• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 913
  • Last Modified:

RDP through VPN tunnel

I have a server at a remote site of which we have a Ipsec tunnel set up with them.  I can RDP into any server there except for this new one we set up..  This is a server i set up a NAT statement to allow a remote vendor rdp directly to that box..i also added my house to the list to test.. I can RDP into the WAN ip just fine from my home and it takes me to that server fine. However, if i am at work, where i have the tunnel set up i can't rdp to it.. i can ping it fine..can't remote in though..but i can remote to other servers at the same site.  i'm posting my config..maybe i'm missing something



Current configuration : 9993 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname COB_WAN
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login USER_VPN group radius
aaa authorization network GROUP_VPN local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name cityofbellevue.com
ip name-server 10.1.1.10
ip name-server 10.1.1.9
ip name-server 65.24.0.168
ip name-server 65.24.0.169
ip name-server 24.29.161.129
ip name-server 24.29.161.137
!
!
!
!
<cut>
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key MW_COBVPNTunnel address 75.13.63.69 no-xauth
crypto isakmp key REC_VPNTunnel address 216.207.224.5 no-xauth
crypto isakmp key FD_VPNTunnel address 216.207.224.2 no-xauth
crypto isakmp key WAT_VPNTunnel address 216.207.224.3 no-xauth
crypto isakmp key POL_VPNTunnel address 216.207.224.4 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address 216.207.224.6 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address 74.218.83.254 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto isakmp client configuration group COBVPN
 key COBvpn
 dns 10.1.1.10 10.1.1.9
 wins 10.1.1.10
 pool VPN_POOL
 acl ADMIN-VPN
 netmask 255.255.255.0



!
crypto isakmp client configuration group GROUP_VPN
!
crypto isakmp client configuration group CODYVPN
 key COBCodyVPN
 dns 10.1.1.9
 wins 10.1.1.10
 pool CODY_VPN_POOL
 acl CODY-VPN
 netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
 set transform-set 3DES
 reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description Tunnel to MW
 set peer 75.13.63.69
 set transform-set 3DES
 match address COB2MW
crypto map VPN 15 ipsec-isakmp
 description Tunnel to REC
 set peer 216.207.224.5
 set transform-set 3DES
 match address COB2REC
crypto map VPN 20 ipsec-isakmp
 description Tunnel to FD
 set peer 216.207.224.2
 set transform-set 3DES
 match address COB2FD
crypto map VPN 30 ipsec-isakmp
 description Tunnel to Water
 set peer 216.207.224.3
 set transform-set 3DES
 match address COB2WATER
crypto map VPN 40 ipsec-isakmp
 description Tunnel to Pollution Control
 set peer 216.207.224.4
 set transform-set 3DES
 match address COB2POL
crypto map VPN 60 ipsec-isakmp
 description Tunnel to HC Jail
 set peer 216.207.224.6
 set transform-set 3DES
 match address COB2HCJAIL
crypto map VPN 70 ipsec-isakmp
 description Tunnel To SC Jail
 set peer 74.218.83.254
 set transform-set 3DES
 match address COB2SCJAIL
crypto map VPN 65000 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/0
 description WAN
 ip address 70.62.43.146 255.255.255.248 secondary
 ip address 70.62.43.150 255.255.255.248
 ip access-group inet-in in
 ip access-group FWOUT out
 ip accounting output-packets
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map VPN
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 duplex auto
 speed auto
!
ip local pool VPN_POOL 10.100.100.1 10.100.100.254
ip local pool CODY_VPN_POOL 10.101.101.1 10.101.101.254
ip classless
ip route 0.0.0.0 0.0.0.0 70.62.43.145
ip route 64.128.51.0 255.255.255.0 10.1.1.12
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 68.236.126.229 2055
!
no ip http server
no ip http secure-server
ip nat pool PAT 70.62.43.146 70.62.43.146 netmask 255.255.255.248
ip nat inside source route-map NAT pool PAT overload
ip nat inside source static tcp 10.1.1.80 23 70.62.43.150 23 extendable
ip nat inside source static tcp 10.1.1.10 25 70.62.43.150 25 extendable
ip nat inside source static tcp 10.1.1.10 80 70.62.43.150 80 extendable
ip nat inside source static tcp 10.1.1.10 110 70.62.43.150 110 extendable
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 extendable
ip nat inside source static tcp 10.1.1.164 5635 70.62.43.150 5635 extendable
ip nat inside source static udp 10.1.1.164 5635 70.62.43.150 5635 extendable
ip nat inside source static tcp 10.1.1.3 5659 70.62.43.150 5659 extendable
ip nat inside source static udp 10.1.1.3 5660 70.62.43.150 5660 extendable
ip nat inside source static tcp 10.1.1.10 5665 70.62.43.150 5665 extendable
ip nat inside source static udp 10.1.1.10 5666 70.62.43.150 5666 extendable
ip nat inside source static tcp 10.1.1.9 5669 70.62.43.150 5669 extendable
ip nat inside source static udp 10.1.1.9 5670 70.62.43.150 5670 extendable
ip nat inside source static tcp 10.1.1.5 5671 70.62.43.150 5671 extendable
ip nat inside source static udp 10.1.1.5 5672 70.62.43.150 5672 extendable
!
ip access-list extended ADMIN-VPN
 remark Access for Admin VPN group
 permit ip 10.1.1.0 0.0.0.255 10.100.100.0 0.0.0.255
ip access-list extended COB2FD
 remark COB VPN to FD
 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255
ip access-list extended COB2HCJAIL
 remark COB VPN to Huron County Jail
 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended COB2MW
 remark COB VPN to MW
 permit ip 10.1.1.0 0.0.0.255 192.168.57.0 0.0.0.255
ip access-list extended COB2POL
 remark COB VPN to Pollution Control
 permit ip 10.1.1.0 0.0.0.255 10.1.9.0 0.0.0.255
ip access-list extended COB2REC
 remark COB VPN to REC
 permit ip 10.1.1.0 0.0.0.255 10.1.7.0 0.0.0.255
ip access-list extended COB2SCJAIL
 remark COB VPN to Sandusky Country Jail
 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
ip access-list extended COB2WATER
 remark COB VPN to Water
 permit ip 10.1.1.0 0.0.0.255 10.1.11.0 0.0.0.255
ip access-list extended CODY-VPN
 permit ip host 10.1.1.9 0.0.0.255 10.101.101.0
ip access-list extended FWOUT
 permit ip any any reflect REFLECT
ip access-list extended inet-in
 permit tcp host 157.34.167.149 host 70.62.43.150 eq 3389
 permit tcp host 98.30.99.116 host 70.62.43.150 eq 3389
 deny   tcp any host 70.62.43.150 eq 3389
 permit ip any any
ip access-list extended inet-traffic
 remark inet traffic
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended internet-in
 deny   tcp any host 70.62.43.150 eq 3389
!
snmp-server community cdhelpdot5864 RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps atm subif
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rtr
route-map NAT permit 10
 match ip address inet-traffic
!
!

