Asked by:
[SOLVED] VPN clients can't do RDP to different subnets

Question
I have an office branch with a Cisco ASA 5508-X and 3 internal networks:
-> 192.168.150.0/24 (the RRAS server is 192.168.150.252/24)
-> 192.168.151.0/24
-> 192.168.152.0/24
I have deployed an L2TP VPN (which hands out 192.168.150.0/24 addresses) with Windows Server 2012 R2 and RRAS so home users can access office branch resources. So far it's working as expected: users can access shared folders, internal Exchange email and printers, but they can only PING and RDP to computers on the 192.168.150.0/24 network.
I added 2 NICs to the RRAS (1 for 192.168.151.0/24 network and 1 for 192.168.152.0/24 network) and now users CAN PING resources on those networks but RDP to PC's on those networks still fails.
I have deployed the following GPOs on all networks (image) with no effect:
Windows Defender Firewall: Allow inbound file and printer sharing exception "*"
Windows Defender Firewall: Allow inbound Remote Desktop exceptions "*"
Windows Defender Firewall: Define inbound port exceptions "3389:TCP:*:enabled:RDP"
So, now I'm not sure how to proceed.
Do I need to forward TCP 3389 port to the VPN Server?
Do I need to add anything to my Cisco Firewall configuration?
Do I need to configure anything on RRAS?
SOLVED:
To anyone looking for an answer this is my final configuration (everything was done on the RRAS/VPN Server):
There was no need to enable "Remote Desktop" under RRAS/Server (local)/IPv4/NAT/Properties/Services and Ports, nor modify any GPO.
1. Ethernet Card connected to internal LAN.
IP: 192.168.150.252/24
Gateway: 192.168.150.247 (This one is important since through this interface the server will reach the 192.168.151.0/24 and 192.168.152.0/24 networks).
2. Ethernet Card connected to Internet Source (Modem).
IP: 192.168.4.110/24
Gateway: 192.168.4.97
To fix the problem I added static routes on the RRAS/VPN server with the following commands:
route add -p 192.168.151.0 mask 255.255.255.0 192.168.150.247
route add -p 192.168.152.0 mask 255.255.255.0 192.168.150.247
Once I did this, remote users started to be able to RDP to 192.168.151.0/24 and 192.168.152.0/24
Any questions, feel free to send me a message. Thanks.
- Edited by José Silva G Monday, July 13, 2020 7:04 PM
Wednesday, July 1, 2020 3:12 PM
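The following PowerShell script is an added example and is not part of the original post: it applies the same two persistent routes the poster added with route add -p (skipping any that already exist) and then checks, from the RRAS server itself, whether each remote subnet answers on TCP 3389, separating a routing problem (ping and TCP both fail) from a filtering problem (ping works, TCP 3389 fails). The interface alias "Red LEI 150" and gateway 192.168.150.247 come from the thread; the two test hosts are constructed placeholders.

```powershell
# Added example, not the thread's own script. Run elevated on the RRAS/VPN server.
$LanAlias  = 'Red LEI 150'                               # NIC on 192.168.150.0/24 (from the thread)
$LanGw     = '192.168.150.247'                           # LAN gateway that reaches the other subnets
$Subnets   = @('192.168.151.0/24', '192.168.152.0/24')
$TestHosts = @('192.168.151.10', '192.168.152.10')      # constructed sample hosts, one per subnet

foreach ($net in $Subnets) {
    $existing = Get-NetRoute -DestinationPrefix $net -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Route for $net already present via $($existing.NextHop -join ', ')"
    } else {
        # Same effect as: route add -p <net> mask 255.255.255.0 192.168.150.247
        # (New-NetRoute creates a persistent route by default.)
        New-NetRoute -DestinationPrefix $net -InterfaceAlias $LanAlias -NextHop $LanGw | Out-Null
        Write-Host "Added persistent route for $net via $LanGw"
    }
}

# Check reachability of RDP on each remote subnet from the VPN server before
# looking at the ASA or GPOs. ICMP success with TCP failure points at a filter
# (host firewall, ASA rule, RDP on another port); both failing points at routing.
foreach ($h in $TestHosts) {
    $r = Test-NetConnection -ComputerName $h -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $h
        PingOK    = $r.PingSucceeded
        Tcp3389OK = $r.TcpTestSucceeded
        Diagnosis = if ($r.TcpTestSucceeded) { 'RDP reachable' }
                    elseif ($r.PingSucceeded) { 'route ok, TCP 3389 filtered' }
                    else { 'no route to subnet or host down' }
    }
}
```

Run the same Test-NetConnection loop from a connected VPN client afterwards; if the server reaches TCP 3389 but the client does not, the remaining gap is in RRAS forwarding/NAT rather than in the LAN routing.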
All replies
Hi,
When we connect to the VPN successfully, network traffic from the VPN client to the internal network will go through the VPN tunnel. So, if clients from subnet 192.168.150.0/24 want to visit another subnet, they need the VPN server to forward the packets. We need to ensure the VPN server could visit 192.168.151.0/24 and 192.168.152.0/24, and ensure it could forward packets for VPN clients.
Here is a similar thread discussed before, you could have a look:
Cant access other subnets when VPN into Server
Hope this can help you.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
Thursday, July 2, 2020 2:33 AM
Hello Jose,
If you can ping the RDP server then the route to the host works. If you cannot access it using the RDP protocol, you may want to look inside the ASA firewall and the RRAS LAN/VPN firewall to make sure that the firewall rules between the subnets/zones have 3389 open.
When connected to VPN, run 'telnet RDPSERVERIP 3389' and you should get a blank screen. If you get access denied then the port is being blocked or the RDP is set to listen on a different port.
Miguel Fra
Falcon IT Services
https://www.falconitservices.com
- Edited by Miguel Fra Thursday, July 2, 2020 5:05 AM
Thursday, July 2, 2020 4:51 AM
Miguel,
This is the config of my ASA Firewall, I don't have any port blocked from the ASA.
I have disabled the Firewall on both the RRAS/VPN server and on the 192.168.151.252 PC. I have also run the telnet command: I get a black screen when using a 192.168.150.0/24 PC and a connection error when trying to telnet to a 192.168.151.01/24 PC; of course I can open a local telnet connection without problems.
Thanks for your time.
- Edited by José Silva G Thursday, July 2, 2020 3:07 PM
Thursday, July 2, 2020 12:15 PM
Hi Candy,
VPN Server can visit 192.168.151.0/24 and 192.168.152.0/24, but I'm not sure if it can forward packets for VPN clients.
Reading the thread I have tried adding this Static Route but the problem persists:
Interface: "Red LEI 150" is the name of my NIC on the 192.168.150.0/24
Destination/Network mask: 192.168.151.0/24
Gateway: 192.168.150.247 is the Gateway that my RRAS/VPN NIC uses.
- Edited by José Silva G Thursday, July 2, 2020 1:53 PM
Thursday, July 2, 2020 1:52 PM
I have disabled the ASA Firewall on both the RRAS/VPN server and on the 192.168.151.252 PC,
Hello again Jose, Are you referring to the Windows firewall? The ASA firewall is on the router. It should have zone/subnets and rules that control traffic flow between them.
Miguel Fra
Falcon IT Services
https://www.falconitservices.com
Thursday, July 2, 2020 3:05 PM
I get a black screen when used a 192.168.150.0/24 PC and a connection error when tried telnet to a 192.168.151.01/24
Hello Jose,
If you can ping it from 192.168.150.0 but not telnet on port 3389, then you have the ports being blocked by rules.
If you cannot ping OR telnet from 192.168.150.0, then there is no routing from one subnet to the other.
Is the RRAS server or the ASA doing the NAT and routing?
Miguel Fra
Falcon IT Services
https://www.falconitservices.com
Thursday, July 2, 2020 3:09 PM
Sorry, I was talking about the Firewall on the servers and computers (these Firewalls are off).
I already posted images of the rules of the ASA Firewall.
- Edited by José Silva G Thursday, July 2, 2020 3:13 PM
Thursday, July 2, 2020 3:11 PM
From the remote computers that are connected to the VPN I can ping 192.168.150.0/24 and 192.168.151.0/24, and I can also telnet to 192.168.150.0/24, but I can't telnet to 192.168.151.0/24.
The VPN/RRAS server is configured to do NAT; these are the screenshots from "RRAS, VPN Server, IPv4, NAT". I'm not sure about the routing question.
NAT #2 (do I need to enable "Remote Desktop" under "Services and Ports"?).
- Edited by José Silva G Thursday, July 2, 2020 3:48 PM
Thursday, July 2, 2020 3:22 PM
Hi,
Please enable "Remote Desktop" under "Services and Ports" to do a test and check if you could RDP to different subnet.
If it still doesn't work, please run netstat -an on the computers that are on the 192.168.151.0/24 network to check if port 3389 is listening. If yes, then port 3389 might be blocked by a network device.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
Tuesday, July 7, 2020 2:53 AM
Hi,
Just want to confirm the current situation.
Please feel free to let us know if you need further assistance.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
Monday, July 13, 2020 1:56 AM
I have solved the issue and added the solution to the question. Thanks.
Monday, July 13, 2020 6:57 PM
Hi,
Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
Wednesday, July 29, 2020 7:49 AM