topic Re: I'm unable to use Remote desktop from internet to PC in Trust zone in General Topics

I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Sun, 15 Oct 2017 14:16:43 GMT

Hello all,

I wanna Remote desktop from my PC in home to PC in my company but not success

This is my connection diagram

I wanna remote to PC 10.126.123.132 (belong to VLAN 123, I use several VLANs in Core switch) but not success, NAT seems not to work, there's no traffic logs

This is my config..

Virtual router config.

Security rules

NAT rule

I can remote from internet to a server in DMZ zone successfully but L3_Trust zone, so I think because of using VLAN in core switch, it requires some other config.. Please help me 🙂

P/S: The public IP in the pictures is just an example IP

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Mick_Ball — Sun, 15 Oct 2017 19:12:52 GMT

In your nat rule try adding source nat 10.126.125.1.

your dmz may have a default route to the internet but maybe your vlans dont.

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

mgarg — Sun, 15 Oct 2017 19:35:43 GMT

take a packet capture on the firewall and the end client.

If you see the syn packet on the end client this would mean the packet is getting forwarded to the client.

Check if you recieve a syn-ack back on the firewall from the client.

If that is not the case then , check the routing on the switch. For testing in the nat rule that you have created for inbound, source nat the traffic to the trustzone interface.

Share the output of pcaps and session if this still does not resolve

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Mon, 16 Oct 2017 02:06:54 GMT

Thank you all for your help, I added source translation to IP of L3_Trust interface (10.126.125.1) but still not success when Remote Desktop 😞

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

mgarg — Mon, 16 Oct 2017 02:37:10 GMT

at this point. take a pcap on firewall and client together. Share the details.

Provide the below details

After trying rdp connection ,in the command line type

1) show session all filter source<your_public_src_ip> destination 113.160.131.230 destination-port 3389

this command will list the running sessions and the left most column is session id. Select a session id

2) show session id<session_id>

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Mick_Ball — Mon, 16 Oct 2017 06:06:16 GMT

Try modifying your source translation

address type = translated address

translated address = 10.126.125.1

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Mon, 16 Oct 2017 08:20:43 GMT

Thank you Sir, this is the picture of recive.pcap and drop.pcap, there's nothing in transmit.pcap and firewall.pcap. I'm sorry, due to security reason, I'm not allowed to upload capture file here

27.67.9.246 is my public IP from internet zone

I also run command show session all filter source<your_public_src_ip> destination 113.160.131.230 destination-port 3389 but there's no active session

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Mon, 16 Oct 2017 08:19:38 GMT

I change the source translate to "translated address" but it still not working

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Mick_Ball — Mon, 16 Oct 2017 08:30:04 GMT

from the cli.

ping source 10.126.125.1 host 10.126.123.132

do you get replies?

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Mon, 16 Oct 2017 08:34:39 GMT

Yes sir, Ping successful

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Mick_Ball — Mon, 16 Oct 2017 08:56:14 GMT

change your security policy/action/log settings to session start.

attempt a connection and find connection attempt in monitor/traffic.

if you can see the session start then select magnifying glass on left column and post

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Mon, 16 Oct 2017 09:07:06 GMT

I've already choosen both Log at session start and end before 😞

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Mick_Ball — Mon, 16 Oct 2017 09:16:27 GMT

in your security policy, should the destination address be 10.126.123.132 and not 113.160.131.230

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Mon, 16 Oct 2017 09:24:50 GMT

I think it must be 113.160.131.230 but anyway, I tried changing it to 10.126.123.132 or any, it's not working 😞

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

aleksandar.astardzhiev — Mon, 16 Oct 2017 09:48:35 GMT

Of cource it wouldn't work...When using destination NAT, Security policy must contain PRE-NAT addresses and POST-NAT zones. Which means that your original configuration configuration is actually correct.

In my humble opinion your original configuration was correct (correct NAT and correct security policy). There was suggestion to set source NAT and I saw you have enabled source and destination - I would say this is wrong... I believe the suggestion was to configure source static nat and enable bidirectional. That way you should accomplish the same think create static NAT. But you shouldn't enable both source and destination in the same rule.

In the capture you can see that drop capture is filling with with the SYN, so

So my suggestion:

1. Put everything back as you configure it originally.

2. I saw that you are using service group RDP, can you confirm that this service group contain TCP port 3389?

3. Enable log on start for the security rule
4. Check traffic log for log matching your source address. send screenshot for this entry (you can hide the real addresses if you like)

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

aleksandar.astardzhiev — Mon, 16 Oct 2017 09:55:56 GMT

One more think - If you don't see logs for your attempts, please check if you have enabled log for default Intra and Inter zone security policy? If traffic doesn't match any explicit rule is probably being dropped by the default zone rules, and by default they are not logging.

another you can check is run test security-policy-match <fill in the rest> under the CLI

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

mgarg — Wed, 18 Oct 2017 00:35:26 GMT

the reason there is no session on the firewall because i think it dropping the packet due to security rule . You can confirm this by creating a deny alll rule at the bottom and see if your traffic hits this rule.

The service object rdp that you have created, make sure you just put 3389 in destination port and leave the source port as blank and the protocol is tcp.

If this still does not work, open the rule to allow any service. For security just mention your public ip as source.

Check if you are still hitting the same rule or the default deny.

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Wed, 18 Oct 2017 02:55:52 GMT

Yes, I use a "Deny all" rule, I'm sure RDP service is correct with 3389 port 'cause I'm using it to remote to a server in DMZ zone. I create rule with permit access from my PC in internet to any zone and any address in internal network. But it's still not working and there's no any log except ping or telnet (but ping and telnet is not success and destination address is not NATed)

It seems hard to connect directly from internet to L3_trurst zone, so I'll use Globalprotect to setup VPN client to site.

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

yihhow — Wed, 18 Oct 2017 03:06:50 GMT

Hi,

I am having the same issue exaclty you facing now, All the while is working fine, The issue is onli happen i update the PA to 8.0.5, Are you using the same OS version.

Thanks

Re: I'm unable to use Remote desktop from internet to PC in Trust zone

Hongson — Wed, 18 Oct 2017 03:08:40 GMT

I'm using 6.1.16, I think it's not relate to PAN-OS version