Allow administrator access to VPN client 4.6 connect on PIX 506

Hi,

Remote users connect from home to my Company's LAN with VPN Client 4.6 (Firewall: PIX 506)

They can access the servers in my LAN --> all works well.

Problem: I can't access their PCs with VNC, but I can ping their IPs.

My config (IPs and passwords modified, of course):

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIRR4 encrypted
passwd 2KFQnbNIU encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl-ipsec permit ip 100.1.0.0 255.255.0.0 190.100.135.0 255.255.255.0
access-list acl-ipsec permit ip 100.0.0.0 255.255.0.0 190.100.135.0 255.255.255.0
access-list acl-inside permit ip 100.0.0.0 255.255.0.0 190.100.135.0 255.255.255.0
access-list acl-inside permit ip 100.1.0.0 255.255.0.0 190.100.135.0 255.255.255.0
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq domain
access-list acl-inside permit udp 100.0.0.0 255.255.0.0 gt 1023 any eq domain
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq www
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq ident
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq ftp
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq ftp-data
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq https
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq 563
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq smtp
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq pop3
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq nntp
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq domain
access-list acl-inside permit udp 100.1.0.0 255.255.0.0 gt 1023 any eq domain
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq www
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq ident
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq ftp
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq ftp-data
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq https
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq 563
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq smtp
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq pop3
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq nntp
access-list acl-inside permit tcp 100.0.0.0 255.255.0.0 gt 1023 any eq 9001
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq 9001
access-list acl-inside permit icmp any any
access-list acl-outside permit tcp any gt 1023 host 61.161.90.135 eq smtp
access-list split permit ip 100.1.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 100.1.0.0 255.255.0.0 190.100.135.0 255.255.255.0
access-list nonat permit ip 100.0.0.0 255.255.0.0 190.100.135.0 255.255.255.0
access-list nonat permit ip 100.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 100.0.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 61.161.90.135 255.255.255.252
ip address inside 100.1.0.254 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 100.0.0.0 255.255.0.0 0 0
nat (inside) 1 100.1.0.0 255.255.0.0 0 0
static (inside,outside) tcp 61.161.90.135 smtp 100.1.0.2 smtp netmask 255.255.255.255 0 0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 61.161.90.138
route inside 100.0.0.0 255.255.0.0 100.1.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ipsec-transf esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ipsec-transf
crypto map map-ipsec 10 ipsec-isakmp
crypto map map-ipsec 10 match address acl-ipsec
crypto map map-ipsec 10 set peer 195.21.52.123
crypto map map-ipsec 10 set transform-set ipsec-transf
crypto map map-ipsec 30 ipsec-isakmp dynamic dynmap
crypto map map-ipsec interface outside
isakmp enable outside
isakmp key rubinF018 address 195.20.51.123 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
vpngroup vpn3000 address-pool bigpool
vpngroup vpn3000 dns-server 100.1.0.60
vpngroup vpn3000 wins-server 100.1.0.60
vpngroup vpn3000 default-domain youhouhou
vpngroup vpn3000 split-tunnel split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ******
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:13d8e4ccf1058617c8e4j1881bb23ac5
: end

TIA,

Y.

Reply to
Yannick DUCERF

Which of the above lines should allow VNC access to the remote workstations (IP range 192.168.1.1 - 192.168.1.254)? I can see a line allowing ping (the last line), but I don't know what port number you are using with the VNC.

Reply to
Jyri Korhonen
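Editor's note on the question above. The posted PIX config applies `acl-inside` inbound on the inside interface, so a LAN host opening VNC towards a VPN client has to pass that list, while the client-to-server direction is exempted from the outside ACL by `sysopt connection permit-ipsec`. `acl-inside` permits ICMP from `any` to `any`, which is why ping works, but its TCP entries only cover a fixed set of destination ports (domain, www, ftp, smtp, 9001 and so on), none of which is VNC, so the connection hits the implicit deny at the end of the list. Two further checks from the same config: the `split` access-list only tunnels 100.1.0.0/24, so a LAN host outside that /24 (for example anything in 100.0.0.0/16 behind 100.1.0.2) will not reach a client even after the ACL is fixed unless `split` is extended; and, once this works, the IKE policies (DES, MD5, DH group 1) and `snmp-server community public` are worth tightening.

The script below is an added example, not code from the thread. It parses the subset of PIX 6.3 `access-list` syntax used in the posted config, evaluates it with first-match semantics and an implicit deny, and shows a LAN-to-client VNC flow being dropped by `acl-inside` as posted and permitted once a rule for it is appended. The LAN host 100.1.0.10, the client 192.168.1.20, the VNC port 5900 (display :0) and the port-name mapping are assumptions.

```python
"""Evaluate a PIX 6.3-style access-list against sample flows.

Added example, not code from the forum post. It parses the subset of
`access-list` syntax used in the posted config (ip/tcp/udp/icmp; any,
host A, or A MASK; `gt N` source ports; `eq PORT` destination ports),
applies first-match semantics with the implicit deny at the end, and
checks what acl-inside does with a LAN-to-VPN-client VNC connection.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names used in the posted config (assumed to map to IANA numbers).
PORT_NAMES = {"domain": 53, "www": 80, "ident": 113, "ftp": 21, "ftp-data": 20,
              "https": 443, "smtp": 25, "pop3": 110, "nntp": 119}


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[tuple[str, int]]   # e.g. ("gt", 1023), or None for any
    dst: ipaddress.IPv4Network
    dport: Optional[tuple[str, int]]


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _take_addr(toks: list[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)


def _take_port(toks: list[str]) -> Optional[tuple[str, int]]:
    if toks and toks[0] in ("eq", "gt", "lt"):
        op = toks.pop(0)
        return op, _port(toks.pop(0))
    return None


def parse_acl(config: str, name: str) -> list[Ace]:
    """Collect the ACEs of one named access-list, in configured order."""
    aces = []
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[:2] != ["access-list", name]:
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _port_ok(cond: Optional[tuple[str, int]], port: int) -> bool:
    if cond is None:
        return True
    op, n = cond
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def evaluate(aces: list[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> tuple[str, Optional[int]]:
    """First matching ACE wins; no match means the implicit deny (index None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(aces):
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and _port_ok(a.sport, sport) and _port_ok(a.dport, dport)):
            return a.action, i
    return "deny", None


# Constructed subset of acl-inside as posted (wrapped lines rejoined).
POSTED = """\
access-list acl-inside permit ip 100.1.0.0 255.255.0.0 190.100.135.0 255.255.255.0
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq www
access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 gt 1023 any eq 9001
access-list acl-inside permit icmp any any
"""

# Candidate rule (assumed port 5900): allow VNC from the LAN to the VPN pool
# 192.168.1.0/24 only, not to `any`. PIX 6.3 appends it to the end of the list.
VNC_RULE = ("access-list acl-inside permit tcp 100.1.0.0 255.255.0.0 "
            "192.168.1.0 255.255.255.0 eq 5900\n")


def check(config: str, proto: str, dport: int) -> str:
    """Action acl-inside takes for 100.1.0.10 -> 192.168.1.20 on the given port."""
    return evaluate(parse_acl(config, "acl-inside"), proto,
                    "100.1.0.10", 40000, "192.168.1.20", dport)[0]


if __name__ == "__main__":
    print("ICMP as posted:", check(POSTED, "icmp", 0))               # permit
    print("VNC as posted: ", check(POSTED, "tcp", 5900))             # deny
    print("VNC with rule: ", check(POSTED + VNC_RULE, "tcp", 5900))  # permit
```

The rule is scoped to the `bigpool` range rather than `any` on purpose: the existing `gt 1023 any eq ...` entries already let every LAN host reach any address on those ports, and there is no reason to widen that for VNC. If the client listens on another display, change the port accordingly, and run `show access-list acl-inside` afterwards to confirm the hit counter on the new entry increments when you connect.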

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.