Can ping but cannot RDP between two different VLANs over a trunk

grendel19 (Gawd, joined Jun 26, 2009, 579 messages)
Was wondering if there are any Cisco engineers here that can shed some light. Here is our scenario:

[diagram: scenario.jpg]


Above is a crude diagram I made. The vlans are spanned across both physical sites.

The problem we're having is that a server in VLAN 20 at site 2 can ping a server in VLAN 50 at site 1, but cannot RDP into it. RDP is turned on, and the firewall at each respective site serves as the gateway.

We've played with the ASA access rules to no avail. We're also suspecting that the RDP packet loses its VLAN tag once the ASA inspects said packet.

If anyone can think of anything that we should also check, would be greatly appreciated.

Thanks in advance. I can provide more info if necessary.
 
OS on both servers? Did you check the firewalls on each machine itself? And make sure all your RDP services are running?
 
no ACLs on either of the ASAs that's denying traffic on port 3389?
 
OS on both servers? Did you check the firewalls on each machine itself? And make sure all your RDP services are running?
Server 2003, firewall services are disabled by default. RDP services are all running.

no ACLs on either of the ASAs that's denying traffic on port 3389?
I actually have ACLs that explicitly allow 3389. When I run the packet tracer on the ASA, the packet does get through on port 3389. I even tried with a source port of 3389 and a random higher destination port, and that passed through as well.
 
open a command prompt
telnet servername 3389

does it just timeout?
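A scriptable form of the telnet check suggested above, added here as an example and not part of the thread. It matters which way the check fails: a connection that is refused means the SYN reached the host and a reset came back (so routing and both firewalls pass the flow, and the problem is the service or a host firewall), while a timeout means either the SYN or its SYN-ACK was dropped on the path, which implicates every device on both the forward and the return path. The self-test helpers use localhost only; the default port 3389 is RDP.

```python
import argparse
import errno
import socket

# Outcome labels. The distinction is the whole point of the check:
#   open        -> handshake completed; host reached and service listening
#   refused     -> RST came back; host reached, nothing listening on the port
#   timeout     -> no reply at all; SYN or SYN-ACK dropped somewhere on the path
#   unreachable -> local stack / ICMP says there is no route to the host
OPEN, REFUSED, TIMEOUT, UNREACHABLE = "open", "refused", "timeout", "unreachable"


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connection and classify what happened."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except socket.timeout:
        return TIMEOUT
    except ConnectionRefusedError:
        return REFUSED
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        sock.close()


def interpret(result):
    """Plain-language reading of a probe result for a port such as 3389."""
    return {
        OPEN: "TCP works end to end; if RDP still fails, look at the RDP service itself",
        REFUSED: "the host answered with a reset: routing and firewalls pass the flow, "
                 "but nothing is listening on that port (or a host firewall rejects it)",
        TIMEOUT: "no answer: either the SYN never reached the host or its reply never "
                 "came back; check every device on BOTH the forward and the return path",
        UNREACHABLE: "no route from this host; check its routing table and gateway",
    }[result]


def start_local_listener():
    """Open a listening socket on an ephemeral localhost port (self-test only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Return a localhost port that was just released, so a connect is refused (self-test only)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Classify a TCP connect attempt")
    parser.add_argument("host")
    parser.add_argument("port", type=int, nargs="?", default=3389)
    parser.add_argument("--timeout", type=float, default=3.0)
    args = parser.parse_args()
    outcome = probe_tcp(args.host, args.port, args.timeout)
    print(f"{args.host}:{args.port} -> {outcome}: {interpret(outcome)}")
```

Run it from the VLAN 20 server against the VLAN 50 server (`python probe.py <server> 3389`) and, for comparison, from a server at the same site; a timeout in one case and open in the other points at the path, not at the RDP service.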
 
Forgot to mention that an RDP session works fine from a server on VLAN 20 to another on VLAN 50 within the same physical site.

Also, we tried adding a static route on the server itself in VLAN 20 at site 2. The static route tells it to use the firewall at site 1 as the gateway for the VLAN 50 network. When that is done, RDP does work. That makes it seem like somehow the VLAN tagging is lost within the site 2 firewall because the packet doesn't traverse the trunk. But if we tell the packet to traverse the trunk first, then hit the site 1 firewall before reaching VLAN 50, the VLAN tagging is retained.

Any other opinions? Thanks in advance.
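The symptom pattern in the post above (ping works, TCP to 3389 does not, and a static route that forces the flow through the site 1 firewall makes it work) is exactly what an asymmetric path across two stateful firewalls produces, so it is worth checking before chasing VLAN tags: with the VLANs spanned across both sites, the VLAN 20 server at site 2 sends its SYN via the site 2 ASA straight into VLAN 50, but the VLAN 50 server at site 1 replies via its own default gateway, the site 1 ASA, which never saw the SYN and drops the SYN-ACK as a TCP segment with no connection. ICMP echo is not tracked the same way by default, so ping passes. The 802.1Q tag itself is added on the trunk and stripped at the access port or firewall subinterface on every hop, so it is not something that can be "lost" end to end. The model below is an added example, not from the thread or from Cisco; the addresses are constructed and the firewall is a minimal stand-in for the ASA's connection table.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


class StatefulFirewall:
    """Toy stateful firewall: a TCP flow is admitted on its SYN and tracked; any
    later TCP segment must match a tracked flow or it is dropped and logged.
    ICMP echo is passed statelessly here (the default when no ICMP inspection
    is configured), which is why ping can succeed where TCP does not."""

    def __init__(self, name):
        self.name = name
        self.conns = set()
        self.log = []

    def forward(self, pkt):
        if pkt.proto == "icmp":
            return True
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            self.conns.add(fwd)          # new flow: start tracking it
            return True
        if fwd in self.conns or rev in self.conns:
            return True                  # belongs to a flow this firewall saw start
        self.log.append(f"{self.name}: Deny TCP (no connection) from {pkt.src}/{pkt.sport} "
                        f"to {pkt.dst}/{pkt.dport} flags {pkt.flags}")
        return False


@dataclass
class Host:
    ip: str
    gateway: StatefulFirewall                          # default gateway: the local site's ASA
    static_routes: dict = field(default_factory=dict)  # destination prefix -> firewall

    def egress(self, dst_ip):
        """Which firewall this host hands a packet to for dst_ip (constructed prefix match)."""
        for prefix, fw in self.static_routes.items():
            if dst_ip.startswith(prefix):
                return fw
        return self.gateway


def deliver(src, dst, pkt):
    """Each direction crosses exactly one firewall: whichever one the sender routes through."""
    return src.egress(dst.ip).forward(pkt)


def tcp_connect(client, server, dport=3389, sport=49152):
    """Three-way handshake; fails if any segment is dropped."""
    syn = Packet("tcp", client.ip, server.ip, sport, dport, "S")
    synack = Packet("tcp", server.ip, client.ip, dport, sport, "SA")
    ack = Packet("tcp", client.ip, server.ip, sport, dport, "A")
    return (deliver(client, server, syn)
            and deliver(server, client, synack)
            and deliver(client, server, ack))


def ping(client, server):
    return (deliver(client, server, Packet("icmp", client.ip, server.ip))
            and deliver(server, client, Packet("icmp", server.ip, client.ip)))


def run_scenarios():
    """Constructed addressing: 10.20.0.50 is the VLAN 20 server at site 2,
    10.50.0.10 the VLAN 50 server at site 1 (hypothetical values)."""
    results = {}
    # Scenario 1: each server uses its own site's ASA as its default gateway.
    fw1, fw2 = StatefulFirewall("ASA-site1"), StatefulFirewall("ASA-site2")
    a = Host("10.20.0.50", gateway=fw2)
    b = Host("10.50.0.10", gateway=fw1)
    results["default_gateways"] = {"ping": ping(a, b), "rdp": tcp_connect(a, b),
                                   "denies": fw1.log + fw2.log}
    # Scenario 2: static route on the VLAN 20 server sends VLAN 50 traffic via the site 1 ASA,
    # so both directions cross the same firewall.
    fw1, fw2 = StatefulFirewall("ASA-site1"), StatefulFirewall("ASA-site2")
    a = Host("10.20.0.50", gateway=fw2, static_routes={"10.50.0.": fw1})
    b = Host("10.50.0.10", gateway=fw1)
    results["static_route_via_site1"] = {"ping": ping(a, b), "rdp": tcp_connect(a, b),
                                         "denies": fw1.log + fw2.log}
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name}: ping={r['ping']} rdp={r['rdp']}")
        for line in r["denies"]:
            print("  " + line)
```

On a real ASA the corresponding evidence is syslog message 106015, "Deny TCP (no connection)", on the firewall that only sees the return half of the flow; the packet tracer passes the SYN because it only evaluates the one direction you give it. The fix is to make the path symmetric (one gateway per VLAN, or routes so that both directions cross the same ASA) rather than to relax the firewall; TCP state bypass exists on the ASA for cases where that is impossible, at the cost of losing stateful inspection for that traffic.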
 