Best method to connect to an XP computer behind a PIX 506E using Cisco VPN client and RDP?

I need to be able to connect a distant XP computer via DSL over the internet to an XP computer sitting on a single-subnet domain behind a PIX 506E.  This is for a local law enforcement agency so it needs to be fairly secure.  I was thinking about using the CVPN client to establish a tunnel and then simply use RDP to connect to the desktop.  OK or better way to do it?  Just follow the Cisco config documents?  Any tips or gotchas?  There are already PIX to PIX tunnels running from this PIX to another.  Thanks.
You're on the right track.
Yes, use the documents, but there are a couple of "gotchas":
This doc shows a LAN-LAN tunnel + the VPN client:

Gotcha #1 - be sure to use a separate IP subnet for the VPN clients from the local LAN.
Gotcha #2 - in the link above, the PIX2 config shows them using the same acl (100) for both the nat 0 and for the crypto map. Not recommended practice. Use two identical acls as shown in the PIX1 config.
Gotcha #3 - If using XP SP2, I highly recommend using client 4.05 or 4.6 only.

Suggestion: if security is prime, then do not allow split-tunneling while connected. This means that once the client connects to the VPN, they no longer have regular Internet connectivity, but they have full connectivity to your LAN (or fully restrict to just RDP if you want).
kishvetAuthor Commented:

I am connecting to the PIX with the CVPN client just fine (I think).  It is giving me a correct IP address from the ip pool.  It is a different IP subnet than the one protected behind the PIX.  I have it set to give me the domain name of the network behind the PIX and to use the dns server on the network (which is also the DC).

For now, I will forgo split-tunneling.

I cannot get any traffic to pass.  The CVPN client (latest version downloaded today) is showing outbound traffic but no inbound traffic.  It is encrypting but is not decrypting.  It shows that transparent tunneling is inactive.  I have it set to enable transparent tunneling and IPsec over UDP.

Since the tunnel is "dumping" me onto the inside interface of the PIX, does the PIX automatically "route" the traffic between the two subnets?

I tried to emulate the setup from Pix1 in your example above but obviously screwed up somewhere.  Keep in mind that there is already a functioning tunnel to another remote PIX on the PIX in question.  I had it setup by one of the best!  It should sound familiar.

There is only one acl for the inside_outbound_nat0.  I added the VPN clients subnet to the list of the other subnets that bypass NAT.

For the acl that deals with what subnets get encrypted, I have the VPN client subnet on a different list.

I used the "crypto map outside_map 20" for the PIX to PIX.
I used the "crypto map outside_map 30 ipsec-isakmp dynamic dynmap" for the VPN client .

I only used one "isakmp policy 20" for both.

What did I forget?  What did I do wrong?  What else do you need to know to set me in the right direction?  

>does the PIX automatically "route" the traffic between the two subnets?
This could be part of the problem if the PIX interface is not the normal default gateway of all the hosts. If it isn't, then the router that is should have a static route to that client subnet.

Try enabling nat traversal on the pix:
   isakmp nat-traversal 30

>It should sound familiar.
I thought so!
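To tie the thread together, here is an added example of what the relevant parts of a PIX 6.x configuration look like when it carries both the existing PIX-to-PIX tunnel and the dynamic crypto map for the VPN client, following the advice above: a client pool on its own subnet, one acl for nat 0 and a separate (identical in scope) acl for the static crypto map, a single isakmp policy shared by both peers, no split-tunnel statement for the client group, and `isakmp nat-traversal 30` for the client behind DSL NAT. This is an illustration written for this answer, not the poster's actual config and not taken from the Cisco document; every address, name and password below is a constructed placeholder.

```cisco
! Constructed example, not the poster's config. Placeholder addressing:
!   inside LAN (domain):     10.10.10.0/24   (PIX inside is the LAN default gateway)
!   remote PIX LAN:          10.10.30.0/24   (existing site-to-site tunnel)
!   VPN client pool:         10.10.20.0/24   (Gotcha #1: separate from the local LAN)
!   remote PIX outside peer: 203.0.113.2     (TEST-NET placeholder)
!   DC / DNS server:         10.10.10.5

! Pool handed to Cisco VPN clients
ip local pool vpnpool 10.10.20.1-10.10.20.50

! NAT exemption: both the remote LAN and the client pool bypass NAT (one nat 0 acl)
access-list inside_outbound_nat0 permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list inside_outbound_nat0 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0

! Gotcha #2: a separate acl for the static crypto map, not the nat 0 acl
access-list outside_cryptomap_20 permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0

! One transform set used by both the static map and the dynamic map
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic map for VPN clients (no match address: peers are unknown in advance)
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA

! Sequence 20: existing PIX-to-PIX tunnel
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA

! Sequence 30: VPN clients, placed after the static entry
crypto map outside_map 30 ipsec-isakmp dynamic dynmap

! Assumption: XAUTH against the PIX local user database (RADIUS/AD not shown)
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside

isakmp enable outside
! Site-to-site peer must not be prompted for XAUTH / mode-config
isakmp key PLACEHOLDER_PSK address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode

! One isakmp policy serves both the remote PIX and the clients
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! Fix from the thread: let clients behind NAT (DSL routers) negotiate UDP encapsulation
isakmp nat-traversal 30

! Client group: pool, internal DNS and domain name; NO split-tunnel line, so all
! client traffic comes down the tunnel while connected
vpngroup rdpusers address-pool vpnpool
vpngroup rdpusers dns-server 10.10.10.5
vpngroup rdpusers default-domain example.local
vpngroup rdpusers idle-time 1800
vpngroup rdpusers password PLACEHOLDER_GROUP_KEY

! Local XAUTH user (placeholder)
username vpnuser password PLACEHOLDER_USER_PW privilege 2

! Decrypted IPsec traffic bypasses the outside interface acl. To "fully restrict
! to just RDP" instead, remove this line and permit only tcp/3389 from the pool
! to the one host in the outside acl.
sysopt connection permit-ipsec
```

Two things to check against this when comparing with a live box: the client pool must appear in the nat 0 acl (otherwise return traffic is NATed and the client sees "encrypting but not decrypting", as described above), and if the PIX inside interface were not the LAN default gateway, the real gateway would need a static route for 10.10.20.0/24 pointing at the PIX inside address. The `sysopt` line and the optional RDP-only restriction are my reading of how the "fully restrict to just RDP" suggestion would be done on a 6.x PIX, not something stated in the thread.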

kishvetAuthor Commented:
>Try enabling nat traversal on the pix:
   isakmp nat-traversal 30

That seems to have fixed it.  I can ping the hosts that are turned on.

>This could be part of the problem if the PIX interface is not the normal default gateway of all the hosts. If it isn't, then the router that is should have a static route to that client subnet.

The PIX inside interface IS the default gateway for the protected network.  I am assuming that since the VPN client uses the PIX as its endpoint, it becomes the default gateway automatically.

There is a DC on the network that obviously is providing DNS for the network.  If I want to connect to one of the domain hosts running XP via RDP, I should be able to do this, correct?

Do I need to open the RDP port or will it be open by virtue of the authentication process for the VPN client?

Should I be able to set the host machine up to accept RDP from the machine while logged in as a domain administrator or is there somewhere else I need to set this?

The end user connecting via the CVPN client wants to be able to access his office computer from home.  I am assuming he would use his normal domain logon and password, or should he be issued a separate one for this purpose?

Thanks as always.  I will award points tomorrow.


Could you please post a copy of your PIX config here.

Thanks!