https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671613#M1026363 <HTML><HEAD></HEAD><BODY><P>I have opened port 3389 and it made no difference.</P><P></P><P>George</P></BODY></HTML> Sun, 11 Feb 2007 13:39:42 GMT gsutton45 2007-02-11T13:39:42Z https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671609#M1026358 <P>Here is the situation: </P><P></P><P>I have Windows XP SP1 machines behind a Cisco PIX 501 (version 6.3(5)) using the Cisco VPN Client v4.0.4(D). </P><P>These machines successfully connect to a VPN concentrator on another network using IPsec/UDP. </P><P>Once connected the machines launch Remote Desktop Connection but are unable to connect to the desired server (via IP address or host name). </P><P>If I remove the Cisco PIX from the network, the RDC connection is made without problems. </P><P></P><P>Does anyone know what I need to change in the PIX configuration to allow the RDC communication? </P><P></P><P>Configuration below.</P><P></P><P>Thanks, </P><P></P><P>George</P><P>******</P><P></P><P>PIX Version 6.3(3)</P><P>interface ethernet0 auto</P><P>interface ethernet1 100full</P><P>nameif ethernet0 outside security0</P><P>nameif ethernet1 inside security100</P><P>enable password encrypted</P><P>passwd encrypted</P><P>hostname </P><P>domain-name </P><P>fixup protocol dns maximum-length 512</P><P>fixup protocol ftp 21</P><P>fixup protocol h323 h225 1720</P><P>fixup protocol h323 ras 1718-1719</P><P>fixup protocol http 80</P><P>fixup protocol rsh 514</P><P>fixup protocol rtsp 554</P><P>fixup protocol sip 5060</P><P>fixup protocol sip udp 5060</P><P>fixup protocol skinny 2000</P><P>fixup protocol smtp 25</P><P>fixup protocol sqlnet 1521</P><P>fixup protocol tftp 69</P><P>names</P><P>name 172.23.24.100 iwojima</P><P>access-list outside_in permit tcp any any eq www</P><P>access-list outside_in permit tcp any any eq ssh</P><P>access-list outside_in permit tcp any any eq 6881</P><P>access-list outside_in permit tcp any any eq 6882</P><P>access-list outside_in permit tcp any any eq 1987</P><P>access-list outside_in permit udp any any eq 1987</P><P>pager lines 24</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>ip address outside dhcp setroute</P><P>ip address inside 172.23.24.240 255.255.255.0</P><P>ip audit info action alarm</P><P>ip audit attack action alarm</P><P>pdm location iwojima 255.255.255.255 inside</P><P>pdm history enable</P><P>arp timeout 14400</P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0 0 0</P><P>static (inside,outside) tcp interface www iwojima www netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp interface 6881 iwojima 6881 netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp interface 6882 iwojima 6882 netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp interface ssh iwojima ssh netmask 255.255.255.255 0 0</P><P>static (inside,outside) tcp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0</P><P>static (inside,outside) udp interface 1987 172.23.24.110 1987 netmask 255.255.255.255 0 0</P><P>access-group outside_in in interface outside</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00</P><P>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server LOCAL protocol local</P><P>http server enable</P><P>http 172.23.24.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community public</P><P>no snmp-server enable traps</P><P>tftp-server inside iwojima /</P><P>floodguard enable</P><P>fragment chain 1</P><P>telnet 172.23.24.0 255.255.255.0 inside</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>dhcpd address 172.23.24.51-172.23.24.69 inside</P><P>dhcpd dns 12.127.16.67 12.127.17.72</P><P>dhcpd wins iwojima</P><P>dhcpd lease 86400</P><P>dhcpd ping_timeout 750</P><P>dhcpd enable inside</P><P>terminal width 80</P><P></P> Mon, 11 Mar 2019 09:31:43 GMT https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671609#M1026358 gsutton45 2019-03-11T09:31:43Z https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671610#M1026359 <HTML><HEAD></HEAD><BODY><P>HI .. is suggest to check two things.</P><P></P><P>1.- make sure the servers on the other network know how to get back to the IP pool allocated to the remote VPN clients .. return packets should be routed to the Concentrator.</P><P></P><P>2.- Check that the remote vpn on the concentrator has NAT-Transparency enabled.</P><P></P><P>I hope it helps .. please rate it if it does !!!</P><P></P><P></P><P></P><P></P></BODY></HTML> Sun, 11 Feb 2007 01:37:02 GMT https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671610#M1026359 Fernando_Meza 2007-02-11T01:37:02Z https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671611#M1026360 <HTML><HEAD></HEAD><BODY><P>Fernando,</P><P></P><P>Unfortunately I have no control over the remote network or the servers on it. If I understand you suggestions correctly, both pertain to configuration of the remote network.</P><P></P><P>Thanks,</P><P></P><P>George</P></BODY></HTML> Sun, 11 Feb 2007 01:47:56 GMT https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671611#M1026360 gsutton45 2007-02-11T01:47:56Z https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671612#M1026361 <HTML><HEAD></HEAD><BODY><P>I think you should open the port for RDP in your ACL.</P></BODY></HTML> Sun, 11 Feb 2007 08:26:06 GMT https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671612#M1026361 jain.nitin 2007-02-11T08:26:06Z https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671613#M1026363 <HTML><HEAD></HEAD><BODY><P>I have opened port 3389 and it made no difference.</P><P></P><P>George</P></BODY></HTML> Sun, 11 Feb 2007 13:39:42 GMT https://community.cisco.com/t5/network-security/cisco-vpn-client-behind-cisco-pix-501/m-p/671613#M1026363 gsutton45 2007-02-11T13:39:42Z