Cannot remote desktop to machines on different subnet behind PIX firewalls
I am trying to setup the ability to provide support for our branch offices using remote desktop. I can use remote desktop within our building to provide support, but when I attempt to use remote desktop to our branch offices which are on a different subnet and behind pix firewalls it does not work. Do I need to explicitly open access for remote desktop?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
russell124
Do you have a VPN client or tunnel set up between you and the remote site?
ASKER
Yes I have a VPN up between HQ and each branch office.
first of all, you should check that acls allow tcp port 3389 between offices.
you should also check windows firewall on the remote pc. usually remote desktop is blocked there also
you should also check windows firewall on the remote pc. usually remote desktop is blocked there also
If you're VPN tunnel allows all IP traffic and the routing is setup properly, then you should already be able to use RDP to the remote site. Post your main site and remote site PIX configs (sanitized, of course) and we can take a look at what the problem could be. You should probably list the source IP and destination IP of the RDP traffic for troubleshooting.
ASKER
Sorry for the delay. Here are the PIX configurations.
HQ PIX
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname fw-bs
domain-name xxxxxxxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554]
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2050
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2050
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 50
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 500
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2052
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2053
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2052
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2053
access-list permit-in permit udp any host x.x.x.x eq 5008
access-list permit-in permit tcp any host x.x.x.x eq www
access-list encrypt-cp permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.36.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.38.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.39.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.40.0 255.255.255.0
access-list encrypt-boa permit ip any 172.16.36.0 255.255.255.0
access-list encrypt-sv permit ip any 172.16.38.0 255.255.255.0
access-list encrypt-ss permit ip any 172.16.39.0 255.255.255.0
access-list encrypt-bam permit ip any 172.16.40.0 255.255.255.0
pager lines 24
logging timestamp
logging trap debugging
logging host inside 10.10.10.1
logging host inside 192.168.5.215
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 172.16.33.254 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 192.168.5.15 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.5.27 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.5.35 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route inside 0.0.0.0 0.0.0.0 172.16.33.253 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.35.0 255.255.255.0 x.x.x.x 1
route outside 172.16.36.0 255.255.255.0 x.x.x.x 1
route outside 172.16.38.0 255.255.255.0 x.x.x.x 1
route outside 172.16.39.0 255.255.255.0 x.x.x.x 1
route outside 172.16.40.0 255.255.255.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 172.16.33.253 1
route inside 192.168.5.0 255.255.255.0 172.16.33.253 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ch-strong esp-3des esp-sha-hmac
crypto map ch-vpn 10 ipsec-isakmp
crypto map ch-vpn 10 match address encrypt-cop
crypto map ch-vpn 10 set peer x.x.x.x
crypto map ch-vpn 10 set transform-set ch-strong
crypto map ch-vpn 20 ipsec-isakmp
crypto map ch-vpn 20 match address encrypt-boa
crypto map ch-vpn 20 set peer x.x.x.x
crypto map ch-vpn 20 set transform-set ch-strong
crypto map ch-vpn 30 ipsec-isakmp
crypto map ch-vpn 30 match address encrypt-sv
crypto map ch-vpn 30 set peer x.x.x.x
crypto map ch-vpn 30 set transform-set ch-strong
crypto map ch-vpn 40 ipsec-isakmp
crypto map ch-vpn 40 match address encrypt-ss
crypto map ch-vpn 40 set peer x.x.x.x
crypto map ch-vpn 40 set transform-set ch-strong
crypto map ch-vpn 50 ipsec-isakmp
crypto map ch-vpn 50 match address encrypt-bam
crypto map ch-vpn 50 set peer x.x.x.x
crypto map ch-vpn 50 set transform-set ch-strong
crypto map chd-vpn interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.5.0 255.255.255.0 inside
telnet 172.16.33.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Branch office PIX
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname m100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit icmp any any echo
access-list encrypt permit ip 172.16.40.0 255.255.255.0 any
access-list no-encrypt permit ip 172.16.40.0 255.255.255.0 any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 172.16.40.2
logging host inside 172.16.40.1
mtu outside 1500
mtu inside 1500
ip address outside 192.168.50.1 255.255.255.0
ip address inside 172.16.40.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.50.254 1
route outside 172.16.33.0 255.255.255.0 x.x.x.x 1
route outside 192.168.5.0 255.255.255.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ch-strong esp-3des esp-sha-hmac
crypto map ch-vpn 10 ipsec-isakmp
crypto map ch-vpn 10 match address encrypt
crypto map ch-vpn 10 set peer x.x.x.x
crypto map ch-vpn 10 set transform-set ch-strong
crypto map ch-vpn interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.40.1-172.16.40.10 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
HQ PIX
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname fw-bs
domain-name xxxxxxxxxxxxxxxxxxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554]
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2050
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2050
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 50
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 500
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2052
