Solved

Enable RDP via IPSec Tunnel for Cisco Router

Posted on 2014-01-14
Last Modified: 2014-01-21
Hi. My site is connected to one of our providers' networks via an IPsec tunnel.

Site A: (my site)

crypto map secure 2 ipsec-isakmp
 set peer 123.123.123.12
 set security-association lifetime seconds 28800
 set transform-set myset1
 set pfs group2
 match address 110
--------------

c##sh access-list 110
Extended IP access-list 110
        10 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
        20 permit ip 192.168.100.0 0.0.0.255 123.123.123.100 0.0.0.255


Site B: No access but tunnel is up and running.

Above is part of my running config. Currently RDP is working from Site A to B but not the other way around. Also, SMB and Ping are working from B to A.

What do I need to make RDP from Site B to A work?

I appreciate any guidance.

Thanks.
0
Comment
Question by:pords
14 Comments
 
LVL 11

Expert Comment

by:marek1712
ID: 39781678
Is the zone-based firewall configured? Can you show us the full config (of course, censor all the critical parts)?
Also, what is the addressing scheme?
Can you start debugging the ACLs when someone from Site B tries to access RD in Site A?

PS - please, enclose all the configs in the CODE tag - it's easier to browse.
0
 

Author Comment

by:pords
ID: 39782381
User Access Verification

SiteA#sh run
Building configuration...

Current configuration : 6114 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SiteA
!
enable secret 5 $1$PdYC$QWDPktIqXoChbZdk46ma30
enable password 7 01001503
!
username xxxx password 7 0017061614541912
username yyy password 7 06151A315C411B0D
aaa new-model
!
!
aaa authentication login default local
aaa authentication login console none
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall streamworks
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall http java-list 50
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 10
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 10
 no l2tp tunnel authentication
!
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 $99t address 2xx.xxx.xx.xxx
crypto isakmp key 0 Qu66 address xxx.xxx.xxx.xxx
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map secure 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set myset
 set pfs group2
 match address 110
crypto map secure 2 ipsec-isakmp
 description Connected to TUHS (Temple)
 set peer yyy.yyy.yyy.yyy
 set security-association lifetime seconds 28800
 set transform-set myset1
 set pfs group2
 match address 111
!
!
!
!
interface Ethernet0
 ip address 192.168.0.98 255.255.255.0
 ip access-group 100 in
 ip helper-address 192.168.1.200
 ip nat inside
 no cdp enable
!
interface Ethernet1
 description Connected to Internet
 ip address mmm.mmm.mmm.mmm 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect Firewall out
 duplex auto
 no cdp enable
 crypto map secure
!
interface Virtual-Template10
 ip unnumbered Ethernet0
 peer default ip address pool vpnpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip local pool vpnpool 192.168.0.240 192.168.0.249
ip nat pool white 67.151.122.13 67.151.122.14 netmask 255.255.255.248
ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.0.10 1723 interface Ethernet1 1723
ip nat inside source route-map mustnat pool white overload
ip classless
ip route 0.0.0.0 0.0.0.0 mmm.mmm.mmm.mm1
ip route 192.168.1.0 255.255.255.0 mmm.mmm.mmm.mm1
ip http server
no ip http secure-server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip host 12.xx.xx.xx0 any
access-list 101 permit ip host 162.xx.xx.xxx any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit tcp any host mmm.mmm.mmm.mmm eq 1723
access-list 101 permit gre any host mmm.mmm.mmm.mmm
access-list 101 permit esp any host mmm.mmm.mmm.mmm
access-list 101 permit udp any host mmm.mmm.mmm.mmm eq isakmp
access-list 101 permit udp any host mmm.mmm.mmm.mmm eq non500-isakmp
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip host nn.nn.nn.nn any
access-list 101 permit ip host ss.ss.ss.ss any
access-list 101 permit ip aa.aa.aa.aa 0.0.0.15 any
access-list 101 permit ip 67.xxx.xx.xx 0.0.0.15 any
access-list 101 permit ip host 155.xx.xx.xx any
access-list 101 permit ip host 155.xx.xx.xx any
access-list 101 permit icmp host xx.xx.xx.xx any echo
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 155.xx.xx.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip host 12.xx.xx.xx any
access-list 105 permit ip host 162.xx.xx.xx any
access-list 105 permit ip host nn.nn.nn.nn any
access-list 105 permit ip host ss.ss.ss.ss any
access-list 105 permit ip aa.aa.aa.aa 0.0.0.15 any
access-list 105 permit ip 67.xx.xx.xx 0.0.0.15 any
access-list 105 permit ip host 155.xx.xx.xx any
access-list 105 permit ip host 155.xx.xx.xx any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 any
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 155.xxx.xx.0 0.0.0.255
access-list 112 permit ip 192.168.0.0 0.0.0.255 host 155.xx.xx.xx
access-list 120 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 155.xx.xx.0 0.0.0.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
route-map mustnat permit 10
 match ip address 120
!
!
line con 0
 exec-timeout 120 0
 login authentication console
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 105 in
 exec-timeout 120 0
 password 7 09786B24292932060E000A2F3F
!
scheduler max-task-time 5000
!
end

SiteA#


0
 

Author Comment

by:pords
ID: 39782387
Thanks for responding. Just so you know, I just inherited this config and I still don't have a good idea of what the other ACLs do, but right now we are more concerned with the RDP traffic flowing from Site B to A. We will be replacing this router with a firewall that we can easily manage.
0
 
LVL 11

Expert Comment

by:marek1712
ID: 39783103
Hmm, there's quite a mess in the ACL section.
You may try to disable inspection on Ethernet 1:
configure terminal
interface Ethernet 1
no ip inspect Firewall out

Also, issue the following (you can replace any with the subnet that has to access RDP, and X.X.X.X with the RD server):
ip access-list extended 100
permit tcp any host X.X.X.X eq 3389

But it shouldn't be required, as there is a permit any any.
If it doesn't work, we'll need to debug ip packet and access-list.
0
 

Author Comment

by:pords
ID: 39783841
I've added the permit rule but didn't remove the inspection. So far no success, so I'll remove the inspection later tonight when nobody is online. I'll update the thread as soon as it's tested.

Thanks!
0
 

Author Comment

by:pords
ID: 39783849
BTW, any reason why RDP is not working while SMB and ping work? Just wondering, since there is no explicit rule for either protocol.
0
 
LVL 11

Expert Comment

by:marek1712
ID: 39783856
Probably being treated as known protocols by Cisco. I had the same issue with Zone Based Firewall.
0
 

Author Comment

by:pords
ID: 39784427
hey marek,

Removing the inspection didn't help either. Of course, if I publish port 3389 over the WAN then that will work, but not through the VPN tunnel.
0
 
LVL 11

Accepted Solution

by:
marek1712 earned 350 total points
ID: 39784755
No no, port forwarding RDP is a really bad idea, as you know :)
Anyway, I'd look closely at ACL 110. Before this deny, I'd place an explicit entry to allow RDP from the remote network.

And as I've mentioned, please debug the ACLs. Short information HERE.
0
 

Author Comment

by:pords
ID: 39785549
this is what i got from the debugging..

aa.bb.cc.dd = WAN int
aa.bb.cc.ff = WAN Gateway

11:40:37: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:37:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:40: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:40:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:46: IP: s=aa.bb.cc.dd (Ethernet0), d=10.xx.56.62 (Ethernet1), g=aa.bb.cc.ff, len 52, forward
11:40:46:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN



I am curious why it's coming from the WAN and not the private IP. If I do a telnet to SMB on the same host, I get the private IP instead of the WAN IP.
0
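The debug lines above are the whole clue: the SYN-ACK from the RDP server leaves the router with the WAN address as its source, while an SMB reply from the same host keeps its private address. As an added example (not part of the thread, and not code from either poster), the script below parses `debug ip packet detail` output in that two-line format and flags packets bound for a tunnel-protected subnet whose source has already been rewritten to the WAN address, so they can no longer match the crypto ACL. The sample lines and addresses (203.0.113.10 standing in for the WAN interface, 203.0.113.9 for its gateway, 10.20.56.62 for the Site B host) are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the lines pords posted: two RDP SYN-ACKs that
# leave with the WAN address as source, and one SMB SYN-ACK from the same server
# that keeps its private address. Addresses are documentation/private ranges.
SAMPLE_DEBUG = """\
11:40:37: IP: s=203.0.113.10 (Ethernet0), d=10.20.56.62 (Ethernet1), g=203.0.113.9, len 52, forward
11:40:37:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:40: IP: s=203.0.113.10 (Ethernet0), d=10.20.56.62 (Ethernet1), g=203.0.113.9, len 52, forward
11:40:40:     TCP src=3389, dst=64156, seq=2645208567, ack=1450691754, win=16384 ACK SYN
11:40:52: IP: s=192.168.0.10 (Ethernet0), d=10.20.56.62 (Ethernet1), g=203.0.113.9, len 52, forward
11:40:52:     TCP src=445, dst=51002, seq=1933001, ack=77120, win=16384 ACK SYN
"""

# `debug ip packet detail` prints one IP-header line followed by one transport
# line per packet; only TCP transport lines are handled here.
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): IP: s=(?P<src>[\d.]+) \((?P<sif>[\w/.-]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<dif>[\w/.-]+)\), g=(?P<gw>[\d.]+), "
    r"len (?P<len>\d+), (?P<action>\w+)$"
)
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):\s+TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), "
    r".*win=\d+ (?P<flags>[A-Z ]+)$"
)


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int
    flags: str
    action: str


def parse_debug(text: str) -> List[Packet]:
    """Pair each IP line with the TCP line that follows it."""
    packets: List[Packet] = []
    pending = None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            pending = m
            continue
        t = TCP_LINE.match(line)
        if t and pending is not None:
            packets.append(Packet(
                src=ipaddress.IPv4Address(pending["src"]),
                dst=ipaddress.IPv4Address(pending["dst"]),
                sport=int(t["sport"]),
                dport=int(t["dport"]),
                flags=t["flags"].strip(),
                action=pending["action"],
            ))
            pending = None
    return packets


def find_translated_replies(packets: List[Packet], wan_ip: str,
                            local_net: str, remote_nets: List[str]) -> List[Packet]:
    """Return tunnel-bound packets whose source is the WAN address.

    A crypto ACL such as the thread's ACL 111 matches <local_net> -> <remote>.
    A packet to a remote subnet that already carries the WAN address as source
    was translated before the crypto map saw it and will be forwarded in the
    clear instead of through the tunnel.
    """
    wan = ipaddress.IPv4Address(wan_ip)
    local = ipaddress.IPv4Network(local_net)
    remotes = [ipaddress.IPv4Network(n) for n in remote_nets]
    hits = []
    for p in packets:
        if not any(p.dst in n for n in remotes):
            continue            # Internet-bound: translation is expected here
        if p.src in local:
            continue            # untranslated, will match the crypto ACL
        if p.src == wan:
            hits.append(p)      # NAT ran first; this never enters the tunnel
    return hits


if __name__ == "__main__":
    pkts = parse_debug(SAMPLE_DEBUG)
    for p in find_translated_replies(pkts, "203.0.113.10",
                                     "192.168.0.0/24", ["10.0.0.0/8", "192.168.1.0/24"]):
        print(f"translated before crypto: {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
```

Run it against a capture of the real debug (with the WAN address and the local and remote subnets from the crypto ACL substituted) and any line it prints is a flow that a static `ip nat inside source` entry is rewriting ahead of the crypto map; the SMB reply in the sample is not reported because it keeps its private source.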
 

Assisted Solution

by:pords
pords earned 0 total points
ID: 39785804
It's fixed. Removing the entry below resolved the issue.

ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389



Thanks for your debugging suggestion. I found the clue there.
0
 
LVL 11

Expert Comment

by:marek1712
ID: 39786696
What does simple port forward have to do with VPN? Strange.
0
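Why a plain port-forward breaks the tunnel, as an added note that is not part of the thread: on IOS, a packet going from the inside to the outside interface is routed, then translated by NAT, and only then compared against the crypto map on the egress interface. The static `ip nat inside source static tcp 192.168.0.10 3389 ...` entry carries no route-map, so it rewrites the source of every reply from 192.168.0.10:3389 to the Ethernet1 address, including replies to the Site B hosts in 10.0.0.0/8. The rewritten packet no longer matches crypto ACL 111 (which requires a 192.168.0.0/24 source), so it is forwarded to the WAN gateway in the clear instead of into the tunnel, which is exactly what the debug output showed. SMB and ping from the same host have no static entry; they fall through to the dynamic rule, whose route-map `mustnat` (ACL 120) denies translation for the tunnel subnets, so they keep their private source and are encrypted. The block below shows the relevant lines from the posted config, the fix applied in the thread, and the checks; ACL 150 and the debug scoping are assumptions, not part of the posted configuration.

```cisco
! Inherited NAT section (from the posted config). The static entries are not
! gated by route-map mustnat, so they translate for every destination, tunnel
! subnets included; only the dynamic rule is exempted by ACL 120.
ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.0.10 1723 interface Ethernet1 1723
ip nat inside source route-map mustnat pool white overload
route-map mustnat permit 10
 match ip address 120
access-list 120 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 155.xx.xx.0 0.0.0.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
!
! Fix applied in the thread: drop the RDP port-forward. Replies from
! 192.168.0.10:3389 now reach the dynamic rule, ACL 120 denies translation
! for tunnel-bound traffic, and the untranslated packet matches crypto ACL 111.
! ACL 150 (an assumption, not in the posted config) scopes the debug to the
! RDP server so the router is not flooded with packet debugging.
configure terminal
 no ip nat inside source static tcp 192.168.0.10 3389 interface Ethernet1 3389
 access-list 150 permit tcp host 192.168.0.10 eq 3389 10.0.0.0 0.255.255.255
 access-list 150 permit tcp 10.0.0.0 0.255.255.255 host 192.168.0.10 eq 3389
 end
!
! Checks from exec mode: clear stale translations, then confirm that the
! server's RDP replies are no longer translated and are being encapsulated.
clear ip nat translation *
show ip nat translations
debug ip packet 150 detail
show crypto ipsec sa peer yyy.yyy.yyy.yyy
undebug all
! Expected after the fix: the IP line in the debug shows s=192.168.0.10 rather
! than the Ethernet1 address, and the #pkts encaps counter for the
! 192.168.0.0/24 <-> 10.0.0.0/8 identity in `show crypto ipsec sa` increases
! while an RDP session is opened from Site B.
```

The same ordering applies to the remaining static entry for TCP 1723: it is harmless for the tunnel only as long as nobody needs PPTP from Site B, and, as marek1712 says, exposing RDP on the WAN address was never a good idea in the first place, so removing the forward rather than working around it is the right fix.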
 

Author Closing Comment

by:pords
ID: 39796414
Found the fix myself, but not without the suggestion from the other poster.
0
