Solved

Best method to connect to an XP computer behind a PIX 506E using Cisco VPN client and RDP?

Posted on 2004-11-04
Last Modified: 2008-03-10
I need to be able to connect from a distant XP computer via DSL over the internet to an XP computer sitting on a single-subnet domain behind a PIX 506E. This is for a local law enforcement agency so it needs to be fairly secure. I was thinking about using the CVPN client to establish a tunnel and then simply use RDP to connect to the desktop. OK, or is there a better way to do it? Just follow the Cisco config documents? Any tips or gotchas? There are already PIX to PIX tunnels running from this PIX to another. Thanks.
Question by:kishvet
5 Comments
 

Expert Comment

by:lrmoore
ID: 12499446
You're on the right track.
Yes, use the documents, but there are a couple of "gotchas".
This doc shows a LAN-LAN tunnel + the VPN client:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

Gotcha #1 - be sure to use a separate IP subnet for the VPN clients from the local LAN
Gotcha #2 - in the link above, the PIX2 config shows them using the same acl (100) for both the nat 0 and for the crypto map. Not recommended practice. Use two identical acls as shown in the PIX1 config.
Gotcha #3 - If using XP SP2, highly recommend using client 4.05 or 4.6 only

Suggestion: if security is prime, then do not allow split-tunneling while connected. This means that once the client connects to the VPN, they no longer have regular Internet connectivity, but they have full connectivity to your LAN (or fully restrict to just RDP if you want)
 

Author Comment

by:kishvet
ID: 12501108
lrmoore:

I am connecting to the PIX with the CVPN client just fine (I think).  It is giving me a correct IP address from the ip pool.  It is a different IP subnet than the one protected behind the PIX.  I have it set to give me the domain name of the network behind the PIX and to use the dns server on the network (which is also the DC).

For now, I will forgo split-tunneling.

I cannot get any traffic to pass. The CVPN client (latest version downloaded today) is showing outbound traffic but no inbound traffic. It is encrypting but is not decrypting. It shows that transparent tunneling is inactive. I have it set to enable transparent tunneling and ipsec over udp.

Since the tunnel is "dumping" me onto the inside interface of the PIX, does the PIX automatically "route" the traffic between the two subnets?

I tried to emulate the setup from PIX1 in your example above but obviously screwed up somewhere. Keep in mind that there is already a functioning tunnel to another remote PIX on the PIX in question. I had it set up by one of the best! It should sound familiar.

There is only one acl for the inside_outbound_nat0.  I added the VPN clients subnet to the list of the other subnets that bypass NAT.

For the acl that deals with what subnets get encrypted, I have the VPN client subnet on a different list.

I used the "crypto map outside_map 20" for the PIX to PIX.
I used the "crypto map outside_map 30 ipsec-isakmp dynamic dynmap" for the VPN client.

I only used one "isakmp policy 20" for both.

What did I forget?  What did I do wrong?  What else do you need to know to set me in the right direction?  

Thanks.
 

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 12501234
>does the PIX automatically "route" the traffic between the two subnets?
This could be part of the problem if the PIX interface is not the normal default gateway of all the hosts. If it isn't, then the router that is should have a static route to that client subnet.

Try enabling nat traversal on the pix:
   isakmp nat-traversal 30

>It should sound familiar.
I thought so!
<8-}
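The two lrmoore comments above amount to a short checklist for a PIX 6.x remote-access VPN: a client pool on its own subnet, a nat 0 ACL that is not reused as the crypto map match ACL, no split tunneling, and isakmp nat-traversal for clients behind NAT. The following is an added audit script (not from the thread or from Cisco) that lints a saved PIX config for those four points; the config fragment inside it is constructed for illustration, and the vpngroup name and ACL names are made up.

```python
import ipaddress
import re

# Constructed PIX 6.x fragment (not the thread's real device); it deliberately
# reuses the nat 0 ACL in the crypto map and leaves split tunneling enabled.
SAMPLE_CONFIG = """
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.100.1-192.168.100.50
access-list inside_outbound_nat0 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address inside_outbound_nat0
crypto map outside_map 30 ipsec-isakmp dynamic dynmap
isakmp nat-traversal 30
vpngroup rdpusers address-pool vpnpool
vpngroup rdpusers split-tunnel split_acl
"""

def _net(addr, mask):
    """PIX writes dotted masks; ipaddress accepts 'a.b.c.d/m.m.m.m'."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint_pix_config(text):
    """Return the list of thread gotchas present in a PIX config (empty = clean)."""
    findings = []
    # Gotcha #1: the client pool must be a separate subnet from the inside LAN.
    m_in = re.search(r"^ip address inside (\S+) (\S+)", text, re.M)
    m_pool = re.search(r"^ip local pool \S+ (\S+)-(\S+)", text, re.M)
    if m_in and m_pool:
        lan = _net(*m_in.groups())
        if any(ipaddress.ip_address(a) in lan for a in m_pool.groups()):
            findings.append("pool overlaps inside LAN")
    # Gotcha #2: do not reuse the nat 0 ACL as a crypto map match ACL.
    nat0 = set(re.findall(r"^nat \(inside\) 0 access-list (\S+)", text, re.M))
    crypto = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", text, re.M))
    for acl in sorted(nat0 & crypto):
        findings.append(f"acl {acl} used for both nat 0 and crypto map")
    # Suggestion: with security prime, no split tunneling for connected clients.
    if re.search(r"^vpngroup \S+ split-tunnel", text, re.M):
        findings.append("split-tunnel configured")
    # Accepted fix: clients behind NAT need isakmp nat-traversal.
    if not re.search(r"^isakmp nat-traversal", text, re.M):
        findings.append("isakmp nat-traversal missing")
    return findings

if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a real `write terminal` capture, the sample config above produces two findings (the reused ACL and the split tunnel); a config following both comments produces none.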
 

Author Comment

by:kishvet
ID: 12501328
>Try enabling nat traversal on the pix:
   isakmp nat-traversal 30

That seems to have fixed it.  I can ping the hosts that are turned on.

>This could be part of the problem if the PIX interface is not the normal default gateway of all the hosts. If it isn't, then the router that is should have a static route to that client subnet..

The PIX inside interface IS the default gateway for the protected network. I am assuming that since the VPN client uses the PIX as its endpoint that it becomes the default gateway automatically.

There is a DC on the network that obviously is providing dns for the network.  If I want to connect to one of the domain hosts running XP via RDP I should be able to do this correct?

Do I need to open the RDP port or will it be open by virtue of the authentication process for the VPN client?

Should I be able to set the host machine up to accept RDP from the machine while logged in as a domain administrator or is there somewhere else I need to set this?

The end user connecting via the CVPN client wants to be able to access his office computer from home.  I am assuming he would use his normal domain logon and password, or should he be issued a separate one for this purpose?

Thanks as always. I will award points tomorrow.
 

Expert Comment

by:mitra_am
ID: 12743326
Kishvet:

Could you please post the copy of your PIX config here.

Thanks !