RDP over VPN nonfunctional after installing 2wire router.

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    224

    RDP over VPN nonfunctional after installing 2wire router.

    SBC called the other day to 'sell' me something, and being that it was a Saturday morning, and I was doing nothing but having coffee and watching the birds at the feeder, I decided to listen instead of giving them the "I'm too busy" routine.

    They offered the new high speed 3mbs dsl connection for $24.95 a month. And would upgrade me from my 700k connection that I was paying $35 a month for and throw in a wireless router for only $45..
    I accepted the offer...

    Well, I installed the new 2wire 2701HG-b and everything setup fine except for my remote desktop connection from home to work....

    I use IPsec over Cisco VPN to connect to the network (which does connect), but when I try to open Remote Desktop to my computer (XP Pro on both ends), I get the "computer not accepting connections" error....

    I switched everything back to my regular DSL modem and things work OK.
    So, I know it has to be something to do with the router.

    I did go into the firewall in the router and enable port forwarding for the VPN ports, but that didn't work..
    I also tried DMZ mode, and it wouldn't let my VPN connection connect.
    I made sure the default ports for remote desktop were added.

    As far as the other end, we're using a PIX 515E firewall with VPN set to group authentication. Everything is default.

    I have read other users on the web requesting help with the same issue, but everyone recommends setting up port forwarding for port 3389. But that doesn't seem to help my situation.

    I also ran across an article on how to edit the registry entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
    to change the setting to decimal and then add the remote desktop listening port, but I didn't think this would help, so I didn't attempt it...

    Can anyone make a recommendation?
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  2. #2
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    Are there any access lists on your router that might be blocking port 3389?
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  3. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    224
    I haven't found a place in the router config for setting up access lists.
    On the router at work, we do have access lists set up.
    I'm scanning the remote IP with nmap right now to see if I can find a service tied to port 3389.
    There are many rewarding opportunities awaiting composure from like minds and great ideas. It is my objective to interconnect great things.

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    What wan ip are you getting on your router? Is it a private ip?

    If so, then your modem is also a router and has a firewall on it. I think they're calling them "residential gateways" now. It is then assigning you a private ip via DHCP. You will have to log into the modem and disable that firewall and do a static NAT to your router.

    http://www.2wire.com/pages/pdfs/8.pdf

    They do this so people don't have to buy additional hardware (routers/firewalls) and to help protect their network's hosts from being a victim of the next big worm. It's actually pretty smart of them. Just wish they would document it better.

    I've had that problem a couple of times already with the new "modems" that Verizon is giving out around us.
    Last edited by phishphreek; October 21st, 2006 at 09:13 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    A simple test would be to telnet to port 3389 from your PC and hit enter a few times to see if you're even making it to the remote host. To me, this sounds like you've missed something in the path like an ACL on their hardware. RDC is a simple TCP shot so it should be relatively easy to spot the issue.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
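
The reachability test suggested in the post above, as an added example that is not part of the original thread: it classifies a TCP connect to the RDP port so that a refusal (something answered with a reset) can be told apart from a silent drop on the path. The function name and the interpretation strings are this example's own, and the address in the usage lines is a constructed placeholder.

```python
import errno
import socket

# What each outcome says about the path (wording is this example's own).
MEANING = {
    "open": "handshake completed; the path is fine, look at the RDP service itself",
    "refused": "a reset came back; the host or a device in the path rejects the port",
    "filtered": "no answer; an ACL drops the traffic or it never enters the tunnel",
    "unreachable": "no route to the address; check the routes the VPN client installed",
}

def probe_tcp(host, port=3389, timeout=3.0):
    """Attempt one TCP handshake and classify the result as a key of MEANING."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"          # RST received: something answered
    except socket.timeout:
        return "filtered"         # SYN or SYN/ACK silently dropped
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise                     # name resolution or local errors: show them
    finally:
        s.close()

if __name__ == "__main__":
    target = "192.0.2.10"  # constructed placeholder for the work PC's internal address
    result = probe_tcp(target)
    print(f"{target}:3389 -> {result}: {MEANING[result]}")
```

Run it once with the VPN tunnel up and once with it down: the same answer both times suggests the traffic is not going through the tunnel at all.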

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    One thought, are you able to connect to anything else internal while using your VPNClient and IPSEC? I have seen cases where it would connect but you wouldn't be able to do anything (for different reasons, but I have seen it, you can tell by looking at your tx/rx packets, they'll usually be zero)...Have you tried tunnelling over a tcp/udp port rather than using IPSEC? I've gotten around restrictions on IPSEC before by doing that...

    I haven't used that model before, but many of the ones I have used in the past will have specific options in there for (and treat differently) IPSEC and GRE tunnels...but will completely disregard sessions over tcp/udp (and go back to just the default ACL rules)...so you might look around for that (or try the tunneling over tcp/udp).

    Regardless, once the tunnel is established, it should not be necessary to enable any port forwarding for specific protocols (since they are being transported over the tunnel), outside of your PIX that is...(ie, I am specifically referencing your local router).

    /neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027

    DSL Path MTU

    Did you say DSL? Do they use PPPoE?

    I'll bet you 10 antipoints your problem is with the Path MTU.

    My coworker had the same issue a couple weeks back: dsl line, cisco vpn, cheap router.

    Cisco's VPN client runs its own IP stack, and tries to do path MTU discovery. The MTU is configurable in the VPN client. Set it to something like 1492.

    I guess I diagnosed/debugged this when my coworker explained his situation to me; I asked him to do some packet captures to be able to put the finger on the precise culprit, but he hasn't had time to run those yet. Still, setting the MTU of the VPN client worked.

    Give it a try.

    Ammo
    Credit travels up, blame travels down -- The Boss
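
A way to measure the path MTU discussed in the post above, as an added example that is not part of the original thread: it binary-searches for the largest packet that crosses the path with Don't Fragment set. On a PPPoE line the 8-byte PPPoE header leaves 1492 of Ethernet's 1500 bytes. The function names, the 576 to 1500 search range and `simulated_path` (a constructed stand-in for a real link) are assumptions of this example; the `ping` flags are those of Windows `ping` and Linux iputils `ping`.

```python
import platform
import subprocess

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def ping_df(host, payload):
    """Send one echo request of `payload` data bytes with DF set; True on a reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
        out = subprocess.run(cmd, capture_output=True).stdout
        return b"TTL=" in out  # only a real echo reply prints a TTL
    cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_path_mtu(probe, low=576, high=1500):
    """Largest IP packet size in [low, high] that passes unfragmented, else None.

    `probe(payload)` must return True when an echo with that many data bytes
    gets through, e.g. lambda n: ping_df("gateway.example", n).
    """
    if not probe(low - IP_ICMP_HEADERS):
        return None  # even the minimum fails: ICMP is filtered or the host is down
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid - IP_ICMP_HEADERS):
            low = mid        # mid fits, search upward
        else:
            high = mid - 1   # mid is too big, search downward
    return low

def simulated_path(link_mtu):
    """Constructed stand-in for a real path whose smallest link MTU is link_mtu."""
    return lambda payload: payload + IP_ICMP_HEADERS <= link_mtu

if __name__ == "__main__":
    print("PPPoE DSL path:", find_path_mtu(simulated_path(1492)))
    print("Plain Ethernet path:", find_path_mtu(simulated_path(1500)))
```

Measure with the tunnel down against the VPN gateway or another host that answers ping; a result below 1500 on a path that silently drops oversized packets matches the symptom of a tunnel that connects but stalls on larger transfers.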

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Posts
    123
    Make sure your 2wire router IP address is on a different subnet from your work computer.

  9. #9
    Junior Member
    Join Date
    Mar 2007
    Posts
    2
    Quote Originally Posted by fraggin
    SBC called the other day to 'sell' me something, and being that it was a Saturday morning, and I was doing nothing but having coffee and watching the birds at the feeder, I decided to listen instead of giving them the "I'm too busy" routine.

    They offered the new high speed 3mbs dsl connection for $24.95 a month. And would upgrade me from my 700k connection that I was paying $35 a month for and throw in a wireless router for only $45..
    I accepted the offer...

    Well, I installed the new 2wire 2701HG-b and everything setup fine except for my remote desktop connection from home to work....

    I use IPsec over Cisco VPN to connect to the network (which does connect), but when I try to open Remote Desktop to my computer (XP Pro on both ends), I get the "computer not accepting connections" error....

    I switched everything back to my regular DSL modem and things work OK.
    So, I know it has to be something to do with the router.

    I did go into the firewall in the router and enable port forwarding for the VPN ports, but that didn't work..
    I also tried DMZ mode, and it wouldn't let my VPN connection connect.
    I made sure the default ports for remote desktop were added.

    As far as the other end, we're using a PIX 515E firewall with VPN set to group authentication. Everything is default.

    I have read other users on the web requesting help with the same issue, but everyone recommends setting up port forwarding for port 3389. But that doesn't seem to help my situation.

    I also ran across an article on how to edit the registry entry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
    to change the setting to decimal and then add the remote desktop listening port, but I didn't think this would help, so I didn't attempt it...

    Can anyone make a recommendation?
    I know that this is an old thread but I had an older 2wire 1800 series modem and had no problems connecting with Cisco client software. I had to switch to the 2701 series and can no longer connect. Were you able to come up with a solution?
    Thanks

  10. #10
    Junior Member nvzsc's Avatar
    Join Date
    Mar 2007
    Posts
    12
    2Wire is gay like that, call them back and tell them you want a Versalink. :P
