02-10-2007 04:44 PM - edited 03-11-2019 02:31 AM
Here is the situation:
I have Windows XP SP1 machines behind a Cisco PIX 501 (version 6.3(5)) using the Cisco VPN Client v4.0.4(D).
These machines successfully connect to a VPN concentrator on another network using IPsec/UDP.
Once connected the machines launch Remote Desktop Connection but are unable to connect to the desired server (via IP address or host name).
If I remove the Cisco PIX from the network, the RDC connection is made without problems.
Does anyone know what I need to change in the PIX configuration to allow the RDC communication?
Configuration below.
Thanks,
George
******
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.23.24.100 iwojima
access-list outside_in permit tcp any any eq www
access-list outside_in permit tcp any any eq ssh
access-list outside_in permit tcp any any eq 6881
access-list outside_in permit tcp any any eq 6882
access-list outside_in permit tcp any any eq 1987
access-list outside_in permit udp any any eq 1987
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.23.24.240 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location iwojima 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www iwojima www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6881 iwojima 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 6882 iwojima 6882 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh iwojima ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.23.24.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside iwojima /
floodguard enable
fragment chain 1
telnet 172.23.24.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.23.24.51-172.23.24.69 inside
dhcpd dns 12.127.16.67 12.127.17.72
dhcpd wins iwojima
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
02-10-2007 05:37 PM
HI .. is suggest to check two things.
1.- make sure the servers on the other network know how to get back to the IP pool allocated to the remote VPN clients .. return packets should be routed to the Concentrator.
2.- Check that the remote vpn on the concentrator has NAT-Transparency enabled.
I hope it helps .. please rate it if it does !!!
02-10-2007 05:47 PM
Fernando,
Unfortunately I have no control over the remote network or the servers on it. If I understand you suggestions correctly, both pertain to configuration of the remote network.
Thanks,
George
02-11-2007 12:26 AM
I think you should open the port for RDP in your ACL.
02-11-2007 05:39 AM
I have opened port 3389 and it made no difference.
George
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: