Cisco Support Community
Community Member

Remote Access VPN - issue

Hi all

I'm trying to set up a Remote Access VPN on PIX 6.3 (where once connected you are assigned only 1 IP and that IP can only RDP to one server), and although I connect to the VPN OK, I can't RDP to that server. On the VPN client, the sent bytes are going up but the received bytes are 0.

On the remote server I have added a static route as follows:

route add mask interface of pix) its on same segment

Below are the VPN configs:

access-list split-tunnel permit ip

ip local pool RA_VPN_SUPPORT mask

nat (inside) 0 access-list NONAT

crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac

crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET

crypto map CRYPTO_VPN 99 ipsec-isakmp dynamic DYN_MAP

crypto map CRYPTO_VPN client configuration address initiate

crypto map CRYPTO_VPN client authentication RA_VPN_AAA

crypto map CRYPTO_VPN interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT

vpngroup RA_VPN_SUPPORT dns-server

vpngroup RA_VPN_SUPPORT default-domain

vpngroup RA_VPN_SUPPORT split-tunnel NONAT

vpngroup RA_VPN_SUPPORT idle-time 1800

vpngroup RA_VPN_SUPPORT password ********

Community Member

Re: Remote Access VPN - issue

Do you have the access list "NONAT" specified in your config?

Do you have other working tunnels on the device?

Have you used the command "sysopt connection permit-ipsec" or allowed access to the LAN address on the outside access list of the PIX?

Community Member

Re: Remote Access VPN - issue

Yes, I have the access list NONAT configured.

Yes, there is a site-to-site tunnel working OK.

Yes, I have used the sysopt connection permit-ipsec command.

Community Member

Re: Remote Access VPN - issue

Does the server have an appropriate return route?

Can you ping the inside of the PIX from the VPN client if you specify "management-interface inside" ?

Community Member

Re: Remote Access VPN - issue

Yes, the server has a static route to via inside interface of PIX as on same segment.

No, I can't.
