VPN on a PIX 501

JeremyAustin
Level 1

I am trying to set up a VPN connection for some auditors to one of my clients, and can't seem to get RDP to work. It appears that the Cisco VPN client is connected, but when I try to connect to a specific machine, I'm told that the machine can't be found.

acomiskey
Level 10

Is the problem only related to RDP? Can they ping, etc.? Care to post a sanitized config?

Ping doesn't respond either. When I launch the VPN client, it group authenticates fine, then RADIUS works fine, and the lock icon closes. After that, however, nothing else seems to work. What do I need to do to sanitize a config? I'm a first-timer.

Sanitizing means cleaning out any public IP addresses, passwords, etc. Anything you wouldn't want anyone else to know.

Sounds like your problem is related to nat-traversal. Check to see if the following command is in your PIX. If it isn't, add it in.

isakmp nat-traversal

The nat-traversal line is in there.

Which group is in question here? 5*vend0rs? If so, take a look at your VENDOR-SPLIT-TUNNEL ACL.

access-list VENDOR-SPLIT-TUNNEL permit ip host 70.168.67.x 192.168.201.0 255.255.255.0

access-list VENDOR-SPLIT-TUNNEL permit ip host 70.168.67.x 192.168.200.0 255.255.255.0

This means that only traffic from the VPN clients to 70.168.67.x would be tunneled over the VPN. The second statement wouldn't really do anything. I think it should look more like your other split tunnel ACL.

access-list VENDOR-SPLIT-TUNNEL permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0

That appears to have fixed it. Thanks.
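The split-tunnel mistake discussed in this thread can be checked offline before a config is pushed. The following is an added example, not code from the thread or from Cisco: it reads the source field of each `permit ip` entry as the set of destinations the client will tunnel, as the answer above describes. It assumes 192.168.200.0/24 is the inside LAN, uses 203.0.113.10 as a placeholder for the sanitized 70.168.67.x host, and uses 192.168.200.10 as a constructed RDP target.

```python
import ipaddress

ACL = "VENDOR-SPLIT-TUNNEL"
INSIDE = ipaddress.ip_network("192.168.200.0/24")  # assumed inside LAN

# Constructed sample configs. 203.0.113.10 is a placeholder for the sanitized
# 70.168.67.x host in the thread; it is not the real address.
BEFORE = """\
access-list VENDOR-SPLIT-TUNNEL permit ip host 203.0.113.10 192.168.201.0 255.255.255.0
access-list VENDOR-SPLIT-TUNNEL permit ip host 203.0.113.10 192.168.200.0 255.255.255.0
"""
AFTER = """\
access-list VENDOR-SPLIT-TUNNEL permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
"""

def tunneled_networks(config, acl_name):
    """Source network of every 'permit ip' entry in the named ACL.
    For a split-tunnel ACL this is what the VPN client sends into the tunnel."""
    nets = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", acl_name, "permit", "ip"] or len(tok) < 5:
            continue
        src = tok[4:]
        if src[0] == "host" and len(src) > 1:
            nets.append(ipaddress.ip_network(src[1] + "/32"))
        elif src[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif len(src) > 1:
            nets.append(ipaddress.ip_network(f"{src[0]}/{src[1]}"))  # net + mask
    return nets

def is_tunneled(config, acl_name, target):
    """True if a client using this ACL would tunnel traffic to target."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in tunneled_networks(config, acl_name))

def sources_outside_lan(config, acl_name, inside):
    """Entries whose source is not part of the inside LAN (likely mistakes)."""
    return [n for n in tunneled_networks(config, acl_name) if not n.subnet_of(inside)]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "tunnels RDP target:", is_tunneled(cfg, ACL, "192.168.200.10"),
              "| suspicious sources:", sources_outside_lan(cfg, ACL, INSIDE))
```
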