PIX 501 and port 3389

Discussion in 'Cisco' started by mc@pc-docs.co.uk, Sep 21, 2006.

  1. Guest

    Hello,
    I know this topic goes on and on but I'm really struggling with the
    problem.
    This is my setup:
    Netgear router operating on a static IP - 81.82.83.84
    Its LAN IP - 192.168.0.1
    PIX outside - 192.168.0.2
    PIX inside - 192.168.16.1
    target server - 192.168.16.254

    PIX is now restored to factory settings, except the IP addresses and
    the DHCP which is switched off - the rest is clean.
    So far I've tried:

    access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    access-group acl_inbound in interface outside
    static (inside,outside) 192.168.0.2 192.168.16.254 netmask
    255.255.255.255
    cl xlate
    // this did not work

    static (inside,outside) tcp 192.168.0.2 3389 192.168.16.254 3389
    access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    access-group acl_inbound in interface outside
    cl xlate
    // this did not work as well

    Can someone please post a set of commands that will work ?
    PIX 6.3(5)
    If some other information are needed I can post everything.

    Thanks in advance
     
    , Sep 21, 2006
    #1

  2. AM Guest

    wrote:

    > Hello,
    > I know this topic goes on and on but I'm really struggling with the
    > problem.
    > This is my setup:
    > Netgear router operating on a static IP - 81.82.83.84
    > Its LAN IP - 192.168.0.1
    > PIX outside - 192.168.0.2
    > PIX inside - 192.168.16.1
    > target server - 192.168.16.254


    Have you written the rules that forward packets from the public IP to the PIX?

    The PIX configs seem to be OK.

    Alex.
     
    AM, Sep 21, 2006
    #2

  3. Guest


    >
    > Have you write the rules that forward packets from the public IP to the PIX?
    >
    > The PIX configs seem to be OK.
    >
    > Alex.


    I don't think so...
    Some more details ?
    Once I type everything I listed earlier it's all visible in rules
    (ACCESS RULES and TRANSLATION RULES) when using PDM.
     
    , Sep 21, 2006
    #3
  4. In article <>,
    <> wrote:
    >I know this topic goes on and on but I'm really struggling with the
    >problem.
    >This is my setup:
    >Netgear router operating on a static IP - 81.82.83.84
    >Its LAN IP - 192.168.0.1
    >PIX outside - 192.168.0.2


    Does the Netgear do Network Address Translation (NAT) ?

    >PIX inside - 192.168.16.1
    >target server - 192.168.16.254


    >access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    >access-group acl_inbound in interface outside
    >static (inside,outside) 192.168.0.2 192.168.16.254 netmask 255.255.255.255
    >cl xlate


    That would be fine if the Netgear is translating the
    destination address 81.82.83.84 to 192.168.0.2 and forwarding them
    on to the PIX.

    What kind of Netgear router is it, and what address translations
    have you set up on it? If it is one of their consumer "cable modem"
    type devices (typically goes in between a home network and a residential
    connection) then you would specifically have to set up forwarding on
    it, as by default such devices block inbound connections.
     
    Walter Roberson, Sep 21, 2006
    #4
  5. mcaissie Guest

    <> wrote in message
    news:...
    > Hello,
    > I know this topic goes on and on but I'm really struggling with the
    > problem.
    > This is my setup:
    > Netgear router operating on a static IP - 81.82.83.84
    > Its LAN IP - 192.168.0.1
    > PIX outside - 192.168.0.2
    > PIX inside - 192.168.16.1
    > target server - 192.168.16.254
    >
    > PIX is now restored to factory settings, except the IP addresses and
    > the DHCP which is switched off - the rest is clean.
    > So far I've tried:
    >
    > access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    > access-group acl_inbound in interface outside
    > static (inside,outside) 192.168.0.2 192.168.16.254 netmask
    > 255.255.255.255
    > cl xlate
    > // this did not work
    >
    > static (inside,outside) tcp 192.168.0.2 3389 192.168.16.254 3389
    > access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    > access-group acl_inbound in interface outside
    > cl xlate
    > // this did not work as well
    >
    > Can someone please post a set of commands that will work ?
    > PIX 6.3(5)
    > If some other information are needed I can post everything.
    >
    > Thanks in advance
    >


    Can you first do a sh xlate to confirm that translation occurs when you
    try to Remote Terminal

    And can you activate the logs

    logging on
    logging buffered warnings

    then "sh log" will show if you have translation errors or access denied.

    I assume that you have no filtering in the Netgear box...
     
    mcaissie, Sep 21, 2006
    #5
  6. Guest

    Walter Roberson wrote:

    > In article <>,
    > <> wrote:
    > >I know this topic goes on and on but I'm really struggling with the
    > >problem.
    > >This is my setup:
    > >Netgear router operating on a static IP - 81.82.83.84
    > >Its LAN IP - 192.168.0.1
    > >PIX outside - 192.168.0.2

    >
    > Does the Netgear do Network Address Translation (NAT) ?
    >
    > >PIX inside - 192.168.16.1
    > >target server - 192.168.16.254

    >
    > >access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    > >access-group acl_inbound in interface outside
    > >static (inside,outside) 192.168.0.2 192.168.16.254 netmask 255.255.255.255
    > >cl xlate

    >
    > That would be fine if the Netgear is translating the
    > destination address 81.82.83.84 to 192.168.0.2 and forwarding them
    > on to the PIX.
    >
    > What kind of Netgear router is it, and what address translations
    > have you set up on it? If it is one of their consumer "cable modem"
    > type devices (typically goes in between a home network and a residential
    > connection) then you would specifically have to set up forwarding on
    > it, as by default such devices block inbound connections.


    Yes, Netgear does NAT - checked using different connection and
    different PC - I could access this PC from a remote location elsewhere.
     
    , Sep 21, 2006
    #6
  7. Guest

    mcaissie wrote:
    > Can you first do a sh xlate to confirm that translation occurs when you
    > try to Remote Terminal
    >
    > And can you activate the logs
    >
    > logging on
    > logging buffered warnings
    >
    > then "sh log" will show if you have translation errors or access denied.
    >
    > I assume that you have no filtering in the Netgear box...


    Don't really get that:
    Should I allow logging and then try to connect and after that (doesn't
    matter worked or not) see the log ?
    No, Netgear does not filter.
     
    , Sep 21, 2006
    #7
  8. Guest

    Walter Roberson wrote:

    > In article <>,
    > <> wrote:
    > >I know this topic goes on and on but I'm really struggling with the
    > >problem.
    > >This is my setup:
    > >Netgear router operating on a static IP - 81.82.83.84
    > >Its LAN IP - 192.168.0.1
    > >PIX outside - 192.168.0.2

    >
    > Does the Netgear do Network Address Translation (NAT) ?
    >
    > >PIX inside - 192.168.16.1
    > >target server - 192.168.16.254

    >
    > >access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    > >access-group acl_inbound in interface outside
    > >static (inside,outside) 192.168.0.2 192.168.16.254 netmask 255.255.255.255
    > >cl xlate

    >
    > That would be fine if the Netgear is translating the
    > destination address 81.82.83.84 to 192.168.0.2 and forwarding them
    > on to the PIX.
    >
    > What kind of Netgear router is it, and what address translations
    > have you set up on it? If it is one of their consumer "cable modem"
    > type devices (typically goes in between a home network and a residential
    > connection) then you would specifically have to set up forwarding on
    > it, as by default such devices block inbound connections.


    Yes, Netgear does NAT - checked using different connection and
    different PC - I could access this PC from a remote location elsewhere.
     
    , Sep 21, 2006
    #8
  9. mcaissie Guest

    <> wrote in message
    news:...
    >
    > mcaissie wrote:
    >> Can you first do a sh xlate to confirm that translation occurs when you
    >> try to Remote Terminal
    >>
    >> And can you activate the logs
    >>
    >> logging on
    >> logging buffered warnings
    >>
    >> then "sh log" will show if you have translation errors or access
    >> denied.
    >>
    >> I assume that you have no filtering in the Netgear box...

    >
    > Don't really get that:
    > Should I allow logging and then try to connect and after that (doesn't
    > matter worked or not) see the log ?


    Exactly,

    1-Activate logs
    >> logging on
    >> logging buffered warnings


    2-Try to establish a connection

    3- do a "sh xlate" to validate the translation

    4- do a "sh log" to see if there are any warnings related to translations
    or denied access
     
    mcaissie, Sep 21, 2006
    #9
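Steps 3 and 4 above come down to reading "sh xlate" and "sh log" for two specific symptoms: a translation that was never built, or a packet the access-list denied. The script below is an added example, not from this thread or from Cisco. It sorts constructed PIX-style log lines for one port into those buckets and reduces them to the next thing to check, in the order the replies suggest (static, then ACL, then the router in front of the PIX). The message wording and ids in the sample are assumptions modelled on the PIX 6.x syslog format, so check them against your own "sh log" output before relying on the regexes.

```python
import re

# Constructed sample of what "sh log" might show after a few inbound RDP
# attempts. The lines imitate the PIX 6.x syslog style for this example; they
# were not taken from the thread. Note that the level-6 "Built"/"Teardown"
# lines only reach the buffer if the level is raised from "warnings" to
# "informational"; with "logging buffered warnings" you would see the first
# two kinds only.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.10/51234 dst inside:192.168.0.2/3389 by access-group "acl_inbound"
%PIX-3-305005: No translation group found for tcp src outside:203.0.113.10/51235 dst inside:192.168.16.254/3389
%PIX-6-302013: Built inbound TCP connection 12 for faddr 203.0.113.10/51236 gaddr 192.168.0.2/3389 laddr 192.168.16.254/3389
%PIX-6-302014: Teardown TCP connection 12 faddr 203.0.113.10/51236 gaddr 192.168.0.2/3389 laddr 192.168.16.254/3389 duration 0:00:05 bytes 4210 (TCP FINs)
"""

# Patterns for the three outcomes the thread asks you to look for. They key
# on the message text rather than the numeric id, so they tolerate the
# prefix differing between software versions.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) by access-group "(?P<acl>[^"]+)"')
NOXLATE_RE = re.compile(
    r'No translation group found for (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+)')
BUILT_RE = re.compile(
    r'Built inbound (?P<proto>\w+) connection \d+ for faddr (?P<faddr>\S+) '
    r'gaddr (?P<gaddr>\S+) laddr (?P<laddr>\S+)')


def _port(addr):
    """Return the numeric port from an 'iface:ip/port' token, or None."""
    try:
        return int(addr.rsplit("/", 1)[1])
    except (IndexError, ValueError):
        return None


def triage(log_text, port=3389):
    """Bucket the log lines that concern `port` by outcome.

    Returns a dict with lists of parsed matches under "acl_denied",
    "no_translation" and "built", plus a count of unrelated lines."""
    buckets = {"acl_denied": [], "no_translation": [], "built": [], "other": 0}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DENY_RE.search(line)
        if m and _port(m["dst"]) == port:
            buckets["acl_denied"].append(m.groupdict())
            continue
        m = NOXLATE_RE.search(line)
        if m and _port(m["dst"]) == port:
            buckets["no_translation"].append(m.groupdict())
            continue
        m = BUILT_RE.search(line)
        if m and _port(m["laddr"]) == port:
            buckets["built"].append(m.groupdict())
            continue
        buckets["other"] += 1
    return buckets


def diagnose(buckets):
    """Reduce the buckets to the next thing to check."""
    if buckets["no_translation"]:
        return "fix-static"        # no xlate for the port: check "static" and "sh xlate"
    if buckets["acl_denied"]:
        return "fix-acl"           # xlate exists but access-list/access-group rejects it
    if buckets["built"]:
        return "ok-on-pix"         # PIX passed it; look at the server or the client
    return "not-reaching-pix"      # nothing logged for the port: check the router's forwarding


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in ("acl_denied", "no_translation", "built"):
        print(f"{name}: {len(result[name])}")
    print("next step:", diagnose(result))
```

Run it against a pasted "sh log" buffer instead of SAMPLE_LOG to get the same summary for a real attempt; an empty result for port 3389 after a connection attempt is itself informative, since it means the PIX never saw the packets.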
  10. Guest

    Maybe this will help - current config, after once again restored to
    factory settings.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512

    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.16.1 255.255.255.0

    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00

    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

    timeout sip-disconnect 0:02:00 sip-invite 0:03:00

    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3

    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.16.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.16.2-192.168.16.254 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:c63ffd4b562d3e711ee0db19337ae6ef
    : end
    [OK]
    pixfirewall(config)#
    --------------------------------------------------------------------------------------------------
    --------------------------------------------------------------------------------------------------

    If I type this:

    access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    access-group acl_inbound in interface outside
    static (inside,outside) 192.168.0.2 192.168.16.254 netmask
    255.255.255.255
    cl xlate

    // or this:

    static (inside,outside) tcp 192.168.0.2 3389 192.168.16.254 3389
    access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
    access-group acl_inbound in interface outside
    cl xlate

    should it be working already? Or am I simply missing something?

    Thanks,
     
    , Sep 21, 2006
    #10
  11. In article <>,
    <> wrote:

    >Walter Roberson wrote:


    >> What kind of Netgear router is it, and what address translations
    >> have you set up on it? If it is one of their consumer "cable modem"
    >> type devices (typically goes in between a home network and a residential
    >> connection) then you would specifically have to set up forwarding on
    >> it, as by default such devices block inbound connections.


    >Yes, Netgear does NAT - checked using different connection and
    >different PC - I could access this PC from a remote location elsewhere.


    I would prefer more technical details as to how the NAT is set up
    on the Netgear, as I suspect that to be the problem.
     
    Walter Roberson, Sep 21, 2006
    #11
  12. Guest

    Thanks for any help guys.
    I just managed to get it working using this:

    access-list acl_inbound permit tcp any interface outside eq 3389
    static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask
    255.255.255.255 0 0
    access-group acl_inbound in interface outside
    clear xlate
     
    , Sep 21, 2006
    #12
  13. ikendo Guest

    Dam, I have same Netgear router as you got. I was about to connect my
    Netgear and bridge to my 501. I was lazy I didn't do it.

    BTTT, if you use only 501 can you remote to your desktop/server?


    "mcaissie" <> wrote in message
    news:Q5yQg.19811$KA6.6659@clgrps12...
    >
    > <> wrote in message
    > news:...
    >>
    >> mcaissie wrote:
    >>> Can you first do a sh xlate to confirm that translation occurs when
    >>> you
    >>> try to Remote Terminal
    >>>
    >>> And can you activate the logs
    >>>
    >>> logging on
    >>> logging buffered warnings
    >>>
    >>> then "sh log" will show if you have translation errors or access
    >>> denied.
    >>>
    >>> I assume that you have no filtering in the Netgear box...

    >>
    >> Don't really get that:
    >> Should I allow logging and then try to connect and after that (doesn't
    >> matter worked or not) see the log ?

    >
    > Exactly ,
    >
    > 1-Activate logs
    >>> logging on
    >>> logging buffered warnings

    >
    > 2-Try to establish a connection
    >
    > 3- do a "sh xlate" to validate the translation
    >
    > 4- do a "sh log" to see if there is any warnings related to translations
    > or denied access
    >
    >
    >
     
    ikendo, Sep 22, 2006
    #13
  14. In article <bHHQg.834$zi.110@trnddc01>, ikendo <> wrote:
    > Dam, I have same Netgear router as you got. I was about to connect my
    >Netgear and bridge to my 501. I was lazy I didn't do it.


    I rechecked the thread but I couldn't find any information about
    which model of Netgear router it was ?
     
    Walter Roberson, Sep 22, 2006
    #14
  15. Rohan Guest

    This works for now, but you have put yourself in a position where you will
    not be able to add another address for terminal services.



    <> wrote in message
    news:...
    > Thanks for any help guys.
    > I just managed to get it working using this:
    >
    > access-list acl_inbound permit tcp any interface outside eq 3389
    > static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask
    > 255.255.255.255 0 0
    > access-group acl_inbound in interface outside
    > clear xlate
    >
    >
     
    Rohan, Sep 27, 2006
    #15
  16. In article <umwSg.17576$>,
    Rohan <NO SPAM PLEASE> top-posted, now corrected:

    Please do not top-post: it is harder to read, and it means that
    when someone wants to reply to you, they have to go through the
    trouble of editing the conversation so that the entire sequence
    makes sense in context.

    ><> wrote in message
    >news:...


    >> I just managed to get it working using this:


    >> access-list acl_inbound permit tcp any interface outside eq 3389
    >> static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask 255.255.255.255 0 0
    >> access-group acl_inbound in interface outside


    >This works for now, but you have put yourself in a position where you will
    >not be able to add another address for terminal services.


    In the context of the original posting, this does not matter because
    the original poster only has a single public IP address at the
    netgear.

    Besides, when you are making a "remote assist" or "rdesktop" connection,
    the client has the option of specifying the remote port. The
    scheme used by 'mc' can easily be extended to handle additional ports,
    including possibly ones that terminate on other machines. For example,

    access-list acl_inbound permit tcp any interface outside eq 3389
    access-list acl_inbound permit tcp any interface outside eq 33891
    static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask 255.255.255.255 0 0
    static (inside, outside) tcp interface 33891 192.168.16.219 3389 netmask 255.255.255.255 0 0
    access-group acl_inbound in interface outside

    The server on 192.168.16.219 does not even need to know that the
    remote system is addressing it by an unusual port: the PIX will
    redirect the 33891 packets to 3389 on the internal machine if that
    is what is configured.
     
    Walter Roberson, Sep 27, 2006
    #16
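The scheme above works only while the access-list permits and the port statics stay in step: a static with no matching permit is unreachable, a permit with no static forwards nothing, and two statics cannot share one mapped port. The following script is an added example, not from this thread or from Cisco. It parses the port-static, access-list and access-group lines from a PIX 6.x configuration, builds the outside-port to inside-host table, and reports those three inconsistencies. The constructed sample is the configuration from the post above plus one extra permit (port 33892) with no static, so that the check has something to report; the script covers port (PAT) statics only, and it can only confirm that the PIX side is self-consistent, as the earlier replies noted, not that the device in front of it forwards the port.

```python
import re

# Constructed sample: the two-port scheme from the post, plus a permit for
# 33892 that has no matching static. Addresses and ports come from the thread.
SAMPLE_CONFIG = """\
access-list acl_inbound permit tcp any interface outside eq 3389
access-list acl_inbound permit tcp any interface outside eq 33891
access-list acl_inbound permit tcp any interface outside eq 33892
static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 33891 192.168.16.219 3389 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
"""

# Port statics: "static (real_if, mapped_if) tcp|udp <mapped> <mport> <real> <rport> ..."
# The mapped address is either the keyword "interface" or a literal IP.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+), ?(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mapped_port>\d+) (?P<real>\S+) (?P<real_port>\d+)")
# Extended ACL entries with a single destination and "eq <port>".
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+) (?P<dst_kw>interface|host) (?P<dst>\S+) eq (?P<port>\d+)")
ACG_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")


def audit(config_text, outside="outside"):
    """Return (forwarding table, findings) for port statics mapped on `outside`.

    The table maps (proto, mapped address, mapped port) to (real host, real port);
    findings are plain-text problems a reviewer would raise."""
    statics, acl_lines, bound = [], [], {}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise "(inside, outside)" spacing
        if (m := STATIC_RE.match(line)):
            statics.append(m.groupdict())
        elif (m := ACL_RE.match(line)):
            acl_lines.append(m.groupdict())
        elif (m := ACG_RE.match(line)):
            bound[m["iface"]] = m["name"]

    table, findings = {}, []
    for s in statics:
        if s["mapped_if"] != outside:
            continue
        key = (s["proto"], s["mapped"], int(s["mapped_port"]))
        if key in table:
            findings.append(f"duplicate static for {key[0]} {key[1]}:{key[2]}; "
                            f"only one real host can own a mapped port")
            continue
        table[key] = (s["real"], int(s["real_port"]))

    acl = bound.get(outside)
    if acl is None:
        findings.append(f"no access-group bound to {outside}: inbound traffic is "
                        f"not permitted, so the statics are unreachable")
        return table, findings

    # Permits in the bound ACL, keyed the same way as the statics.
    permits = set()
    for a in acl_lines:
        if a["name"] != acl or a["action"] != "permit":
            continue
        mapped = "interface" if a["dst_kw"] == "interface" else a["dst"]
        permits.add((a["proto"], mapped, int(a["port"])))

    for key in table:
        if key not in permits:
            findings.append(f"static for {key[0]} {key[1]}:{key[2]} has no permit "
                            f"in {acl}: unreachable from {outside}")
    for key in sorted(permits):
        if key not in table:
            findings.append(f"{acl} permits {key[0]} {key[1]}:{key[2]} but no static "
                            f"maps it: nothing is forwarded on that port")
    return table, findings


if __name__ == "__main__":
    table, findings = audit(SAMPLE_CONFIG)
    for (proto, mapped, mport), (real, rport) in table.items():
        print(f"{proto} {mapped}:{mport} -> {real}:{rport}")
    for f in findings:
        print("finding:", f)
```

Feeding it the original poster's earlier "host 192.168.0.2" variant produces a consistent table with no findings, which matches the replies that judged the PIX configuration itself to be fine and pointed at the router in front of it.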
