VPN on a PIX 501

Nov 6th, 2007

I am trying to set up a VPN connection for some auditors to one of my clients, and can't seem to get RDP to work. It appears that the Cisco VPN client is connected, but when I try to connect to a specific machine, I'm told that the machine can't be found.

acomiskey Tue, 11/06/2007 - 11:29

Is the problem only related to RDP? Can they ping, etc.? Care to post a sanitized config?

JeremyAustin Tue, 11/06/2007 - 11:38

Ping doesn't respond either. When I launch the VPN client, it group-authenticates fine, then RADIUS works fine, and the lock icon closes. After that, however, nothing else seems to work. What do I need to do to sanitize a config? I'm a first-timer.

acomiskey Tue, 11/06/2007 - 11:44

Sanitizing means cleaning out any public IP addresses, passwords, etc. Anything you wouldn't want anyone else to know.

Sounds like your problem is related to NAT traversal. Check to see if the following command is in your PIX. If it isn't, add it in.

isakmp nat-traversal

acomiskey Tue, 11/06/2007 - 12:01

Which group is in question here? 5*vend0rs? If so, take a look at your VENDOR-SPLIT-TUNNEL ACL.

access-list VENDOR-SPLIT-TUNNEL permit ip host 70.168.67.x 192.168.201.0 255.255.255.0
access-list VENDOR-SPLIT-TUNNEL permit ip host 70.168.67.x 192.168.200.0 255.255.255.0

This means that only traffic from the VPN clients to 70.168.67.x would be tunneled over the VPN. The second statement wouldn't really do anything. I think it should look more like your other split-tunnel ACL.

access-list VENDOR-SPLIT-TUNNEL permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
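The point made in the reply above is that, on a PIX, the split-tunnel ACL's source side is what the VPN client is told to tunnel; the destination side does not decide anything for the client, so two entries with the same source are one entry. The following script is an added example (not code from the thread or from Cisco) that applies that model to a handful of access-list lines: it extracts the source prefixes the client will tunnel, flags entries whose source repeats an earlier one, and flags sources that do not overlap any inside network. The inside networks 192.168.200.0/24 and 192.168.201.0/24 and the vendor address 70.168.67.10 are assumptions; the thread masks the host's last octet as "x", and 10 is a constructed placeholder.

```python
"""Audit which prefixes a PIX 6.x split-tunnel ACL actually hands to the VPN client.

Added example, not from the original thread. Model: the client tunnels the
*source* network of each entry; the destination side is ignored for that purpose.

Assumptions (not stated in the thread): inside networks are 192.168.200.0/24
and 192.168.201.0/24; the vendor host 70.168.67.10 is a constructed placeholder
for the thread's 70.168.67.x.
"""
import ipaddress
import re

# One PIX address token: "any", "host A.B.C.D", or "A.B.C.D MASK" (subnet mask, not wildcard).
_ADDR = r"(any|host\s+\S+|\S+\s+\S+)"
_ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+permit\s+ip\s+{_ADDR}\s+{_ADDR}\s*$")


def _to_network(token: str) -> ipaddress.IPv4Network:
    """Convert a PIX address token to an IPv4Network."""
    parts = token.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, mask = parts
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def split_tunnel_networks(acl_name, config_lines):
    """Return (tunneled, redundant): the source prefixes the client will tunnel,
    in order, and the 1-based positions of entries whose source repeats an
    earlier entry (they add nothing for the client)."""
    tunneled, redundant = [], []
    for pos, line in enumerate(config_lines, 1):
        m = _ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue  # other ACLs, comments, unrelated config
        src = _to_network(m.group(2))
        if src in tunneled:
            redundant.append(pos)
        else:
            tunneled.append(src)
    return tunneled, redundant


def audit_split_tunnel(acl_name, config_lines, inside_networks):
    """Summarise what the client will reach through the tunnel.

    reachable: inside networks covered (even partly) by a tunneled prefix.
    stray:     tunneled prefixes that overlap no inside network at all, i.e. the
               client is sent a route to something that is not behind the PIX.
    redundant: positions of entries that repeat an earlier source.
    """
    inside = [ipaddress.IPv4Network(n) for n in inside_networks]
    tunneled, redundant = split_tunnel_networks(acl_name, config_lines)
    reachable = [str(n) for n in inside if any(t.overlaps(n) for t in tunneled)]
    stray = [str(t) for t in tunneled if not any(t.overlaps(n) for n in inside)]
    return {"tunneled": [str(t) for t in tunneled],
            "reachable": reachable,
            "stray": stray,
            "redundant": redundant}


# Constructed inputs mirroring the thread (70.168.67.10 stands in for 70.168.67.x).
INSIDE = ["192.168.200.0/24", "192.168.201.0/24"]
BROKEN_ACL = [
    "access-list VENDOR-SPLIT-TUNNEL permit ip host 70.168.67.10 192.168.201.0 255.255.255.0",
    "access-list VENDOR-SPLIT-TUNNEL permit ip host 70.168.67.10 192.168.200.0 255.255.255.0",
]
FIXED_ACL = [
    "access-list VENDOR-SPLIT-TUNNEL permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0",
]

if __name__ == "__main__":
    for label, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(label, audit_split_tunnel("VENDOR-SPLIT-TUNNEL", acl, INSIDE))
```

With the thread's original two lines the client is handed a single /32 for the vendor host, nothing behind the PIX is reachable, and the second entry is reported as redundant; with the corrected line the client tunnels 192.168.200.0/24. If the other inside network is also needed, a second entry with 192.168.201.0 255.255.255.0 as its source would be required, since the destination column does not add it.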
