pords
Enable RDP via IPSec Tunnel for Cisco Router
Hi. My site is connected to one of our providers' networks via an IPSec tunnel.
Site A: (my site)
crypto map secure 2 ipsec-isakmp
set peer 123.123.123.12
set security-association lifetime seconds 28800
set transform-set myset1
set pfs group2
match address 110
--------------
c##sh access-list 110
Extended IP access-list 110
10 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
20 permit ip 192.168.100.0 0.0.0.255 123.123.123.100 0.0.0.255
Site B: No access but tunnel is up and running.
Above is part of my running config. Currently RDP is working from Site A to B but not the other way around. Also, SMB and ping are working from B to A.
What do I need to make RDP from Site B to A work?
I appreciate any guidance.
Thanks.
ASKER
User Access Verification
SiteA#sh run
Building configuration...
Current configuration : 6114 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SiteA
!
enable secret 5 $1$PdYC$QWDPktIqXoChbZdk46ma30
enable password 7 01001503
!
username xxxx password 7 0017061614541912
username yyy password 7 06151A315C411B0D
aaa new-model
!
!
aaa authentication login default local
aaa authentication login console none
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall streamworks
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall http java-list 50
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 10
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 10
no l2tp tunnel authentication
!
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 $99t address 2xx.xxx.xx.xxx
crypto isakmp key 0 Qu66 address xxx.xxx.xxx.xxx
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map secure 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set myset
set pfs group2
match address 110
crypto map secure 2 ipsec-isakmp
description Connected to TUHS (Temple)
set peer yyy.yyy.yyy.yyy
set security-association lifetime seconds 28800
set transform-set myset1
set pfs group2
match address 111
!
!
!
!
interface Ethernet0
ip address 192.168.0.98 255.255.255.0
ip access-group 100 in
ip helper-address 192.168.1.200
ip nat inside
no cdp enable
!
interface Ethernet1
description Connected to Internet
ip address mmm.mmm.mmm.mmm 255.255.255.248
ip access-group 101 in
ip nat outside
ip inspect Firewall out
duplex auto
no cdp enable
crypto map secure
!
interface Virtual-Template10
ip unnumbered Ethernet0
peer default ip address pool vpnpool
ppp encrypt mppe auto required
ppp authentication ms-chap-v2
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip local pool vpnpool 192.168.0.240 192.168.0.249
ip nat pool white 67.151.122.13 67.151.122.14 netmask 255.255.255.248
ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.0.10 1723 interface Ethernet1 1723
ip nat inside source route-map mustnat pool white overload
ip classless
ip route 0.0.0.0 0.0.0.0 mmm.mmm.mmm.mm1
ip route 192.168.1.0 255.255.255.0 mmm.mmm.mmm.mm1
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip host 12.xx.xx.xx0 any
access-list 101 permit ip host 162.xx.xx.xxx any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit tcp any host mmm.mmm.mmm.mmm eq 1723
access-list 101 permit gre any host mmm.mmm.mmm.mmm
access-list 101 permit esp any host mmm.mmm.mmm.mmm
access-list 101 permit udp any host mmm.mmm.mmm.mmm eq isakmp
access-list 101 permit udp any host mmm.mmm.mmm.mmm eq non500-isakmp
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip host nn.nn.nn.nn any
access-list 101 permit ip host ss.ss.ss.ss any
access-list 101 permit ip aa.aa.aa.aa 0.0.0.15 any
access-list 101 permit ip 67.xxx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 155.xx.xx.xx any
access-list 101 permit ip host 155.xx.xx.xx any
access-list 101 permit icmp host xx.xx.xx.xx any echo
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 155.xx.xx.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip host 12.xx.xx.xx any
access-list 105 permit ip host 162.xx.xx.xx any
access-list 105 permit ip host nn.nn.nn.nn any
access-list 105 permit ip host ss.ss.ss.ss any
access-list 105 permit ip aa.aa.aa.aa 0.0.0.15 any
access-list 105 permit ip 67.xx.xx.xx 0.0.0.15 any
access-list 105 permit ip host 155.xx.xx.xx any
access-list 105 permit ip host 155.xx.xx.xx any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 155.xxx.xx.0 0.0.0.255
access-list 112 permit ip 192.168.0.0 0.0.0.255 host 155.xx.xx.xx
access-list 120 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 155.xx.xx.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
route-map mustnat permit 10
match ip address 120
!
!
line con 0
exec-timeout 120 0
login authentication console
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 105 in
exec-timeout 120 0
password 7 09786B24292932060E000A2F3F
!
scheduler max-task-time 5000
!
end
SiteA#
ASKER
Thanks for responding. Just so you know, I just inherited this config and I still don't have a good idea of what the other ACLs do, but right now we are more concerned with the RDP traffic flowing from Site B to A. We will be replacing this router with a firewall that we can easily manage.
Hmm, there's quite a mess in the ACL section.
You may try to disable inspection on Ethernet 1:
configure terminal
interface Ethernet 1
no ip inspect Firewall out
Also - issue the following:
ip access-list extended 100
permit tcp any host X.X.X.X eq 3389
(you can replace any with the subnet that has to access RDP and X.X.X.X with the RD server).
But it shouldn't be required as there is permit any any.
If it won't work we'll need to perform debugging on ip packet and access-list.
ASKER
I've added the permit rule but didn't remove the inspection. So far no success, so I'll remove the inspection later tonight when nobody is online. I'll update the thread as soon as it's tested.
Thanks!
ASKER
BTW, any reason why RDP is not working while SMB and ping work? Just wondering, since there is no explicit rule for either protocol.
Probably being treated as known protocols by Cisco. I had the same issue with Zone Based Firewall.
ASKER
Hey marek,
Removing the inspection didn't help either. Of course if I publish port 3389 over the WAN then that will work, but not through the VPN tunnel.
ASKER CERTIFIED SOLUTION
ASKER
This is what I got from the debugging.
aa.bb.cc.dd = WAN int
aa.bb.cc.ff = WAN Gateway
11:40:37: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:37: TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:40: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:40: TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:46: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:46: TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
I am curious why it's coming from the WAN and not the private IP. If I do a telnet to SMB on the same host, I get the private IP instead of the WAN IP.
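Read against crypto ACL 111 in the posted config, the debug above explains the asymmetry: the RD server's SYN/ACK leaves with the WAN interface address as its source (the static `ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389` entry rewrites it, and on IOS inside-to-outside NAT runs before the crypto map is consulted), so it no longer matches the 192.168.0.0/24 to 10.0.0.0/8 crypto ACL and is forwarded in the clear to the WAN gateway, whereas the SMB reply keeps its private source and is encrypted. The script below is an editor's addition, not part of the thread; it applies exactly that check to debug lines of this shape. The addresses in the sample are constructed stand-ins for the masked ones (203.0.113.10 for the WAN interface, 203.0.113.9 for the WAN gateway, 10.1.56.62 for the Site B client).

```python
import ipaddress
import re

# Crypto ACL 111 from the posted config: 192.168.0.0/24 -> 10.0.0.0/8 is what the
# crypto map encrypts (the masked 155.x.x.0/24 line is left out here).
CRYPTO_ACL_111 = [
    (ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("10.0.0.0/8")),
]

# Constructed sample in the shape of the asker's "debug ip packet" output.
# First pair: the RDP reply, source already rewritten to the WAN address.
# Second pair: an SMB reply that kept its private source (constructed contrast).
SAMPLE_DEBUG = """\
11:40:37: IP: s=203.0.113.10 (Ethernet0), d=10.1.56.62 (Ethernet1), g=203.0.113.9, len 52, forward
11:40:37: TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:41:02: IP: s=192.168.0.10 (Ethernet0), d=10.1.56.62 (Ethernet1), g=203.0.113.9, len 52, forward
11:41:02: TCP src=445, dst=64201, seq=1987654321, ack=123456789, win=16384 ACK SYN
"""

IP_LINE = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\), g=(\S+), len (\d+), (\w+)")
TCP_LINE = re.compile(r"TCP src=(\d+), dst=(\d+)")


def parse_debug(text):
    """Pair each 'IP:' line with the 'TCP' line that follows it."""
    flows, pending = [], None
    for line in text.splitlines():
        m = IP_LINE.search(line)
        if m:
            pending = {"src": m.group(1), "dst": m.group(3), "out_if": m.group(4), "gw": m.group(5)}
            continue
        t = TCP_LINE.search(line)
        if t and pending:
            pending.update(sport=int(t.group(1)), dport=int(t.group(2)))
            flows.append(pending)
            pending = None
    return flows


def matches_crypto_acl(src, dst, acl=CRYPTO_ACL_111):
    """True if the (post-NAT) src/dst pair would be selected for the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def find_leaks(text, acl=CRYPTO_ACL_111):
    """Flows bound for a VPN-protected destination whose source no longer matches
    the crypto ACL: these leave Ethernet1 unencrypted toward the WAN gateway."""
    leaks = []
    for f in parse_debug(text):
        d = ipaddress.ip_address(f["dst"])
        if any(d in dn for _, dn in acl) and not matches_crypto_acl(f["src"], f["dst"], acl):
            leaks.append(f)
    return leaks
```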
SOLUTION
What does simple port forward have to do with VPN? Strange.
ASKER
Found the fix myself, but not without the suggestion from the other poster.
Also - what is the addressing scheme?
Can you start debugging the ACLs when someone from Site B tries to access RD in Site A?
PS - please enclose all the configs in the CODE tag - it's easier to browse.