09-04-2008 09:10 AM - edited 03-11-2019 06:39 AM
Hello all.
I have a PIX 506 that I am connecting to via the Cisco VPN client. I can connect to the PIX with no issue (now), but at this one location I can't get RDP or PING to work to the network inside the PIX.
As in, I had to have the customer open up the VPN ports on their firewall to allow me to connect to the VPN first, but now that I can connect to the VPN I can't ping or use RDP to connect to any machine on the inside of the PIX.
All my other sites work fine; just this one is being a bother.
My idea of VPN is that once the tunnel is established, all things destined for that network, no matter what they are, use the VPN ports as far as the local third-party firewall/router is concerned. Is this not correct? Will I still need to open the RDP port for this to work even through the VPN?
09-04-2008 06:04 PM
The config seems to be fine. I'm a bit puzzled, as I did not find relevant flaws that would prevent RA client connectivity to the inside; we have to dig a little more.
When the client connects, can you post the output of:
show ipsec sa, or show crypto ipsec sa <-- it should show encrypts/decrypts as well as the VPN pool IP given to the connected client
show isakmp <-- should show the active SA and the IKE peer (the VPN client)
From behind the PIX, see if you can ping the client IP address.
You may want to do a low-level ICMP debug when sending pings either way.
09-05-2008 06:27 AM
Hello,
Can you check with the ISP for that location whether they are blocking ESP or UDP 4500? ESP / UDP 4500 (if NAT-T) is the actual payload. ISAKMP UDP 500 is the control protocol that builds the tunnel.
Just some thoughts
HTH
Saju
Please rate if it helps
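A small checker for the counters Jorge asks for, added here as an example and not code from any poster or from Cisco: it parses constructed "show crypto ipsec sa" output and maps the encaps/decaps pattern to the checks this thread suggests (ESP / UDP 4500 path, nonat ACL, inside host). It assumes the PIX 6.x text format with a "current_peer:" line and "#pkts encaps" / "#pkts decaps" counters.

```python
import re

# Constructed sample of "show crypto ipsec sa" output (addresses and counters
# are made up, not from the thread): a client whose payload never arrives.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside_map, local addr. 203.0.113.10

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
   current_peer: 198.51.100.7:4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""


def parse_ipsec_sa(text):
    """Extract peer address, whether NAT-T (UDP 4500) is in use, and the
    encaps (sent to client) / decaps (received from client) counters."""
    peer = re.search(r"current_peer:\s*([\d.]+)(?::(\d+))?", text)
    encaps = re.search(r"#pkts encaps:\s*(\d+)", text)
    decaps = re.search(r"#pkts decaps:\s*(\d+)", text)
    if not (peer and encaps and decaps):
        raise ValueError("no IPsec SA found in output")
    return {
        "peer": peer.group(1),
        "nat_t": peer.group(2) == "4500",
        "encaps": int(encaps.group(1)),
        "decaps": int(decaps.group(1)),
    }


def diagnose(sa):
    """Return (code, next check) for the counter pattern. decaps counts client
    packets the PIX decrypted; encaps counts packets it encrypted back."""
    payload = "UDP 4500 (NAT-T)" if sa["nat_t"] else "ESP (IP protocol 50)"
    if sa["decaps"] == 0 and sa["encaps"] == 0:
        return ("no_payload", f"no payload reaching the PIX: confirm {payload} "
                "is allowed between client and PIX (ISP / customer firewall)")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return ("no_return", "client packets decrypt but nothing is sent back: "
                "check the nonat ACL for the VPN pool and inside routing")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return ("no_inbound", f"PIX sends but receives nothing: check {payload} "
                "inbound toward the PIX")
    return ("tunnel_ok", "tunnel carries traffic both ways: check the inside "
            "host (RDP service, host firewall)")


if __name__ == "__main__":
    print(diagnose(parse_ipsec_sa(SAMPLE_SA)))
```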
09-04-2008 09:56 AM
A couple of things you may want to check on the firewall; ensure NAT-T is enabled:
isakmp nat-traversal 20
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1
Also ensure in the nonat ACL that the VPN pool network is allowed towards the inside network, and that RDP is also active on the server in question. Posting a sanitized PIX config would help.
Rgds
Jorge
09-04-2008 10:21 AM
I have other sites that are working correctly though. So wouldn't that mean that I have it enabled?
Let me check. Thx.
09-04-2008 10:55 AM