
3005 Concentrator and port 3389

todd.kelly
Level 1

I have a 3005 that is finally working but am having a small issue. The concentrator's private IP address is being translated to an outside address until I can upgrade my PIX 515e to a UR license. I can authenticate to the NT Domain and receive a pool address. The default gateway for the private IP address is the inside interface of the PIX. The only thing being done on the PIX is a translation. I'm pretty sure that I need to place a rule on the concentrator but I have no clue where to start. Can someone PLEASE help me? Thanks. Oh....I forgot to mention that I need to allow port 3389 for remote desktop.

Todd

8 Replies

Fernando_Meza
Level 7

mm ... let's see if I understood correctly ..

1.- You have a VPN concentrator behind a PIX. Correct ..?

2.- How many interfaces are enabled on the VPN concentrator ..?

3.- You are terminating a remote VPN on your VPN concentrator. The IP address reachable from the internet is NATed on the PIX and directed to the concentrator's private IP .. correct ..?

4.- You are able to connect using the VPN client and get an IP from the Pool .. now .. can you ping any device inside your network ..?

5.- Can you post the config on your PIX .. to review it .. also can you tell me the static routes configured on your VPN concentrator, if any.

1. yes

2. 2 (private and public)

3. The private address is NATed to a public address.

4. Yes, No

5. Static route is the default gateway of the inside interface of my pix.

2 questions ...

1.- which NAT is the one applied to the concentrator ?

static (inside,RouterNTWK) 192.168.60.0 192.168.60.0 netmask 255.255.255.0 0 0

static (inside,outside) 65.117.155.81 DDSOSMAIL netmask 255.255.255.255 0 0

static (inside,outside) 65.117.155.83 192.168.60.28 netmask 255.255.255.255 0 0

2.- Where is the Public interface of the concentrator connected to ..?

3.- what is the IP pool range allocated to the vpn users ..?

4.- You are definitely terminating the remote VPN users at the concentrator .. correct ..? The VPN group ddsvpn01 defined on your PIX has nothing to do with this issue, right ..?

haah ... how funny is it that I said 2 questions and ended up asking 4 ... sorry, too much thinking !!!

1. static (inside,outside) 65.117.155.83 192.168.60.28 netmask 255.255.255.255 0 0

2. It was on a DMZ on the PIX except it has an R license on it. Now it is on a switch along with the private.

3. 192.168.230.1 - 254

4. Yes and Yes

I am able to obtain a pool address.

Here is one thing we found out yesterday. I was able to add a route on my workstation (the one I am trying to remote to): 192.168.230.0 mask 255.255.255.0 192.168.60.28 (60.28 is the private interface). I was able to connect then.

Can I run the public interface to a router and do it that way? Assign 172.20.15.9 to the fa0/1 and 172.20.15.10 as the public on the concentrator?

I am a bit confused now .. you already mentioned that the issue was resolved once you added the static route to your PC for the VPN pool. The only thing you need to do is configure the VPN internal interface as the next hop for the pool, or configure any other device between your VPN concentrator and your LAN to point to the private interface of the concentrator.

I hope it helps !!!

Can you clarify your last statement?