
PIX 501 VPN Issue

Frequent Contributor

Hi there,

We have a PIX 501 which a customer uses as a VPN end-point to RDP via the Internet to their servers on the inside of the PIX. The VPN works fine and the customer can connect to their server using RDP; however, when a 2nd user connects to the same PIX via the VPN and successfully authenticates, they can't connect to the same server via RDP. The customer has the required licenses on the servers for multiple RDP connections, and when we bypass the VPN all users can access the same server via multiple sessions. My understanding was that the PIX 501 allows 10 concurrent VPN connections, which it seems to, but I'm unsure why only one source IP address can gain access to the server on the inside of the PIX. Could this be a licensing issue?

Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

UKG-Litmus-PIX up 123 days 17 hours

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz

Flash E28F640J3 @ 0x3000000, 8MB

BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0009.b74a.b24b, irq 9

1: ethernet1: address is 0009.b74a.b24c, irq 10

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 2

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: 10

Throughput: Unlimited

IKE peers: 10

This PIX has a Restricted (R) license.

Here is a snippet of the config showing the VPN setup

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication LOCAL

crypto map mymap interface outside


isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400


vpngroup Customer-VPN address-pool client

vpngroup Customer-VPN dns-server x.x.x.x

vpngroup Customer-VPN default-domain

vpngroup Customer-VPN split-tunnel 102

vpngroup Customer-VPN idle-time 1800

vpngroup Customer-VPN password ********


ip local pool client


access-list outside line 1 permit ip any (hitcnt=1034)


access-list 101 permit ip any

access-list 102 permit ip


nat (inside) 0 access-list 101

Any ideas would be appreciated.



1 Reply

Cisco Employee


Your configuration looks good, and if it works only for one user and not the others over the IPSEC tunnel, I would use the "capture" command on the PIX and do a debug on the packet and see what the PIX is doing with the RDP requests from the second client. This should point you in the right direction.

Also, to answer your question regarding licensing, one quick way to find this is to clear the xlates on the PIX 501 and have only VPN clients connect to the PIX and try to access RDP.



*Pls rate if it helps*
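The two checks suggested in the reply above, written out as a PIX 6.3 command sequence. This is an added example, not part of the original thread: the ACL name cap-rdp, the capture name rdp-in, the server address 192.0.2.10 and the VPN pool 198.51.100.0/24 are constructed placeholders, because the real addresses are blanked out in the posted config.

```cisco
: --- Check 1: capture RDP traffic between the VPN pool and the server ---
: Placeholders (assumptions): 192.0.2.10 = inside RDP server,
: 198.51.100.0/24 = the "client" address pool. Substitute the real values.
: Match both directions so a missing reply is visible as well as a missing request.
access-list cap-rdp permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq 3389
access-list cap-rdp permit tcp host 192.0.2.10 eq 3389 198.51.100.0 255.255.255.0

: Capture on the inside interface, where the traffic is already decrypted.
: On the outside interface the same session appears only as ESP.
capture rdp-in access-list cap-rdp interface inside

: Connect the first VPN client, then the second, and have each try RDP.
: Then read the buffer and compare the two pool addresses:
:   SYN from client 2 present, no SYN-ACK -> look at the server or return path
:   no SYN from client 2 at all          -> the PIX is not forwarding it inside
show capture rdp-in
show capture rdp-in detail

: Remove the capture and its ACL when finished.
no capture rdp-in
no access-list cap-rdp

: --- Check 2: rule the license in or out ---
: "show version" above reports "Inside Hosts: 10". List what the PIX is
: currently tracking, clear the translations, then retest with only the
: VPN clients generating traffic.
show xlate
show local-host
clear xlate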
