We have a PIX 501 which a customer uses as a VPN end-point to RDP via the Internet to their servers on the inside of the PIX. The VPN works fine and the customer can connect to their server using RDP; however, when a 2nd user connects to the same PIX via the VPN and successfully authenticates, they can't connect to the same server via RDP. The customer has the required licenses on the servers for multiple RDP connections, and when we bypass the VPN all users can access the same server via multiple sessions. My understanding was that the PIX 501 allows 10 concurrent VPN connections, which it seems to, but I'm unsure why only one source IP address can gain access to the server on the inside of the PIX. Could this be a licensing issue?
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 13-Aug-03 13:55 by morlee
UKG-Litmus-PIX up 123 days 17 hours
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 0009.b74a.b24b, irq 9
1: ethernet1: address is 0009.b74a.b24c, irq 10
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Inside Hosts: 10
IKE peers: 10
This PIX has a Restricted (R) license.
Here is a snippet of the config showing the VPN setup
Your configuration looks good and if it works only for one user and not the others over the IPSEC Tunnel, I would use the "Capture" command on the pix and do a debug on the packet and see what the pix is doing with the RDP Requests from the Second Client. This should point you in the right direction.
Also, to answer your question regarding licensing, one quick way to find this is to clear the xlates on the Pix501 and have only VPN Clients connect to the Pix and try to access RDP.
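The steps the answer describes (capture the second client's RDP packets, then clear the translation tables and retest with only VPN clients connected), written out as a PIX 6.3 CLI session. This is an added example, not part of the original post or the poster's configuration; the server address 192.168.1.10 and the VPN client pool 10.10.10.0/24 are assumptions standing in for the real values, and the capture and access-list names are arbitrary.

```cisco
! Added example (not from the original thread). Assumed addresses:
!   192.168.1.10  = the RDP server on the inside interface
!   10.10.10.0/24 = the address pool handed out to VPN clients
!
! 1. Confirm that both clients really have a tunnel up before looking at
!    what happens to their traffic inside the PIX.
show crypto isakmp sa
show crypto ipsec sa
!
! 2. Match RDP (TCP 3389) between the VPN pool and the server in both
!    directions so the capture shows requests and replies together.
access-list CAP-RDP permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list CAP-RDP permit tcp host 192.168.1.10 eq 3389 10.10.10.0 255.255.255.0
!
! 3. Capture on the inside interface, where VPN traffic has already been
!    decrypted (on the outside interface it is only visible as ESP).
capture RDP-IN access-list CAP-RDP interface inside
!
! 4. Have the second client try an RDP session, then read the capture.
!    A SYN from the second client's pool address with no SYN/ACK back
!    points at the server side; no SYN at all means the PIX never
!    forwarded the request, which is the case to chase on the PIX.
show capture RDP-IN detail
!
! 5. Licence check from the answer: drop the existing translations and
!    tracked hosts so that only the VPN clients repopulate the tables,
!    then retest and compare the inside host count against the
!    "Inside Hosts: 10" line in "show version".
clear xlate
clear local-host
show local-host
!
! 6. With buffered logging on, a host-licence refusal shows up as a
!    "licensed host limit ... exceeded" deny message.
logging on
logging buffered warnings
show logging
!
! 7. Remove the capture when finished; it holds packets in RAM on a
!    16 MB box.
no capture RDP-IN
```

The point of capturing on the inside rather than the outside is that it separates the two possible failures: if the second client's packets reach the inside interface and the server does not answer, the firewall is out of the picture and the problem is on the server or its network; if they never appear there, the PIX is dropping or mis-translating them and the xlate/local-host tables and the log buffer are the next things to read.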