Community Member

Remote Access VPN - issue

Hi all,

I'm trying to set up a Remote Access VPN on PIX 6.3 (where once connected you are assigned only 1 IP and that IP can only RDP to one server, 192.168.1.17) and although I connect to the VPN OK, I can't RDP to that server. On the VPN client, the sent bytes are going up but the received bytes are 0.

On the remote server I have added a static route as follows:

route add 192.168.10.0 mask 255.255.255.0 192.168.1.245 (inside interface of the PIX; it's on the same segment)

Below are the VPN configs:

access-list split-tunnel permit ip 192.168.1.0 255.255.255.0
ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET
crypto map CRYPTO_VPN 99 ipsec-isakmp dynamic DYN_MAP
crypto map CRYPTO_VPN client configuration address initiate
crypto map CRYPTO_VPN client authentication RA_VPN_AAA
crypto map CRYPTO_VPN interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT dns-server 192.168.1.1
vpngroup RA_VPN_SUPPORT default-domain test.com
vpngroup RA_VPN_SUPPORT split-tunnel NONAT
vpngroup RA_VPN_SUPPORT idle-time 1800
vpngroup RA_VPN_SUPPORT password ********

4 REPLIES
Community Member

Re: Remote Access VPN - issue

Do you have the access list "NONAT" specified in your config?

Do you have other working tunnels on the device?

Have you used the command "sysopt connection permit-ipsec" or allowed access to the LAN address on the outside access list of the PIX?
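The three questions above (is the NONAT access-list actually defined, does it exempt the client pool from NAT, and is sysopt connection permit-ipsec present) are static checks that can be run against a saved copy of the configuration before anyone touches the box. The script below is an added example for this thread, not something posted by the participants or shipped by Cisco: it parses the PIX 6.3 style lines relevant to the remote-access tunnel and reports the inconsistencies a reviewer would look for. The two embedded configurations are constructed samples: the first reproduces the lines the original poster shared, the second is a hypothetical completed version in which every check passes.

```python
"""Static consistency checks for the remote-access VPN pieces of a PIX 6.3
style configuration: ACLs referenced by nat 0 and vpngroup split-tunnel,
the address pool, and the sysopt line.  Hypothetical helper written for
this thread; it is not a Cisco tool and only understands the line forms
shown in the two samples below."""
import ipaddress
import re

# Constructed sample 1: the lines the original poster shared, as posted.
# The NONAT access-list and the sysopt line are absent from that excerpt.
POSTED_CONFIG = """\
access-list split-tunnel permit ip 192.168.1.0 255.255.255.0
ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET
crypto map CRYPTO_VPN 99 ipsec-isakmp dynamic DYN_MAP
crypto map CRYPTO_VPN interface outside
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT split-tunnel NONAT
"""

# Constructed sample 2 (hypothetical): a minimal excerpt in which the NAT
# exemption covers the client pool, the same ACL drives split tunnelling,
# and decrypted traffic bypasses the outside ACL.
COMPLETE_CONFIG = """\
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.0
nat (inside) 0 access-list NONAT
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT split-tunnel NONAT
sysopt connection permit-ipsec
"""

# "access-list NAME permit ip SRC SMASK [DST DMASK]" (destination optional,
# as in the posted split-tunnel line).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+)(?: (\S+) (\S+))?$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([^\s-]+)(?:-(\S+))? mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")
ADDRPOOL_RE = re.compile(r"^vpngroup (\S+) address-pool (\S+)$")
SYSOPT_LINE = "sysopt connection permit-ipsec"


def _net(addr, mask):
    """Turn 'addr mask' into a network; 'any' means the whole address space."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    cfg = {"acls": {}, "pools": {}, "nat0": [], "split": {}, "addrpool": {},
           "sysopt_permit_ipsec": False}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACL_RE.match(line)):
            name, src, smask, dst, dmask = m.groups()
            entry = (_net(src, smask), _net(dst, dmask) if dst else None)
            cfg["acls"].setdefault(name, []).append(entry)
        elif (m := POOL_RE.match(line)):
            name, start, _end, mask = m.groups()
            cfg["pools"][name] = _net(start, mask)
        elif (m := NAT0_RE.match(line)):
            cfg["nat0"].append(m.group(2))
        elif (m := SPLIT_RE.match(line)):
            cfg["split"][m.group(1)] = m.group(2)
        elif (m := ADDRPOOL_RE.match(line)):
            cfg["addrpool"][m.group(1)] = m.group(2)
        elif line == SYSOPT_LINE:
            cfg["sysopt_permit_ipsec"] = True
    return cfg


def lint(text):
    """Return a list of human-readable findings (empty when all checks pass)."""
    cfg = parse_config(text)
    findings = []
    referenced = set(cfg["nat0"]) | set(cfg["split"].values())
    for name in sorted(referenced - set(cfg["acls"])):
        findings.append(f"access-list {name} is referenced but not defined")
    for name in sorted(set(cfg["acls"]) - referenced):
        findings.append(f"access-list {name} is defined but never referenced")
    for group, pool_name in cfg["addrpool"].items():
        pool = cfg["pools"].get(pool_name)
        if pool is None:
            findings.append(f"vpngroup {group} uses undefined pool {pool_name}")
            continue
        for acl in cfg["nat0"]:
            entries = cfg["acls"].get(acl, [])
            for src, _dst in entries:
                if src.overlaps(pool):
                    findings.append(f"pool {pool_name} overlaps protected LAN {src} in {acl}")
            # Without a destination that covers the pool, client traffic is NATed.
            if entries and not any(d is not None and pool.subnet_of(d) for _s, d in entries):
                findings.append(f"nat 0 access-list {acl} has no destination covering pool {pool}")
    if not cfg["sysopt_permit_ipsec"]:
        findings.append(f"{SYSOPT_LINE} not found; the outside ACL must then permit "
                        "the decrypted client traffic")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("posted excerpt", POSTED_CONFIG), ("completed sample", COMPLETE_CONFIG)):
        print(f"== {label} ==")
        for f in lint(cfg_text) or ["no findings"]:
            print(" -", f)
```

On the posted excerpt the script reports that NONAT is referenced but not defined in the excerpt, that the split-tunnel access-list is defined but never used, and that the sysopt line is absent; on the completed sample it reports nothing. A clean run does not prove the tunnel works (it says nothing about the server's return route, which the next reply asks about), but it rules out the configuration-side causes the replies list.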

Community Member

Re: Remote Access VPN - issue

Yes, I have the access list NONAT configured.

Yes, there is a site-to-site tunnel working OK.

Yes, I have used the sysopt connection permit-ipsec command.

Community Member

Re: Remote Access VPN - issue

Does the server have an appropriate return route?

Can you ping the inside of the PIX from the VPN client if you specify "management-interface inside"?

Community Member

Re: Remote Access VPN - issue

Yes, the server has a static route to 192.168.10.0 via the inside interface of the PIX, as it's on the same segment.

No, I can't.
