atsanders (United States of America)

asked on

RDP LAN connection failing utilizing Cisco Site-to-Site VPN

We have an IPsec Site-to-Site VPN connection between a Cisco 2911 router (Home Office) and a Cisco 861 router (Remote site).

1. Users behind the 861 router ARE able to access resources behind the 2911. Site-to-site working great.

2. Users behind the 861 ARE able to establish an RDP connection to the Terminal Server IF they use the Public/WAN IP address, as in: 172.164.x.x:3389.

3. However, users behind the 861 ARE NOT able to establish an RDP connection to the Terminal Server IF they use the Terminal Server LAN IP address, as in: 10.11.X.X:3389. Receiving the “Remote Desktop can’t connect to the remote computer” error.

4. Remote users utilizing an established Cisco VPN Client connection, NOT behind the 2911 or 861, ARE able to RDP to the Terminal Server IF they use the Server LAN IP address, as in 10.11.X.X:3389.

Appears to be an issue with RDP while utilizing Site-to-Site. Any thoughts or suggestions would be greatly appreciated.

Thank you!
Chip
John (Canada)

Make sure you have:

Internal IP x.y.z.w -> External IP (Home) -> Internet <- External IP (Office) <- Internal IP a.b.c.d

The two external IP addresses are different (must be) and then make sure the Internal Addresses are on different subnets. This is necessary.

You may need to make HOSTS entries for the other site at each machine (c:\windows\system32\drivers\etc\hosts).
atsanders (ASKER)

Thanks for the quick response John. I'll double check Cisco configs tomorrow and let you know. I did try entries in HOSTS file.
Chip
David Akinsanya
Can the S-2-S users ping the terminal server's local IP?
If not, what is the address pool for the S-2-S VPN users?
If different from the LAN, is the address included in the ACL (interesting traffic)?
Thanks for the response Akinsd.
Yes. Users can ping the Terminal Server's local IP. They have complete access to TS files and resources.
Both LANs are in different subnets.
John - Both External/WAN IPs are different.
861 router has an access-list permitting IP from the 2911 LAN.
2911 router has an access-list permitting IP from the 861 LAN.

I found a couple of posts stating Split-DNS must be configured and Crypto level 3DES must be used. Both are configured.
Any other thoughts?
Thanks!
Chip
Users can ping the Terminal Server's local IP.

Tunnel is up and you cannot access resources: What happens (what error) for the following:

NET USE T: \\IP Address of resource\folder name and authenticate. What error?
Hi John,
Tunnel is fine. Users CAN access resources and map drives.
Issue is: Users behind the 861 ARE NOT able to establish an RDP connection to the Terminal Server IF they use the Terminal Server LAN IP address, as in: 10.11.X.X:3389. Receiving the “Remote Desktop can’t connect to the remote computer” error.

Users behind the 861 ARE able to establish an RDP connection to the Terminal Server IF they use the Public/WAN IP address, as in: 172.164.x.x:3389.

What I'm trying to accomplish is users must utilize RDP to Terminal Server over VPN. I want to close RDP Port access from WAN. We had a security related issue with RDP from WAN.

Thanks!
Chip
You might want to look into the NAT configuration of your 2911 & 861.

Since you mentioned the TS server is being accessed via a public IP (172.164.x.x:3389), this means most likely you have a configuration for port forwarding/NAT between 10.11.X.X:3389 | 172.164.x.x:3389.

Depending on how the port forwarding and general NATing is configured, you might need to replace/remove it to enable direct communication between Site-861 and Site-2911.

If you could share your sanitized configuration for Site-2911 (where the TS resides) & Site-861, more specifically relating to NAT, VPN and ACL, experts might be able to better assist you with the configuration.
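The comment above points at the port-forward as the likely culprit, and the symptom pattern fits: ping and file shares reach the server's LAN address over the tunnel, only TCP 3389 fails. On IOS, inside-to-outside NAT runs before IPsec encryption, so a static port-forward for 10.11.X.X:3389 with no NAT exemption also rewrites the server's RDP replies destined for the remote LAN; the rewritten packets no longer match the crypto ACL, leave in the clear, and the handshake never completes. The configuration below is an added example written for this thread, not the accepted solution (which is not reproduced on this page) and not the poster's own config. Every address, interface name and ACL/route-map name in it is an assumed placeholder: head-office LAN 10.11.0.0/24 with the Terminal Server at 10.11.0.10, remote LAN 10.12.0.0/24 behind the 861, public address 198.51.100.2 on the 2911's GigabitEthernet0/0. It shows the 2911 side; the 861 needs the mirror-image exemption for its own dynamic NAT.

```cisco
! Added example (not from the thread): NAT exemption on the 2911 (head office).
! All addressing and names below are assumed placeholders.
!   head-office LAN      10.11.0.0/24   (Terminal Server 10.11.0.10)
!   remote-site LAN      10.12.0.0/24   (behind the 861)
!   2911 public address  198.51.100.2 on GigabitEthernet0/0
!   2911 LAN interface   GigabitEthernet0/1

! Traffic that must NOT be translated: local LAN to remote LAN.
! The deny line must mirror the crypto ACL (interesting traffic) exactly.
ip access-list extended NAT-EXEMPT
 deny   ip 10.11.0.0 0.0.0.255 10.12.0.0 0.0.0.255
 permit ip 10.11.0.0 0.0.0.255 any

! A deny in the ACL means "no match" for the route-map, hence no translation.
route-map NONAT permit 10
 match ip address NAT-EXEMPT

! Dynamic PAT for Internet access, filtered through the route-map.
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload

! The RDP port-forward. Without the route-map this static entry also rewrites
! the server's replies to 10.12.0.0/24 (source becomes 198.51.100.2), so they
! miss the crypto ACL and the TCP handshake fails, while ICMP and other ports
! still traverse the tunnel normally.
ip nat inside source static tcp 10.11.0.10 3389 198.51.100.2 3389 route-map NONAT extendable

! Once RDP over the tunnel is confirmed, remove the port-forward altogether so
! 3389 is no longer reachable from the WAN (the asker's stated goal):
! no ip nat inside source static tcp 10.11.0.10 3389 198.51.100.2 3389 route-map NONAT extendable

interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
```

To confirm the diagnosis before changing anything, start an RDP attempt from the remote LAN and watch `show ip nat translations` on the 2911: a translation line showing 10.11.0.10:3389 paired with the public address and a 10.12.x.x peer is the smoking gun. After applying the exemption, `show crypto ipsec sa` should show the encaps/decaps counters for the 10.11.0.0/24 <-> 10.12.0.0/24 pair climbing during the RDP session instead of stalling after the first packets.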
ASKER CERTIFIED SOLUTION
Nico Eisma (Philippines)

This solution is only available to members.
WOW ffleisma. Outstanding response. Thanks for the time, effort, and such detail. I'm out of the office. Will take a look ASAP.
Chip
I apologize for the delay ffleisma. Your assumption and resolution were right on. Issue has been resolved. Outstanding detail and support.
Thanks for your help ffleisma!
Chip