RDP fails using Cisco VPN Client to PIX

In our office we have a WinXP machine with the Cisco VPN client running on it. If we go through the PIX, the VPN client connects up to the remote PIX just fine. However, Windows RDP does not work through the tunnel. If we hook up the same computer directly to the net on the other side of our PIX, the VPN and RDP work just fine.

Any Ideas what to look for would be greatly appreciated.

TIA

Reply to
Curt

Perhaps we could see some of your config? I would like to see the access-lists, your NAT statement, ISAKMP and IPsec configs...

Reply to
Chad Mahoney

Try reducing the MTU size on the PC running the RDP client.

AFAIK RDP does not allow for packets to be fragmented

Reply to
Merv

Earlier this month I posted a problem getting RDP to work through our VPN tunnel. We have a PIX in our data center that we use the Cisco client to connect up to, then we use MS RDP to connect to our servers. This works just fine when we are on the outside of our new office PIX. When we hook up a computer directly to Road Runner on the outside of our PIX, this works. When we hook up the same computer on the inside of our network, the VPN client connects just fine, but the RDP fails to see any of the servers on the other side of the tunnel. Someone asked me to post our config. I finally got it. I have hidden our company name, passwords and our external IP addresses. If our external IP was 1.2.3.10 I labeled it as Our.External.IP.10. I did this as we have multiple external IP addresses referenced within our config and it will let you see where they are referenced. Here is our config, and thanks for any assistance.

Notes: Our.Outside.IP.xx hides the first 3 octets of our IP address.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OurPassword encrypted
passwd OurPassword encrypted
hostname OurCompanypix
domain-name OurCompany.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.25.0 VPNclient
name Our.Outside.IP.20 web_ftp-outside
name 192.168.4.6 web_ftp-inside
name Our.Outside.IP.19 email_RDP-outside
name 192.168.4.5 email_RDP-inside
access-list 101 permit icmp any any
access-list 101 remark VPN Access Policy
access-list 101 permit ip VPNclient 255.255.255.0 192.168.4.0 255.255.255.0
access-list 101 permit tcp any host email_RDP-outside eq smtp
access-list 101 permit tcp any host email_RDP-outside eq pop3
access-list 101 permit tcp any host email_RDP-outside eq 3389
access-list 101 permit tcp any host web_ftp-outside eq ftp-data
access-list 101 permit tcp any host web_ftp-outside eq ftp
access-list 101 permit tcp any host web_ftp-outside eq www
access-list 101 permit tcp any host web_ftp-outside eq https
access-list outside_cryptomap_dyn_30 permit ip any VPNclient 255.255.255.0
access-list OurCompany_splitTunnelAcl permit ip 192.168.4.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.4.0 255.255.255.0 VPNclient 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside Our.Outside.IP.18 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool OurCompanyVPNpool 192.168.25.51-192.168.25.60 mask 255.255.255.0
pdm location email_RDP-outside 255.255.255.255 outside
pdm location web_ftp-inside 255.255.255.255 inside
pdm location email_RDP-inside 255.255.255.255 inside
pdm location VPNclient 255.255.255.0 outside
pdm location web_ftp-outside 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) email_RDP-outside email_RDP-inside netmask 255.255.255.255 0 0
static (inside,outside) web_ftp-outside web_ftp-inside netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 Our.Outside.IP.17 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:30:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
ntp server 192.5.41.41 source outside
ntp server 192.5.41.40 source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
auth-prompt prompt Enter login authorization
auth-prompt accept Thank you. Access granted.
auth-prompt reject Either get it right or stop trying to hack your way in.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 30 match address outside_cryptomap_dyn_30
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup OurCompany address-pool OurCompanyVPNpool
vpngroup OurCompany dns-server email_RDP-inside 65.32.1.70
vpngroup OurCompany wins-server email_RDP-inside
vpngroup OurCompany default-domain OurCompany.local
vpngroup OurCompany split-tunnel OurCompany_splitTunnelAcl
vpngroup OurCompany split-dns OurCompany.local OurCompany.lcl
vpngroup OurCompany idle-time 1800
vpngroup OurCompany password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
username pronetserv password AnotherPassword encrypted privilege 15
username admin password aDifferentPassword encrypted privilege 15
terminal width 80
Cryptochecksum:ee9a570fa7357d631aa572e2f65500ac
: end
Reply to
Curt
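Chad Mahoney asked what to look for in the config, and the replies that follow raise NAT exemption, NAT traversal and PAT. The script below is an added example written for this page, not code from the thread or from Cisco; it scans a constructed excerpt of the posted config (same placeholder names, only the lines relevant to VPN clients) for those items. The checks encode general PIX 6.3 and IPsec behaviour: decrypted client traffic needs `sysopt connection permit-ipsec` or an explicit ACL entry, the `nat 0` ACL has to cover the client pool, and because ESP carries no port numbers a client that sits *behind* a PAT rule depends on NAT-T with its remote peer or on the `fixup protocol esp-ike` inspection. The excerpt and the finding keys are assumptions for illustration, not a diagnosis of the poster's network.

```python
"""Lint a PIX 6.3-style running config for the VPN-client conditions the thread asks about.

Added example, not part of the thread. CONFIG is a constructed excerpt of the
posted config using its placeholder names. The checks encode general PIX/IPsec
behaviour, not a diagnosis of the poster's network.
"""
import ipaddress
import re

# Constructed excerpt: the lines from the posted config that matter for VPN clients.
CONFIG = """\
PIX Version 6.3(5)
name 192.168.25.0 VPNclient
access-list inside_outbound_nat0_acl permit ip 192.168.4.0 255.255.255.0 VPNclient 255.255.255.0
mtu outside 1500
ip local pool OurCompanyVPNpool 192.168.25.51-192.168.25.60 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map interface outside
isakmp enable outside
vpngroup OurCompany address-pool OurCompanyVPNpool
"""


def parse(config):
    """Split a config dump into stripped command lines, dropping blanks and '!' comments."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def name_table(lines):
    """Map 'name <ip> <alias>' entries so aliases can be compared as addresses."""
    names = {}
    for ln in lines:
        m = re.fullmatch(r"name (\S+) (\S+)", ln)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def to_network(addr, mask, names):
    """Build an IPv4 network from an address (or a 'name' alias) and a dotted mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def pool_network(lines, names):
    """Network covering the first 'ip local pool', or None if no pool is defined."""
    for ln in lines:
        m = re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", ln)
        if m:
            return to_network(m.group(1), m.group(2), names)
    return None


def lint(config):
    """Return a dict of boolean findings for the conditions a VPN-client setup needs."""
    lines = parse(config)
    names = name_table(lines)

    def has(pattern):
        return any(re.match(pattern, ln) for ln in lines)

    f = {}
    # Without this, decrypted client traffic must also be permitted by the outside ACL.
    f["permit_ipsec"] = has(r"sysopt connection permit-ipsec$")

    # The nat 0 ACL must cover the client pool, or replies to clients get translated.
    pool = pool_network(lines, names)
    nat0_acls = [m.group(1) for ln in lines
                 if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", ln))]
    f["pool_nat_exempt"] = False
    for ln in lines:
        for acl in nat0_acls:
            m = re.fullmatch(rf"access-list {re.escape(acl)} permit ip (\S+) (\S+) (\S+) (\S+)", ln)
            if m and pool is not None and pool.subnet_of(to_network(m.group(3), m.group(4), names)):
                f["pool_nat_exempt"] = True

    # Inside hosts leaving through PAT: ESP carries no ports, so an IPsec client *behind*
    # this PIX relies on NAT-T (UDP 4500, negotiated with the remote peer) or on the
    # 'fixup protocol esp-ike' inspection. This box's own 'isakmp nat-traversal' serves
    # clients that connect *to* it from behind NAT, not clients leaving through it.
    pat_ids = [m.group(1) for ln in lines
               if (m := re.match(r"global \(outside\) (\d+) interface", ln))]
    f["inside_pat"] = any(
        re.match(rf"nat \(inside\) {pid} 0\.0\.0\.0 0\.0\.0\.0", ln)
        for ln in lines for pid in pat_ids)
    f["esp_ike_fixup"] = has(r"fixup protocol esp-ike")
    f["nat_traversal"] = has(r"isakmp nat-traversal")
    return f


def report(config):
    """Human-readable list of the findings that need attention."""
    f = lint(config)
    msgs = []
    if not f["permit_ipsec"]:
        msgs.append("no 'sysopt connection permit-ipsec': decrypted client traffic hits the outside ACL")
    if not f["pool_nat_exempt"]:
        msgs.append("nat 0 ACL does not exempt the VPN pool: replies to clients will be NATted")
    if f["inside_pat"] and not f["esp_ike_fixup"]:
        msgs.append("inside hosts use PAT and no 'fixup protocol esp-ike': outbound IPsec "
                    "clients need NAT-T with the remote peer or the ESP fixup")
    if not f["nat_traversal"]:
        msgs.append("no 'isakmp nat-traversal': clients reaching this PIX from behind NAT will fail")
    return msgs


if __name__ == "__main__":
    for line in report(CONFIG):
        print("-", line)
```

Run it against a full `show running-config` dump by reading the file into `CONFIG`. The PAT finding is the one to act on for a client inside the office: the check cannot see the remote peer, so whether NAT-T is negotiated end to end has to be confirmed on the client (IPsec over UDP/NAT-T in its statistics) or on the data-center side.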

add: isakmp nat-traversal 20

Reply to
Brian V

Thanks, I'll see if I can figure out how to do that. I appreciate you taking the time to answer.

Reply to
Curt

I had our 'Cisco' guy add the line you posted. It did not appear to help the situation.

Any other ideas?

Reply to
Curt

I'm looking back at your previous conversations and am not sure I got them all...

Some thoughts--dismiss if you've covered these obvious items...

When the VPN client is behind the PIX, what can it see on the target network? Check to see that it can ping, browse (if Windows), resolve names, blah, blah, blah.

Is it only RDP that is the problem? Try the obvious? RDP is fairly sensitive to MTU. Since this is not site-to-site VPN, have the client drop the MTU, incrementally. (Look at the DF bit.)

How is the VPN client getting through the PIX to establish the tunnel? Try NAT-T, UDP. It works pretty well.

What version of VPN client? Is it a 3000 on the other end? ASA? PIX?

Reply to
notaccie
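Merv and notaccie both point at MTU: drop it on the client until RDP works, watching the DF bit. The calculation below is an added example for this page, not code from the thread; it works out how much of a 1500-byte link is left for the inner packet once ESP tunnel-mode encapsulation is added, so the sweep can start at the right size instead of guessing. The overhead figures are the standard ESP layout (outer IPv4 header, UDP header when NAT-T is in use, SPI and sequence number, cipher IV, padding to the cipher block, the two-byte trailer, and a 96-bit ICV); the 3DES/MD5 values match the transform set in the posted config, and the AES entry is an added comparison. The 1500-byte link MTU and the probe sizes are assumptions for illustration.

```python
"""How much of a 1500-byte link an ESP tunnel leaves for the inner packet.

Added example, not from the thread. Overhead figures are the standard ESP
tunnel-mode layout (RFC 4303): outer IPv4 header, optional NAT-T UDP header,
SPI and sequence number, cipher IV, padding to the cipher block, the
pad-length/next-header trailer, and the 96-bit ICV. The 3DES/MD5 figures
match the thread's transform set; AES is included for comparison.
"""

# cipher -> (block size, IV length) in bytes
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}
# auth -> ICV length in bytes (HMAC-MD5-96 and HMAC-SHA1-96 both truncate to 12)
AUTH_ICV = {"md5": 12, "sha1": 12}

OUTER_IP = 20
NAT_T_UDP = 8       # UDP/4500 encapsulation when NAT-T is negotiated
SPI_AND_SEQ = 8
TRAILER = 2         # pad length + next header


def esp_packet_size(inner_len, cipher="3des", auth="md5", nat_t=True):
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    block, iv = CIPHERS[cipher]
    # The inner packet plus the 2-byte trailer is padded up to a whole cipher block.
    padded = -(-(inner_len + TRAILER) // block) * block
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + SPI_AND_SEQ + iv + padded + AUTH_ICV[auth]


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet whose ESP encapsulation still fits link_mtu, so it is never fragmented."""
    for size in range(link_mtu, 0, -1):
        if esp_packet_size(size, **kw) <= link_mtu:
            return size
    return 0


def probe_plan(inner_mtu):
    """Sizes for a DF-bit ping sweep and the values to set once the limit is confirmed."""
    payload = inner_mtu - 20 - 8       # ICMP payload: strip the IPv4 and ICMP headers
    return {
        "ping_should_pass": payload,   # Windows: ping -f -l <n>; Linux: ping -M do -s <n>
        "ping_should_fail": payload + 1,
        "adapter_mtu": inner_mtu,      # MTU to set on the client's virtual adapter
        "tcp_mss": inner_mtu - 40,     # minus IPv4 + TCP headers: what RDP's segments should fit in
    }


if __name__ == "__main__":
    for nat_t in (False, True):
        m = max_inner_mtu(1500, cipher="3des", auth="md5", nat_t=nat_t)
        print(f"3DES/MD5 nat_t={nat_t}: inner MTU {m}, probe {probe_plan(m)}")
```

Sweep from `ping_should_pass` downward with the DF bit set against a host on the far side of the tunnel; the first size that answers is the working inner MTU, and that, not 1500, is what the client adapter should be set to. If the office uplink itself has a smaller MTU (PPPoE, for example), pass that value as `link_mtu` instead.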

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.