Solved

Unable to RDP from Cisco VPN Client.

Posted on 2009-05-06
15
825 Views
Last Modified: 2012-05-06
Hi,
I am unable to establish a remote desktop session from the cisco vpn client to a PC sitting inside the LAN.
The tunnel establishes fine, i can ping the from vpn client to the PC and vice versa.
I can also RDP from the PC inside the LAN to the vpn client but can not RDP from client to the PC.
Any suggestions ??
0
Comment
Question by:WannabeNerd
  • 7
  • 4
  • 3
  • +1
15 Comments
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24317169
Turn off the Windows firewall on the PC inside the LAN
0
 

Author Comment

by:WannabeNerd
ID: 24317186
Already off , anti virus also disabled
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24317243
Does the PC have RDP enabled?  Can you RDP to the PC from inside the LAN?
0
 

Author Comment

by:WannabeNerd
ID: 24317262
Yes, it has .
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24317278
So you can RDP to it from inside the LAN?

From a command prompt on the VPN client, can you do this?

telnet <pc ip address> 3389
0
 

Author Comment

by:WannabeNerd
ID: 24317342
Its just saying connecting to 10.0.0.160.....
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24317362
You are positive RDP is running?  From a 10.0.0.x PC, you can RDP to 10.0.0.160?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:WannabeNerd
ID: 24317405
Yes 100 % sure , i just verified it now . Let me use a different machine and install the client on that and see what happens,
0
 

Author Comment

by:WannabeNerd
ID: 24317559
No its still not working.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24317690
Can you RDP from the VPN client to another PC?

Are there any access restrictions or port filtering being done on the VPN traffic?
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24317864
It's got to be a firewall.  Did you turn off WINDOWS firewall on the network interface, not the third party firewall/AV
0
 
LVL 1

Expert Comment

by:IT_Desktop_Support
ID: 24318591
Yeah it definitely sounds like a firewall issue.  If it's not windows, it could be Norton, Mcafee, Zone alarm?

There are a ton of different firewalls out there, and it's not just software.  Do you have a hardware firewall or is this all internally?
0
 

Author Comment

by:WannabeNerd
ID: 24323583
Yes, turned out to be an ACL ,denying the incoming traffic from the vpn clients.. I had enabled icmp and hence i was able to ping bu not rdp.. Problem solved.

Thanks!!
0
 

Author Comment

by:WannabeNerd
ID: 24323669
Although my above problem is solved but i am unable to undertand why i am not able to telnet from the internet to the router or use SDM to connect from the internet to the router.. I know its again some ACL thats blocking it. Can you please tell me where is it :-


