RDP thru Cisco VPN client and thru 501 Failure

Discussion in 'Cisco' started by curttampa, Aug 5, 2008.

  1. curttampa

    curttampa Guest

    From home, we use plain old home Netgear routers to connect up to the
    net. We use our laptops and the Cisco VPN client to connect up to a
    Cisco VPN Appliance in a data center and MS's RDP to connect up to our
    servers. This setup works perfectly. We use a PIX 501 from our office
    to connect to the net. The VPN Client connects up to the appliance
    just fine. However, RDP will not connect up to our servers. We are
    using a 172.16.1.x subnet within the data center. In the office, we
    just use a 192.168.4.x subnet. Anyone have any other ideas that might
    explain this failure?

    Thanks in advance. (Our 'expert' who set up all this is unable to
    explain it)
    curttampa, Aug 5, 2008

  2. Merv

    Merv Guest

    RDP packets cannot be fragmented. RDP sets the do-not-fragment bit in
    its TCP packets, so do a path MTU discovery manually using ping.

    Start with a ping packet length of 1500 and reduce until you have
    successful ping.

    ping -l 1500 -f <IP address>

    Can the VPN clients ping the servers in question? I.e. confirm there
    are no other connectivity issues.

    If they can ping successfully then determine the largest MTU that the
    client can use with no-fragment set.

    Adjust your NIC to use the discovered maximum path MTU size.

    Then set that MTU size on the VPN client and see if RDP connectivity
    is possible.
    Merv, Aug 5, 2008
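    The manual search Merv describes (shrink the DF-bit ping until it gets a reply, then add the 28 bytes of IP and ICMP header to get the path MTU) as a small script. This is an added example, not code from the thread or from Cisco; `ping_df` wraps the real `ping` command with the same `-l`/`-f` flags as above, and `largest_df_payload` takes any probe function so the search can be run against a constructed path as well as a live host.

```python
import subprocess
import sys
from typing import Callable

# IPv4 header (20 bytes) + ICMP echo header (8 bytes) sit on top of the
# payload that Windows "ping -l" counts.
HEADER_OVERHEAD = 28


def ping_df(host: str, payload: int) -> bool:
    """One echo request with Don't Fragment set; True only on a real echo reply.

    Windows: ping -l <payload> -f.  Linux iputils: ping -M do -s <payload>.
    A 'Packet needs to be fragmented' message is not a reply, so we look for
    the TTL field instead of trusting the exit code (assumes English output)."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-l", str(payload), "-f", host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True).stdout
    return b"ttl=" in out.lower()


def largest_df_payload(probe: Callable[[int], bool],
                       low: int = 0, high: int = 1472) -> int:
    """Binary search for the largest payload that passes with DF set.

    Returns -1 when even an empty payload gets no reply, which is the
    'request timed out at every size' symptom reported later in this thread:
    no amount of MTU tuning helps because nothing is reaching the far side."""
    if not probe(low):
        return -1
    if probe(high):
        return high
    # Invariant: probe(low) succeeds, probe(high) fails.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def path_mtu(probe: Callable[[int], bool]) -> int:
    """Path MTU in bytes, or -1 if the probe never succeeds."""
    payload = largest_df_payload(probe)
    return -1 if payload < 0 else payload + HEADER_OVERHEAD


if __name__ == "__main__":
    # Usage against a live host: python pmtu.py 172.16.1.10
    target = sys.argv[1]
    print("path MTU to", target, "=", path_mtu(lambda n: ping_df(target, n)))
```

The value returned by `path_mtu` is what goes into SetMTU (mentioned later in the thread) for the VPN adapter; the search needs about a dozen pings instead of stepping down one byte at a time.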

  3. curttampa

    curttampa Guest

    Isn't there an easier way? This seems real complicated. Maybe we
    should just dump this fancy firewall that prevents us from working.
    curttampa, Aug 6, 2008
  4. Merv

    Merv Guest

    The Cisco VPN client comes with a program SetMTU.exe that can be used
    to set the MTU size on the NIC on the PCs in question.

    If you want to skip the manual path MTU exercise then just set MTU to
    say 1300 temporarily on one PC to see if RDP connectivity is then
    Merv, Aug 6, 2008
  5. curttampa

    CurtTampa Guest

    When I do it from home, a packet size of 1273 is the largest that
    pings OK. Remember, my RDP works all the time.
    When the person in the office tries to ping at a 1500 size, he gets
    "packet needs to be fragmented"; at any size < 1273, he gets "request
    timed out".
    Sounds like he is not getting thru the Cisco Client at all.
    Next idea please?
    CurtTampa, Aug 8, 2008
  6. curttampa

    CurtTampa Guest

    One more thing, here is the ROUTE PRINT output from both machines.
    I don't know if this will point out anything or not; if not, sorry to
    waste your time.

    Home Route PRINT (Cisco Client Connected and RDP Working)
    C:\Documents and Settings\Curt>route PRINT

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 c0 a8 86 b0 45 ...... Realtek RTL8139 Family PCI Fast
    Ethernet NIC
    - Deterministic Network Enhancer Miniport
    0x20004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet
    Active Routes:
    Network Destination Netmask Gateway Interface
    Metric 20 1 1 10 10 1 1 1 10 20 20 20 10 20 1 1
    Default Gateway:

    Persistent Routes:

    C:\Documents and Settings\Curt>

    This is in the office where it FAILS

    C:\Documents and Settings\Chuck>route PRINT

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 06 5b ac 67 43 ...... 3Com 3C920 Integrated Fast Ethernet
    Controller (
    3C905C-TX Compatible) - Packet Scheduler Miniport
    0x3 ...00 0e 2e 52 91 62 ...... Realtek RTL8139 Family PCI Fast
    Ethernet NIC - P
    acket Scheduler Miniport
    0x10005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet
    Active Routes:
    Network Destination Netmask Gateway Interface
    Metric 20 1 1 20 20 1 1 1 20 20 20 20 20 20 1
    2 1 1
    Default Gateway:
    Persistent Routes:

    C:\Documents and Settings\Chuck>
    CurtTampa, Aug 8, 2008
  7. Merv

    Merv Guest

    Can you please provide some clarifications?

    Do you have a separate PC at home and at work, or is it a laptop that
    you take to and from the office?

    You say your RDP works all the time - does this mean at home and at
    the office?

    How many PCs in the office can use RDP and connect successfully?

    You have indicated that at least one cannot connect using RDP in the
    office - is there more than one that cannot use RDP?

    What is the device that interconnects the office 192.168.4.x subnet to
    the datacenter's 172.16.1.x subnet?
    Merv, Aug 9, 2008
  8. curttampa

    CurtTampa Guest

    Chuck has a desktop in the office that fails. He has a laptop that fails
    in the office network, but if he plugs it directly into the back of the
    cable modem it works perfectly.
    I on the other hand do not have an office PC, I work from home and mine
    works perfectly always.

    There are only two of us who attempt to use the VPN. Only 1 in the
    office ever. No PCs going thru the office PIX work ever.

    I have no clue what the device that interconnects the office 192.168.4.x
    subnet to the datacenter's 172.16.1.x subnet is at all. I know our
    'expert' has a 506E in his rack. He just calls it a 'Cisco VPN
    Appliance'. If that is critical I will attempt to contact him. That
    usually takes a month or so for him to get back to us on anything where
    we are not totally down.

    (Know any good Cisco people in Tampa, Florida?)
    CurtTampa, Aug 10, 2008
  9. Merv

    Merv Guest

    So the datacenter and the office are at two different sites?

    Clearly if Chuck can connect his PC directly to the office DSL modem
    and is then able to successfully use RDP to the datacenter, then this
    would tend to indicate that whatever the device is between Chuck's PC
    and the DSL modem is the source of the problem. If it is a firewall,
    then normally outbound TCP connections are automatically permitted and
    the return TCP traffic is allowed thru the firewall. However the
    firewall may be only permitting certain TCP ports thru, and if that is
    the case then RDP could certainly be impacted.

    Call the Cisco sales office in Tampa and ask for the names of a couple
    of good Cisco distributors in Tampa, and ring them up and see if they
    provide consulting services so you can get your issue resolved.
    Merv, Aug 10, 2008
  10. curttampa

    CurtTampa Guest

    That's the whole point of this posting and why I included the ROUTE
    PRINT. We have been told that there are no outgoing ports blocked in
    the office PIX. And since the Cisco VPN Client successfully connects
    to the data center thru the PIX, clearly that is not the issue. Traffic
    to the remote network is apparently not being routed thru the VPN
    client. I got there due to the fact that all pings to the remote
    network fail no matter what the packet size is.
    What is weird about this is, we replaced the PIX with a home Netgear
    for one day and it works just fine with no changes to any of the PCs
    in the office. So it must be the PIX somehow, even though it appears
    to be a routing issue.
    CurtTampa, Aug 10, 2008
  11. Merv

    Merv Guest

    A wild stab would be that NAT traversal is not configured on the PIX
    and is required for client VPN pass-thru.

    The Netgear will do that automatically.
    Merv, Aug 10, 2008
  12. Merv

    Merv Guest

    OBTW, if Chuck's PC is always at the office, then the office PIX could
    have been configured to establish a site-to-site VPN (IPsec tunnel) to
    the datacenter PIX, and then he would not need the Cisco VPN client to
    access the datacenter.
    Merv, Aug 10, 2008
  13. curttampa

    CurtTampa Guest

    Correct, but our 'Cisco' dude wants to charge us extra for an 'always
    on' connection.
    CurtTampa, Aug 11, 2008
  14. Merv

    Merv Guest

    Do you own the Cisco 501 and the Cisco 506E and the datacenter?

    Do you own the server at the datacenter?
    Merv, Aug 11, 2008
  15. curttampa

    CurtTampa Guest

    We own our servers. We rent the 1/2 rack they sit in. I only speculated
    that our connection is thru his 506E; I am not sure of that. We are
    patch cable linked to his rack because he still handles our backups. Due
    to the fact we are linked, he insists (with good reason) that we come
    thru his VPN connection so he can limit our connection to our machines.
    I understand his security concerns for the protection of his other
    customers. Once we can afford a rack mount NAS, we will be breaking that
    link. Once we do, I understand we can do a connection using the
    standard M$ connection (not requiring the Cisco client) to our 501. When
    that is complete we should no longer have an issue.
    CurtTampa, Aug 11, 2008
  16. Merv

    Merv Guest

    So it sounds like you have plans to deal with several of the technical
    and business issues and your "Cisco guy" long term.

    Do you have access to the office PIX 501, and can you post the PIX 501
    config - sanitized of course - no passwords and no external IPs?

    There are several very good PIX wizards on this newsgroup and
    hopefully they would respond if they see issues with your office PIX
    501 config.
    Merv, Aug 11, 2008
  17. curttampa

    CurtTampa Guest

    1st: you are correct. Our Cisco/network dude has got to go; all we
    need is enough money to get rid of him and a replacement we can trust.
    2nd: I will try. I'm not sure that Chuck or I actually know the
    password to get into the office 501. I will have to do some reading on
    this, as I have heard the password is not required if you have the
    serial cable (which we do). So I will investigate getting that config.
    Thanks for all your assistance.
    CurtTampa, Aug 11, 2008
  18. curttampa

    CurtTampa Guest

    Here is the config from our OFFICE PIX.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password PASSWPRD encrypted
    passwd PASSWORD
    hostname HOSTNAME
    domain-name HOSTNAME.local
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name VPNclient
    name XXX.XXX.XXX.XX web_ftp-outside
    name web_ftp-inside
    name XXX.XXX.XXX.XXX email_RDP-outside
    name email_RDP-inside
    access-list 101 permit icmp any any
    access-list 101 remark VPN Access Policy
    access-list 101 permit ip VPNclient
    access-list 101 permit tcp any host email_RDP-outside eq smtp
    access-list 101 permit tcp any host email_RDP-outside eq pop3
    access-list 101 permit tcp any host email_RDP-outside eq 3389
    access-list 101 permit tcp any host web_ftp-outside eq ftp-data
    access-list 101 permit tcp any host web_ftp-outside eq ftp
    access-list 101 permit tcp any host web_ftp-outside eq www
    access-list 101 permit tcp any host web_ftp-outside eq https
    access-list outside_cryptomap_dyn_30 permit ip any VPNclient
    access-list HOSTNAME_splitTunnelAcl permit ip
    access-list inside_outbound_nat0_acl permit ip
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XXX.XXX.XXX
    ip address inside
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool HOSTNAMEVPNpool mask
    pdm location email_RDP-outside outside
    pdm location web_ftp-inside inside
    pdm location email_RDP-inside inside
    pdm location VPNclient outside
    pdm location web_ftp-outside outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0 0
    static (inside,outside) email_RDP-outside email_RDP-inside netmask
    55 0 0
    static (inside,outside) web_ftp-outside web_ftp-inside netmask 0
    access-group 101 in interface outside
    route outside XXX.XXX.XXX.XXX 1
    timeout xlate 0:30:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:30:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    ntp server source outside
    ntp server source outside prefer
    http server enable
    http outside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-l2tp
    auth-prompt prompt Enter login authorization
    auth-prompt accept Thank you. Access granted.
    auth-prompt reject Either get it right or stop trying to hack your way
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 30 match address
    crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup HOSTNAME address-pool HOSTNAMEVPNpool
    vpngroup HOSTNAME dns-server email_RDP-inside
    vpngroup HOSTNAME wins-server email_RDP-inside
    vpngroup HOSTNAME default-domain HOSTNAME.local
    vpngroup HOSTNAME split-tunnel HOSTNAME_splitTunnelAcl
    vpngroup HOSTNAME split-dns HOSTNAME.local HOSTNAME.lcl
    vpngroup HOSTNAME idle-time 1800
    vpngroup HOSTNAME password ********
    telnet inside
    telnet timeout 5
    ssh outside
    ssh inside
    ssh timeout 5
    isakmp nat-traversal 20
    management-access inside
    console timeout 0
    username pronetserv password PASSWPRD encrypted privilege 15
    username admin password PASSWORD encrypted privilege 15
    terminal width 80
    : end
    CurtTampa, Aug 11, 2008
  19. curttampa

    CurtTampa Guest

    Did you abandon me?
    CurtTampa, Aug 14, 2008
  20. Merv

    Merv Guest

    I see the config has NAT traversal configured.

    Hopefully some of the PIX experts on this group will see the posting
    of your PIX config.

    You might want to repost the PIX config if you do not get any
    feedback on it.
    Merv, Aug 14, 2008