10-02-2008 02:15 AM - edited 03-11-2019 06:52 AM
Hi all,
I'm trying to set up a Remote Access VPN on PIX 6.3 (where, once connected, you are assigned only one IP and that IP can only RDP to one server, 192.168.1.17), and although I connect to the VPN OK, I can't RDP to that server. On the VPN client, the sent bytes are going up but the received bytes are 0.
On the remote server I have added a static route as follows:
route add 192.168.10.0 mask 255.255.255.0 192.168.1.245 (inside interface of the PIX; it's on the same segment)
Below are the VPN configs:
access-list split-tunnel permit ip 192.168.1.0 255.255.255.0
ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET
crypto map CRYPTO_VPN 99 ipsec-isakmp dynamic DYN_MAP
crypto map CRYPTO_VPN client configuration address initiate
crypto map CRYPTO_VPN client authentication RA_VPN_AAA
crypto map CRYPTO_VPN interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT dns-server 192.168.1.1
vpngroup RA_VPN_SUPPORT default-domain test.com
vpngroup RA_VPN_SUPPORT split-tunnel NONAT
vpngroup RA_VPN_SUPPORT idle-time 1800
vpngroup RA_VPN_SUPPORT password ********
10-02-2008 02:29 AM
Do you have the access list "NONAT" specified in your config?
Do you have other working tunnels on the device?
Have you used the command "sysopt connection permit-ipsec" or allowed access to the LAN address on the outside access list of the PIX?
10-02-2008 02:41 AM
Yes, I have the access list NONAT configured.
Yes, there is a site-to-site tunnel working OK.
Yes, I have used the sysopt connection permit-ipsec command.
10-02-2008 03:34 AM
Does the server have an appropriate return route?
Can you ping the inside of the PIX from the VPN client if you specify "management-interface inside" ?
10-02-2008 03:36 AM
Yes, the server has a static route to 192.168.10.0 via the inside interface of the PIX, as it's on the same segment.
No, I can't.
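As an added example (not from the thread or from Cisco), a small Python checker for the two configuration conditions the replies ask about: that the nat 0 ACL exempts LAN-to-pool traffic so replies are not translated, and that the split-tunnel ACL includes the server the client needs to reach. The sample config fragment, its NONAT contents and pool range, and the function names are constructed assumptions, not the poster's actual config.

```python
import ipaddress
import re

# Constructed PIX 6.3-style fragment (assumption, not the poster's config):
# NONAT exempts LAN->pool traffic; the split-tunnel ACL names the LAN.
SAMPLE_CONFIG = """
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split-tunnel permit ip 192.168.1.0 255.255.255.0
ip local pool RA_VPN_SUPPORT 192.168.10.11-192.168.10.20 mask 255.255.255.0
nat (inside) 0 access-list NONAT
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT split-tunnel split-tunnel
"""
# Standard-style ACL has only a source; extended-style adds a destination.
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+)(?: (\S+) (\S+))?$")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Pull out the ACLs, pools and vpngroup bindings relevant to the return path."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "split": None, "pool": None}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            dst_net = _net(dst, dmask) if dst else None
            cfg["acls"].setdefault(name, []).append((_net(src, smask), dst_net))
        elif line.startswith("ip local pool"):
            _, _, _, name, rng, _, mask = line.split()
            cfg["pools"][name] = _net(rng.split("-")[0], mask)
        elif line.startswith("nat (inside) 0 access-list"):
            cfg["nat0"] = line.split()[-1]
        elif line.startswith("vpngroup") and "address-pool" in line:
            cfg["pool"] = line.split()[-1]
        elif line.startswith("vpngroup") and "split-tunnel" in line:
            cfg["split"] = line.split()[-1]
    return cfg

def check_return_path(cfg, server_ip):
    """List config gaps that leave a client sending into the tunnel but getting no replies."""
    problems = []
    pool = cfg["pools"].get(cfg["pool"])
    if pool is None:
        return ["vpngroup has no usable address-pool"]
    server = ipaddress.ip_address(server_ip)
    # Replies from the LAN to the pool must bypass NAT (nat 0), else the PIX translates them.
    if not any(dst and server in src and pool.subnet_of(dst)
               for src, dst in cfg["acls"].get(cfg["nat0"], [])):
        problems.append(f"nat 0 ACL does not exempt {server} -> {pool}")
    # The split-tunnel ACL decides which destinations the client sends into the tunnel.
    if not any(server in src for src, _ in cfg["acls"].get(cfg["split"], [])):
        problems.append(f"split-tunnel ACL does not include {server}")
    return problems
```

Run it against your own `show run` output with the server address in question; an empty list means both conditions hold and the problem is elsewhere (for example the server's return route or the outside access list).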