WannabeNerd
asked on
Unable to RDP from Cisco VPN Client.
Hi,
I am unable to establish a remote desktop session from the cisco vpn client to a PC sitting inside the LAN.
The tunnel establishes fine, i can ping the from vpn client to the PC and vice versa.
I can also RDP from the PC inside the LAN to the vpn client but can not RDP from client to the PC.
Any suggestions ??
I am unable to establish a remote desktop session from the cisco vpn client to a PC sitting inside the LAN.
The tunnel establishes fine, i can ping the from vpn client to the PC and vice versa.
I can also RDP from the PC inside the LAN to the vpn client but can not RDP from client to the PC.
Any suggestions ??
RPPreacher
Turn off the Windows firewall on the PC inside the LAN
ASKER
Already off , anti virus also disabled
Does the PC have RDP enabled? Can you RDP to the PC from inside the LAN?
ASKER
Yes, it has .
So you can RDP to it from inside the LAN?
From a command prompt on the VPN client, can you do this?
telnet <pc ip address> 3389
From a command prompt on the VPN client, can you do this?
telnet <pc ip address> 3389
ASKER
Its just saying connecting to 10.0.0.160.....
You are positive RDP is running? From a 10.0.0.x PC, you can RDP to 10.0.0.160?
ASKER
Yes 100 % sure , i just verified it now . Let me use a different machine and install the client on that and see what happens,
ASKER
No its still not working.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It's got to be a firewall. Did you turn off WINDOWS firewall on the network interface, not the third party firewall/AV
Yeah it definitely sounds like a firewall issue. If it's not windows, it could be Norton, Mcafee, Zone alarm?
There are a ton of different firewalls out there, and it's not just software. Do you have a hardware firewall or is this all internally?
There are a ton of different firewalls out there, and it's not just software. Do you have a hardware firewall or is this all internally?
ASKER
Yes, turned out to be an ACL ,denying the incoming traffic from the vpn clients.. I had enabled icmp and hence i was able to ping bu not rdp.. Problem solved.
Thanks!!
Thanks!!
ASKER
Although my above problem is solved but i am unable to undertand why i am not able to telnet from the internet to the router or use SDM to connect from the internet to the router.. I know its again some ACL thats blocking it. Can you please tell me where is it :-
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BM
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login USERAUTHENTICATION local
aaa authorization console
aaa authorization exec EXECMODE local
aaa authorization network NETWORKAUTHORIZATION local
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint LOCAL
enrollment selfsigned
serial-number
ip-address 10.0.0.251
revocation-check crl
!
!
crypto pki certificate chain tti
crypto pki certificate chain LOCAL
certificate self-signed 49
3082028B 308201F4 A0030201 02020149 300D0609 2A864886 F70D0101 04050030
51314F30 12060355 0405130B 46435A31 32333131 30383430 1706092A 864886F7
0D010908 130A3130 2E302E30 2E323531 30200609 2A864886 F70D0109 02161342
454C544F 4E4D4153 5345592E 424D2E63 6F6D301E 170D3039 30343039 31363231
31385A17 0D323030 31303130 30303030 305A3051 314F3012 06035504 05130B46
435A3132 33313130 38343017 06092A86 4886F70D 01090813 0A31302E 302E302E
32353130 2006092A 864886F7 0D010902 16134245 4C544F4E 4D415353 45592E42
4D2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DA4F A6BD12EB D61D6F4D 21C473E6 8156985C 15EC95A4 63EBC921 EEE21120
F8E6C9E5 C759F705 B7467AA4 DFF2BAB2 BE85116B 3080476D 866EA65C 95F6CC90
7D4257CE D2B08E9F 1E855090 6063F5B2 EB785E9A 69FC60A4 6F9C3FC7 E979E64A
39CBEFAF 299B4C22 125A76CF 4D6040CB 433FE7C3 E0C88ABB C6C96BC1 54946D1E
A9750203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 1342454C 544F4E4D 41535345 592E424D 2E636F6D 301F0603
551D2304 18301680 14C654A2 DA63BD3E 0A31E975 39F5FCE8 0411BB1B C3301D06
03551D0E 04160414 C654A2DA 63BD3E0A 31E97539 F5FCE804 11BB1BC3 300D0609
2A864886 F70D0101 04050003 818100BA 3D6158E7 C9F9FCCE 6F793E37 F67ADF82
B621B199 F1B68A8A 71A2B2E9 814FDC4F 1B533C11 61587FC0 57BB12B8 06C31581
5493A37A C1B447E6 E65BC64A 798C25CA 151A7C04 5D2F7F67 EB8903C5 0FCAEE33
1DF7D3EC 137DAD25 7DA67BCF 071CCF61 9B1B4D5C 50E7F640 4F64F659 C7282B88
D7F37819 83950403 38804485 5B4741
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name BM.com
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp timeout 200
ip inspect name FIREWALL_RULES ftp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
username beltonmassey privilege 15 secret 5 $1$o0j7$y4vBET8YTk9vCob.Gu
username test privilege 0 secret 5 $1$TIKO$lIbIDhwVbTlMsQLQJs
!
! crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.0.0.4
domain BM.com
pool ippool
!
acl VPN_TRAFFIC_SPLIT_TUNNEL
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list USERAUTHENTICATION
crypto map clientmap isakmp authorization list NETWORKAUTHORIZATION
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
!
!
!
interface FastEthernet0/0
description INTERNAL LAN INTERFACE$FW_INSIDE$
ip address 10.0.0.251 255.255.255.0
ip access-group DMZ_TO_LAN out
ip nat inside
ip inspect FIREWALL_RULES in
ip virtual-reassembly
ip policy route-map ADSL
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE BT 10 MEG INTERFACE$FW_OUTSIDE$
ip address 160.X.Y.178 255.255.255.240
ip access-group OUTSIDE_IN_BT in
ip nat outside
ip virtual-reassembly
! duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1/0
description ADSL INTERFACE
ip address 192.168.0.2 255.255.255.0
ip access-group OUTSIDE_IN_ADSL in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/0
description DMZ INTERFACE$FW_DMZ$
ip address 172.31.0.1 255.255.255.0
ip access-group LAN_TO_DMZ out
ip nat inside
ip inspect FIREWALL_RULES in
ip virtual-reassembly
ip policy route-map ADSL
duplex auto
speed auto
!
ip local pool ippool 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 160.X.Y.178
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map ADSL interface FastEthernet0/1/0 overload
ip nat inside source route-map LEASEDLINE interface FastEthernet0/1 overload
ip nat inside source static 172.31.0.100 62.X.Y.180
!
ip access-list extended DEFAULT_ALLOW_ALL
deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended DMZ_TO_LAN
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip host 172.31.0.100 host 10.0.0.6
permit ip host 172.31.0.100 host 10.0.0.4
permit icmp any any
deny ip any any
ip access-list extended INTERNET_TRAFFIC_FROM_ISAS
permit ip host 172.31.0.200 any
ip access-list extended INTERNET_TRAFFIC_FROM_LAN
permit tcp 10.0.0.0 0.0.0.255 any eq www
permit udp 10.0.0.0 0.0.0.255 any eq domain
permit tcp 10.0.0.0 0.0.0.255 any eq 443
ip access-list extended LAN_TO_DMZ
permit ip host 10.0.0.2 host 172.31.0.100
permit ip host 10.0.0.4 host 172.31.0.100
permit ip host 10.0.0.6 host 172.31.0.100
permit icmp any any
deny ip any any
ip access-list extended OUTSIDE_IN_ADSL
permit icmp any any
deny ip any any
ip access-list extended OUTSIDE_IN_BT
permit tcp any host 172.31.0.100 eq smtp
permit tcp any host 172.31.0.100 eq pop3
permit icmp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
deny ip any any
ip access-list extended VPN_TRAFFIC
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_TRAFFIC_SPLIT_TUNNEL
permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
route-map LEASEDLINE permit 10
match ip address DEFAULT_ALLOW_ALL
match interface FastEthernet0/1
!
route-map ADSL permit 10
match ip address INTERNET_TRAFFIC_FROM_LAN INTERNET_TRAFFIC_FROM_ISAS
match interface FastEthernet0/1/0
set ip default next-hop 192.168.0.1
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
exec-timeout 0 0
authorization exec EXECMODE
logging synchronous
login authentication USERAUTHENTICATION
line aux 0
line vty 0 4
authorization exec EXECMODE
logging synchronous
login authentication USERAUTHENTICATION
transport input telnet ssh
line vty 5 15
authorization exec EXECMODE
login authentication USERAUTHENTICATION
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
end
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BM
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login USERAUTHENTICATION local
aaa authorization console
aaa authorization exec EXECMODE local
aaa authorization network NETWORKAUTHORIZATION local
!
!
aaa session-id common
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint LOCAL
enrollment selfsigned
serial-number
ip-address 10.0.0.251
revocation-check crl
!
!