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2053
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2052
access-list permit-in permit tcp host x.x.x.x host x.x.x.x eq 2053
access-list permit-in permit udp any host x.x.x.x eq 5008
access-list permit-in permit tcp any host x.x.x.x eq www
access-list encrypt-cp permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.35.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.36.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.38.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.39.0 255.255.255.0
access-list no-encrypt permit ip any 172.16.40.0 255.255.255.0
access-list encrypt-boa permit ip any 172.16.36.0 255.255.255.0
access-list encrypt-sv permit ip any 172.16.38.0 255.255.255.0
access-list encrypt-ss permit ip any 172.16.39.0 255.255.255.0
access-list encrypt-bam permit ip any 172.16.40.0 255.255.255.0
pager lines 24
logging timestamp
logging trap debugging
logging host inside 10.10.10.1
logging host inside 192.168.5.215
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.0
ip address inside 172.16.33.254 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 192.168.5.15 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.5.27 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.5.35 netmask 255.255.255.255 0 0
access-group permit-in in interface outside
route inside 0.0.0.0 0.0.0.0 172.16.33.253 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.0.0 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.35.0 255.255.255.0 x.x.x.x 1
route outside 172.16.36.0 255.255.255.0 x.x.x.x 1
route outside 172.16.38.0 255.255.255.0 x.x.x.x 1
route outside 172.16.39.0 255.255.255.0 x.x.x.x 1
route outside 172.16.40.0 255.255.255.0 x.x.x.x 1
route inside 192.168.1.0 255.255.255.0 172.16.33.253 1
route inside 192.168.5.0 255.255.255.0 172.16.33.253 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
route outside x.x.x.x 255.255.255.255 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ch-strong esp-3des esp-sha-hmac
crypto map ch-vpn 10 ipsec-isakmp
crypto map ch-vpn 10 match address encrypt-cop
crypto map ch-vpn 10 set peer x.x.x.x
crypto map ch-vpn 10 set transform-set ch-strong
crypto map ch-vpn 20 ipsec-isakmp
crypto map ch-vpn 20 match address encrypt-boa
crypto map ch-vpn 20 set peer x.x.x.x
crypto map ch-vpn 20 set transform-set ch-strong
crypto map ch-vpn 30 ipsec-isakmp
crypto map ch-vpn 30 match address encrypt-sv
crypto map ch-vpn 30 set peer x.x.x.x
crypto map ch-vpn 30 set transform-set ch-strong
crypto map ch-vpn 40 ipsec-isakmp
crypto map ch-vpn 40 match address encrypt-ss
crypto map ch-vpn 40 set peer x.x.x.x
crypto map ch-vpn 40 set transform-set ch-strong
crypto map ch-vpn 50 ipsec-isakmp
crypto map ch-vpn 50 match address encrypt-bam
crypto map ch-vpn 50 set peer x.x.x.x
crypto map ch-vpn 50 set transform-set ch-strong
crypto map chd-vpn interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.5.0 255.255.255.0 inside
telnet 172.16.33.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Branch office PIX
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k4HlcGX2lC1ypFOm encrypted
passwd y5Nu/Nt1/5dK8Iuf encrypted
hostname m100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list permit-in permit icmp any any echo-reply
access-list permit-in permit icmp any any echo
access-list encrypt permit ip 172.16.40.0 255.255.255.0 any
access-list no-encrypt permit ip 172.16.40.0 255.255.255.0 any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 172.16.40.2
logging host inside 172.16.40.1
mtu outside 1500
mtu inside 1500
ip address outside 192.168.50.1 255.255.255.0
ip address inside 172.16.40.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-encrypt
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group permit-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.50.254 1
route outside 172.16.33.0 255.255.255.0 x.x.x.x 1
route outside 192.168.5.0 255.255.255.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set ch-strong esp-3des esp-sha-hmac
crypto map ch-vpn 10 ipsec-isakmp
crypto map ch-vpn 10 match address encrypt
crypto map ch-vpn 10 set peer x.x.x.x
crypto map ch-vpn 10 set transform-set ch-strong
crypto map ch-vpn interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.40.1-172.16.40.10 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
You have quite a few static routes in your HQ PIX that need to be modified. Frankly, I'm not sure how some of your VPN tunnels are passing traffic properly as it is currently configured. However, I may not have a clear picture of your overall topology.
Since you posted the Branch PIX configuration of the 172.16.40.0/24 subnet, the comments below pertain to troubleshooting this particular remote subnet only.
I would remove the following routes on the HQ PIX:
route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.40.0 255.255.255.0 x.x.x.x 1
The first route above is directing all 172.16.x.x traffic to an inside router at 172.16.33.253. Since the 172.16.40.0/24 subnet falls into this range, the PIX will try to route that traffic back inside instead of letting it go down the tunnel.
Also, I notice that the firewall's default route is set for the inside interface. This is a very non-standard configuration. Is this correct? In other words, when a packet is sent to the PIX for a certain destination IP address and the destination IP address isn't on one of the firewall's directly connected interfaces, do you really want the firewall to forward this packet to the inside router at 172.16.33.253? If this is correct, you may want to post a network diagram so that it will be easier to troubleshoot this issue by understanding your network topology a little better.
For now, see if removing those two routes above helps in sending traffic to the 172.16.40.0/24 subnet from HQ.
Since you posted the Branch PIX configuration of the 172.16.40.0/24 subnet, the comments below pertain to troubleshooting this particular remote subnet only.
