RDP thru Cisco VPN client and thru 501 Failure

Discussion in 'Cisco' started by curttampa@gmail.com, Aug 5, 2008.

  1. Guest

    From home, we use plain old home Netgear routers to connect up to the
    net. We use our laptops and the Cisco VPN client to connect up to a
    Cisco VPN Appliance in a data center and MS’s RDP to connect up to our
    servers. This setup works perfectly. We use a PIX 501 from our office
    to connect to the net. The VPN Client connects up to the appliance
    just fine. However, RDP will not connect up to our servers. We are
    using a 172.16.1.x subnet within the data center. In the office, we
    just use a 192.168.4.x subnet. Anyone have any other ideas that might
    explain this failure?

    Thanks in advance. (Our ‘expert’ who set up all this is unable to
    explain it.)
    , Aug 5, 2008
    #1

  2. Merv Guest

    On Aug 5, 4:11 pm, Artie Lange <> wrote:
    > wrote:
    > > From home, we use plain old home Netgear routers to connect up to the
    > > net. We use our laptops and the Cisco VPN client to connect up to a
    > > Cisco VPN Appliance in a data center and MS’s RDP to connect up to our
    > > servers. This setup works perfectly. We use a PIX 501 from our office
    > > to connect to the net. The VPN Client connects up to the appliance
    > > just fine. However, RDP will not connect up to our servers. We are
    > > using a 172.16.1.x subnet within the data center. In the office, we
    > > just use a 192.168.4.x subnet. Anyone have any other ideas that might
    > > explain this failure?
    > >
    > > Thanks in advance. (Our ‘expert’ who set up all this is unable to
    > > explain it.)
    >
    > What is the DHCP pool you use for your clients?
    > Do your clients receive an IP from a different pool depending where they
    > connect from or who the user is?
    > Do you have any ACL's defining RDP traffic?
    > Can you browse the servers' file systems?
    > Do you have the firewall enabled on the server?

    RDP packets cannot be fragmented. RDP sets the do-not-fragment bit in
    its TCP packets, so do a path MTU discovery manually using ping.

    Start with a ping packet length of 1500 and reduce until you have a
    successful ping.

    ping -l 1500 -f <IP address>

    Can the VPN clients ping the servers in question? i.e. confirm there
    are no other connectivity issues.

    If they can ping successfully then determine the largest MTU that the
    client can use with no-fragment set.

    Adjust your NIC to use the discovered maximum path MTU size.

    Then set that MTU size on the VPN client and see if RDP connectivity
    is possible.
    Merv, Aug 5, 2008
    #2
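    The manual ping -f -l search described above, automated as an added example (not code from the thread). It assumes the Windows ping syntax and output text the thread uses, and includes a constructed simulated probe so the search can be exercised offline, including the office case where every size times out.

```python
"""Path MTU probe: the manual ``ping -f -l`` search from the thread, automated.

Added example, not code from the thread.  Assumes the Windows ping syntax the
thread uses (``ping -n 1 -f -l <payload> -w <ms> <host>``) and its output text.
"""
import re
import subprocess
import sys
from typing import Callable, Optional, Tuple

IP_ICMP_OVERHEAD = 28                    # 20-byte IPv4 header + 8-byte ICMP echo header
MAX_PAYLOAD = 1500 - IP_ICMP_OVERHEAD    # 1472: largest payload a 1500-byte NIC MTU carries


def classify(ping_output: str) -> str:
    """Reduce one ping run to 'ok', 'frag' or 'timeout'.

    'frag'    "Packet needs to be fragmented but DF set." (too big for a hop,
              or for the local NIC / VPN adapter MTU)
    'ok'      a "Reply from a.b.c.d: bytes=N ..." line
    'timeout' anything else, e.g. "Request timed out."
    """
    text = ping_output.lower()
    if "needs to be fragmented" in text:
        return "frag"
    if re.search(r"reply from [\d.]+: bytes=\d+", text):
        return "ok"
    return "timeout"


def windows_probe(host: str, payload: int, timeout_ms: int = 2000) -> str:
    """Send one DF-marked echo request carrying `payload` data bytes."""
    proc = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), "-w", str(timeout_ms), host],
        capture_output=True, text=True)
    return classify(proc.stdout)


def find_path_mtu(probe: Callable[[int], str],
                  lo: int = 0, hi: int = MAX_PAYLOAD) -> Tuple[str, Optional[int]]:
    """Binary-search the largest payload that gets through with DF set.

    probe(payload) returns 'ok', 'frag' or 'timeout'.  Returns ('ok', path_mtu)
    in bytes, or ('no-path', None) when even the smallest probe gets no reply:
    that is the office symptom in the thread (timeouts at every size below the
    local limit), which is a reachability problem rather than an MTU problem.
    """
    if probe(lo) != "ok":
        return ("no-path", None)
    # Invariant: probe(lo) == 'ok'.  A timeout inside the range is treated like
    # 'frag', since a hop may drop oversize packets silently (PMTU black hole).
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid) == "ok":
            lo = mid
        else:
            hi = mid
    if probe(hi) == "ok":
        lo = hi
    return ("ok", lo + IP_ICMP_OVERHEAD)


def simulated_probe(max_payload: int, oversize: str = "frag",
                    reachable: bool = True) -> Callable[[int], str]:
    """Constructed stand-in for windows_probe so the search runs offline.

    max_payload is the largest payload the simulated path passes; oversize is
    what the path says for bigger ones ('frag' or, for a black hole, 'timeout');
    reachable=False reproduces the office PC that never gets a reply.
    """
    def probe(payload: int) -> str:
        if payload > MAX_PAYLOAD:          # local NIC rejects it before it leaves
            return "frag"
        if not reachable:
            return "timeout"
        return "ok" if payload <= max_payload else oversize
    return probe


if __name__ == "__main__":
    target = sys.argv[1]  # e.g. a datacenter server address from the route table
    print(find_path_mtu(lambda n: windows_probe(target, n)))
```

    The 1273-byte payload Curt reports from home corresponds to a 1301-byte path MTU, which is the value the search returns for that simulated path.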

  3. Guest

    On Aug 5, 4:39 pm, Merv <> wrote:
    > On Aug 5, 4:11 pm, Artie Lange <> wrote:
    > > wrote:
    > > > From home, we use plain old home Netgear routers to connect up to the
    > > > net. We use our laptops and the Cisco VPN client to connect up to a
    > > > Cisco VPN Appliance in a data center and MS’s RDP to connect up to our
    > > > servers. This setup works perfectly. We use a PIX 501 from our office
    > > > to connect to the net. The VPN Client connects up to the appliance
    > > > just fine. However, RDP will not connect up to our servers. We are
    > > > using a 172.16.1.x subnet within the data center. In the office, we
    > > > just use a 192.168.4.x subnet. Anyone have any other ideas that might
    > > > explain this failure?
    > > >
    > > > Thanks in advance. (Our ‘expert’ who set up all this is unable to
    > > > explain it.)
    > >
    > > What is the DHCP pool you use for your clients?
    > > Do your clients receive an IP from a different pool depending where they
    > > connect from or who the user is?
    > > Do you have any ACL's defining RDP traffic?
    > > Can you browse the servers' file systems?
    > > Do you have the firewall enabled on the server?
    >
    > RDP packets cannot be fragmented. RDP sets the do-not-fragment bit in
    > its TCP packets, so do a path MTU discovery manually using ping.
    >
    > Start with a ping packet length of 1500 and reduce until you have a
    > successful ping.
    >
    > ping -l 1500 -f <IP address>
    >
    > Can the VPN clients ping the servers in question? i.e. confirm there
    > are no other connectivity issues.
    >
    > If they can ping successfully then determine the largest MTU that the
    > client can use with no-fragment set.
    >
    > Adjust your NIC to use the discovered maximum path MTU size.
    >
    > Then set that MTU size on the VPN client and see if RDP connectivity
    > is possible.

    Isn't there an easier way? This seems real complicated. Maybe we
    should just dump this fancy firewall that prevents us from working.
    , Aug 6, 2008
    #3
  4. Merv Guest

    The Cisco VPN client comes with a program SetMTU.exe that can be used
    to set the MTU size on the NIC on the PCs in question.

    If you want to skip the manual path MTU exercise then just set the MTU
    to, say, 1300 temporarily on one PC to see if RDP connectivity is then
    possible.
    Merv, Aug 6, 2008
    #4
  5. CurtTampa Guest

    On Aug 6, 7:35 am, Artie Lange <> wrote:
    > wrote:
    > > Isn't there an easier way? This seems real complicated. Maybe we
    > > should just dump this fancy firewall that prevents us from working.
    >
    > Well if it works from one location, it most likely is not an issue with
    > the firewall. The connection at your office, as Merv pointed out, may
    > use an MTU that is different than the other location you are connecting
    > from. If your idea is to dump the firewall for another solution, that is
    > completely up to you, *BUT* for an hour of diagnosis time you could
    > probably have an engineer look at and fix the issue.

    When I do it from home, I get a packet size of 1273 as the largest
    that pings OK. Remember, my RDP works all the time.
    When the person in the office tries to ping at a 1500 size, he gets
    "packet needs to be fragmented"; at any size < 1273, he gets "request
    timed out".
    Sounds like he is not getting thru the Cisco Client at all.
    Next idea please?
    CurtTampa, Aug 8, 2008
    #5
  6. CurtTampa Guest

    One more thing, here is the ROUTE PRINT output from both machines.
    I don't know if this will point out anything or not; if not, sorry to
    waste your time.

    ===========================================================================
    Home Route PRINT (Cisco Client Connected and RDP Working)
    ===========================================================================
    C:\Documents and Settings\Curt>route PRINT

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 c0 a8 86 b0 45 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Deterministic Network Enhancer Miniport
    0x20004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.69.1   192.168.69.22      20
         66.71.50.254  255.255.255.255     192.168.69.1   192.168.69.22       1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
           172.16.1.0    255.255.255.0     172.16.1.182    172.16.1.182      10
         172.16.1.182  255.255.255.255        127.0.0.1       127.0.0.1      10
         172.16.1.240  255.255.255.255     172.16.1.182    172.16.1.182       1
         172.16.1.247  255.255.255.255     172.16.1.182    172.16.1.182       1
         172.16.1.249  255.255.255.255     172.16.1.182    172.16.1.182       1
       172.16.255.255  255.255.255.255     172.16.1.182    172.16.1.182      10
         192.168.69.0    255.255.255.0    192.168.69.22   192.168.69.22      20
        192.168.69.22  255.255.255.255        127.0.0.1       127.0.0.1      20
       192.168.69.255  255.255.255.255    192.168.69.22   192.168.69.22      20
            224.0.0.0        240.0.0.0     172.16.1.182    172.16.1.182      10
            224.0.0.0        240.0.0.0    192.168.69.22   192.168.69.22      20
      255.255.255.255  255.255.255.255     172.16.1.182    172.16.1.182       1
      255.255.255.255  255.255.255.255    192.168.69.22   192.168.69.22       1
    Default Gateway:      192.168.69.1

    Persistent Routes:

    C:\Documents and Settings\Curt>

    ===========================================================================
    This is in the office where it FAILS
    ===========================================================================

    C:\Documents and Settings\Chuck>route PRINT

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 06 5b ac 67 43 ...... 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
    0x3 ...00 0e 2e 52 91 62 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
    0x10005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.4.1    192.168.4.36      20
         66.71.50.254  255.255.255.255      192.168.4.1    192.168.4.36       1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
           172.16.1.0    255.255.255.0     172.16.1.181    172.16.1.181      20
         172.16.1.181  255.255.255.255        127.0.0.1       127.0.0.1      20
         172.16.1.240  255.255.255.255     172.16.1.181    172.16.1.181       1
         172.16.1.247  255.255.255.255     172.16.1.181    172.16.1.181       1
         172.16.1.249  255.255.255.255     172.16.1.181    172.16.1.181       1
       172.16.255.255  255.255.255.255     172.16.1.181    172.16.1.181      20
          192.168.4.0    255.255.255.0     192.168.4.36    192.168.4.36      20
         192.168.4.36  255.255.255.255        127.0.0.1       127.0.0.1      20
        192.168.4.255  255.255.255.255     192.168.4.36    192.168.4.36      20
            224.0.0.0        240.0.0.0     172.16.1.181    172.16.1.181      20
            224.0.0.0        240.0.0.0     192.168.4.36    192.168.4.36      20
      255.255.255.255  255.255.255.255     172.16.1.181    172.16.1.181       1
      255.255.255.255  255.255.255.255     192.168.4.36               2       1
      255.255.255.255  255.255.255.255     192.168.4.36    192.168.4.36       1
    Default Gateway:       192.168.4.1
    ===========================================================================
    Persistent Routes:
      None

    C:\Documents and Settings\Chuck>
    CurtTampa, Aug 8, 2008
    #6
  7. Merv Guest

    Can you please provide some clarifications?

    Do you have a separate PC at home and at work, or is it a laptop that
    you take to and from the office?

    You say your RDP works all the time - does this mean at home and at the
    office?

    How many PCs in the office can use RDP and connect successfully?

    You have indicated that at least one cannot connect using RDP in the
    office - is there more than one that cannot use RDP?

    What is the device that interconnects the office 192.168.4.x subnet to
    the datacenter's 172.16.1.x subnet?
    Merv, Aug 9, 2008
    #7
  8. CurtTampa Guest

    Chuck has a desktop in the office that fails. He has a laptop that fails
    in the office network, but if he plugs it directly into the back of the
    cable modem it works perfectly.
    I, on the other hand, do not have an office PC; I work from home and mine
    works perfectly always.

    There are only two of us who attempt to use the VPN. Only 1 in the
    office ever. No PCs going thru the office PIX work ever.

    I have no clue what the device that interconnects the office 192.168.4.x
    subnet to the datacenter's 172.16.1.x subnet is at all. I know our
    'expert' has a 506E in his rack. He just calls it a 'Cisco VPN
    Appliance'. If that is critical I will attempt to contact him. That
    usually takes a month or so for him to get back to us on anything where
    we are not totally down.

    (Know any good Cisco people in Tampa, Florida?)
    CurtTampa, Aug 10, 2008
    #8
  9. Merv Guest

    On Aug 10, 7:46 am, CurtTampa <> wrote:
    > Chuck has a desktop in the office that fails. He has a laptop that fails
    > in the office network, but if he plugs it directly into the back of the
    > cable modem it works perfectly.
    > I, on the other hand, do not have an office PC; I work from home and mine
    > works perfectly always.
    >
    > There are only two of us who attempt to use the VPN. Only 1 in the
    > office ever. No PCs going thru the office PIX work ever.
    >
    > I have no clue what the device that interconnects the office 192.168.4.x
    > subnet to the datacenter's 172.16.1.x subnet is at all. I know our
    > 'expert' has a 506E in his rack. He just calls it a 'Cisco VPN
    > Appliance'. If that is critical I will attempt to contact him. That
    > usually takes a month or so for him to get back to us on anything where
    > we are not totally down.
    >
    > (Know any good Cisco people in Tampa, Florida?)

    So the datacenter and the office are at two different sites?

    Clearly if Chuck can connect his PC directly to the office DSL modem
    and is then able to successfully use RDP to the datacenter, then this
    would tend to indicate that whatever the device is between Chuck's PC
    and the DSL modem is the source of the problem. If it is a firewall,
    then normally outbound TCP connections are automatically permitted and
    the return TCP traffic is allowed thru the firewall. However, the
    firewall may be only permitting certain TCP ports thru, and if that is
    the case then RDP could certainly be impacted.

    Call the Cisco sales office in Tampa and ask for the names of a couple
    of good Cisco distributors in Tampa, and ring them up and see if they
    provide consulting services so you can get your issue resolved.
    Merv, Aug 10, 2008
    #9
  10. CurtTampa Guest

    That's the whole point of this posting and why I included the ROUTE
    PRINT. We have been told that there are no outgoing ports blocked in
    the office PIX. And since the Cisco VPN Client successfully connects
    to the data center thru the PIX, clearly that is not the issue. Traffic
    to the remote network is apparently not being routed thru the VPN
    client. I got there due to the fact that all pings to the remote
    network fail no matter what the packet size is.
    What is weird about this is, we replaced the PIX with a home Netgear
    for one day and it works just fine with no changes to any of the PCs
    in the office. So it must be the PIX somehow, even though it appears
    to be a routing issue.
    CurtTampa, Aug 10, 2008
    #10
  11. Merv Guest

    On Aug 10, 11:04 am, CurtTampa <> wrote:
    > That's the whole point of this posting and why I included the ROUTE
    > PRINT. We have been told that there are no outgoing ports blocked in
    > the office PIX. And since the Cisco VPN Client successfully connects
    > to the data center thru the PIX, clearly that is not the issue. Traffic
    > to the remote network is apparently not being routed thru the VPN
    > client. I got there due to the fact that all pings to the remote
    > network fail no matter what the packet size is.
    > What is weird about this is, we replaced the PIX with a home Netgear
    > for one day and it works just fine with no changes to any of the PCs
    > in the office. So it must be the PIX somehow, even though it appears
    > to be a routing issue.

    A wild stab would be that NAT traversal is not configured on the PIX
    and is required for client VPN pass-thru.

    The Netgear will do that automatically.
    Merv, Aug 10, 2008
    #11
  12. Merv Guest

    OBTW, if Chuck's PC is always at the office, then the office PIX could
    be configured to establish a site-to-site VPN (IPSEC tunnel) to the
    datacenter PIX and then he would not need the Cisco VPN client to
    access the datacenter.
    Merv, Aug 10, 2008
    #12
  13. CurtTampa Guest

    On Aug 10, 12:53 pm, Merv <> wrote:
    > OBTW, if Chuck's PC is always at the office, then the office PIX could
    > be configured to establish a site-to-site VPN (IPSEC tunnel) to the
    > datacenter PIX and then he would not need the Cisco VPN client to
    > access the datacenter.

    Correct, but our 'Cisco' dude wants to charge us extra for an 'always
    on' connection.
    CurtTampa, Aug 11, 2008
    #13
  14. Merv Guest

    On Aug 10, 8:03 pm, CurtTampa <> wrote:
    > On Aug 10, 12:53 pm, Merv <> wrote:
    > > OBTW, if Chuck's PC is always at the office, then the office PIX could
    > > be configured to establish a site-to-site VPN (IPSEC tunnel) to the
    > > datacenter PIX and then he would not need the Cisco VPN client to
    > > access the datacenter.
    >
    > Correct, but our 'Cisco' dude wants to charge us extra for an 'always
    > on' connection.

    Do you own the Cisco 501 and the Cisco 506E and the datacenter?

    Do you own the server at the datacenter?
    Merv, Aug 11, 2008
    #14
  15. CurtTampa Guest

    In article <07246b6a-ad2a-416a-ac3a-
    >,
    says...
    > On Aug 10, 8:03 pm, CurtTampa <> wrote:
    > > On Aug 10, 12:53 pm, Merv <> wrote:
    > > > OBTW, if Chuck's PC is always at the office, then the office PIX could
    > > > be configured to establish a site-to-site VPN (IPSEC tunnel) to the
    > > > datacenter PIX and then he would not need the Cisco VPN client to
    > > > access the datacenter.
    > >
    > > Correct, but our 'Cisco' dude wants to charge us extra for an 'always
    > > on' connection.
    >
    > Do you own the Cisco 501 and the Cisco 506E and the datacenter?
    >
    > Do you own the server at the datacenter?

    We own our servers; we rent the 1/2 rack they sit in. I only speculated
    that our connection is thru his 506E; I am not sure of that. We are
    patch-cable linked to his rack because he still handles our backups. Due
    to the fact we are linked, he insists (with good reason) that we come
    thru his VPN connection so he can limit our connection to our machines.
    I understand his security concerns for the protection of his other
    customers. Once we can afford a rack-mount NAS, we will be breaking that
    link. Once we do, I understand we can do a connection using the
    standard M$ connection (not requiring the Cisco client) to our 501. When
    that is complete we should no longer have an issue.
    CurtTampa, Aug 11, 2008
    #15
  16. Merv Guest

    On Aug 11, 6:30 am, CurtTampa <> wrote:
    > In article <07246b6a-ad2a-416a-ac3a-
    > >,
    > says...> On Aug 10, 8:03 pm, CurtTampa <> wrote:
    > > > On Aug 10, 12:53 pm, Merv <> wrote:
    > > > > OBTW, if Chuck's PC is always at the office, then the office PIX could
    > > > > be configured to establish a site-to-site VPN (IPSEC tunnel) to the
    > > > > datacenter PIX and then he would not need the Cisco VPN client to
    > > > > access the datacenter.
    > > >
    > > > Correct, but our 'Cisco' dude wants to charge us extra for an 'always
    > > > on' connection.
    > >
    > > Do you own the Cisco 501 and the Cisco 506E and the datacenter?
    > >
    > > Do you own the server at the datacenter?
    >
    > We own our servers; we rent the 1/2 rack they sit in. I only speculated
    > that our connection is thru his 506E; I am not sure of that. We are
    > patch-cable linked to his rack because he still handles our backups. Due
    > to the fact we are linked, he insists (with good reason) that we come
    > thru his VPN connection so he can limit our connection to our machines.
    > I understand his security concerns for the protection of his other
    > customers. Once we can afford a rack-mount NAS, we will be breaking that
    > link. Once we do, I understand we can do a connection using the
    > standard M$ connection (not requiring the Cisco client) to our 501. When
    > that is complete we should no longer have an issue.

    So it sounds like you have plans to deal with several of the technical
    and business issues and your "Cisco guy" long term.

    Do you have access to the office PIX 501, and can you post the PIX 501
    config - sanitized of course - no passwords and no external IP
    addresses?

    There are several very good PIX wizards on this newsgroup and
    hopefully they would respond if they see issues with your office PIX
    501 config.
    Merv, Aug 11, 2008
    #16
  17. CurtTampa Guest

    On Aug 11, 6:50 am, Merv <> wrote:
    > On Aug 11, 6:30 am, CurtTampa <> wrote:
    > > In article <07246b6a-ad2a-416a-ac3a-
    > > >,
    > > says...> On Aug 10, 8:03 pm, CurtTampa <> wrote:
    > > > > On Aug 10, 12:53 pm, Merv <> wrote:
    > > > > > OBTW, if Chuck's PC is always at the office, then the office PIX could
    > > > > > be configured to establish a site-to-site VPN (IPSEC tunnel) to the
    > > > > > datacenter PIX and then he would not need the Cisco VPN client to
    > > > > > access the datacenter.
    > > > >
    > > > > Correct, but our 'Cisco' dude wants to charge us extra for an 'always
    > > > > on' connection.
    > > >
    > > > Do you own the Cisco 501 and the Cisco 506E and the datacenter?
    > > >
    > > > Do you own the server at the datacenter?
    > >
    > > We own our servers; we rent the 1/2 rack they sit in. I only speculated
    > > that our connection is thru his 506E; I am not sure of that. We are
    > > patch-cable linked to his rack because he still handles our backups. Due
    > > to the fact we are linked, he insists (with good reason) that we come
    > > thru his VPN connection so he can limit our connection to our machines.
    > > I understand his security concerns for the protection of his other
    > > customers. Once we can afford a rack-mount NAS, we will be breaking that
    > > link. Once we do, I understand we can do a connection using the
    > > standard M$ connection (not requiring the Cisco client) to our 501. When
    > > that is complete we should no longer have an issue.
    >
    > So it sounds like you have plans to deal with several of the technical
    > and business issues and your "Cisco guy" long term.
    >
    > Do you have access to the office PIX 501, and can you post the PIX 501
    > config - sanitized of course - no passwords and no external IP
    > addresses?
    >
    > There are several very good PIX wizards on this newsgroup and
    > hopefully they would respond if they see issues with your office PIX
    > 501 config.

    1st: you are correct. Our Cisco/network dude has got to go; all we
    need is enough money to get rid of him and a replacement we can trust.
    2nd: I will try. I'm not sure that Chuck or I actually know the
    password to get into the office 501. I will have to do some reading on
    this as I have heard the password is not required if you have the
    serial cable (which we do). So I will investigate getting that config.
    Thanks for all your assistance.
    CurtTampa, Aug 11, 2008
    #17
  18. CurtTampa Guest

    Re: RDP thru Cisco VPN client and thru 501 Failure CONFIG

    Here is the config from our OFFICE PIX.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password PASSWPRD encrypted
    passwd PASSWORD
    hostname HOSTNAME
    domain-name HOSTNAME.local
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.25.0 VPNclient
    name XXX.XXX.XXX.XX web_ftp-outside
    name 192.168.4.6 web_ftp-inside
    name XXX.XXX.XXX.XXX email_RDP-outside
    name 192.168.4.5 email_RDP-inside
    access-list 101 permit icmp any any
    access-list 101 remark VPN Access Policy
    access-list 101 permit ip VPNclient 255.255.255.0 192.168.4.0 255.255.255.0
    access-list 101 permit tcp any host email_RDP-outside eq smtp
    access-list 101 permit tcp any host email_RDP-outside eq pop3
    access-list 101 permit tcp any host email_RDP-outside eq 3389
    access-list 101 permit tcp any host web_ftp-outside eq ftp-data
    access-list 101 permit tcp any host web_ftp-outside eq ftp
    access-list 101 permit tcp any host web_ftp-outside eq www
    access-list 101 permit tcp any host web_ftp-outside eq https
    access-list outside_cryptomap_dyn_30 permit ip any VPNclient 255.255.255.0
    access-list HOSTNAME_splitTunnelAcl permit ip 192.168.4.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip 192.168.4.0 255.255.255.0 VPNclient 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XXX.XXX.XXX 255.255.255.248
    ip address inside 192.168.4.1 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool HOSTNAMEVPNpool 192.168.25.51-192.168.25.60 mask 255.255.255.0
    pdm location email_RDP-outside 255.255.255.255 outside
    pdm location web_ftp-inside 255.255.255.255 inside
    pdm location email_RDP-inside 255.255.255.255 inside
    pdm location VPNclient 255.255.255.0 outside
    pdm location web_ftp-outside 255.255.255.255 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) email_RDP-outside email_RDP-inside netmask 255.255.255.255 0 0
    static (inside,outside) web_ftp-outside web_ftp-inside netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
    timeout xlate 0:30:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:30:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    ntp server 192.5.41.41 source outside
    ntp server 192.5.41.40 source outside prefer
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-l2tp
    auth-prompt prompt Enter login authorization
    auth-prompt accept Thank you. Access granted.
    auth-prompt reject Either get it right or stop trying to hack your way in.
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_30
    crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup HOSTNAME address-pool HOSTNAMEVPNpool
    vpngroup HOSTNAME dns-server email_RDP-inside 65.32.1.70
    vpngroup HOSTNAME wins-server email_RDP-inside
    vpngroup HOSTNAME default-domain HOSTNAME.local
    vpngroup HOSTNAME split-tunnel HOSTNAME_splitTunnelAcl
    vpngroup HOSTNAME split-dns HOSTNAME.local HOSTNAME.lcl
    vpngroup HOSTNAME idle-time 1800
    vpngroup HOSTNAME password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    isakmp nat-traversal 20
    management-access inside
    console timeout 0
    username pronetserv password PASSWPRD encrypted privilege 15
    username admin password PASSWORD encrypted privilege 15
    terminal width 80
    Cryptochecksum:CHECKSUM
    : end
    CurtTampa, Aug 11, 2008
    #18
  19. CurtTampa Guest

    Re: RDP thru Cisco VPN Merv, you there?

    Did you abandon me?
    CurtTampa, Aug 14, 2008
    #19
  20. Merv Guest

    Re: RDP thru Cisco VPN Merv, you there?

    On Aug 14, 6:37 am, CurtTampa <> wrote:
    > Did you abandon me?

    I see the config has NAT traversal configured.

    Hopefully some of the PIX experts on this group will see the posting
    of your PIX config.

    You might want to repost the PIX config if you do not get any
    feedback on it.
    Merv, Aug 14, 2008
    #20
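    Added example, not code from the thread: a small checker for a PIX 6.3 config like the office one posted in #18. It reports what Merv looked for (the isakmp nat-traversal line), the PAT rule that is the reason NAT-T matters for a client going out through this PIX, and the management and SNMP lines open to any address. CONFIG_EXCERPT is copied from the posted config, trimmed to the lines the checks use; the function names are mine.

```python
"""Checks on a PIX 6.3 config for the client-VPN pass-through question in the thread.

Added example, not from the thread.  CONFIG_EXCERPT is copied from the posted
office config, trimmed to the lines the checks use (a constructed subset).
"""
import re
from typing import Dict, List, Optional

CONFIG_EXCERPT = """\
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit icmp any any
mtu outside 1500
mtu inside 1500
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
sysopt connection permit-ipsec
isakmp enable outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
isakmp nat-traversal 20
: end
"""


def parse(config: str) -> List[str]:
    """Non-empty command lines, with the ': end' marker and blank lines dropped."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]


def nat_traversal(cmds: List[str]) -> Optional[int]:
    """Keepalive seconds from 'isakmp nat-traversal [N]'; 0 if present with no N;
    None if absent.  Note this governs the PIX's own IKE peers (its vpngroup
    clients); a client passing through to another concentrator negotiates NAT-T
    with that far end."""
    for cmd in cmds:
        m = re.fullmatch(r"isakmp nat-traversal(?: (\d+))?", cmd)
        if m:
            return int(m.group(1)) if m.group(1) else 0
    return None


def pat_on_outside_interface(cmds: List[str]) -> bool:
    """True when inside hosts leave via PAT on the outside interface address:
    'global (outside) N interface' paired with 'nat (inside) N 0.0.0.0 0.0.0.0'.
    That PAT hop is why a VPN client behind this PIX needs NAT-T (UDP 4500)
    rather than raw ESP, which carries no ports for PAT to translate."""
    pool_ids = set()
    for cmd in cmds:
        m = re.fullmatch(r"global \(outside\) (\d+) interface", cmd)
        if m:
            pool_ids.add(m.group(1))
    for cmd in cmds:
        m = re.fullmatch(r"nat \(inside\) (\d+) 0\.0\.0\.0 0\.0\.0\.0(?: .*)?", cmd)
        if m and m.group(1) in pool_ids:
            return True
    return False


def mgmt_open_from_any(cmds: List[str]) -> Dict[str, List[str]]:
    """Interfaces on which http/ssh/telnet management is allowed from 0.0.0.0 0.0.0.0."""
    found: Dict[str, List[str]] = {}
    for cmd in cmds:
        m = re.fullmatch(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\w+)", cmd)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def default_snmp_community(cmds: List[str]) -> bool:
    """True if the well-known 'public' read community is configured."""
    return "snmp-server community public" in cmds


def report(config: str) -> Dict[str, object]:
    cmds = parse(config)
    return {
        "nat_traversal_keepalive": nat_traversal(cmds),
        "pat_on_outside": pat_on_outside_interface(cmds),
        "mgmt_open_from_any": mgmt_open_from_any(cmds),
        "snmp_public": default_snmp_community(cmds),
    }


if __name__ == "__main__":
    for key, value in report(CONFIG_EXCERPT).items():
        print(f"{key}: {value}")
```

    Run against the full posted config, the same functions apply unchanged; the excerpt only keeps the script short.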