crypto pki certificate chain tti
crypto pki certificate chain LOCAL
certificate self-signed 49
3082028B 308201F4 A0030201 02020149 300D0609 2A864886 F70D0101 04050030
51314F30 12060355 0405130B 46435A31 32333131 30383430 1706092A 864886F7
0D010908 130A3130 2E302E30 2E323531 30200609 2A864886 F70D0109 02161342
454C544F 4E4D4153 5345592E 424D2E63 6F6D301E 170D3039 30343039 31363231
31385A17 0D323030 31303130 30303030 305A3051 314F3012 06035504 05130B46
435A3132 33313130 38343017 06092A86 4886F70D 01090813 0A31302E 302E302E
32353130 2006092A 864886F7 0D010902 16134245 4C544F4E 4D415353 45592E42
4D2E636F 6D30819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DA4F A6BD12EB D61D6F4D 21C473E6 8156985C 15EC95A4 63EBC921 EEE21120
F8E6C9E5 C759F705 B7467AA4 DFF2BAB2 BE85116B 3080476D 866EA65C 95F6CC90
7D4257CE D2B08E9F 1E855090 6063F5B2 EB785E9A 69FC60A4 6F9C3FC7 E979E64A
39CBEFAF 299B4C22 125A76CF 4D6040CB 433FE7C3 E0C88ABB C6C96BC1 54946D1E
A9750203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 1342454C 544F4E4D 41535345 592E424D 2E636F6D 301F0603
551D2304 18301680 14C654A2 DA63BD3E 0A31E975 39F5FCE8 0411BB1B C3301D06
03551D0E 04160414 C654A2DA 63BD3E0A 31E97539 F5FCE804 11BB1BC3 300D0609
2A864886 F70D0101 04050003 818100BA 3D6158E7 C9F9FCCE 6F793E37 F67ADF82
B621B199 F1B68A8A 71A2B2E9 814FDC4F 1B533C11 61587FC0 57BB12B8 06C31581
5493A37A C1B447E6 E65BC64A 798C25CA 151A7C04 5D2F7F67 EB8903C5 0FCAEE33
1DF7D3EC 137DAD25 7DA67BCF 071CCF61 9B1B4D5C 50E7F640 4F64F659 C7282B88
D7F37819 83950403 38804485 5B4741
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name BM.com
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp timeout 200
ip inspect name FIREWALL_RULES ftp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
username beltonmassey privilege 15 secret 5 $1$o0j7$y4vBET8YTk9vCob.Gu
username test privilege 0 secret 5 $1$TIKO$lIbIDhwVbTlMsQLQJs
!
! crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.0.0.4
domain BM.com
pool ippool
!
acl VPN_TRAFFIC_SPLIT_TUNNEL
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list USERAUTHENTICATION
crypto map clientmap isakmp authorization list NETWORKAUTHORIZATION
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
!
!
!
interface FastEthernet0/0
description INTERNAL LAN INTERFACE$FW_INSIDE$
ip address 10.0.0.251 255.255.255.0
ip access-group DMZ_TO_LAN out
ip nat inside
ip inspect FIREWALL_RULES in
ip virtual-reassembly
ip policy route-map ADSL
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE BT 10 MEG INTERFACE$FW_OUTSIDE$
ip address 160.X.Y.178 255.255.255.240
ip access-group OUTSIDE_IN_BT in
ip nat outside
ip virtual-reassembly
! duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1/0
description ADSL INTERFACE
ip address 192.168.0.2 255.255.255.0
ip access-group OUTSIDE_IN_ADSL in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/0
description DMZ INTERFACE$FW_DMZ$
ip address 172.31.0.1 255.255.255.0
ip access-group LAN_TO_DMZ out
ip nat inside
ip inspect FIREWALL_RULES in
ip virtual-reassembly
ip policy route-map ADSL
duplex auto
speed auto
!
ip local pool ippool 192.168.1.1 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 160.X.Y.178
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map ADSL interface FastEthernet0/1/0 overload
ip nat inside source route-map LEASEDLINE interface FastEthernet0/1 overload
ip nat inside source static 172.31.0.100 62.X.Y.180
!
ip access-list extended DEFAULT_ALLOW_ALL
deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended DMZ_TO_LAN
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip host 172.31.0.100 host 10.0.0.6
permit ip host 172.31.0.100 host 10.0.0.4
permit icmp any any
deny ip any any
ip access-list extended INTERNET_TRAFFIC_FROM_ISAS
permit ip host 172.31.0.200 any
ip access-list extended INTERNET_TRAFFIC_FROM_LAN
permit tcp 10.0.0.0 0.0.0.255 any eq www
permit udp 10.0.0.0 0.0.0.255 any eq domain
permit tcp 10.0.0.0 0.0.0.255 any eq 443
ip access-list extended LAN_TO_DMZ
permit ip host 10.0.0.2 host 172.31.0.100
permit ip host 10.0.0.4 host 172.31.0.100
permit ip host 10.0.0.6 host 172.31.0.100
permit icmp any any
deny ip any any
ip access-list extended OUTSIDE_IN_ADSL
permit icmp any any
deny ip any any
ip access-list extended OUTSIDE_IN_BT
permit tcp any host 172.31.0.100 eq smtp
permit tcp any host 172.31.0.100 eq pop3
permit icmp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
deny ip any any
ip access-list extended VPN_TRAFFIC
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN_TRAFFIC_SPLIT_TUNNEL
permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
route-map LEASEDLINE permit 10
match ip address DEFAULT_ALLOW_ALL
match interface FastEthernet0/1
!
route-map ADSL permit 10
match ip address INTERNET_TRAFFIC_FROM_LAN INTERNET_TRAFFIC_FROM_ISAS
match interface FastEthernet0/1/0
set ip default next-hop 192.168.0.1
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
exec-timeout 0 0
authorization exec EXECMODE
logging synchronous
login authentication USERAUTHENTICATION
line aux 0
line vty 0 4
authorization exec EXECMODE
logging synchronous
login authentication USERAUTHENTICATION
transport input telnet ssh
line vty 5 15
authorization exec EXECMODE
login authentication USERAUTHENTICATION
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
end
You need to open a separate question and award the points for the original problem.