PIX 501 VPN Issue

Unanswered Question
Nov 5th, 2008

Hi there,


We have a PIX 501 which a customer uses as a VPN end-point to RDP via the Internet to their servers on the inside of the PIX. The VPN works fine and the customer can connect to their server using RDP; however, when a 2nd user connects to the same PIX via the VPN and successfully authenticates, they can't connect to the same server via RDP. The customer has the required licenses on the servers for multiple RDP connections, and when we bypass the VPN all users can access the same server via multiple sessions. My understanding was that the PIX 501 allows 10 concurrent VPN connections, which it seems to, but I'm unsure why only one source IP address can gain access to the server on the inside of the PIX. Could this be a licensing issue?



Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

UKG-Litmus-PIX up 123 days 17 hours

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0009.b74a.b24b, irq 9
1: ethernet1: address is 0009.b74a.b24c, irq 10

Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

This PIX has a Restricted (R) license.


Here is a snippet of the config showing the VPN setup:

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
!
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!
vpngroup Customer-VPN address-pool client
vpngroup Customer-VPN dns-server x.x.x.x
vpngroup Customer-VPN default-domain xx.net
vpngroup Customer-VPN split-tunnel 102
vpngroup Customer-VPN idle-time 1800
vpngroup Customer-VPN password ********
!
ip local pool client 192.168.2.1-192.168.2.254
!
access-list outside line 1 permit ip 192.168.2.0 255.255.255.0 any (hitcnt=1034)
!
access-list 101 permit ip any 192.168.0.0 255.255.0.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
nat (inside) 0 access-list 101


Any ideas would be appreciated.


Thanks

PJ


ajagadee Wed, 11/05/2008 - 11:35

PJ,


Your configuration looks good, and if it works only for one user and not the others over the IPSEC tunnel, I would use the "capture" command on the PIX and do a debug on the packets to see what the PIX is doing with the RDP requests from the second client. This should point you in the right direction.


Also, to answer your question regarding licensing, one quick way to find out is to clear the xlates on the PIX 501, have only the VPN clients connect to the PIX, and try to access RDP.


Regards,

Arul


*Pls rate if it helps*
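The capture and xlate checks suggested in the reply, written out as an added example in PIX 6.3 CLI syntax; this is not part of the thread and not the poster's configuration. It assumes an RDP server at 192.168.1.10 on the inside (a constructed address) and uses the 192.168.2.0/24 "client" pool and ACL names already in the posted config; the ACL name "rdpcap" and capture names "rdpin"/"rdpout" are chosen here.

```text
! Added example, not from the thread. Assumed values: the RDP server is
! 192.168.1.10 on the inside; VPN clients get addresses from the posted
! 192.168.2.0/24 "client" pool. RDP is TCP port 3389.
!
! 1. Match only RDP between the VPN pool and the server, in both
!    directions, so the capture buffer is not filled with other traffic.
access-list rdpcap permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list rdpcap permit tcp host 192.168.1.10 eq 3389 192.168.2.0 255.255.255.0
!
! 2. Capture on both interfaces. The inside buffer shows whether the
!    second client's RDP requests are actually forwarded to the server
!    and whether the server answers.
capture rdpout access-list rdpcap interface outside
capture rdpin  access-list rdpcap interface inside
!
! 3. Have the second client connect and attempt RDP, then compare the
!    buffers. Also confirm the PIX is decrypting that peer's packets
!    (#pkts decaps should increase for the second client's SA).
show capture rdpout detail
show capture rdpin detail
show crypto ipsec sa
!
! 4. Licensing check from the reply: clear translations, let only the
!    VPN clients reconnect, then look at what the PIX is tracking.
clear xlate
show xlate
show conn
!
! 5. Remove the captures and the helper ACL when finished.
no capture rdpout
no capture rdpin
no access-list rdpcap
```

Read the two buffers side by side: a TCP SYN from the second client present in the outside/decrypt path but absent on the inside capture means the PIX is dropping it before forwarding, while a SYN on the inside with no reply from the server points at the host rather than the firewall.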
