pords asked:
Enable RDP via IPSec Tunnel for Cisco Router

Hi. My site is connected to one of our providers' networks via an IPsec tunnel.

Site A: (my site)

crypto map secure 2 ipsec-isakmp
 set peer 123.123.123.12
 set security-association lifetime seconds 28800
 set transform-set myset1
 set pfs group2
 match address 110
--------------

c##sh access-list 110
Extended IP access-list 110
        10 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
        20 permit ip 192.168.100.0 0.0.0.255 123.123.123.100 0.0.0.255


Site B: No access, but the tunnel is up and running.

Above is part of my running config. Currently RDP is working from Site A to B but not the other way around. Also, SMB and ping are working from B to A.

What do I need to be able to make RDP from Site B to A work?

I appreciate any guidance.

Thanks.
marek1712 replied:

Is the zone based firewall configured? Can you show us full config (of course, censor all the critical parts)?
Also - what is the addressing scheme?
Can you start debugging the ACLs when someone from the SiteB tries to access RD in SiteA?

PS - please, enclose all the configs in the CODE tag - it's easier to browse.
pords (asker):

User Access Verification

SiteA#sh run
Building configuration...

Current configuration : 6114 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SiteA
!
enable secret 5 $1$PdYC$QWDPktIqXoChbZdk46ma30
enable password 7 01001503
!
username xxxx password 7 0017061614541912
username yyy password 7 06151A315C411B0D
aaa new-model
!
!
aaa authentication login default local
aaa authentication login console none
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall streamworks
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall http java-list 50
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 10
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 10
 no l2tp tunnel authentication
!
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 $99t address 2xx.xxx.xx.xxx
crypto isakmp key 0 Qu66 address xxx.xxx.xxx.xxx
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map secure 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set myset
 set pfs group2
 match address 110
crypto map secure 2 ipsec-isakmp
 description Connected to TUHS (Temple)
 set peer yyy.yyy.yyy.yyy
 set security-association lifetime seconds 28800
 set transform-set myset1
 set pfs group2
 match address 111
!
!
!
!
interface Ethernet0
 ip address 192.168.0.98 255.255.255.0
 ip access-group 100 in
 ip helper-address 192.168.1.200
 ip nat inside
 no cdp enable
!
interface Ethernet1
 description Connected to Internet
 ip address mmm.mmm.mmm.mmm 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect Firewall out
 duplex auto
 no cdp enable
 crypto map secure
!
interface Virtual-Template10
 ip unnumbered Ethernet0
 peer default ip address pool vpnpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip local pool vpnpool 192.168.0.240 192.168.0.249
ip nat pool white 67.151.122.13 67.151.122.14 netmask 255.255.255.248
ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.0.10 1723 interface Ethernet1 1723
ip nat inside source route-map mustnat pool white overload
ip classless
ip route 0.0.0.0 0.0.0.0 mmm.mmm.mmm.mm1
ip route 192.168.1.0 255.255.255.0 mmm.mmm.mmm.mm1
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip host 12.xx.xx.xx0 any
access-list 101 permit ip host 162.xx.xx.xxx any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit tcp any host mmm.mmm.mmm.mmm eq 1723
access-list 101 permit gre any host mmm.mmm.mmm.mmm
access-list 101 permit esp any host mmm.mmm.mmm.mmm
access-list 101 permit udp any host mmm.mmm.mmm.mmm eq isakmp
access-list 101 permit udp any host mmm.mmm.mmm.mmm eq non500-isakmp
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip host nn.nn.nn.nn any
access-list 101 permit ip host ss.ss.ss.ss any
access-list 101 permit ip aa.aa.aa.aa 0.0.0.15 any
access-list 101 permit ip 67.xxx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 155.xx.xx.xx any
access-list 101 permit ip host 155.xx.xx.xx any
access-list 101 permit icmp host xx.xx.xx.xx any echo
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 155.xx.xx.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip host 12.xx.xx.xx any
access-list 105 permit ip host 162.xx.xx.xx any
access-list 105 permit ip host nn.nn.nn.nn any
access-list 105 permit ip host ss.ss.ss.ss any
access-list 105 permit ip aa.aa.aa.aa 0.0.0.15 any
access-list 105 permit ip 67.xx.xx.xx 0.0.0.15 any
access-list 105 permit ip host 155.xx.xx.xx any
access-list 105 permit ip host 155.xx.xx.xx any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 155.xxx.xx.0 0.0.0.255
access-list 112 permit ip 192.168.0.0 0.0.0.255 host 155.xx.xx.xx
access-list 120 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 155.xx.xx.0 0.0.0.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
route-map mustnat permit 10
 match ip address 120
!
!
line con 0
 exec-timeout 120 0
 login authentication console
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 105 in
 exec-timeout 120 0
 password 7 09786B24292932060E000A2F3F
!
scheduler max-task-time 5000
!
end

SiteA#

pords (asker):

Thanks for responding. Just so you know, I just inherited this config and I still don't have a good idea of what the other ACLs do, but right now we are more concerned with the RDP traffic flowing from Site B to A. We will be replacing this router with a firewall that we can easily manage.
marek1712 replied:

Hmm, there's quite a mess in the ACL section.
You may try to disable inspection on Ethernet 1:

configure terminal
interface Ethernet 1
no ip inspect Firewall out

Also - issue the following:

ip access-list extended 100
permit tcp any host X.X.X.X eq 3389

(you can replace any with the subnet that has to access RDP and X.X.X.X with the RD server).

But it shouldn't be required as there is permit any any.
If it won't work we'll need to perform debugging on ip packet and access-list.
pords (asker):

I've added the permit rule but didn't remove the inspection. So far no success, so I'll remove the inspection later tonight when nobody is online. I'll update the thread as soon as it's tested.

Thanks!
pords (asker):

By the way, any reason why RDP is not working while SMB and ping work? Just wondering, since there is no explicit rule for either protocol.

marek1712 replied:

Probably being treated as known protocols by Cisco. I had the same issue with Zone Based Firewall.
pords (asker):

Hey marek,

Removing the inspection didn't help either. Of course, if I publish port 3389 over the WAN then that will work, but not through the VPN tunnel.
ASKER CERTIFIED SOLUTION by marek1712 (members-only content, not shown on this page)
pords (asker):

This is what I got from the debugging:

aa.bb.cc.dd = WAN int
aa.bb.cc.ff = WAN Gateway

11:40:37: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:37:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:40: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:40:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:46: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:46:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN

I am curious why it's coming from the WAN and not the private IP. If I do a telnet to SMB on the same host, I get the private IP instead of the WAN IP.
SOLUTION by another member (members-only content, not shown on this page)
What does simple port forward have to do with VPN? Strange.
pords (asker):

Found the fix myself, but not without the suggestion from the other poster.
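To show why only RDP broke while SMB and ping kept working, here is an added model of the SiteA inside-to-outside path (example code written for this page, not from the thread, the accepted answer, or Cisco). It relies on two IOS behaviours: for traffic arriving on an inside interface, NAT is applied before the crypto map's match ACL is evaluated, and static `ip nat inside source static` entries are matched before the route-map-controlled dynamic entry. The posted line `ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389` therefore rewrites the source of every reply from port 3389 to the WAN address; the rewritten packet no longer matches crypto ACL 111 and is forwarded in the clear to the default gateway, which is exactly what the debug output shows (s=WAN address, g=WAN gateway, ACK SYN with src=3389). SMB and ping have no static entry, so ACL 120 in route-map mustnat exempts them from NAT and they still match ACL 111. The "fixed" configuration in the model attaches the same route-map ACL to the static entry; that is my assumption, since the accepted answer is not visible on this page. On IOS it corresponds to a conditional static translation of the form `ip nat inside source static tcp 192.168.0.10 3389 <wan-ip> 3389 route-map mustnat extendable` (confirm the syntax on the running release). Addresses the page masks (the WAN address, the Site B host, the 155.x lines) are replaced by constructed placeholders or omitted, and PAT port rewriting is not modelled.

```python
"""Model of the IOS inside-to-outside path for the SiteA router on this page.
Added example, not the page's own config. Placeholder addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN_IP = "203.0.113.10"       # constructed stand-in for mmm.mmm.mmm.mmm (Ethernet1)
SITE_B_HOST = "10.20.56.62"   # constructed stand-in for 10.xx.56.62 in the debug
RDP_SERVER = "192.168.0.10"   # from the posted static NAT line
POOL_IP = "67.151.122.13"     # first address of 'ip nat pool white' on the page

# ACLs copied from the posted config (IOS wildcard masks); masked 155.x lines omitted
ACL_111 = [  # crypto map "secure 2" match address: traffic to encrypt
    ("permit", "192.168.0.0 0.0.0.255", "10.0.0.0 0.255.255.255"),
]
ACL_120 = [  # route-map mustnat: what to NAT (VPN destinations are denied = exempt)
    ("deny", "192.168.0.0 0.0.0.255", "10.0.0.0 0.255.255.255"),
    ("deny", "192.168.0.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
    ("permit", "192.168.0.0 0.0.0.255", "0.0.0.0 255.255.255.255"),
]


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS 'network wildcard' match: bits set in the wildcard are ignored."""
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


@dataclass
class StaticNat:
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    route_map_acl: Optional[list] = None  # conditional static NAT (assumed fix)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def inside_to_outside(pkt: Packet, statics, dynamic_acl, pool_ip: str):
    """Return (post-NAT packet, 'ipsec' or 'clear').
    Static entries are consulted before the dynamic route-map entry, and the
    crypto ACL is evaluated on the packet *after* NAT, as IOS does."""
    out = Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    for s in statics:
        matches_host = (pkt.src, pkt.sport) == (s.local_ip, s.local_port)
        allowed = s.route_map_acl is None or \
            acl_action(s.route_map_acl, pkt.src, pkt.dst) == "permit"
        if matches_host and allowed:
            out.src, out.sport = s.global_ip, s.global_port
            break
    else:  # no static entry applied: fall through to the dynamic (route-map) entry
        if acl_action(dynamic_acl, pkt.src, pkt.dst) == "permit":
            out.src = pool_ip  # PAT overload; port rewrite not modelled
    path = "ipsec" if acl_action(ACL_111, out.src, out.dst) == "permit" else "clear"
    return out, path


# As posted: unconditional static port forward for RDP
ORIGINAL = [StaticNat(RDP_SERVER, 3389, WAN_IP, 3389)]
# Assumed fix: the same static entry, but skipped for destinations ACL 120 denies
FIXED = [StaticNat(RDP_SERVER, 3389, WAN_IP, 3389, route_map_acl=ACL_120)]


def rdp_reply() -> Packet:
    """SYN/ACK from the RD server back to the Site B client, as in the debug."""
    return Packet(RDP_SERVER, 3389, SITE_B_HOST, 64156)


def smb_reply() -> Packet:
    """Reply from the same host on 445, which the asker saw keep its private IP."""
    return Packet(RDP_SERVER, 445, SITE_B_HOST, 50000)


if __name__ == "__main__":
    for name, statics in (("original", ORIGINAL), ("fixed", FIXED)):
        for p in (rdp_reply(), smb_reply()):
            out, path = inside_to_outside(p, statics, ACL_120, POOL_IP)
            print(f"{name:8} {p.src}:{p.sport} -> src {out.src}:{out.sport}  sent via {path}")
```

Two practical notes when applying this on a real router: existing translations for 192.168.0.10 remain in the NAT table until they age out or are dropped with `clear ip nat translation *`, so re-test after clearing; and `debug ip packet detail` on a busy router should be limited with an ACL, for example a hypothetical `access-list 199 permit tcp host 192.168.0.10 eq 3389 any` followed by `debug ip packet 199 detail`, which captures only the RDP replies shown in the thread.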