Remote Access VPN - issue

Unanswered Question
Oct 2nd, 2008

Hi all,

I'm trying to set up a Remote Access VPN on PIX 6.3 (where once connected you are assigned only 1 IP and that IP can only RDP to one server). Although I connect to the VPN OK, I can't RDP to that server. On the VPN client, the sent bytes are going up but the received bytes are 0.

On the remote server I have added a static route as follows:

route add mask interface of pix) it's on the same segment

Below are the VPN configs:

! Split-tunnel ACL (the network values were stripped from the post)
access-list split-tunnel permit ip
! Address pool handed to remote-access clients
ip local pool RA_VPN_SUPPORT mask
! NAT exemption so that inside-to-pool traffic is not translated
nat (inside) 0 access-list NONAT
! Phase 2 (IPsec): transform set and dynamic map for the remote-access clients
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET
crypto map CRYPTO_VPN 99 ipsec-isakmp dynamic DYN_MAP
crypto map CRYPTO_VPN client configuration address initiate
crypto map CRYPTO_VPN client authentication RA_VPN_AAA
crypto map CRYPTO_VPN interface outside
! Phase 1 (ISAKMP); the keyed peer address is for the site-to-site tunnel,
! remote-access clients authenticate with the vpngroup password below
isakmp enable outside
isakmp key ******** address netmask
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
! Remote-access group; note that split-tunnel references NONAT, not the split-tunnel ACL defined above
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT dns-server
vpngroup RA_VPN_SUPPORT default-domain
vpngroup RA_VPN_SUPPORT split-tunnel NONAT
vpngroup RA_VPN_SUPPORT idle-time 1800
vpngroup RA_VPN_SUPPORT password ********

lmather Thu, 10/02/2008 - 02:29

Do you have the access list "NONAT" specified in your config?

Do you have other working tunnels on the device?

Have you used the command "sysopt connection permit-ipsec" or allowed access to the LAN address on the outside access list of the PIX?

solpandor Thu, 10/02/2008 - 02:41

Yes, I have the access list NONAT configured.

Yes, there is a site-to-site tunnel working OK.

Yes, I have used the sysopt connection permit-ipsec command.

lmather Thu, 10/02/2008 - 03:34

Does the server have an appropriate return route?

Can you ping the inside of the PIX from the VPN client if you specify "management-interface inside" ?

solpandor Thu, 10/02/2008 - 03:36

Yes, the server has a static route to via the inside interface of the PIX, as it is on the same segment.

No, I can't.
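
A worked PIX 6.3 configuration for the setup this thread describes (one pool address that may only RDP to one server), added here as an example; it is not the poster's config and not taken from any Cisco document. Every address is assumed: inside LAN 10.1.1.0/24 behind the PIX inside interface 10.1.1.1, the RDP server 10.1.1.50, and a pool 10.9.9.0/24 chosen so that it does not overlap the inside LAN. The ACL names SPLIT and OUTSIDE_IN are also assumptions.

```cisco
! Added example, not from the original post. Assumed addressing:
!   inside LAN    10.1.1.0/24   (PIX inside interface 10.1.1.1)
!   RDP target    10.1.1.50     (TCP/3389)
!   client pool   10.9.9.0/24   (does not overlap the inside LAN, so the
!                                server routes replies to the PIX instead
!                                of ARPing for the client on the LAN)

! 1. NAT exemption: inside -> pool traffic must not be translated, or the
!    reply never matches the IPsec SA and the client shows sent bytes
!    climbing with received bytes stuck at 0.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Split tunnel: only the inside LAN is sent through the tunnel. The
!    vpngroup must reference this ACL (or NONAT, whose entries are the same).
access-list SPLIT permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0

! 3. Pool: a single address, as the post asks for
ip local pool RA_VPN_SUPPORT 10.9.9.10-10.9.9.10 mask 255.255.255.0

! 4. Phase 1. The posted policy used des/md5; 3des/sha is the strongest
!    PIX 6.3 offers and matches the esp-3des/esp-sha-hmac transform set.
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! 5. Phase 2 and the dynamic map for remote-access peers
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET
crypto map CRYPTO_VPN 99 ipsec-isakmp dynamic DYN_MAP
crypto map CRYPTO_VPN client configuration address initiate
crypto map CRYPTO_VPN client authentication RA_VPN_AAA
crypto map CRYPTO_VPN interface outside

! 6. Group settings
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT split-tunnel SPLIT
vpngroup RA_VPN_SUPPORT idle-time 1800
vpngroup RA_VPN_SUPPORT password ********

! 7. Restrict the client to RDP on one server. PIX 6.3 has no per-group
!    filter, and "sysopt connection permit-ipsec" lets decrypted traffic
!    bypass the interface ACL entirely, so remove it and permit only the
!    wanted flow on the outside ACL. Decrypted packets are then checked
!    against OUTSIDE_IN like any other inbound packet.
no sysopt connection permit-ipsec
access-list OUTSIDE_IN permit tcp host 10.9.9.10 host 10.1.1.50 eq 3389
access-group OUTSIDE_IN in interface outside

! 8. Lets the connected client ping the inside interface through the tunnel,
!    which is the check asked for in the thread (the command is
!    "management-access", not "management-interface").
management-access inside
```

Two checks narrow down the "sent bytes up, received bytes 0" symptom. On the PIX, `show crypto ipsec sa` lists `#pkts decaps` and `#pkts encaps` for the client's SA: decaps rising with encaps at 0 means the PIX is receiving and decrypting the client's packets but nothing is coming back from the inside to be encrypted, which points at NAT exemption or the return route rather than at the tunnel itself; `debug icmp trace` while the client pings the server shows whether the echo reaches the inside interface and whether a reply ever arrives. Note that step 7 also applies to the existing site-to-site tunnel: once `sysopt connection permit-ipsec` is removed, that tunnel's traffic needs its own permit entries on the outside ACL or it will stop passing traffic. The static route added on the server is only needed when the server's default gateway is not the PIX inside interface; in that case the gateway router, not just the server, needs a route for the pool pointing at the PIX.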
