Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
360
Views
0
Helpful
1
Replies

PIX 501 VPN Issue

paddyxdoyle
Level 6
Level 6

‎11-05-2008 05:26 AM - edited ‎03-11-2019 07:08 AM

Hi there,

We have a PIX 501 which a customers uses as a VPN end-point to RDP via the Internet to their servers on the inside of the PIX. The VPN works fine and the customer can connect to their server using RDP, however when a 2nd user connects to the same PIX via the VPN and succesfully authenticates they can't connect to the same server via RDP. The customer has the required licenses on the servers for multiple RDP connections and when we bypass the VPN all users can access the same server via mutiple session. My understanding was that the PIX 501 allows 10 concurrent VPN connections which it seems to, but i'm unsure why only one source IP address can gain access to the server on the inside of the PIX, could this be a licensing issue?

Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

UKG-Litmus-PIX up 123 days 17 hours

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz

Flash E28F640J3 @ 0x3000000, 8MB

BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0009.b74a.b24b, irq 9

1: ethernet1: address is 0009.b74a.b24c, irq 10

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 2

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: 10

Throughput: Unlimited

IKE peers: 10

This PIX has a Restricted (R) license.

Here is a snippet of the config showing the VPN setup

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication LOCAL

crypto map mymap interface outside

!

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

!

vpngroup Customer-VPN address-pool client

vpngroup Customer-VPN dns-server x.x.x.x

vpngroup Customer-VPN default-domain xx.net

vpngroup Customer-VPN split-tunnel 102

vpngroup Customer-VPN idle-time 1800

vpngroup Customer-VPN password ********

!

ip local pool client 192.168.2.1-192.168.2.254

!

access-list outside line 1 permit ip 192.168.2.0 255.255.255.0 any (hitcnt=1034)

!

access-list 101 permit ip any 192.168.0.0 255.255.0.0

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

!

nat (inside) 0 access-list 101

Any ideas would be appreciated?

Thanks

PJ

Labels:
0 Helpful
1 Reply 1

ajagadee
Cisco Employee
Cisco Employee

‎11-05-2008 11:35 AM

PJ,

Your configuration looks good and if it works only for one user and not the others over the IPSEC Tunnel, I would use the "Capture" command on the pix and do a debug on the packet and see what the pix is doing with the RDP Requests from the Second Client. This should point you in the right direction.

Also, to answer your question regarding licensing, one quick way to find this is to do clear the xlates on the Pix501 and have only VPN Clients connect to the Pix and try to access RDP.

Regards,

Arul

*Pls rate if it helps*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card