RDP thru RRAS basic firewall

 
 
Jeff Vandervoort
      01-23-2008, 05:58 PM
We have a site-to-site VPN through WS2003 R2 SP2 RRAS. Basic Firewall & the
standard VPN packet filters are in place.

The VPN is working, but I'd like to have RDP available through the RRAS
server to another machine inside the LAN for emergency use in case RRAS
can't connect for some reason. I'm having trouble configuring the firewall
and packet filters.

I can make an RDP connection to the admin machine from the internal network,
so that's working.

External NIC is in a perimeter network behind a NAT router, but it's in the
DMZ so the NAT router isn't dropping the packets.

In RRAS, here is what I have right now for RDP:

External NIC Inbound Filters--
Drop all except:
Source Address: Any, Source Mask: Any
Destination Address: <external IP>, Destination Mask: 255.255.255.255
Protocol: TCP, Source Port: Any, Destination Port: 3389

External NIC Outbound Filters:
Drop all except:
Source Address: <external IP>, Source Mask: 255.255.255.255
Destination Address: Any, Destination Mask: Any
Protocol: TCP (established), Source port: 3389, Destination port: Any

No packet filters on internal NIC.

On "NAT/Basic Firewall" tab, "Basic firewall only" is selected. On "Services
and Ports" tab, Remote Desktop is turned on, and Private Address is set to
the internal, static IP of the admin computer.

When I try to connect, I get this message:

[Window Title]
Remote Desktop Disconnected

[Content]
This computer can't connect to the remote computer.

Try connecting again. If the problem continues, contact the owner of the
remote computer or your network administrator.

[OK] [Help]

When I enable "Log additional RRAS information" and try connecting, I don't
see anything telling me about dropped packets.

What am I doing wrong?

--
Jeff Vandervoort
JRVsystems
http://www.jrvsystems.com

 
Scooty
      01-24-2008, 05:15 AM
No simple answer, but I would try removing the filters first. It may
open you up, but at least it will prove if this is the problem.

If that works, add them back one at a time.

Scott
 
 
Jeff Vandervoort
      01-24-2008, 12:50 PM
Remove the RDP filters?? Well...if I remove the filters, it DEFINITELY won't
work. To be secure, RRAS VPNs require the "Drop all packets except"
setting, with specific packet filters for VPN ports & protocols. So that's
not what I'm doing wrong, for sure.

Anyone else know what I'm doing wrong?

--
Jeff Vandervoort
JRVsystems
http://www.jrvsystems.com


 
 
Scooty
      01-24-2008, 11:36 PM
The only way you can prove if it's the filters is to maybe try and set
the inbound destination port to any and the outbound source port to any.
I know it opens you up, but we are talking 5 minutes to prove that it
is not your filters that are causing the issues.
From what you describe, everything else sounds correct.
Other than that, use netstat -an on the systems to see what ports and
addresses are in use and being mapped.

Only trying to help!!!
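
Added example, not part of the original thread: a Python helper for the `netstat -an` check suggested in the post above, run against constructed output from the internal admin machine. It assumes the outside client's source address is preserved through the RRAS port mapping; the sample addresses and the `diagnose` result labels are illustrative.

```python
import re

# Constructed sample: `netstat -an` output as it might look on the internal
# admin machine while an outside client retries RDP. Addresses are private
# and documentation ranges chosen for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      203.0.113.7:49833      SYN_RECEIVED
  TCP    192.168.1.20:3389      192.168.1.50:1047      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# One TCP row: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def tcp_rows(netstat_text, port=3389):
    """Return (local_ip, remote_ip, state) for TCP rows on the local port."""
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port:
            rows.append((m.group(1), m.group(3), m.group(5)))
    return rows

def diagnose(netstat_text, client_ip, port=3389):
    """Classify how far a connection attempt from client_ip got."""
    rows = tcp_rows(netstat_text, port)
    if not any(state == "LISTENING" for _, _, state in rows):
        return "not-listening"           # service is not bound to the port
    states = {state for _, remote, state in rows if remote == client_ip}
    if "ESTABLISHED" in states:
        return "established"             # handshake completed end to end
    if "SYN_RECEIVED" in states:
        return "syn-arrived-reply-lost"  # SYN got in; handshake never finished
    return "no-syn-seen"                 # nothing from this client reached the host

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.168.1.50", "198.51.100.9"):
        print(ip, "->", diagnose(SAMPLE_NETSTAT, ip))
```

A `SYN_RECEIVED` row for the outside client means the inbound filter and port mapping passed the SYN and the handshake is failing on the return path. No row at all for that client points back at the inbound filter or the port mapping.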

 