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BM
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login USERAUTHENTICATION local
aaa authorization console
aaa authorization exec EXECMODE local
aaa authorization network NETWORKAUTHORIZATION local
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint tti
 revocation-check crl
 rsakeypair tti
!
crypto pki trustpoint LOCAL
 enrollment selfsigned
 serial-number
 ip-address 10.0.0.251
 revocation-check crl
!
!
crypto pki certificate chain tti
crypto pki certificate chain LOCAL
 certificate self-signed 49
  3082028B 308201F4 A0030201 02020149 300D0609 2A864886 F70D0101 04050030
  51314F30 12060355 0405130B 46435A31 32333131 30383430 1706092A 864886F7
  0D010908 130A3130 2E302E30 2E323531 30200609 2A864886 F70D0109 02161342
  454C544F 4E4D4153 5345592E 424D2E63 6F6D301E 170D3039 30343039 31363231
  31385A17 0D323030 31303130 30303030 305A3051 314F3012 06035504 05130B46
  435A3132 33313130 38343017 06092A86 4886F70D 01090813 0A31302E 302E302E
  32353130 2006092A 864886F7 0D010902 16134245 4C544F4E 4D415353 45592E42
  4D2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DA4F A6BD12EB D61D6F4D 21C473E6 8156985C 15EC95A4 63EBC921 EEE21120
  F8E6C9E5 C759F705 B7467AA4 DFF2BAB2 BE85116B 3080476D 866EA65C 95F6CC90
  7D4257CE D2B08E9F 1E855090 6063F5B2 EB785E9A 69FC60A4 6F9C3FC7 E979E64A
  39CBEFAF 299B4C22 125A76CF 4D6040CB 433FE7C3 E0C88ABB C6C96BC1 54946D1E
  A9750203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 1342454C 544F4E4D 41535345 592E424D 2E636F6D 301F0603
  551D2304 18301680 14C654A2 DA63BD3E 0A31E975 39F5FCE8 0411BB1B C3301D06
  03551D0E 04160414 C654A2DA 63BD3E0A 31E97539 F5FCE804 11BB1BC3 300D0609
  2A864886 F70D0101 04050003 818100BA 3D6158E7 C9F9FCCE 6F793E37 F67ADF82
  B621B199 F1B68A8A 71A2B2E9 814FDC4F 1B533C11 61587FC0 57BB12B8 06C31581
  5493A37A C1B447E6 E65BC64A 798C25CA 151A7C04 5D2F7F67 EB8903C5 0FCAEE33
  1DF7D3EC 137DAD25 7DA67BCF 071CCF61 9B1B4D5C 50E7F640 4F64F659 C7282B88
  D7F37819 83950403 38804485 5B4741
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name BM.com
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp timeout 200
ip inspect name FIREWALL_RULES ftp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
username beltonmassey privilege 15 secret 5 $1$o0j7$y4vBET8YTk9vCob.Gu1wS/
username test privilege 0 secret 5 $1$TIKO$lIbIDhwVbTlMsQLQJsoUX.
!
! crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.0.0.4
 domain BM.com
 pool ippool
!
 acl VPN_TRAFFIC_SPLIT_TUNNEL
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list USERAUTHENTICATION
crypto map clientmap isakmp authorization list NETWORKAUTHORIZATION
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
!
!
!
interface FastEthernet0/0
 description INTERNAL LAN INTERFACE$FW_INSIDE$
 ip address 10.0.0.251 255.255.255.0
 ip access-group DMZ_TO_LAN out
 ip nat inside
 ip inspect FIREWALL_RULES in
 ip virtual-reassembly
 ip policy route-map ADSL
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE BT 10 MEG INTERFACE$FW_OUTSIDE$
 ip address 160.X.Y.178 255.255.255.240
 ip access-group OUTSIDE_IN_BT in
 ip nat outside
 ip virtual-reassembly
!  duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1/0
 description ADSL INTERFACE
 ip address 192.168.0.2 255.255.255.0
 ip access-group OUTSIDE_IN_ADSL in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
 description DMZ INTERFACE$FW_DMZ$
 ip address 172.31.0.1 255.255.255.0
 ip access-group LAN_TO_DMZ out
 ip nat inside
 ip inspect FIREWALL_RULES in
 ip virtual-reassembly
 ip policy route-map ADSL
 duplex auto
 speed auto
!
ip local pool ippool 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 160.X.Y.178
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map ADSL interface FastEthernet0/1/0 overload
ip nat inside source route-map LEASEDLINE interface FastEthernet0/1 overload
ip nat inside source static 172.31.0.100 62.X.Y.180
!
ip access-list extended DEFAULT_ALLOW_ALL
deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended DMZ_TO_LAN
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip host 172.31.0.100 host 10.0.0.6
 permit ip host 172.31.0.100 host 10.0.0.4
 permit icmp any any
 deny   ip any any
ip access-list extended INTERNET_TRAFFIC_FROM_ISASERVER
 permit ip host 172.31.0.200 any
ip access-list extended INTERNET_TRAFFIC_FROM_LAN
 permit tcp 10.0.0.0 0.0.0.255 any eq www
 permit udp 10.0.0.0 0.0.0.255 any eq domain
 permit tcp 10.0.0.0 0.0.0.255 any eq 443
ip access-list extended LAN_TO_DMZ
 permit ip host 10.0.0.2 host 172.31.0.100
 permit ip host 10.0.0.4 host 172.31.0.100
 permit ip host 10.0.0.6 host 172.31.0.100
 permit icmp any any
 deny   ip any any
ip access-list extended OUTSIDE_IN_ADSL
 permit icmp any any
 deny   ip any any
ip access-list extended OUTSIDE_IN_BT
 permit tcp any host 172.31.0.100 eq smtp
 permit tcp any host 172.31.0.100 eq pop3
 permit icmp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 deny   ip any any
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_TRAFFIC_SPLIT_TUNNEL
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
route-map LEASEDLINE permit 10
 match ip address DEFAULT_ALLOW_ALL
 match interface FastEthernet0/1
!
route-map ADSL permit 10
 match ip address INTERNET_TRAFFIC_FROM_LAN INTERNET_TRAFFIC_FROM_ISASERVER
 match interface FastEthernet0/1/0
 set ip default next-hop 192.168.0.1
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
 
!
line con 0
 exec-timeout 0 0
 authorization exec EXECMODE
 logging synchronous
 login authentication USERAUTHENTICATION
line aux 0
line vty 0 4
 authorization exec EXECMODE
 logging synchronous
 login authentication USERAUTHENTICATION
 transport input telnet ssh
line vty 5 15
 authorization exec EXECMODE
 login authentication USERAUTHENTICATION
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
end



0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24323981
You need to open a separate question and award the points for the original problem.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now