PIX 501 Blocking Remote Desktop

TXLombardi
Level 1

I have a client who has a PIX 501 in his office. He has a server at a co-location facility, which also has a PIX. When the client wants to access his server, he creates a Cisco client VPN connection (not a PIX to PIX VPN). However, once the VPN is up, he can't access the server. If any other router is put in place of his local office PIX, he can then create the client VPN and access his server using RDP with no problem.

Does anyone have any idea how he can access his server at the co-location facility without removing his office PIX?

Tony

12 Replies

acomiskey
Level 10

Does he have any access to the remote network when the pix is in place? Or is it specifically rdp?

>>Does he have any access to the remote network when the pix is in place?

No, he has no access. We tried to ping the server and do a tracert. Nothing. If the client removes his local PIX and installs a simple router like Linksys, everything works fine.

Any chance of getting the config from the remote pix? Seems more like a nat-traversal issue than a blocking issue on the local pix.

>>Any chance of getting the config from the remote pix?

No, but I have the config of the local PIX from where the RDP connection is attempting to be made. Outside and inside IPs have been changed.

! interfaces and protocol fixups
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
! host/network names (addresses changed by the poster)
names
name 192.168.25.0 VPNclient
name 1.1.1.10 web_ftp-outside
name 192.168.23.6 web_ftp-inside
name 1.1.1.115 email_RDP-outside
name 192.168.23.5 email_RDP-inside
! inbound ACL on the outside interface
access-list 101 permit icmp any any
access-list 101 remark VPN Access Policy
access-list 101 permit ip VPNclient 255.255.255.0 192.168.23.0 255.255.255.0
access-list 101 permit tcp any host email_RDP-outside eq smtp
access-list 101 permit tcp any host email_RDP-outside eq pop3
access-list 101 permit tcp any host email_RDP-outside eq 3389
access-list 101 permit tcp any host web_ftp-outside eq ftp-data
access-list 101 permit tcp any host web_ftp-outside eq ftp
access-list 101 permit tcp any host web_ftp-outside eq www
access-list 101 permit tcp any host web_ftp-outside eq https
! crypto / split-tunnel / NAT-exemption ACLs
access-list outside_cryptomap_dyn_30 permit ip any VPNclient 255.255.255.0
access-list sasco_splitTunnelAcl permit ip 192.168.23.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.23.0 255.255.255.0 VPNclient 255.255.255.0
pager lines 24
! addressing, anti-spoofing, IDS audit, client address pool
ip address outside 1.1.1.20 255.255.255.248
ip address inside 192.168.23.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool sascoVPNpool 192.168.25.51-192.168.25.60 mask 255.255.255.0
pdm location email_RDP-outside 255.255.255.255 outside
pdm location web_ftp-inside 255.255.255.255 inside
pdm location email_RDP-inside 255.255.255.255 inside
pdm location VPNclient 255.255.255.0 outside
pdm location web_ftp-outside 255.255.255.255 outside
pdm history enable
! NAT: PAT on the outside interface address, NAT exemption for the VPN pool, two statics
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) email_RDP-outside email_RDP-inside netmask 255.255.255.255 0 0
static (inside,outside) web_ftp-outside web_ftp-inside netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.17 1
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
auth-prompt prompt Enter login authorization
auth-prompt accept Thank you. Access granted.
auth-prompt reject Either get it right or stop trying to hack your way in.
! IPsec / ISAKMP for VPN clients terminating on this PIX
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_30
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! VPN group for clients connecting to this PIX
vpngroup sasco address-pool sascoVPNpool
vpngroup sasco dns-server email_RDP-inside 65.32.1.70
vpngroup sasco wins-server email_RDP-inside
vpngroup sasco default-domain sasco.local
vpngroup sasco split-tunnel sasco_splitTunnelAcl
vpngroup sasco split-dns sasco.local sasco.lcl

Where is the tunnel connection to? Your 501? Have your friend enable logging on his PIX if he hasn't already:

logging buffered 6
logging on

Have him try to connect and get a sh log from the PIX.

The remote end point for the Cisco client to PIX VPN is the remote PIX not the local. The local PIX is in a passive role here. There is no PIX to PIX VPN. The owner of the remote PIX will not allow a PIX to PIX VPN.

I will get the log and post it late Tuesday.

Thank you for your help.

Check that the remote pix has "isakmp nat-traversal" in the config.

Don't think "isakmp nat-traversal" is relevant here since the tunnel is not terminating on the remote PIX.

You could also have him do a capture:

http://firewalls.ath.cx/viewtopic.php?t=13

JBDanford2002, I think you are mistaken.

From a few posts above:

"The remote end point for the Cisco client to PIX VPN is the remote PIX not the local."

>>I think you are mistaken

That is always a possibility. Mistaken about what? The client VPN end point?

TXLombardi, I was referring to JBDanford2002's comment above.

He said your vpn client was not terminating on the remote pix.

Ah, ok. I re-read the first post. I think you are possibly right acomiskey. The option would be to enable "fixup protocol esp-ike". The downer is that you won't be able to terminate any VPNs on your PIX. NAT-T is definitely the way to go. Definitely take a look at the logs to see if you are dropping on IP 50.
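To make the log check above concrete, here is an added example (not from the thread or from Cisco) that triages a buffered PIX log for the three things that matter in this scenario: whether IKE (UDP/500) got through the office PIX, whether NAT-T (UDP/4500) was negotiated, and whether raw ESP (IP protocol 50) is being dropped. The log lines, the client address 192.168.23.50 and the remote PIX address 203.0.113.10 are constructed for the example; the message layout imitates PIX 6.x syslog but is not copied from a real device.

```python
import re

# Constructed "sh log" excerpt from the office PIX while the VPN client (192.168.23.50)
# talks to the co-location PIX (203.0.113.10). IKE builds fine through PAT, but the
# ESP return traffic has no port for PAT to map and is not permitted by ACL 101.
SAMPLE_LOG_NO_NATT = """\
%PIX-6-302015: Built outbound UDP connection 1201 for outside:203.0.113.10/500 (203.0.113.10/500) to inside:192.168.23.50/500 (1.1.1.20/500)
%PIX-4-106023: Deny protocol 50 src outside:203.0.113.10 dst outside:1.1.1.20 by access-group "101"
%PIX-4-106023: Deny protocol 50 src outside:203.0.113.10 dst outside:1.1.1.20 by access-group "101"
%PIX-6-302016: Teardown UDP connection 1201 for outside:203.0.113.10/500 to inside:192.168.23.50/500 duration 0:01:00 bytes 1264
"""

# Constructed excerpt for the healthy case: after IKE the peers switch to UDP/4500 (NAT-T).
SAMPLE_LOG_NATT = """\
%PIX-6-302015: Built outbound UDP connection 1301 for outside:203.0.113.10/500 (203.0.113.10/500) to inside:192.168.23.50/500 (1.1.1.20/500)
%PIX-6-302015: Built outbound UDP connection 1302 for outside:203.0.113.10/4500 (203.0.113.10/4500) to inside:192.168.23.50/4500 (1.1.1.20/1041)
"""

BUILT_UDP = re.compile(r"Built (?:outbound|inbound) UDP connection \d+ for \S+/(\d+) .* to \S+/(\d+)")
DENY_PROTO = re.compile(r"Deny protocol (\d+) src (\S+) dst (\S+)")


def triage(log_text: str) -> dict:
    """Classify a PIX log excerpt by IKE / NAT-T / ESP evidence and return a verdict."""
    ike_seen = natt_seen = False
    esp_denied = 0
    for line in log_text.splitlines():
        m = BUILT_UDP.search(line)
        if m:
            ports = {int(m.group(1)), int(m.group(2))}
            ike_seen = ike_seen or 500 in ports      # ISAKMP phase 1/2
            natt_seen = natt_seen or 4500 in ports   # ESP encapsulated in UDP (NAT-T)
            continue
        m = DENY_PROTO.search(line)
        if m and m.group(1) == "50":                  # raw ESP, which PAT cannot translate
            esp_denied += 1
    if natt_seen:
        verdict = "NAT-T negotiated: ESP rides inside UDP/4500, so PAT on the office PIX is not the blocker"
    elif ike_seen and esp_denied:
        verdict = ("IKE completes but raw ESP (IP 50) is dropped: enable NAT-T on the remote PIX, "
                   "or 'fixup protocol esp-ike' on the office PIX if it never terminates VPNs itself")
    elif ike_seen:
        verdict = "IKE seen, no NAT-T and no logged ESP drops: raise the logging level or capture IP 50 on outside"
    else:
        verdict = "No IKE (UDP/500) traffic at all: the client is not reaching the remote PIX"
    return {"ike": ike_seen, "natt": natt_seen, "esp_denied": esp_denied, "verdict": verdict}
```

Run it over the output of "sh log" after "logging buffered 6" as suggested earlier in the thread; the verdict tells you which of the two fixes discussed here applies.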
