I have a PIX506 that I am connecting to via the Cisco VPN client. I can connect to the PIX with no issue (now), but at this one location I can't get RDP or ping to work to the network inside the PIX.
That is, I had to have the customer open up the VPN ports on their firewall to allow me to connect to the VPN first, but now that I can connect to the VPN I can't ping or use RDP to connect to any machine on the inside of the PIX.
All my other sites work fine; just this one is being a bother.
My idea of a VPN is that once the tunnel is established, all things destined for that network, no matter what they are, use the VPN ports as far as the local third-party firewall/router is concerned. Is this not correct? Will I still need to open the RDP port for this to work even through the VPN?
Can you check with the ISP for that location whether they are blocking ESP or UDP 4500? ESP / UDP 4500 (if NAT-T) is the actual payload. ISAKMP UDP 500 is the control protocol that builds the tunnel.
Just some thoughts
Please rate if it helps
The config seems to be fine; I'm a bit puzzled, as I did not find relevant flaws that would prevent RA client connectivity to the inside. We have to dig a little more.
When the client connects, can you post the output of:
show ipsec sa, or show crypto ipsec sa <-- it should show encrypts/decrypts as well as the VPN pool IP given to the connected client
show isakmp <-- should show the active SA and IKE peer (the VPN client)
From behind the PIX, see if you can ping the client IP address.
You may want to do a low-level ICMP debug when sending pings either way.
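One way to read those counters mechanically, as an added example that is not part of the original thread: a small Python script that parses the `#pkts encaps` / `#pkts decaps` lines that `show crypto ipsec sa` prints per client SA and states which direction of traffic is missing. On the PIX, decaps counts packets received from the client and encaps counts packets sent back to it, so decaps of zero points at the ESP / UDP 4500 path mentioned above, while decaps without encaps means the inside host is not replying. The sample output is constructed to resemble PIX/ASA output; the interface name, addresses and counter values are made up, and the exact field layout is an assumption.

```python
import re

# Constructed sample (not real device output), modelled on the per-SA counter
# lines of "show crypto ipsec sa". Assumption: the real command prints more
# lines; only "remote ident", "current_peer" and the #pkts lines are used here.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_dyn_map, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.99.0.5/255.255.255.255/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.99.0.6/255.255.255.255/0/0)
      current_peer: 198.51.100.9

      #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
      #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
"""

REMOTE_IDENT = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/")
CURRENT_PEER = re.compile(r"current_peer: ([\d.]+)")
ENCAPS = re.compile(r"#pkts encaps: (\d+),")
DECAPS = re.compile(r"#pkts decaps: (\d+),")


def parse_ipsec_sas(text):
    """Return one dict per SA: the VPN pool IP assigned to the client, the
    client's public peer address, and the encaps/decaps packet counters."""
    sas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REMOTE_IDENT.match(line)
        if m:
            # A new "remote ident" line starts a new SA block.
            current = {"client": m.group(1), "peer": None, "encaps": 0, "decaps": 0}
            sas.append(current)
            continue
        if current is None:
            continue
        m = CURRENT_PEER.match(line)
        if m:
            current["peer"] = m.group(1)
            continue
        m = ENCAPS.match(line)
        if m:
            current["encaps"] = int(m.group(1))
            continue
        m = DECAPS.match(line)
        if m:
            current["decaps"] = int(m.group(1))
    return sas


def diagnose(sa):
    """Classify the SA by traffic direction, seen from the PIX side.
    decaps = packets received from the client, encaps = packets sent to it."""
    if sa["decaps"] == 0 and sa["encaps"] == 0:
        return ("no-traffic",
                "tunnel is up but nothing enters it; check whether the ISP blocks "
                "ESP / UDP 4500, or whether client traffic is routed into the tunnel")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return ("inbound-only",
                "PIX receives client packets but sends none back; the inside host "
                "is not replying (host firewall, or no route back to the VPN pool)")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return ("outbound-only",
                "PIX sends to the client but receives nothing; the client-to-PIX "
                "ESP / UDP 4500 path is being dropped")
    return ("healthy", "traffic flows in both directions")


def report(text):
    """Map each client's VPN pool IP to its (status, explanation) pair."""
    return {sa["client"]: diagnose(sa) for sa in parse_ipsec_sas(text)}


if __name__ == "__main__":
    for client, (status, why) in report(SAMPLE_SHOW_CRYPTO_IPSEC_SA).items():
        print(f"{client}: {status} - {why}")
```

Paste the real command output in place of the constructed sample; the script prints one verdict per connected client, which narrows the next step to either the ISP path (no decaps) or the inside host (decaps without encaps) before running any low-level ICMP debug.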