Pix VPN and RDP Problem Follow up

Earlier this month I posted a problem getting RDP to work through our VPN tunnel. We have a PIX in our data center that we use the Cisco client to connect up to, then we use MS RDP to connect to our servers. This works just fine when we are on the outside of our new office PIX. When we hook up a computer directly to Road Runner on the outside of our PIX, this works. When we hook up the same computer on the inside of our network, the VPN client connects just fine, but RDP fails to see any of the servers on the other side of the tunnel. Someone asked me to post our config. I finally got it. I have hidden our company name, passwords and our external IP addresses. If our external IP was I labeled it as Our.External.IP.10. I did this as we have multiple external IP addresses referenced within our config and it will let you see where they are referenced. Here is our config, and thanks for any assistance.

Notes: Our.Outside.IP.xx hides the first 3 octets of our IP address.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OurPassword encrypted
passwd OurPassword encrypted
hostname OurCompanypix
domain-name OurCompany.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name VPNclient
name Our.Outside.IP.20 web_ftp-outside
name web_ftp-inside
name Our.Outside.IP.19 email_RDP-outside
name email_RDP-inside
access-list 101 permit icmp any any
access-list 101 remark VPN Access Policy
access-list 101 permit ip VPNclient
access-list 101 permit tcp any host email_RDP-outside eq smtp
access-list 101 permit tcp any host email_RDP-outside eq pop3
access-list 101 permit tcp any host email_RDP-outside eq 3389
access-list 101 permit tcp any host web_ftp-outside eq ftp-data
access-list 101 permit tcp any host web_ftp-outside eq ftp
access-list 101 permit tcp any host web_ftp-outside eq www
access-list 101 permit tcp any host web_ftp-outside eq https
access-list outside_cryptomap_dyn_30 permit ip any VPNclient
access-list OurCompany_splitTunnelAcl permit ip any
access-list inside_outbound_nat0_acl permit ip VPNclient
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside Our.Outside.IP.18
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool OurCompanyVPNpool mask
pdm location email_RDP-outside outside
pdm location web_ftp-inside inside
pdm location email_RDP-inside inside
pdm location VPNclient outside
pdm location web_ftp-outside outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) email_RDP-outside email_RDP-inside netmask 55 0 0
static (inside,outside) web_ftp-outside web_ftp-inside netmask 0 0
access-group 101 in interface outside
route outside Our.Outside.IP.17 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:30:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ntp server source outside
ntp server source outside prefer
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
auth-prompt prompt Enter login
auth-prompt accept Thank you. Access granted.
auth-prompt reject Either get it right or stop trying to hack your way in.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_30
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup OurCompany address-pool OurCompanyVPNpool
vpngroup OurCompany dns-server email_RDP-inside
vpngroup OurCompany wins-server email_RDP-inside
vpngroup OurCompany default-domain OurCompany.local
vpngroup OurCompany split-tunnel OurCompany_splitTunnelAcl
vpngroup OurCompany split-dns OurCompany.local OurCompany.lcl
vpngroup OurCompany idle-time 1800
vpngroup OurCompany password ********
telnet inside
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
management-access inside
console timeout 0
username pronetserv password AnotherPassword encrypted privilege 15
username admin password aDifferentPassword encrypted privilege 15
terminal width 80
Cryptochecksum:ee9a570fa7357d631aa572e2f65500ac
: end
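Added example, not part of the original post and not a Cisco tool: a small Python review script that reads a PIX 6.3 configuration one command per line and reports which entries of the ACL applied inbound on the outside interface permit TCP 3389 from any source (with the inside host each one reaches through a static translation), plus the ISAKMP policy and transform-set lines that still use MD5 or 3DES. The CONFIG text is a constructed excerpt modelled on the posted config; the addresses in it are placeholders.

```python
# Constructed excerpt modelled on the posted config; addresses are placeholders.
CONFIG = """\
name 192.0.2.19 email_RDP-outside
name 10.0.0.19 email_RDP-inside
access-list 101 permit tcp any host email_RDP-outside eq smtp
access-list 101 permit tcp any host email_RDP-outside eq 3389
static (inside,outside) email_RDP-outside email_RDP-inside netmask 255.255.255.255 0 0
access-group 101 in interface outside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
"""
WEAK_ALGOS = {"md5", "3des", "des", "esp-md5-hmac", "esp-3des", "esp-des"}

def parse(text):
    """Split the config into token lists, one per command, skipping blank lines."""
    return [line.split() for line in text.splitlines() if line.strip()]

def outside_acl(cmds):
    """Name of the ACL applied inbound on the outside interface, or None."""
    for c in cmds:
        if c[:1] == ["access-group"] and c[-3:] == ["in", "interface", "outside"]:
            return c[1]
    return None

def statics(cmds):
    """Map outside name/address -> inside name/address from (inside,outside) statics."""
    return {c[2]: c[3] for c in cmds if c[:2] == ["static", "(inside,outside)"]}

def exposed_rdp(cmds):
    """(outside host, inside host) pairs reachable on TCP 3389 from any source."""
    acl, st = outside_acl(cmds), statics(cmds)
    hits = []
    for c in cmds:
        if (c[:4] == ["access-list", acl, "permit", "tcp"] and c[4:6] == ["any", "host"]
                and c[-2:] == ["eq", "3389"]):
            hits.append((c[6], st.get(c[6])))
    return hits

def weak_crypto(cmds):
    """ISAKMP policy and IPsec transform-set lines still using MD5, DES or 3DES."""
    return [" ".join(c) for c in cmds
            if (c[:1] == ["isakmp"] or c[:3] == ["crypto", "ipsec", "transform-set"])
            and WEAK_ALGOS & set(c)]

if __name__ == "__main__":
    for out_host, in_host in exposed_rdp(parse(CONFIG)):
        print(f"RDP open from any source to {out_host} (inside host: {in_host})")
    for line in weak_crypto(parse(CONFIG)):
        print(f"weak algorithm: {line}")
```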