ch-vpn 20 set peer x.x.x.x
crypto map ch-vpn 20 set transform-set ch-strong
crypto map ch-vpn 30 ipsec-isakmp
crypto map ch-vpn 30 match address encrypt-sv
crypto map ch-vpn 30 set peer x.x.x.x
crypto map ch-vpn 30 set transform-set ch-strong
crypto map ch-vpn 40 ipsec-isakmp
crypto map ch-vpn 40 match address encrypt-ss
crypto map ch-vpn 40 set peer x.x.x.x
crypto map ch-vpn 40 set transform-set ch-strong
crypto map ch-vpn 50 ipsec-isakmp
crypto map ch-vpn 50 match address encrypt-bam
crypto map ch-vpn 50 set peer x.x.x.x
crypto map ch-vpn 50 set transform-set ch-strong
crypto map chd-vpn interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.5.0 255.255.255.0 inside
telnet 172.16.33.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80



Branch office PIX

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname m100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit icmp any any echo
access-list encrypt permit ip 172.16.40.0 255.255.255.0 any
access-list no-encrypt permit ip 172.16.40.0 255.255.255.0 any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 172.16.40.2
logging host inside 172.16.40.1
mtu outside 1500
mtu inside 1500
ip address outside 192.168.50.1 255.255.255.0
ip address inside 172.16.40.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.50.254 1
route outside 172.16.33.0 255.255.255.0 x.x.x.x 1
route outside 192.168.5.0 255.255.255.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ch-strong esp-3des esp-sha-hmac
crypto map ch-vpn 10 ipsec-isakmp
crypto map ch-vpn 10 match address encrypt
crypto map ch-vpn 10 set peer x.x.x.x
crypto map ch-vpn 10 set transform-set ch-strong
crypto map ch-vpn interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.40.1-172.16.40.10 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
0
batry_boyCommented:
You have quite a few static routes in your HQ PIX that need to be modified.  Frankly, I'm not sure how some of your VPN tunnels are passing traffic properly as it is currently configured.  However, I may not have a clear picture of your overall topology.

Since you posted the Branch PIX configuration of the 172.16.40.0/24 subnet, the comments below pertain to troubleshooting this particular remote subnet only.

I would remove the following routes on the HQ PIX:

route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.40.0 255.255.255.0 x.x.x.x 1

The first route above is directing all 172.16.x.x traffic to an inside router at 172.16.33.253.  Since the 172.16.40.0/24 subnet falls into this range, the PIX will try to route that traffic back inside instead of letting it go down the tunnel.

Also, I notice that the firewall's default route is set for the inside interface.  This is a very non-standard configuration.  Is this correct?  In other words, when a packet is sent to the PIX for a certain destination IP address and the destination IP address isn't on one of the firewall's directly connected interfaces, do you really want the firewall to forward this packet to the inside router at 172.16.33.253?  If this is correct, you may want to post a network diagram so that it will be easier to troubleshoot this issue by understanding your network topology a little better.

For now, see if removing those two routes above helps in sending traffic to the 172.16.40.0/24 subnet from HQ.
0
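The route-removal advice above hinges on which interface the HQ PIX picks for a packet bound for the branch, because the crypto map is bound to the outside interface and only traffic routed out that interface can match the encrypt ACL. The following is an added example, not code from the thread: it resolves a destination against the relevant static routes copied from the posted HQ config using longest-prefix match, and reports whether the outside crypto map could see the packet; the branch peer stays as the poster's x.x.x.x redaction.

```python
import ipaddress

# Static routes relevant to the branch subnet, copied from the HQ PIX config
# posted in this thread (x.x.x.x is the poster's own redaction of the peer).
HQ_ROUTES = """
route inside 0.0.0.0 0.0.0.0 172.16.33.253 1
route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.40.0 255.255.255.0 x.x.x.x 1
route inside 192.168.5.0 255.255.255.0 172.16.33.253 1
"""

# Destination side of 'access-list encrypt-bam', used by crypto map ch-vpn 50.
# The crypto map is applied to the outside interface only.
HQ_CRYPTO_ACL = ipaddress.ip_network("172.16.40.0/24")


def parse_routes(text):
    """Turn 'route <iface> <net> <mask> <gw> <metric>' lines into tuples."""
    routes = []
    for line in text.strip().splitlines():
        _, iface, net, mask, gw, *_ = line.split()
        routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the static routes, as the PIX does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, gw)
    return best


def will_encrypt(routes, dst):
    """True only if dst egresses 'outside' AND falls inside the crypto ACL."""
    hit = lookup(routes, dst)
    return (hit is not None and hit[0] == "outside"
            and ipaddress.ip_address(dst) in HQ_CRYPTO_ACL)


def without(routes, *drop):
    """Return the route table with the routes for the given prefixes removed."""
    drop_nets = {ipaddress.ip_network(d) for d in drop}
    return [r for r in routes if r[1] not in drop_nets]


if __name__ == "__main__":
    table = parse_routes(HQ_ROUTES)
    for label, t in (("as posted", table),
                     ("both routes removed", without(table, "172.16.0.0/16",
                                                     "172.16.40.0/24"))):
        print(label, lookup(t, "172.16.40.5"), will_encrypt(t, "172.16.40.5"))
```

Compare the two results before committing the change: once both routes are gone, only the inside default route is left to cover 172.16.40.0/24, so the packet never reaches the outside interface where the crypto map lives.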
valiconAuthor Commented:
I can remote desktop from the branch office to HQ but not vice versa.
0
batry_boyCommented:
Can you perform any network connectivity test when initiated from the HQ network to the branch network?  Can you ping any 172.16.40.x address from any 172.16.33.x address?
0
valiconAuthor Commented:
I don't have a diagram that I can post right now, but the 172.16.33.x is between a switch and a pix.  So it looks like this:

 HQ                                                                                Branch Office
Switch --------PIX---------Router---------Internet----------Router-------PIX

I can ping from one pix to the other and from any workstation in HQ.

<<Also, I notice that the firewall's default route is set for the inside interface.  This is a very non-standard configuration>>

What would be an example of a standard configuration?  Thanks
0
batry_boyCommented:
A standard configuration would have a default route that pointed to the outside interface, not to the inside interface.  I don't think I've ever seen a default route on the inside interface before.  Doesn't mean it's wrong, just non-standard.  :)

Usually, you see:

route outside 0.0.0.0 0.0.0.0 <gateway_ip>

where <gateway_ip> is your edge router or the ISP's edge router.

Can you give an example source/destination pair where the RDP connection doesn't work?
0
valiconAuthor Commented:
Anything in HQ cannot remote desktop to the branch office. But if you are in the branch office you can remote desktop to HQ. It looks like it's being blocked somewhere.
0
batry_boyCommented:
I believe your subnet mask is wrong on the branch ASA...it is currently set to 255.255.0.0...shouldn't it be 255.255.255.0?

Also, have you removed the routes that I mentioned in my previous post?  I think you have quite a lot of routes that should be removed, but we're focused on getting the 172.16.40.0/24 traffic working first, so just remove the ones I mentioned in my previous post for troubleshooting:

no route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
no route outside 172.16.40.0 255.255.255.0 x.x.x.x 1

Also, you never really addressed the following statements I made in a previous post (unless I missed something which is very likely):

Also, I notice that the firewall's default route is set for the inside interface.  This is a very non-standard configuration.  Is this correct?  In other words, when a packet is sent to the PIX for a certain destination IP address and the destination IP address isn't on one of the firewall's directly connected interfaces, do you really want the firewall to forward this packet to the inside router at 172.16.33.253?  If this is correct, you may want to post a network diagram so that it will be easier to troubleshoot this issue by understanding your network topology a little better.


0
valiconAuthor Commented:
<< Also, you never really addressed the following statements I made in a previous post (unless I missed something which is very likely):

Also, I notice that the firewall's default route is set for the inside interface.  This is a very non-standard configuration.  Is this correct?  In other words, when a packet is sent to the PIX for a certain destination IP address and the destination IP address isn't on one of the firewall's directly connected interfaces, do you really want the firewall to forward this packet to the inside router at 172.16.33.253?  If this is correct, you may want to post a network diagram so that it will be easier to troubleshoot this issue by understanding your network topology a little better. >>

Sorry!  We have numerous routes to the web, most are proxied, the default route is correct. That is why the packets get sent to the .33.353 interface. I don't have a diagram that I could post currently.  I did remove the routes that you suggested but I still have the same issue.


0
batry_boyCommented:
Yes, if you have a diagram, please post a sanitized version and let's have a look.
0
valiconAuthor Commented:
Best I could do on a diagram is this:

HQ                                                                                Branch Office
Switch --------PIX---------Router---------Internet----------Router-------PIX
     |
     |
     |
     |
    V
Proxy Server for all outside traffic except pixs
0
batry_boyCommented:
This diagram does not show a complete picture of your network if you have "numerous routes to the web".  Until I get a better overall picture of your topology, I don't think I can troubleshoot further.

This should really be a very straightforward thing to allow RDP across a VPN tunnel.  But with the various static routes in your PIX pointing to various gateways, there's no telling what path your packets are taking to reach the branch office.  I still think the issue goes back to all of the static routes you currently have configured in the firewall.
0
valiconAuthor Commented:
There are only two routes to the web as indicated above. I don't have a diagram that I can post, unfortunately. What if I open a port for 3389 on the branch PIX?
0