VPN up and running but no traffic

I have VPN up and running between two sites. Both sites have Cisco ASA 5505. I can ping across the devices from both networks. But I cannot remote into the servers on the other network.


Jennifer Halim
Cisco Employee

Ensure that you have allowed RDP access on those servers, and that there are no firewall rules that might be blocking the RDP connection.

Also, can you telnet on the RDP port (TCP/3389) to see if the connectivity is there?

Jennifer,

I cannot telnet on the RDP port to the remote server.

Thanks,

Pratik

caseth0102
Level 1

If you haven't pinpointed this issue yet, try using the 'packet-tracer' command as follows. This should tell you exactly where your failure is.

!-below is assuming your interface is named 'inside' replace that with the closest firewall interface to the source of the RDP.

!-1.1.1.1 = src IP and 2.2.2.2=dst IP

packet-tracer input inside tcp 1.1.1.1 1024 2.2.2.2 3389 detail

So now the VPN is up and running. I can ping either side. I can even access files and folders of the remote servers. But I still cannot RDP into the servers on the remote network. I don't know what's blocking the RDP connection. Any suggestions?

Thanks,

Pratik

Hi,

Sniff the server interface to see if it receives the RDP packets and replies to them.

Alain.

Don't forget to rate helpful posts.

Cadet,

Sorry if I am being dumb, but can you tell me how I do that?

Thanks,

Pratik

Hi,

If Linux, just use tcpdump, save as a pcap file, then post it here.

If Windows, then install Wireshark, sniff your interface, save as pcap and post it here.

Alain.

Don't forget to rate helpful posts.

Have you tried the 'packet-tracer' command? If you can access (via file browsing or whatever) the same destination network from your side of the tunnel with no issues, then we can rule out routing. The 'packet-tracer' will identify where and if there is an issue with your 'proxy-domain' (i.e. the crypto ACL), and any other issues that may be evident. This should be your first step. If all is well, then you can do a tcpdump on the server side. Being that you're using RDP, I would suspect your destination server is Microsoft. After <<< running the packet-tracer >>> (if all is well), then as stated above, download Wireshark and sniff the interface on the server to see if the packets are making it there. Also, you may want to run 'netstat -a' to see if the service is even listening. But I will say again, use the 'packet-tracer', as it is best practice in troubleshooting to start local, then move to the remote side if needed.
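An added example, not part of any post in this thread: the telnet test suggested above tells you only "connected" or "not connected", while the way the attempt fails says where to look next. This Python sketch classifies one TCP connect per port and compares the failing RDP port with a port that works; the use of TCP/445 as the stand-in for the working file access, and the function names, are assumptions of the example.

```python
import socket

# What each connect() outcome says about where to look next.
HINTS = {
    "open": "handshake completed; path and listener are fine, check RDP settings on the server",
    "refused": "RST received; nothing is listening or a firewall rejects it, check netstat -a on the server",
    "timeout": "no answer; SYN or SYN-ACK is dropped on the path, run packet-tracer and sniff the server",
    "unreachable": "local routing or ICMP error; no path to the host from this machine",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"


def diagnose(host, ports=(445, 3389), timeout=3.0):
    """Probe each port and return {port: (state, hint)}.

    445 (SMB) is an assumed stand-in for the file access that works in the
    thread; 3389 is the RDP port that fails.
    """
    results = {}
    for port in ports:
        state = probe_tcp(host, port, timeout)
        results[port] = (state, HINTS[state])
    return results


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <server-ip>
    for port, (state, hint) in diagnose(sys.argv[1]).items():
        print(f"tcp/{port}: {state} - {hint}")
```

If 445 reports open while 3389 times out, the drop is specific to that port, which points at an ACL or host firewall rule rather than tunnel routing.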
