
I have an office branch with a Cisco ASA 5508-X and 3 internal networks:

  • 192.168.150.0/24 (the RRAS server is 192.168.150.252/24)
  • 192.168.151.0/24
  • 192.168.152.0/24

I have deployed an L2TP VPN (which hands out 192.168.150.0/24 addresses) with Windows Server 2012 R2 and RRAS so home users can access office branch resources. So far it's working as expected: users can access shared folders, internal Exchange email and printers, but they can only ping and RDP to computers on the 192.168.150.0/24 network.

I added 2 NICs to the RRAS server (1 for the 192.168.151.0/24 network and 1 for the 192.168.152.0/24 network) and now users CAN ping resources on those networks, but RDP to PCs on those networks still fails.

I have deployed the following GPOs on all networks (image) with no effect:

  • Windows Defender Firewall: Allow inbound file and printer sharing exception "*"
  • Windows Defender Firewall: Allow inbound Remote Desktop exceptions "*"
  • Windows Defender Firewall: Define inbound port exceptions "3389:TCP:*:enabled:RDP Description"

So now I'm not sure how to proceed:

  • Do I need to forward TCP 3389 port to the VPN Server?
  • Do I need to add anything to my Cisco Firewall configuration?
  • Do I need to configure anything on RRAS?
Michael Hampton
Xim

3 Answers


Yes, you need to allow port 3389 in the firewall: an inbound policy in the firewall allowing all VPN users to access resources on TCP port 3389, with the source as the VPN pool and the destination as the resources they want to access, allowing port 3389.


You'll probably also need static routes configured for the client connections. They need to know where and how to traverse and get to the other subnets. You'll need to provide much more information for any of us to advise on that, though.

Timothy Frew

To anyone looking for an answer this is my final configuration (everything was done on the RRAS/VPN Server):

There was no need to enable "Remote Desktop" under RRAS/Server (local)/IPv4/NAT/Properties/Services and Ports, nor modify any GPO.

  1. Ethernet card connected to the internal LAN.

IP: 192.168.150.252/24

Gateway: 192.168.150.247 (This one is important, since through this interface the server will reach the 192.168.151.0/24 and 192.168.152.0/24 networks.)

  2. Ethernet card connected to the Internet source (modem).

IP: 192.168.4.110/24

Gateway: 192.168.4.97

**To fix the problem I added static routes on the RRAS/VPN server with the following commands:**

route add -p 192.168.151.0 mask 255.255.255.0 192.168.150.247
route add -p 192.168.152.0 mask 255.255.255.0 192.168.150.247

Once I did this, remote users were able to RDP to 192.168.151.0/24 and 192.168.152.0/24.

Any questions, feel free to send me a message. Thanks.

Xim
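The same fix as the accepted answer, written as an added PowerShell example (not code from the original answer) that adds the two routes only if they are missing and then checks from the RRAS server that TCP 3389 is actually reachable on each subnet. The addresses are the ones from the thread; the hosts in $TestHosts are hypothetical placeholders for one RDP target per subnet.

```powershell
# Added example: idempotent static routes on the RRAS server plus an RDP reachability check.
# Addresses come from the thread above; $TestHosts are placeholders, not real machines.
$LanAddress    = '192.168.150.252'   # RRAS NIC on the internal LAN
$LanGateway    = '192.168.150.247'   # next hop that reaches the other two subnets
$RemoteSubnets = @('192.168.151.0/24', '192.168.152.0/24')
$TestHosts     = @('192.168.151.10', '192.168.152.10')   # placeholders: one RDP host per subnet

# Interface index of the LAN NIC, so each route is bound to that interface explicitly
$lanIf = (Get-NetIPAddress -IPAddress $LanAddress -AddressFamily IPv4).InterfaceIndex

foreach ($prefix in $RemoteSubnets) {
    $existing = Get-NetRoute -DestinationPrefix $prefix -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if ($existing -and ($existing.NextHop -contains $LanGateway)) {
        Write-Host "Route $prefix via $LanGateway already present"
        continue
    }
    # Assumption: without -PolicyStore, New-NetRoute writes to both the active and the
    # persistent store, so the route survives a reboot (same effect as 'route add -p').
    New-NetRoute -DestinationPrefix $prefix -NextHop $LanGateway -InterfaceIndex $lanIf | Out-Null
    Write-Host "Added route $prefix via $LanGateway on interface $lanIf"
}

# The RRAS server must be able to reach RDP on each subnet before a VPN client can.
# A failure here points at routing or the target host's firewall, not at the VPN itself.
foreach ($target in $TestHosts) {
    $r = Test-NetConnection -ComputerName $target -Port 3389 -WarningAction SilentlyContinue
    $status = if ($r.TcpTestSucceeded) { 'OK' } else { 'FAILED' }
    Write-Host ("RDP {0} -> {1} via {2}: {3}" -f $target, $r.RemoteAddress, $r.InterfaceAlias, $status)
}
```

Run it in an elevated PowerShell session on the RRAS server; a route that shows as present but a test that still fails means the target subnet's return path or host firewall is the remaining problem.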