Site to Site VPN and RPC Traffic

dmox
Level 1

We've recently created a new Win2K3 domain on a colocation site that will be mainly a Resource domain. However, we've been unable to replicate the domain, or DCPromo correctly, because RPC traffic is unable to connect. I've been chasing other leads for the last 3 days until today we tried a totally separate server and realized that it was a network problem rather than a problem with the DC.

The VPN access-lists are below:

PIX 6.3(3)

access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 vpn 255.255.0.0
access-list inside_outbound_nat0_acl permit tcp 10.0.0.0 255.0.0.0 vpn 255.255.0.0 eq 135
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.0.0.0 vpn 255.255.0.0
access-list outside_cryptomap_20 permit tcp 10.0.0.0 255.0.0.0 host vpn eq 135

As the access-lists state, ANY IP traffic is allowed between the two sites! I've added the second ACL for port 135 (RPC) but that hasn't helped any either.

Is there a fixup protocol for RPC? Anything that needs to be done to allow RPC traffic to travel across the VPN?

2 Replies

ehirsel
Level 6

Do the vpn users terminate the vpn connection on the pix outside interface? Is the vpn connection a site-to-site vpn or a remote-access vpn?

Where is the DC in relation to the users? I.e., tell me which interface the DC is off of, and which interface the users are off of.

Also, I believe that RPC uses dynamic ports. Is there another firewall being traversed in addition to the pix that you mentioned?

Please post the acl applied to the outside interface. I want to see what entries you have there.

The issue has been resolved. Apparently, when you create a VPN tunnel with its own ACLs you still need to apply ACLs to the outgoing interface (redundant ACLs).

access-list VPN permit ip any any

Will also have to be applied to

access-list Inside_Access_out permit tcp any any eq 135

Doesn't make much sense to me...but that's how it's working.
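The two points made in this thread (ehirsel's reminder that RPC uses dynamic ports beyond 135, and the resolution that the crypto-map ACL alone does not admit a packet when an access-group is applied to the interface it enters) can be checked without a PIX. The following Python model is an added example, not code from the thread or from Cisco. It evaluates a flow against the three access-lists a PIX 6.3 consults on the way into a site-to-site tunnel: the access-group on the ingress interface, the nat 0 ACL, and the crypto-map match ACL. Assumptions, labelled in the code: the poster's redacted object name "vpn" is taken to be 172.16.0.0/16; the pre-existing `Inside_Access_out` entry for port 80 is constructed to stand for whatever that ACL already contained; and 1025-5000 is the Windows Server 2003 default dynamic RPC port range.

```python
"""Model of PIX 6.3 access-list checks on traffic entering a site-to-site VPN.

Constructed example (not PIX code). A packet entering the inside interface is
checked by the access-group applied there, then by the nat 0 ACL (to escape
translation), then by the crypto-map ACL (to be selected for the tunnel).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the poster wrote the remote site's network as the object "vpn";
# 172.16.0.0/16 is used here as a stand-in for it.
OBJECTS = {"vpn": "172.16.0.0"}

NAT0 = "inside_outbound_nat0_acl"
CRYPTO = "outside_cryptomap_20"
IFACE = "Inside_Access_out"        # assumed to be applied: access-group ... in interface inside

# Constructed from the ACL lines posted in the thread, plus an assumed
# pre-existing Inside_Access_out entry that only covers HTTP.
BASE = f"""
access-list {NAT0} permit ip 10.0.0.0 255.0.0.0 vpn 255.255.0.0
access-list {CRYPTO} permit ip 10.0.0.0 255.0.0.0 vpn 255.255.0.0
access-list {IFACE} permit tcp any any eq 80
"""
FIXED_135 = BASE + f"access-list {IFACE} permit tcp any any eq 135\n"   # the thread's fix
FIXED_ANY = BASE + f"access-list {IFACE} permit ip any any\n"           # what RPC really needs


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None: any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _network(tokens, i):
    """Consume 'any', 'host X' or 'X MASK' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        addr = OBJECTS.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(addr + "/32"), i + 2
    addr = OBJECTS.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> dict:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines, keeping order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _network(tokens, 4)
        dst, i = _network(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def acl_permits(aces, flow: Flow) -> bool:
    """First matching entry wins; an ACL with no match denies (implicit deny)."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in aces:
        if ace.proto not in ("ip", flow.proto):
            continue
        if s in ace.src and d in ace.dst and ace.dport in (None, flow.dport):
            return ace.action == "permit"
    return False


def blocked_by(config: str, flow: Flow, access_group: Optional[str] = IFACE) -> Optional[str]:
    """Name the first ACL that stops the flow reaching the tunnel, or None if it gets through."""
    acls = parse_acls(config)
    if access_group and not acl_permits(acls.get(access_group, []), flow):
        return access_group        # dropped on ingress, before NAT or crypto are consulted
    if not acl_permits(acls.get(NAT0, []), flow):
        return NAT0                # would be translated, so the crypto ACL never selects it
    if not acl_permits(acls.get(CRYPTO, []), flow):
        return CRYPTO              # not "interesting" traffic; never enters the tunnel
    return None


# Constructed flows from a DC at 10.1.1.5 to a DC at 172.16.1.10.
EPM = Flow("tcp", "10.1.1.5", "172.16.1.10", 135)    # RPC endpoint mapper
DYN = Flow("tcp", "10.1.1.5", "172.16.1.10", 1027)   # dynamic RPC port (Win2K3 default range 1025-5000)

if __name__ == "__main__":
    for label, cfg in (("original", BASE), ("+ tcp 135", FIXED_135), ("+ ip any", FIXED_ANY)):
        for name, flow in (("EPM/135", EPM), ("dynamic/1027", DYN)):
            print(f"{label:10} {name:13} -> {blocked_by(cfg, flow) or 'tunnelled'}")
```

The model reproduces the thread: with only the crypto and nat 0 ACLs permitting the traffic, the access-group on the inside interface drops port 135; adding `permit tcp any any eq 135` lets the endpoint mapper through but still drops the dynamic port the RPC server hands back, so replication needs the `permit ip any any` entry (or the full dynamic range) as well. On a real PIX the equivalent check is `show access-list`, whose per-entry hit counts show which ACL is consuming the packets; note also that `sysopt connection permit-ipsec` only exempts decrypted inbound IPsec traffic from the access-group on the terminating interface, not traffic entering the inside interface on its way to the tunnel.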