This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

I'm unable to use Remote desktop from internet to PC in Trust zone

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

I'm unable to use Remote desktop from internet to PC in Trust zone

Go to solution
Hongson
L2 Linker

‎10-15-2017 07:08 AM - edited ‎10-15-2017 07:16 AM

Hello all,

I wanna Remote desktop from my PC in home to PC in my company but not success

This is my connection diagram

Untitled Diagram (1).jpg

 

I wanna remote to PC 10.126.123.132 (belong to VLAN 123, I use several VLANs in Core switch) but not success, NAT seems not to work, there's no traffic logs

This is my config..

Virtual router config.Virtual router config.

 

Security rulesSecurity rules

 

NAT ruleNAT rule

 

I can remote from internet to a server in DMZ zone successfully but L3_Trust zone, so I think because of using VLAN in core switch, it requires some other config.. Please help me 🙂

P/S: The public IP in the pictures is just an example IP 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
yihhow
L1 Bithead
In response to Hongson

‎10-20-2017 12:44 AM

I just found out my root issue that cause my incoming nat is not working, The reason been block is due to my dos policy, After disable the dos policy, It was working fine

View solution in original post

32 REPLIES 32

Go to solution
Mick_Ball
L7 Applicator

‎10-15-2017 12:12 PM

In your nat rule try adding source nat 10.126.125.1.

 

your dmz may have a default route to the internet but maybe your vlans dont.

Go to solution
mgarg
L3 Networker

‎10-15-2017 12:35 PM

take a packet capture on the firewall and the end client.

If you see the syn packet on the end client this would mean the packet is getting forwarded to the client.

Check if you recieve a syn-ack back on the firewall from the client.

 

If that is not the case then , check the routing on the switch. For testing in the nat rule that you have created for inbound, source nat the traffic to the trustzone interface.

 

Share the output of pcaps and session if this still does not resolve

Go to solution
Hongson
L2 Linker

‎10-15-2017 07:04 PM - edited ‎10-15-2017 07:06 PM

Thank you all for your help, I added source translation to IP of L3_Trust interface (10.126.125.1) but still not success when Remote Desktop 😞

 

Capture.JPG

0 Likes Likes

Go to solution
mgarg
L3 Networker
In response to Hongson

‎10-15-2017 07:36 PM - edited ‎10-15-2017 07:37 PM

at this point. take a pcap on firewall and client together. Share the details.

 

Provide the below details

 

After trying rdp connection ,in the command line type

1) show session all filter source<your_public_src_ip> destination 113.160.131.230 destination-port 3389

this command will list the running sessions and the left most column is session id. Select a session id

2) show session id<session_id>

 

 

 

Go to solution
Mick_Ball
L7 Applicator
In response to Hongson

‎10-15-2017 11:06 PM

Try modifying your source translation 

 

address type = translated address

translated address = 10.126.125.1

 

Go to solution
Hongson
L2 Linker
In response to mgarg

‎10-16-2017 01:17 AM - edited ‎10-16-2017 01:20 AM

Thank you Sir, this is the picture of recive.pcap and drop.pcap, there's nothing in transmit.pcap and firewall.pcap. I'm sorry, due to security reason, I'm not allowed to upload capture file here

27.67.9.246 is my public IP from internet zone

1.JPG2.JPG

I also run command show session all filter source<your_public_src_ip> destination 113.160.131.230 destination-port 3389 but there's no active session

0 Likes Likes

Go to solution
Hongson
L2 Linker
In response to Mick_Ball

‎10-16-2017 01:19 AM

I change the source translate to "translated address" but it still not working

3.JPG

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator

‎10-16-2017 01:30 AM

from the cli.

 

ping source 10.126.125.1 host 10.126.123.132

 

do you get replies?

Go to solution
Hongson
L2 Linker
In response to Mick_Ball

‎10-16-2017 01:33 AM - edited ‎10-16-2017 01:34 AM

Yes sir, Ping successful

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator
In response to Hongson

‎10-16-2017 01:56 AM

change your security policy/action/log settings to session start.

 

attempt a connection and find connection attempt in monitor/traffic.

 

if you can see the session start then select magnifying glass on left column and post 

Go to solution
Hongson
L2 Linker
In response to Mick_Ball

‎10-16-2017 02:06 AM - edited ‎10-16-2017 02:07 AM

I've already choosen both Log at session start and end before 😞

0 Likes Likes

Go to solution
Mick_Ball
L7 Applicator

‎10-16-2017 02:16 AM

in your security policy, should the destination address be 10.126.123.132 and not 113.160.131.230

0 Likes Likes

Go to solution
Hongson
L2 Linker
In response to Mick_Ball

‎10-16-2017 02:24 AM

I think it must be 113.160.131.230 but anyway, I tried changing it to 10.126.123.132 or any, it's not working 😞

0 Likes Likes

Go to solution
aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to Hongson

‎10-16-2017 02:48 AM

Of cource it wouldn't work...When using destination NAT, Security policy must contain PRE-NAT addresses and POST-NAT zones. Which means that your original configuration configuration is actually correct.

 

In my humble opinion your original configuration was correct (correct NAT and correct security policy). There was suggestion to set source NAT and I saw you have enabled source and destination - I would say this is wrong... I believe the suggestion was to configure source static nat and enable bidirectional. That way you should accomplish the same think create static NAT. But you shouldn't enable both source and destination in the same rule.

 

In the capture you can see that drop capture is filling with with the SYN, so

 

So my suggestion:

1. Put everything back as you configure it originally.

2. I saw that you are using service group RDP, can you confirm that this service group contain TCP port 3389?

3. Enable log on start for the security rule
4. Check traffic log for log matching your source address. send screenshot for this entry (you can hide the real addresses if you like)

 

 

  • 1 accepted solution
  • 13747 Views
  • 32 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks