Cisco VPN Client behind Cisco PIX 501

gsutton45
Level 1

Here is the situation:

I have Windows XP SP1 machines behind a Cisco PIX 501 (version 6.3(5)) using the Cisco VPN Client v4.0.4(D).

These machines successfully connect to a VPN concentrator on another network using IPsec/UDP.

Once connected the machines launch Remote Desktop Connection but are unable to connect to the desired server (via IP address or host name).

If I remove the Cisco PIX from the network, the RDC connection is made without problems.

Does anyone know what I need to change in the PIX configuration to allow the RDC communication?

Configuration below.

Thanks,

George

******

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.23.24.100 iwojima
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq ssh
access-list outside_in permit tcp any any eq 6881
access-list outside_in permit tcp any any eq 6882
access-list outside_in permit tcp any any eq 1987
access-list outside_in permit udp any any eq 1987
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.23.24.240 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location iwojima 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www iwojima www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 iwojima 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 iwojima 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh iwojima ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.23.24.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside iwojima /
floodguard enable
fragment chain 1
telnet 172.23.24.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.23.24.51-172.23.24.69 inside
dhcpd dns 12.127.16.67 12.127.17.72
dhcpd wins iwojima
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

4 Replies

Fernando_Meza
Level 7

Hi .. I suggest checking two things.

1.- make sure the servers on the other network know how to get back to the IP pool allocated to the remote VPN clients .. return packets should be routed to the Concentrator.

2.- Check that the remote vpn on the concentrator has NAT-Transparency enabled.

I hope it helps .. please rate it if it does !!!

Fernando,

Unfortunately I have no control over the remote network or the servers on it. If I understand your suggestions correctly, both pertain to configuration of the remote network.

Thanks,

George

jain.nitin
Level 3

I think you should open the port for RDP in your ACL.

I have opened port 3389 and it made no difference.

George
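Since the thread turns on what the `outside_in` ACL does and does not control, here is an added example (written for this page, not code from the thread or from Cisco) that audits the inbound exposure of a PIX 6.3 configuration: it parses the `name`, `access-list`, `access-group`, `static` and `snmp-server community` lines, pairs each permit on the outside interface with the static translation behind it, and reports which inside hosts are reachable from the outside, which permits admit nothing because no translation exists, which translations no ACL admits, and a default SNMP community. The port-name table is an assumed subset of the service names PIX accepts, and the sample configuration is constructed from the lines George posted plus the tcp 3389 permit he says he added while testing.

```python
"""Audit inbound exposure of a PIX 6.3 config (added example, not from the thread)."""
from collections import namedtuple

# Subset of the service names PIX accepts in place of numbers (assumed table).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21,
              "telnet": 23, "smtp": 25, "domain": 53}

AclEntry = namedtuple("AclEntry", "name action proto src dst port")
Static = namedtuple("Static", "proto outside_port inside_host inside_port")


def port_number(token):
    """'www' -> 80, '3389' -> 3389."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_address(tokens, i):
    """Consume one address spec (any | host X | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_acl(line):
    # access-list NAME permit|deny PROTO SRC DST [eq PORT]
    t = line.split()
    src, i = parse_address(t, 4)
    dst, i = parse_address(t, i)
    port = port_number(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return AclEntry(t[1], t[2], t[3], src, dst, port)


def parse_static(line, names):
    # static (inside,outside) tcp|udp interface OUTPORT INHOST INPORT netmask ...
    t = line.split()
    if t[2] not in ("tcp", "udp"):
        return None  # one-to-one address static, not a port translation
    host = names.get(t[5], t[5])  # resolve `name` aliases to the real address
    return Static(t[2], port_number(t[4]), host, port_number(t[6]))


def audit(config_text):
    names, acls, groups, weak, static_lines = {}, [], {}, [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        t = line.split()
        if line.startswith("name "):
            names[t[2]] = t[1]          # name ADDRESS ALIAS
        elif line.startswith("access-list "):
            acls.append(parse_acl(line))
        elif line.startswith("access-group "):
            groups[t[1]] = t[4]         # access-group NAME in interface IFACE
        elif line.startswith("static "):
            static_lines.append(line)   # parsed after all names are known
        elif line.startswith("snmp-server community ") and t[2] in ("public", "private"):
            weak.append(line)
    statics = [s for s in (parse_static(l, names) for l in static_lines) if s]
    outside_permits = [a for a in acls
                       if groups.get(a.name) == "outside" and a.action == "permit"]
    exposed, unreachable, dangling = [], [], []
    for s in statics:
        admitted = any(a.proto in (s.proto, "ip") and a.port in (None, s.outside_port)
                       for a in outside_permits)
        (exposed if admitted else unreachable).append(s)
    for a in outside_permits:
        if a.port is not None and not any(
                s.proto == a.proto and s.outside_port == a.port for s in statics):
            dangling.append(a)          # permit with no translation behind it
    return {"exposed": exposed, "unreachable_static": unreachable,
            "dangling_acl": dangling, "weak_settings": weak}


# Constructed sample: the name/ACL/static/snmp lines from the thread, plus the
# tcp 3389 permit George says he added while testing.
SAMPLE_CONFIG = """\
name 172.23.24.100 iwojima
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq ssh
access-list outside_in permit tcp any any eq 6881
access-list outside_in permit tcp any any eq 6882
access-list outside_in permit tcp any any eq 1987
access-list outside_in permit udp any any eq 1987
access-list outside_in permit tcp any any eq 3389
static (inside,outside) tcp interface www iwojima www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 iwojima 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 iwojima 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh iwojima ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
snmp-server community public
"""

if __name__ == "__main__":
    for key, items in audit(SAMPLE_CONFIG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

On the sample, the six port statics are all admitted by `outside_in`, the tcp 3389 permit is reported as dangling because no static maps that port to an inside host, and the default `public` community is flagged. An entry in an ACL applied inbound on the outside interface only governs connections arriving on that interface and still needs a translation behind it to admit anything; connections that hosts on the inside initiate toward the lower-security outside interface are permitted without an `outside_in` entry, and the client's IPsec/UDP session carries the RDP traffic inside the encrypted tunnel, so the PIX never sees a port 3389 connection of its own.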
