PIX 506 VPN to use RDP

dirkmelvin
Level 1

Hello all.

I have a PIX506 that I am connecting to via Cisco VPN client. I can connect to the PIX no issue (now), but at this one location I can't get RDP or PING to work to the network inside the PIX.

As in I had to have the customer open up the VPN ports on their firewall to allow me to connect to the VPN first, but now that I can connect to the VPN I can't ping or use RDP to connect to any machine on the inside of the PIX.

All my other sites work fine just this one is being a bother.

My understanding of VPN is that once the tunnel is established, everything destined for that network, no matter what it is, uses the VPN ports as far as the local third-party firewall/router is concerned. Is this not correct? Will I still need to open the RDP port for this to work even through the VPN?

5 Replies

JORGE RODRIGUEZ
Level 10

A couple of things you may want to check on the firewall: ensure NAT-T is enabled

isakmp nat-traversal 20

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution1

Also ensure in the nonat ACL that the VPN pool network is allowed towards the inside network, and that RDP is also active on the server in question. Posting a sanitized PIX config would help.

Rgds

Jorge

Jorge Rodriguez

I have other sites that are working correctly though. So wouldn't that mean that I have it enabled?

Let me check. Thx.

Yes indeed I do have it enabled.

BTW...different subject...why do I get prompted for login and password when using windows VPN, but not when I use Cisco VPN?

I know I'll start a different thread for that one, but just curious.

The config seems to be fine. I am a bit puzzled, as I did not find relevant flaws that would prevent RA client connectivity to the inside; we have to dig a little more.

When the client connects, can you post the output of:

show ipsec sa, or show crypto ipsec sa <-- it should show encrypts/decrypts as well as the VPN pool IP given to the connected client

show isakmp <-- should show the active SA and IKE peer (the VPN client)

From behind the PIX, see if you can ping the client IP address.

You may want to do a low-level ICMP debug when sending pings either way.

Jorge Rodriguez

singhsaju
Level 4

Hello,

Can you check with the ISP for that location whether they are blocking ESP or UDP 4500? ESP/UDP 4500 (if NAT-T) is the actual payload. ISAKMP UDP 500 is the control protocol that builds the tunnel.

Just some thoughts

HTH

Saju

Please rate if it helps
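The two replies above (Jorge's "look at the encaps/decaps counters and the nonat ACL" and Saju's "the ISP may be passing UDP 500 but dropping the ESP/UDP 4500 payload") describe the same triage, so here is one script that automates it. This is an added example, not code from the thread or from Cisco: the `show crypto ipsec sa` output and the PIX config fragment it parses are constructed samples laid out like PIX 6.x output (your real output may differ in wording), and the rule that a peer shown as `addr:4500` is using NAT-T while any other peer is carrying raw ESP is an assumption stated in the code. The point it demonstrates is that, seen from the PIX, `#pkts decaps` counts client packets that arrived and were decrypted, while `#pkts encaps` counts replies the PIX encrypted back, and the combination of the two tells you whether the payload is being blocked upstream, whether the return path inside is broken, or whether the tunnel is fine and the problem is on the RDP host.

```python
import ipaddress
import re

# --- 1. Read the counters from `show crypto ipsec sa` ----------------------

# Constructed sample, laid out like PIX 6.x output (assumption: the real
# wording may differ; the parser only keys on the ident, peer and #pkts lines).
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, local addr. 203.0.113.10

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
   current_peer: 198.51.100.7:4500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify 57
    #send errors 0, #recv errors 0
"""


def parse_ipsec_sa(text):
    """Return one dict per SA: local/remote selectors, peer, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"local\s+ident.*\(([\d.]+)/([\d.]+)/", line)
        if m:  # a 'local ident' line starts a new SA block
            cur = {"local": f"{m.group(1)}/{m.group(2)}"}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"remote ident.*\(([\d.]+)/([\d.]+)/", line)
        if m:
            cur["remote"] = f"{m.group(1)}/{m.group(2)}"
        m = re.match(r"current_peer:\s*(\S+)", line)
        if m:
            cur["peer"] = m.group(1)
        m = re.match(r"#pkts encaps:\s*(\d+)", line)
        if m:
            cur["encaps"] = int(m.group(1))
        m = re.match(r"#pkts decaps:\s*(\d+)", line)
        if m:
            cur["decaps"] = int(m.group(1))
    return sas


def diagnose(sa):
    """Classify one SA from the PIX's point of view.

    decaps = packets received from the client and decrypted by the PIX;
    encaps = packets the PIX encrypted back towards the client.
    Returns (category, explanation).
    """
    peer = sa.get("peer", "")
    # Assumption: a peer shown with :4500 is using NAT-T (UDP 4500);
    # otherwise the payload travels as raw ESP (IP protocol 50).
    payload = "UDP 4500 (NAT-T)" if peer.endswith(":4500") else "ESP (IP protocol 50)"
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc == 0 and dec == 0:
        return ("no-payload",
                f"IKE is up but no {payload} from {peer} reaches the PIX: ask the ISP "
                f"or remote firewall about {payload}, or the client is not sending into the tunnel")
    if dec > 0 and enc == 0:
        return ("no-return-path",
                "client packets arrive and decrypt, but nothing is encrypted back: check that "
                "the nat 0 ACL covers inside -> VPN pool, that inside hosts route the pool to "
                "the PIX, and that the target host answers")
    if enc > 0 and dec == 0:
        return ("inbound-blocked",
                f"the PIX sends {payload} to {peer} but receives none back: the client's "
                f"{payload} is being dropped on the way in")
    return ("tunnel-ok",
            "traffic flows both ways; look at the host firewall / RDP listener on the target")


# --- 2. Check the nat 0 exemption and NAT-T in the config -------------------

# Constructed PIX 6.x config fragment containing only the lines this check reads.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 10.10.10.1-10.10.10.254
isakmp nat-traversal 20
sysopt connection permit-ipsec
"""


def nonat_covers(config, inside_net, pool_net):
    """True if the ACL bound by `nat (inside) 0 access-list` exempts inside -> pool."""
    inside, pool = ipaddress.ip_network(inside_net), ipaddress.ip_network(pool_net)
    acl_name = None
    for line in config.splitlines():
        m = re.match(r"nat \(inside\) 0 access-list (\S+)", line)
        if m:
            acl_name = m.group(1)
    if acl_name is None:
        return False
    pat = re.compile(rf"access-list {re.escape(acl_name)} permit ip (\S+) (\S+) (\S+) (\S+)")
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        if inside.subnet_of(src) and pool.subnet_of(dst):
            return True
    return False


def nat_t_enabled(config):
    """True if `isakmp nat-traversal` is present (the setting Jorge asked about)."""
    return any(re.match(r"isakmp nat-traversal", ln) for ln in config.splitlines())


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_IPSEC_SA):
        print(sa["remote"], "->", sa["local"], *diagnose(sa))
    print("nonat covers inside->pool:", nonat_covers(SAMPLE_CONFIG, "192.168.1.0/24", "10.10.10.0/24"))
    print("NAT-T enabled:", nat_t_enabled(SAMPLE_CONFIG))
```

On the constructed sample the verdict is "no-return-path": 57 packets decrypted, none encrypted back, which is the signature of a missing nat 0 exemption or an inside host that never answers, not of an ISP block. If the ISP were dropping the payload, both counters would stay at zero while `show isakmp` still showed an active SA, which is exactly why the tunnel can "connect" and still carry no RDP.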
