
New Member

Cisco VPN Client behind Cisco PIX 501

Here is the situation:

I have Windows XP SP1 machines behind a Cisco PIX 501 (version 6.3(5)) using the Cisco VPN Client v4.0.4(D).

These machines successfully connect to a VPN concentrator on another network using IPsec/UDP.

Once connected the machines launch Remote Desktop Connection but are unable to connect to the desired server (via IP address or host name).

If I remove the Cisco PIX from the network, the RDC connection is made without problems.

Does anyone know what I need to change in the PIX configuration to allow the RDC communication?

Configuration below.

Thanks,

George

******

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.23.24.100 iwojima
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq ssh
access-list outside_in permit tcp any any eq 6881
access-list outside_in permit tcp any any eq 6882
access-list outside_in permit tcp any any eq 1987
access-list outside_in permit udp any any eq 1987
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.23.24.240 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location iwojima 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www iwojima www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 iwojima 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 iwojima 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh iwojima ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.23.24.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside iwojima /
floodguard enable
fragment chain 1
telnet 172.23.24.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.23.24.51-172.23.24.69 inside
dhcpd dns 12.127.16.67 12.127.17.72
dhcpd wins iwojima
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

4 REPLIES

Re: Cisco VPN Client behind Cisco PIX 501

Hi .. I suggest checking two things.

1.- Make sure the servers on the other network know how to get back to the IP pool allocated to the remote VPN clients .. return packets should be routed to the Concentrator.

2.- Check that the remote vpn on the concentrator has NAT-Transparency enabled.

I hope it helps .. please rate it if it does !!!

New Member

Re: Cisco VPN Client behind Cisco PIX 501

Fernando,

Unfortunately I have no control over the remote network or the servers on it. If I understand your suggestions correctly, both pertain to configuration of the remote network.

Thanks,

George

New Member

Re: Cisco VPN Client behind Cisco PIX 501

I think you should open the port for RDP in your ACL.

New Member

Re: Cisco VPN Client behind Cisco PIX 501

I have opened port 3389 and it made no difference.

George
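An added example, not code from the thread or from Cisco: a small Python parser for the `name`, `access-list`, `static` and `access-group` lines of the PIX 6.3 config George posted. It answers the two questions the thread circles around. First, which inside services the `outside_in` ACL combined with the `static` translations actually expose on the outside (DHCP) address, plus two management settings in the same dump worth flagging (`snmp-server community public`, telnet on the inside). Second, whether adding tcp/3389 to `outside_in` (reply 3, tried in reply 4) is consulted at all for the VPN client's session: that ACL is bound `in interface outside`, so it filters only traffic arriving on the outside interface that does not belong to an existing inside-initiated connection, and the client's outbound IPsec/UDP session is governed by the `nat (inside) 1` rule instead. The function names (`parse_pix`, `inbound_permitted`, `exposed_services`, `audit`), the dataclasses and the config excerpt are my own; the excerpt reproduces the relevant lines of the posted config and omits the rest.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the PIX 6.3 config posted in the thread: names, ACL,
# NAT/static, access-group and two management lines; everything else omitted.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 172.23.24.100 iwojima
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq ssh
access-list outside_in permit tcp any any eq 6881
access-list outside_in permit tcp any any eq 6882
access-list outside_in permit tcp any any eq 1987
access-list outside_in permit udp any any eq 1987
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www iwojima www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 iwojima 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 iwojima 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh iwojima ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
snmp-server community public
telnet 172.23.24.0 255.255.255.0 inside
"""

# PIX accepts service keywords in place of port numbers; map the ones used here.
SERVICE_PORTS = {"www": 80, "http": 80, "ssh": 22, "ftp": 21, "smtp": 25, "telnet": 23}

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (tcp|udp|ip) (\S+) (\S+)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


@dataclass(frozen=True)
class AclEntry:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int]   # None when the entry has no "eq" clause (any port)


@dataclass(frozen=True)
class StaticPat:
    proto: str
    outside_port: int
    inside_host: str      # "name" aliases resolved to the IP they stand for
    inside_port: int


@dataclass
class PixConfig:
    names: Dict[str, str]
    acl_entries: List[AclEntry]
    statics: List[StaticPat]
    inbound_acl: Dict[str, str]   # interface -> ACL applied inbound on it
    raw: List[str]


def parse_pix(text: str) -> PixConfig:
    cfg = PixConfig({}, [], [], {}, [])
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        cfg.raw.append(line)
        if line.startswith("name "):
            _, ip, alias = line.split()
            cfg.names[alias] = ip
            continue
        m = ACL_RE.match(line)
        if m:
            acl, action, proto, src, dst, port = m.groups()
            cfg.acl_entries.append(AclEntry(acl, action, proto, src, dst,
                                            port_number(port) if port else None))
            continue
        m = STATIC_RE.match(line)
        if m:
            _, _, proto, _, oport, host, iport = m.groups()
            cfg.statics.append(StaticPat(proto, port_number(oport),
                                         cfg.names.get(host, host), port_number(iport)))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            cfg.inbound_acl[m.group(2)] = m.group(1)
    return cfg


def inbound_permitted(cfg: PixConfig, iface: str, proto: str, port: int) -> bool:
    """True if the ACL bound inbound on iface permits proto/port from any source."""
    acl = cfg.inbound_acl.get(iface)
    return any(e.acl == acl and e.action == "permit" and e.proto in (proto, "ip")
               and e.src == "any" and e.port in (port, None)
               for e in cfg.acl_entries)


def exposed_services(cfg: PixConfig) -> List[Tuple[str, int, str, int]]:
    """Static port translations that the inbound outside ACL also permits,
    i.e. inside services reachable from the Internet on the outside address."""
    return sorted((s.proto, s.outside_port, s.inside_host, s.inside_port)
                  for s in cfg.statics
                  if inbound_permitted(cfg, "outside", s.proto, s.outside_port))


def audit(cfg: PixConfig) -> List[str]:
    findings = [f"exposed: {p}/{op} -> {host}:{ip}" for p, op, host, ip in exposed_services(cfg)]
    if "snmp-server community public" in cfg.raw:
        findings.append("snmp: default community string 'public' configured")
    if any(l.startswith("telnet ") and l.endswith(" inside") for l in cfg.raw):
        findings.append("mgmt: cleartext telnet management enabled on inside")
    return findings


if __name__ == "__main__":
    cfg = parse_pix(PIX_CONFIG)
    for finding in audit(cfg):
        print(finding)
    # outside_in is only evaluated for connections arriving on the outside
    # interface, so an RDP entry there would not affect the VPN client's own
    # outbound session; as posted, tcp/3389 is not permitted inbound either.
    print("inbound tcp/3389 permitted:", inbound_permitted(cfg, "outside", "tcp", 3389))
```

Running it lists six exposed services (www, ssh, 6881 and 6882 to iwojima, tcp and udp 1987 to 172.23.24.110) and the two management findings, then prints `False` for inbound RDP. The point of `inbound_permitted` is to make the direction explicit: since the ACL is applied inbound on the outside interface, changing it cannot be what fixes an inside-initiated RDP session through the VPN tunnel.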
