
RDP through Pix 515 (TAC no help)

Status
Not open for further replies.

Rookcr

MIS
Aug 12, 2002
US
This will be a long post. I had asked a similar question and was directed to this forum.

I have a Cisco Pix 515 Firewall. It has been configured with 3DES encryption pak for VPN. That is all installed. I am able to authenticate and log into my network from a remote site. (Home) Here is the problem. I would like to use RDP since I have limited access to PC anywhere licences. My home machine is XPPro and the rest of my group that would utilize this access run XPPro on their remote machines.

At the business the workstations are XPPro with RDP enabled and users set. Internally I can RDP to my machine. Externally through the Cisco VPN client I am unable to connect to my XPPro workstation. I get an unable to connect to workstation, client not configured, or not any available connections. Yet at the same time internally I can connect to the machine.

Well here is where the post really becomes strange. Externally through my Cisco VPN client I can RDP to a Windows 2003 server, and then from that server, RDP to my workstation. This makes no sense to me. I want to be able to go directly to my machine.

I have tested with PC Anywhere and if I have PC Anywhere encryption on I am unable to connect to a workstation, but if I turn off encryption I am then able to use PC Anywhere to connect to my desktop. Anyone have any ideas? I am completely stumped. Any help would be appreciated. I have been working with Cisco TAC and they have been of no assistance thus far. My config is below:


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password x4Cj.sdd2llD9o4L encrypted
passwd WeYXKHA8al0.kaJl encrypted
hostname GBPIX
domain-name xyz.com
clock timezone cst -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.1.0 vpnclient
name 192.xxx.xxx.xxx guaranty-net
access-list acl_in permit tcp any host 216.xxx.xxx.xxx eq pop3
access-list acl_in permit tcp host 216.xxx.xxx.xxx host 216.xxx.xxx.xxx eq ftp
access-list acl_in permit tcp any host 216.xxx.xxx.xxx eq smtp
access-list acl_in permit tcp any host 216.xxx.xxx.xxx eq www
access-list acl_in permit tcp host 216.xxx.xxx.xxx host 216.xxx.xxx.xxx eq ssh
access-list acl_in permit tcp host 216.xxx.xxx.xxx host 216.xxx.xxx.xxx eq ssh
access-list acl_in permit tcp host 216.xxx.xxx.xxx host 216.xxx.xxx.xxx eq ssh
access-list acl_in permit tcp host 216.xxx.xxx.xxx host 216.xxx.xxx.xxx eq ssh
access-list acl_in permit tcp host 216.xxx.xxx.xxx host 216.xxx.xxx.xxx eq ssh
access-list acl_in permit tcp host 216.xxx.xxx.xxx host 216.xxx.xxx.xxx eq ssh
access-list acl_in permit tcp any host 216.xxx.xxx.xxx eq https
access-list acl_in permit tcp any host 216.xxx.xxx.xxx eq https
access-list inside_nat0_outbound remark VPN Client
access-list inside_nat0_outbound permit ip guaranty-net 255.255.255.0 vpnclient 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.4.0 255.255.255.0 vpnclient 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.6.0 255.255.255.0 vpnclient 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.8.0 255.255.255.0 vpnclient 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 vpnclient 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.12.0 255.255.255.0 vpnclient 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.14.0 255.255.255.0 vpnclient 255.255.255.0
access-list outside_cryptomap_dyn_10 remark VPN Client
access-list outside_cryptomap_dyn_10 permit ip guaranty-net 255.255.255.0 vpnclient 255.255.255.0
access-list is_splitTunnelAcl permit ip 192.xxx.xxx.xxx 255.255.255.0 any
access-list is_splitTunnelAcl permit ip 192.xxx.xxx.xxx 255.255.255.0 any
access-list is_splitTunnelAcl permit ip 192.xxx.xxx.xxx 255.255.255.0 any
access-list is_splitTunnelAcl permit ip 192.xxx.xxx.xxx 255.255.255.0 any
access-list is_splitTunnelAcl permit ip 192.xxx.xxx.xxx 255.255.255.0 any
access-list is_splitTunnelAcl permit ip 192.xxx.xxx.xxx 255.255.255.0 any
access-list is_splitTunnelAcl permit ip 192.xxx.xxx.xxx 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging trap informational
logging history errors
logging device-id hostname
logging host inside 192.xxx.xxx.xxx
mtu outside 1500
mtu inside 1500
ip address outside 216.xxx.xxx.xxx 255.255.255.0
ip address inside 192.xxx.xxx.xxx 255.255.255.248
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 172.16.1.1-172.16.1.254
pdm history enable
arp timeout 14400
global (outside) 1 216.xxx.xxx.xxx
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 216.xxx.xxx.xxx 192.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.xxx 192.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.xxx 192.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.xxx 192.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.xxx 192.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) 216.xxx.xxx.xxx 192.xxx.xxx.xxx netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.xxx 1
route inside guaranty-net 255.255.255.0 192.xxx.xxx.xxx 1
route inside 192.xxx.xxx.xxx 255.255.255.0 192.xxx.xxx.xxx 1
route inside 192.xxx.xxx.xxx 255.255.255.0 192.xxx.xxx.xxx 1
route inside 192.xxx.xxx.xxx 255.255.255.0 192.xxx.xxx.xxx 1
route inside 192.xxx.xxx.xxx 255.255.255.0 192.xxx.xxx.xxx 1
route inside 192.xxx.xxx.xxx 255.255.255.0 192.xxx.xxx.xxx 1
route inside 192.xxx.xxx.xxx 255.255.255.0 192.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 192.xxx.xxx.xxx gbtpix timeout 5
aaa-server partnerauth (inside) host 192.xxx.xxx.xxx gbtpix timeout 5
aaa authentication enable console partnerauth
aaa authentication http console partnerauth
aaa authentication telnet console partnerauth
aaa authentication ssh console partnerauth
aaa authorization command LOCAL
ntp server 192.5.41.41 source outside prefer
ntp server 192.5.41.40 source outside
http server enable
http guaranty-net 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.xxx.xxx.xxx /Cisco/config.pix
floodguard enable
sysopt connection tcpmss 1500
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xx address-pool vpnclient
vpngroup xx dns-server 192.xxx.xxx.xxx 192.xxx.xxx.xxx
vpngroup xx default-domain xyz.local
vpngroup xx split-tunnel is_splitTunnelAcl
vpngroup xx idle-time 1800
vpngroup xx password ********
vpngroup xxx address-pool vpnclient
vpngroup xxx dns-server 192.xxx.xxx.xxx
vpngroup xxx default-domain xyz.local
vpngroup xxx idle-time 1800
vpngroup xxx password ********
telnet guaranty-net 255.255.255.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.0 255.255.255.0 outside
ssh xxx.xxx.xxx.0 255.255.255.255 outside
ssh guaranty-net 255.255.255.0 inside
ssh timeout 5
console timeout 0
username xxx password rZgv0HyoyeCeNcvV encrypted privilege 15
username xxx password b5CMBJzOhvLvDBuk encrypted privilege 15
terminal width 80
 
When you go directly to the RDP ws, are you using an IP address or the name? If you are using the name, does it resolve to an IP if you ping it, and do you get a reply on your ping? Do you have any personal firewalls running, MS or other?

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Are you first connecting over the VPN then trying to RDP to the workstation? Or are you trying to RDP through the PIX without the VPN?
 
I first connect through the Cisco VPN. Then I connect (attempt to) via Remote Desktop. If I am on my network at my business I am able to connect. Once I come in through the VPN client I am unable to.
 
Are your XP machines firewalled with the SP2 firewall, thus denying access from the address given to your VPN connection? Saying that you can access a 2003 host and from there your machine leads me to think so.
 
They are XP SP2 but the firewall is off by domain policy. I can RDP to them while on the LAN but through the VPN I am unable to connect. My guess is it is in the dual encryption or NAT traversal.
 
Rookcr, I assume you are behind a NAT device at home, then launching your VPN client from a desktop. IPSec can have issues with NAT, try adding the following line to your PIX.

isakmp nat-traversal 20

Best Regards,
Ryan Lindfield
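The two PIX settings this thread turns on are the nat 0 exemption (is VPN-client traffic to the workstation's subnet excluded from NAT?) and NAT-T (is isakmp nat-traversal configured?). The following script is an added example, not the poster's config or anything from Cisco: it parses a constructed PIX 6.3 fragment modelled on the config above and reports both checks for a given internal host. The sample addresses, the alias names and the function names are assumptions.

```python
import ipaddress

# Constructed sample, modelled on the PIX 6.3 config posted in this thread
# (addresses are made up; the poster's real ones are redacted).
SAMPLE_CONFIG = """\
name 172.16.1.0 vpnclient
name 192.168.2.0 guaranty-net
access-list inside_nat0_outbound remark VPN Client
access-list inside_nat0_outbound permit ip guaranty-net 255.255.255.0 vpnclient 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.4.0 255.255.255.0 vpnclient 255.255.255.0
ip local pool vpnclient 172.16.1.1-172.16.1.254
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def _net(token, mask, names):
    """Resolve a PIX 'name' alias or dotted address plus netmask to a network."""
    return ipaddress.ip_network(f"{names.get(token, token)}/{mask}", strict=False)

def parse_pix(config):
    """Pull out name aliases, the nat 0 ACL, the VPN pool and the NAT-T flag."""
    names, nat0_acl, rules, pool, natt = {}, None, [], None, False
    for line in config.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "name":
            names[f[2]] = f[1]
        elif f[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = f[4]
        elif f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            rules.append((f[1], f[4], f[5], f[6], f[7]))   # acl, src, smask, dst, dmask
        elif f[:3] == ["ip", "local", "pool"]:
            lo, hi = f[4].split("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif f[:2] == ["isakmp", "nat-traversal"]:
            natt = True
    exempt = [(_net(s, sm, names), _net(d, dm, names))
              for acl, s, sm, d, dm in rules if acl == nat0_acl]
    return {"pool": pool, "nat0": exempt, "nat_traversal": natt}

def check_rdp_path(config, host):
    """Is VPN-client traffic to `host` NAT-exempt, and is NAT-T enabled?"""
    p = parse_pix(config)
    h, (lo, hi) = ipaddress.ip_address(host), p["pool"]
    exempt = any(h in src and lo in dst and hi in dst for src, dst in p["nat0"])
    return {"nat0_exempt": exempt, "nat_traversal": p["nat_traversal"]}
```

A host whose subnet is missing from the nat 0 ACL will show nat0_exempt False, which matches the symptom of reaching some inside hosts over the tunnel but not others.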
 
Well I think I found out my problem. So far for an entire day this has worked so I am going to post. I have an appliance that does web filtering for our institution. Each workstation is forced to log in before they can make a connection to the outside world for web traffic. I only monitor the standard HTTP, FTP, other big brother stuff. Anyhow it would not allow the connection because a user was not logged in. So through all of the effort of everyone I have it working now. Thanks to all for all of your assistance.

Rook
 