Cisco VPN Client behind Cisco PIX 501

Unanswered Question
Feb 10th, 2007

Here is the situation:

I have Windows XP SP1 machines behind a Cisco PIX 501 (version 6.3(5)) using the Cisco VPN Client v4.0.4(D).

These machines successfully connect to a VPN concentrator on another network using IPsec/UDP.

Once connected, the machines launch Remote Desktop Connection but are unable to connect to the desired server (via IP address or host name).

If I remove the Cisco PIX from the network, the RDC connection is made without problems.

Does anyone know what I need to change in the PIX configuration to allow the RDC communication?

Configuration below.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

name iwojima
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq ssh
access-list outside_in permit tcp any any eq 6881
access-list outside_in permit tcp any any eq 6882
access-list outside_in permit tcp any any eq 1987
access-list outside_in permit udp any any eq 1987
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location iwojima inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface www iwojima www netmask 0 0
static (inside,outside) tcp interface 6881 iwojima 6881 netmask 0 0
static (inside,outside) tcp interface 6882 iwojima 6882 netmask 0 0
static (inside,outside) tcp interface ssh iwojima ssh netmask 0 0
static (inside,outside) tcp interface 1987 1987 netmask 0 0
static (inside,outside) udp interface 1987 1987 netmask 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside iwojima /
floodguard enable
fragment chain 1
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd wins iwojima
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
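As an added illustration (not part of the thread, and not Cisco tooling), the Python below audits a PIX 6.3 configuration written in the form posted above: it pairs the access-list bound to the outside interface with the static PATs, because PIX 6.3 admits an inbound connection only when both a permit and a translation exist, and it flags the default SNMP community string that appears in the posted config. The sample config is a constructed, redacted subset of the one above; the keyword-to-port table is an assumption of this example.

```python
import re
# Constructed sample: a redacted subset of the PIX 6.3 config posted above.
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq 6881
access-list outside_in permit tcp any any eq 1987
access-list outside_in permit udp any any eq 1987
static (inside,outside) tcp interface www iwojima www netmask 0 0
static (inside,outside) tcp interface 6881 iwojima 6881 netmask 0 0
static (inside,outside) tcp interface 1987 1987 netmask 0 0
static (inside,outside) udp interface 1987 1987 netmask 0 0
access-group outside_in in interface outside
snmp-server community public
"""
# Assumed keyword->port mapping for the service names PIX accepts after 'eq'.
WELL_KNOWN = {"www": 80, "ssh": 22, "smtp": 25, "telnet": 23, "ftp": 21}
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) \S+ \S+ eq (\S+)$")
# A complete static PAT names mapped port, real host, real port; the redacted '1987 1987' lines lack a host and do not match.
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) \S+ netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
WEAK = {r"^snmp-server community public$": "default SNMP community string 'public'",
        r"^access-list \S+ permit \S+ any any eq": "inbound permits accept any source"}

def to_port(token):
    """Resolve a PIX port token (keyword or number) to an int, or None."""
    return int(token) if token.isdigit() else WELL_KNOWN.get(token)

def exposed_services(config):
    """PIX 6.3 admits an inbound connection only if the ACL bound to 'outside'
    permits it AND a static translates it; return ({(proto, port): host}, [unmatched])."""
    permits, statics, bound = [], {}, None
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            permits.append((m[1], m[2], to_port(m[3])))
        elif m := STATIC_RE.match(line):
            statics[(m[1], to_port(m[2]))] = m[3]
        elif m := GROUP_RE.match(line):
            bound = m[1]
    exposed, unmatched = {}, []
    for acl, proto, port in permits:
        if acl != bound:
            continue  # a permit in an ACL that is not applied to outside has no effect
        if (proto, port) in statics:
            exposed[(proto, port)] = statics[(proto, port)]
        else:
            unmatched.append((proto, port))  # permitted, but the PIX has nowhere to send it
    return exposed, unmatched

def weak_settings(config):
    return [msg for pat, msg in WEAK.items() if re.search(pat, config, re.M)]
```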

Fernando_Meza Sat, 02/10/2007 - 17:37

Hi. I suggest checking two things.

1. Make sure the servers on the other network know how to get back to the IP pool allocated to the remote VPN clients; return packets should be routed to the Concentrator.

2. Check that the remote VPN on the concentrator has NAT-Transparency enabled.

I hope it helps; please rate it if it does!!!

gsutton45 Sat, 02/10/2007 - 17:47

Unfortunately I have no control over the remote network or the servers on it. If I understand your suggestions correctly, both pertain to configuration of the remote network.