I would remove the following routes on the HQ PIX:
route inside 172.16.0.0 255.255.0.0 172.16.33.253 1
route outside 172.16.40.0 255.255.255.0 x.x.x.x 1
The first route above is directing all 172.16.x.x traffic to an inside router at 172.16.33.253. Since the 172.16.40.0/24 subnet falls into this range, the PIX will try to route that traffic back inside instead of letting it go down the tunnel.
Also, I notice that the firewall's default route is set for the inside interface. This is a very non-standard configuration. Is this correct? In other words, when a packet is sent to the PIX for a certain destination IP address and the destination IP address isn't on one of the firewall's directly connected interfaces, do you really want the firewall to forward this packet to the inside router at 172.16.33.253? If this is correct, you may want to post a network diagram so that it will be easier to troubleshoot this issue by understanding your network topology a little better.
For now, see if removing those two routes above helps in sending traffic to the 172.16.40.0/24 subnet from HQ.
ASKER
I can remote desktop from the branch office to HQ but not vice versa.
Can you perform any network connectivity test when initiated from the HQ network to the branch network? Can you ping any 172.16.40.x address from any 172.16.33.x address?
ASKER
I don't have a diagram that I can post right now, but the 172.16.33.x is between a switch and a pix. So it looks like this:
HQ Branch Office
Switch --------PIX---------Router
I can ping from one pix to the other and from any workstation in HQ.
<<Also, I notice that the firewall's default route is set for the inside interface. This is a very non-standard configuration>>
What would be an example of an standard configuration? Thanks
HQ Branch Office
Switch --------PIX---------Router
I can ping from one pix to the other and from any workstation in HQ.
<<Also, I notice that the firewall's default route is set for the inside interface. This is a very non-standard configuration>>
What would be an example of an standard configuration? Thanks
A standard configuration would have a default route that pointed to the outside interface, not to the inside interface. I don't think I've ever seen a default route on the inside interface before. Doesn't mean it's wrong, just non-standard. :)
Usually, you see:
route outside 0.0.0.0 0.0.0.0 <gateway_ip>
where <gateway_ip> is your edge router or the ISP's edge router.
Can you give an example source/destination pair where the RDP connection doesn't work?
Usually, you see:
route outside 0.0.0.0 0.0.0.0 <gateway_ip>
where <gateway_ip> is your edge router or the ISP's edge router.
Can you give an example source/destination pair where the RDP connection doesn't work?
ASKER
Anything in HQ cannot remote desktop to the branch office. But if you are in the branch office you can remote desktop to HQ. It looks like its being blocked somewhere.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
<< Also, you never really addressed the following statements I made in a previous post (unless I missed something which is very likely):
Also, I notice that the firewall's default route is set for the inside interface. This is a very non-standard configuration. Is this correct? In other words, when a packet is sent to the PIX for a certain destination IP address and the destination IP address isn't on one of the firewall's directly connected interfaces, do you really want the firewall to forward this packet to the inside router at 172.16.33.253? If this is correct, you may want to post a network diagram so that it will be easier to troubleshoot this issue by understanding your network topology a little better. >>
Sorry! We have numerous routes to the web, most are proxied, the default route is correct. That is why the packets get sent to the .33.353 interface. I don't have a diagram that I could post currently. I did remove the routes that you suggested but I still have the same issue.
Also, I notice that the firewall's default route is set for the inside interface. This is a very non-standard configuration. Is this correct? In other words, when a packet is sent to the PIX for a certain destination IP address and the destination IP address isn't on one of the firewall's directly connected interfaces, do you really want the firewall to forward this packet to the inside router at 172.16.33.253? If this is correct, you may want to post a network diagram so that it will be easier to troubleshoot this issue by understanding your network topology a little better. >>
Sorry! We have numerous routes to the web, most are proxied, the default route is correct. That is why the packets get sent to the .33.353 interface. I don't have a diagram that I could post currently. I did remove the routes that you suggested but I still have the same issue.
Yes, if you have a diagram, please post a sanitized version and let's have a look.
ASKER
Best I could do on a diagram is this:
HQ Branch Office
Switch --------PIX---------Router
|
|
|
|
V
Proxy Server for all outside traffic except pixs
HQ Branch Office
Switch --------PIX---------Router
|
|
|
|
V
Proxy Server for all outside traffic except pixs
This diagram does not show a complete picture of your network if you have "numerous routes to the web". Until I get a better overall picture of your topology, I don't think I can troubleshoot further.
This should really be a very straightforward thing to allow RDP across a VPN tunnel. But with the various static routes in your PIX pointing to various gateways, there's no telling what path your packets are taking to reach the branch office. I still think the issue goes back to all of the static routes you currently have configured in the firewall.
This should really be a very straightforward thing to allow RDP across a VPN tunnel. But with the various static routes in your PIX pointing to various gateways, there's no telling what path your packets are taking to reach the branch office. I still think the issue goes back to all of the static routes you currently have configured in the firewall.
ASKER
There are only two routes to the web as indicated above. I don't have a diagram that I can post unfortuantely. What if I open a port for 3389 on the branch PIX?