Solved

Can't RDP into terminal from remote Cisco VPN office

Posted on 2008-10-02
Last Modified: 2012-06-27
Hi guys,

I am having an issue where I have users at a remote office working through a VPN connected to the main office who cannot connect to the terminal using its local IP address or FQDN.

It is set up between two Cisco 877s.

The main office is on a 192.168.17 IP scheme.

The remote office is on a 192.168.16 scheme.

Users get the error message:

"The client could not connect to the remote computer. Remote connections may not be enabled or the computer may be too busy to accept new connections."

If anyone has any ideas why RDP access is denied, it would be a huge help. (It also seems like SMTP access through the VPN is denied, though I'm not 100% sure.)

Here is my running config for the Cisco 877 in the main office.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname alfabs
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$YQT.$YVH.j1SbS6P1azRLkvZc21
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name alfabs.local
ip name-server 192.168.16.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-2757758689
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2757758689
 revocation-check none
 rsakeypair TP-self-signed-2757758689
!
!
crypto pki certificate chain TP-self-signed-2757758689
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373537 37353836 3839301E 170D3037 30313038 30363135
  32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37353737
  35383638 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C26A DF25F9FF C5A80A47 534424AE 4C9450DD EED735F0 5A84C5E0 035168A4
  774D9AFB 8D874836 43FEEBE6 6DAC87B8 4F0B5B1B C6180BBD CBC95C82 33D80555
  BA7E2B9C 2CBC02FA 0D28E85F 9497FF5B E3BA788F 14ECDF59 A1536A40 BAED6879
  86D448E3 410F9A6F 7ADEBA94 DDB9088C 267DE561 AABBBB37 97ADF6CD 03F7A0B6
  D1F50203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 13616C66 6162732E 616C6661 62732E6C 6F63616C 301F0603
  551D2304 18301680 146BAAC6 ADBB2EE6 DD143AEF 32120C4D B760B0E1 B1301D06
  03551D0E 04160414 6BAAC6AD BB2EE6DD 143AEF32 120C4DB7 60B0E1B1 300D0609
  2A864886 F70D0101 04050003 818100A8 139F75FC CB8E9768 36F20572 850212DC
  64D132DC 61003F52 B3757C32 3AA9BF9C 86F450A0 A3B6C06B F9D13C5E 0CA92A05
  985FD3A6 8F8523E7 9C2DB547 FA7FCEAE 0E9AE465 088E03F7 475F13D4 CE7AD3B1
  384D627D FBC6C6A2 EBF8D1D3 4D09FD55 840A1E98 CAD05298 73C60607 F9CADBE4
  BF5AD06E 26FB27D7 134BD1D3 99BAB2
  quit
username admin privilege 15 secret 5 $1$dSqQ$hUvhU7PGwS/YGQQXrXCVJ1
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key **** address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map alfabsvpn 1 ipsec-isakmp
 description alfabs
 set peer 125.255.41.156
 set transform-set ESP-3DES-SHA
 match address 103
 reverse-route
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.16.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *****
 ppp chap password 0 *****
 ppp pap sent-username **** password 0 ****
 crypto map alfabsvpn
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.16.2 3389 interface Dialer0 3390
ip nat inside source static tcp 192.168.16.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.16.2 110 interface Dialer0 110
ip nat inside source static tcp 192.168.16.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.16.3 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.16.2 4125 interface Dialer0 4125
ip nat inside source static tcp 192.168.16.2 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 125.255.41.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 permit udp any host 192.168.16.254 eq non500-isakmp
access-list 100 permit udp any host 192.168.16.254 eq isakmp
access-list 100 permit esp any host 192.168.16.254
access-list 100 permit ahp any host 192.168.16.254
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark IPSec Rule
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit udp host 125.255.41.156 any eq non500-isakmp
access-list 101 permit udp host 125.255.41.156 any eq isakmp
access-list 101 permit esp host 125.255.41.156 any
access-list 101 permit ahp host 125.255.41.156 any
access-list 101 permit udp host 192.168.16.2 eq domain any
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 4125
access-list 101 permit tcp any any range 3389 3390
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 deny   ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.16.0 0.0.0.255 125.255.41.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 104 permit ip 192.168.16.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


Cheers Guys

Question by:SM17CH
5 Comments
 
LVL 5

Accepted Solution

by:
cammj earned 500 total points
ID: 22630715
Can you access anything at all? Can you ping a machine?

To me it looks like it might have something to do with you not having a route to send traffic for that subnet through to the other router; instead you have a default route sending all traffic to the Dialer interface.
LVL 2

Author Comment

by:SM17CH
ID: 22631141
Yeah, they can ping the other network.

The users have network drives set up giving them access to the servers and machines on the other network, which they use daily.

It is just the RDP connection and maybe the SMTP connection (when the VPN was reconfigured, the scanners which scanned to email using SMTP stopped working with a local address but worked with the internet IP address of the server).

Cheers
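A check worth running against the posted config given that split of symptoms (ping and mapped drives work, RDP and SMTP do not), as an added example and not code from the question or any answer: trace a reply packet from the server toward the remote office through the router's inside-to-outside order of operations. On Cisco IOS, inside-to-outside NAT is applied before the crypto map's `match address` ACL is consulted, and an `ip nat inside source static` entry with no route-map is unconditional, so a static port translation can rewrite a packet's source address before ACL 103 ever sees it, at which point the packet no longer matches 192.168.16.0/24 to 192.168.17.0/24 and is routed out Dialer0 unencrypted. The script below parses the relevant lines of the config above (the static translations, the overload entry and its route-map, the crypto ACL) and classifies reply traffic for RDP, SMTP, SMB and ICMP. Assumptions: the terminal server is 192.168.16.2 (the host the config forwards 3389 to), the client 192.168.17.10 is a constructed address, and a static entry carrying a trailing `route-map` keyword is modelled as gated by that route-map.

```python
"""Trace a reply packet from the server toward the remote office through the
router's NAT-then-crypto order of operations.  Added example for this thread,
not code from the question or any answer; see the lead-in for the assumptions."""
import ipaddress
import re

# Subset of the running config posted in the question; nothing else is needed.
CONFIG = """
crypto map alfabsvpn 1 ipsec-isakmp
 match address 103
ip nat inside source static tcp 192.168.16.2 3389 interface Dialer0 3390
ip nat inside source static tcp 192.168.16.2 25 interface Dialer0 25
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 103 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 104 deny   ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 104 permit ip 192.168.16.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 104
"""
STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
                       r"(?: route-map (\S+))?$")

def _addr(tok):
    """Consume one ACL address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wc = int(ipaddress.ip_address(tok.pop(0)))
    assert wc & (wc + 1) == 0, "non-contiguous wildcard masks are not handled here"
    return ipaddress.ip_network(f"{t}/{32 - wc.bit_length()}", strict=False)

def parse_config(text):
    cfg = {"acls": {}, "static": [], "overload": [], "route_maps": {}, "crypto_acls": []}
    rmap = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) > 3 and tok[2] in ("permit", "deny"):
            rest = tok[3:]
            proto, src = rest.pop(0), _addr(rest)
            if rest[0] in ("eq", "neq", "gt", "lt", "range"):   # port operator on the source
                del rest[:3 if rest[0] == "range" else 2]
            cfg["acls"].setdefault(tok[1], []).append((tok[2], proto, src, _addr(rest)))
        elif (m := STATIC_RE.match(line.strip())):
            proto, lip, lport, ifc, gport, rm = m.groups()
            cfg["static"].append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                                  "interface": ifc, "global_port": int(gport), "route_map": rm})
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["overload"].append(tok[5])
        elif tok[0] == "route-map":
            rmap = tok[1]
            cfg["route_maps"].setdefault(rmap, [])
        elif tok[:3] == ["match", "ip", "address"] and rmap:
            cfg["route_maps"][rmap].extend(tok[3:])
        elif tok[:2] == ["match", "address"]:          # inside the crypto map
            cfg["crypto_acls"].append(tok[2])
    return cfg

def acl_permits(cfg, acl_id, proto, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, p, snet, dnet in cfg["acls"].get(acl_id, []):
        if p in ("ip", proto) and src in snet and dst in dnet:
            return action == "permit"
    return False

def rmap_permits(cfg, name, proto, src, dst):
    return any(acl_permits(cfg, a, proto, src, dst) for a in cfg["route_maps"].get(name, []))

def classify_flow(cfg, proto, src_ip, src_port, dst_ip):
    """Which NAT stage fires ('static', 'overload' or None), and is the packet
    still selected by the crypto ACL afterwards?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Stage 1: static port translations, unconditional unless gated by a route-map.
    for s in cfg["static"]:
        if (s["proto"], s["local_ip"], s["local_port"]) == (proto, src_ip, src_port) and (
                s["route_map"] is None or rmap_permits(cfg, s["route_map"], proto, src, dst)):
            return {"nat": "static", "encrypted": False,
                    "detail": f"source rewritten to {s['interface']}:{s['global_port']} "
                              f"before the crypto ACL is checked, so it leaves in the clear"}
    # Stage 2: overload PAT, gated by its route-map.
    for n in cfg["overload"]:
        if rmap_permits(cfg, n, proto, src, dst):
            return {"nat": "overload", "encrypted": False, "detail": f"PAT via route-map {n}"}
    # Stage 3: untranslated; the crypto map selects it if its ACL permits the flow.
    enc = any(acl_permits(cfg, a, proto, src, dst) for a in cfg["crypto_acls"])
    return {"nat": None, "encrypted": enc, "detail": "untranslated; " + ("IPsec" if enc else "clear")}

def report(cfg, server="192.168.16.2", client="192.168.17.10"):
    """One reply packet per service, server -> remote client (client address constructed)."""
    flows = (("RDP", "tcp", 3389), ("SMTP", "tcp", 25), ("SMB", "tcp", 445), ("ICMP", "icmp", None))
    return [f"{n:4} {server}:{p} -> {client}: " + str(classify_flow(cfg, pr, server, p, client))
            for n, pr, p in flows]

if __name__ == "__main__":
    print("\n".join(report(parse_config(CONFIG))))
```

With the posted config the RDP and SMTP replies hit the unconditional static translations and are classified as leaving unencrypted, while SMB and ICMP match nothing in NAT (ACL 104 denies them for the overload entry), stay untranslated and are selected by ACL 103. That is the same split the thread describes. Confirm on the router itself with `show ip nat translations` after an RDP attempt from the remote office and `show crypto ipsec sa` to see whether the encrypt counters move; if the static entries are the culprit, the usual remedy is to gate them with a route-map that denies 192.168.16.0/24 to 192.168.17.0/24, the same exemption SDM_RMAP_1 already applies to the overload entry, provided the IOS release accepts a route-map on those port-static entries (check with `?` on the device).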
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22631282
Can you confirm that RDP is enabled on the machine you're trying to connect to? Please right-click on My Computer, click Properties, then click on the Remote tab and ensure the "Allow remote connections to this computer" box is checked. This must be set up on the computer you are trying to reach.
Just check to be sure. I've done this more than once myself.
LVL 2

Author Comment

by:SM17CH
ID: 22655320
It is a server that was being connected to from the same type of VPN recently, and other people RDP to it locally, so it is accepting connections fine.

The client had a new internet connection put in, and because of a bit of a dodgy setup from the last guys we had to rebuild the VPN on the Ciscos.

I believe it's just something in the setup that is not allowing it to connect, but because of my limited Cisco knowledge I am having a bit of trouble finding exactly what it is.

Cheers.

LVL 12

Expert Comment

by:Pugglewuggle
ID: 22660721
Just to be sure - I know I've said this way too much already - but can you please make sure the box is ticked on the server to allow RDP.
Cheers!
