Allow administrator access to VPN client 4.6 connect on PIX 506

Discussion in 'Cisco' started by Yannick DUCERF, Jun 3, 2005.

  1. Hi,

    Remote users connect from home to my company's LAN with VPN Client 4.6
    (Firewall: PIX 506).

    They can access the servers in my LAN --> all works well.

    Problem: I can't access their PCs with VNC, but I can ping their IPs.

    My conf (IPs and passwords modified, of course):

    PIX Version 6.3(4)
    interface ethernet0 10baset
    interface ethernet1 10baset
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIRR4 encrypted
    passwd 2KFQnbNIU encrypted
    hostname pix
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl-ipsec permit ip 100.1.0.0 255.255.0.0 190.100.135.0 255.255.255.0
    access-list acl-ipsec permit ip 100.0.0.0 255.255.0.0 190.100.135.0 255.255.255.0
    access-list acl-inside permit ip 100.0.0.0 255.255.0.0 190.100.135.0 255.255.255.0
    access-list acl-inside permit ip 100.1.0.0 255.255.0.0 190.100.135.0 255.255.255.0
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq domain
    access-list acl-inside permit udp 100.0.0.0 255.255.0.0 gt 1023 any eq domain
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq www
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq ident
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq ftp
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq ftp-data
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq https
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq 563
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq smtp
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq pop3
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq nntp
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq domain
    access-list acl-inside permit udp 100.1.0.0 255.255.0.0 gt 1023 any eq domain
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq www
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq ident
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq ftp
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq ftp-data
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq https
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq 563
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq smtp
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq pop3
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq nntp
    access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq 9001
    access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq 9001
    access-list acl-inside permit icmp any any
    access-list acl-outside permit tcp any gt 1023 host 61.161.90.135 eq smtp
    access-list split permit ip 100.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 100.1.0.0 255.255.0.0 190.100.135.0 255.255.255.0
    access-list nonat permit ip 100.0.0.0 255.255.0.0 190.100.135.0 255.255.255.0
    access-list nonat permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 100.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 61.161.90.135 255.255.255.252
    ip address inside 100.1.0.254 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool bigpool 192.168.1.1-192.168.1.254
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 100.0.0.0 255.255.0.0 0 0
    nat (inside) 1 100.1.0.0 255.255.0.0 0 0
    static (inside,outside) tcp 61.161.90.135 smtp 100.1.0.2 smtp netmask 255.255.255.255 0 0
    access-group acl-outside in interface outside
    access-group acl-inside in interface inside
    route outside 0.0.0.0 0.0.0.0 61.161.90.138
    route inside 100.0.0.0 255.255.0.0 100.1.0.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ipsec-transf esp-des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set ipsec-transf
    crypto map map-ipsec 10 ipsec-isakmp
    crypto map map-ipsec 10 match address acl-ipsec
    crypto map map-ipsec 10 set peer 195.21.52.123
    crypto map map-ipsec 10 set transform-set ipsec-transf
    crypto map map-ipsec 30 ipsec-isakmp dynamic dynmap
    crypto map map-ipsec interface outside
    isakmp enable outside
    isakmp key rubinF018 address 195.20.51.123 netmask 255.255.255.255 no-xauth
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 3600
    vpngroup vpn3000 address-pool bigpool
    vpngroup vpn3000 dns-server 100.1.0.60
    vpngroup vpn3000 wins-server 100.1.0.60
    vpngroup vpn3000 default-domain youhouhou
    vpngroup vpn3000 split-tunnel split
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ******
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:13d8e4ccf1058617c8e4j1881bb23ac5
    : end

    TIA,

    Y.
    Yannick DUCERF, Jun 3, 2005
    #1

  2. Which of the above lines should allow VNC access to the remote
    workstations (IP range 192.168.1.1 - 192.168.1.254)? I can see
    a line allowing ping (the last line), but I don't know what
    port number you are using with the VNC.
    Jyri Korhonen, Jun 3, 2005
    #2
