MX64 VPN and RDP access

Jentech
New here


Sorry if this has been covered before. To start, I'm no expert at this. I have a new MX64 that was installed by my internet provider, connected to a simple LAN with one server and five PCs. I can connect to the box through the VPN; however, I cannot ping or RDP to any computer behind the firewall. An outbound rule allows the source 192.168.60.0/24 (VPN) access to 192.168.1.0/24 (LAN); however, I still cannot ping or RDP to the server or any computer behind the firewall. RDP through the old router worked fine before the box was installed. I have been through my IP tech support numerous times over the past week with no help. Can someone with some expertise please provide me with the correct setup information to allow me to RDP to any of the computers on the local LAN through the VPN? Thanks.

7 Replies
GIdenJoe
Kind of a big deal

First the basics:

So the LAN behind the MX is 192.168.1.0/24. Do the PCs and the server point to the LAN IP of the MX as their default gateway?
Second, when you connect using L2TP/IPsec to the MX from a remote location, do you have a full-tunnel config or a split tunnel? If you have a split tunnel, then you need to add a route in Windows for the network 192.168.1.0/24.
Thirdly, and also very important: since you're using a very common subnet of 192.168.1.0/24 behind the MX, you'll have to make sure the subnet you're in at the remote location is not also 192.168.1.0, or the connection will definitely fail.

Jentech
New here

Thanks for the quick reply.

Yes, the LAN behind the MX is 192.168.1.0/24.

Yes, the PCs and the server point to the MX as the default gateway.

It's full tunnel.

The subnet I'm in before I connect to VPN is 192.168.0.0/23.

If I add a port forward, I can RDP without VPN no problem, but that's not the solution I want.


GIdenJoe
Kind of a big deal

"The subnet I'm in before I connect to VPN is 192.168.0.0/23."

That's the problem: the subnet you're in before connecting to the VPN overlaps in address space with 192.168.1.0/24.
Your client will be ARPing for the destination on its own adapter, not on the virtual adapter created by the L2TP connection.

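The route-selection behaviour described in the reply above, as an added example that is not part of the original thread and not Meraki's or Microsoft's code. It models a VPN client's routing table with Python's standard `ipaddress` module and applies longest-prefix match, the rule every IP stack uses before it looks at metrics. The addresses follow the post (client network 192.168.0.0/23, office LAN 192.168.1.0/24, VPN client pool 192.168.60.0/24); the interface names `eth0` and `vpn`, the pool assignment and the `diagnose` helper are assumptions made for the example. It also carries the check through the two scenarios the thread raises: a full tunnel with an overlapping local subnet, and a split tunnel with or without the manual route.

```python
"""Model of a VPN client's route selection, showing why an overlapping local
subnet breaks full-tunnel L2TP/IPsec access to the office LAN.

Constructed example: numbers follow the thread (client LAN 192.168.0.0/23,
office LAN 192.168.1.0/24, VPN client pool 192.168.60.0/24). Interface names
"eth0" (physical adapter) and "vpn" (virtual L2TP adapter) are placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, outgoing interface)


def build_routes(local_net: str, vpn_pool: str, full_tunnel: bool,
                 lan_route: Optional[str] = None) -> List[Route]:
    """Routes a client holds after the tunnel comes up.

    Metrics are deliberately omitted: when two matching prefixes differ in
    length, the longer one wins before any metric is consulted.
    """
    routes: List[Route] = [
        (ipaddress.ip_network(local_net), "eth0"),  # on-link route of the physical adapter
        (ipaddress.ip_network(vpn_pool), "vpn"),    # on-link route of the virtual adapter
    ]
    if full_tunnel:
        # Full tunnel: the VPN pushes a default route into the tunnel.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn"))
    else:
        # Split tunnel: the default route stays on the physical adapter.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "eth0"))
    if lan_route:
        # A manually added route (e.g. `route add` on Windows) pointing the
        # office LAN prefix at the VPN adapter.
        routes.append((ipaddress.ip_network(lan_route), "vpn"))
    return routes


def select_route(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def overlaps(local_net: str, lan_net: str) -> bool:
    """True when the client's local subnet shares addresses with the office LAN."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(lan_net))


def diagnose(local_net: str, lan_net: str, vpn_pool: str, host: str,
             full_tunnel: bool = True,
             lan_route: Optional[str] = None) -> Dict[str, object]:
    """Report where a packet for `host` (a machine on the office LAN) will go."""
    routes = build_routes(local_net, vpn_pool, full_tunnel, lan_route)
    net, iface = select_route(routes, host)
    return {
        "overlap": overlaps(local_net, lan_net),
        "matched_prefix": str(net),
        "interface": iface,
        # Only packets leaving via the virtual adapter can reach the office LAN.
        "reaches_lan": iface == "vpn",
    }


if __name__ == "__main__":
    # The poster's situation: full tunnel, local /23 swallows the office /24.
    print(diagnose("192.168.0.0/23", "192.168.1.0/24", "192.168.60.0/24",
                   "192.168.1.10"))
    # Same client after the office LAN is renumbered to a non-overlapping range.
    print(diagnose("192.168.0.0/23", "192.168.50.0/24", "192.168.60.0/24",
                   "192.168.50.10"))
```

In the first call the on-link /23 of the physical adapter is more specific than the /0 pushed into the tunnel, so the client ARPs for 192.168.1.10 on its own LAN and the packet never enters the tunnel; the firewall rule on the MX is never consulted. In the second call nothing local matches, the default route wins, and the packet goes down the tunnel.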
Jentech
New here

Ok, so I'm not sure how to fix that. I can't change the subnet of the network I'm currently in. My address is 192.168.0.175 at the moment. Again, my apologies if I sound out of my depth.

GIdenJoe
Kind of a big deal

You only have a few options.

You could try to change the subnet you're on.
You could change the subnet where the pc's and server are at.
You could put yourself behind a NAT in that subnet you're on and try to build your VPN from there. For example, if you're on an AP SSID that does NAT instead of bridge mode.

Finally, there's another, more expensive option: buy a Z3 appliance and do site-to-site VPN instead.

Jentech
New here

Thanks for the info. I'll have to think on what to do.


Cheers.

PhilipDAth
Kind of a big deal

I bet the old router was giving out a different DNS domain name in DHCP than the new MX does. As a result, I bet Windows Firewall has decided it is in a different location and turned on, blocking remote RDP.


I suspect if you turn off Windows Firewall it will start working.