control-plane
!
!
banner login ^CC
*****************************************************************************
* Unauthorized access will be prosecuted to the fullest extent of the law.  *
* To avoid criminal charges, disconnect NOW!                                *
*****************************************************************************
^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.1.1.10
!
end
0
jasonmichel
Asked:
jasonmichel
  • 9
  • 8
  • 2
1 Solution
 
batry_boyCommented:
I'm assuming you are referring to the server at 10.1.1.11 that you are having trouble using RDP to across the L2L tunnel.  When you try from work across the L2L tunnel, are you using 10.1.1.11 (the private IP) or the translated public IP address to access it?
0
 
batry_boyCommented:
That is to say that you should be using the private IP address 10.1.1.11 when accessing it from the office.
0
 
jasonmichelAuthor Commented:
yes..sorry forgot to add...my private IP range here is 192.168.57.0 and yes i was using the  10.1.1.11 to try to connect
0
Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

 
bkepfordCommented:
Everything looks fine except you may want to adjust this ACL to include your IP address or take out the deny statement and see if that fixes your problem and then adjust accordingly
ip access-list extended inet-in
 permit tcp host 157.34.167.149 host 70.62.43.150 eq 3389
 permit tcp host 98.30.99.116 host 70.62.43.150 eq 3389
 deny   tcp any host 70.62.43.150 eq 3389
 permit ip any any
0
 
jasonmichelAuthor Commented:
i removed the deny statement but still don't work...kinda wierd, cause i can rdp into any other server there, and i can rdp into that server from one of the other servers..also added our WAN Ip no avail
0
 
bkepfordCommented:
Check the subnet mask of your server. Make sure all your network setting s are coorect.
0
 
jasonmichelAuthor Commented:
yeah that's all good
0
 
bkepfordCommented:
Did you check to see if the server could get to other things on the othe side of the tunnel or is just limited to RDP? Or if you could get to other services on the server?
0
 
jasonmichelAuthor Commented:
well i can ping the server from my end  so i can atleast see the server and its responding to icmp.  And from the server i can remote in to a server on my end..
0
 
bkepfordCommented:
Because you can Remote to a server on your side means that RDP packets can flow back and forth. Can you check to see if on your server it allows RDP off of it's network segment. If it is a Windows SMB 2003 server it will restrict off network RDP the problem is that connections from a NATed port looks like it is coming from 10.1.1.1 so you wouldn't have a problem with the customers incoming connections. Look at the local poicy to see if RDP is being restricted that way.
0
 
jasonmichelAuthor Commented:
it is a server 2003 standard.  heres something i tried and it worked but broke something..i removed the

ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 extendable

and i could rdp from my work to the server...but now the whole reason i created that statement was to allow a vendor to rdp directly to that server from the outside
0
 
jasonmichelAuthor Commented:
where would i look in local poliy at...didn't see anything in security options
0
 
bkepfordCommented:
Well if that worked then no need to go any further on the server side since it appears to be a nat issue. Try this (never done it this way but it might work
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 route-map nonat
ip access-list extended nonat
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
permit ip 10.1.1.0 0.0.0.255 any

route-map nonat permit 10
 match ip address nonat
0
 
jasonmichelAuthor Commented:
i have that in there as extendable...by doing the way you suggest...would that affect the vendors coming from the outside as well?
0
 
bkepfordCommented:
It shouldn't the only thing the route-map does is specify what gets NATed going out. The only reason taking that out would fix your problem is that  if on the return trip the NAT statement caused it to NAT the traffic and send it out your external interface. You can add the extendable keyword
ip nat inside source static tcp 10.1.1.11 3389 70.62.43.150 3389 route-map nonat extendable
0
 
jasonmichelAuthor Commented:
so i should just delete the old one and put the new one in?
0
 
bkepfordCommented:
It should just ammend to it but to be safe go ahead and remove and add the new NAT line in.
0
 
jasonmichelAuthor Commented:
that worked..i also had

p access-list extended inet-traffic
 remark inet traffic
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 10.1.1.0 0.0.0.255 any

could i have  just used that?
0
 
bkepfordCommented:
It should and I almost just linked that one but I didn't want to during the testing phase. You may want to go ahead and link it now just to keep your configuration clean.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 9
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now