PIX 501 and Terminal Services

Discussion in 'Cisco' started by Nathan, Sep 18, 2004.

  1. Nathan

    Nathan Guest

    I have been messing around with this for too long and it just won't work. I
    would like to just get the remote desktop working and then I can worry about
    the rest later. I restored the firewall to factory default and it's built
    with the config below. Our ISP has forwarded a bunch of ports (one of them
    3389 for RDP) to our firewall. I was trying to get the firewall to forward
    all this traffic to the server so I can get in remotely but it isn't
    working. RDP is setup because I can get to the server from any computer in
    the office, just not from the outside.

    It goes INTERNET --> ROUTER --> FIREWALL --> SERVER

    IP's
    Internal IP on router: 10.226.1.13
    External IP on PIX: 10.226.1.12
    Internal IP on PIX: 192.168.10.250 (Also server's gateway)
    IP on the server: 192.168.10.23

    Here is the config for the firewall. What am I missing?

    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_out permit tcp any any eq 3389
    access-list acl_out permit tcp any any eq 9715
    access-list acl_out permit tcp any any eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.226.1.12 255.255.0.0
    ip address inside 192.168.10.250 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 10.226.1.13 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.200-192.168.10.201 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:e04c52259f4f403f9c2063bf34c6a1f3
    : end
    pixfirewall(config)# write mem
    Building configuration...
    Cryptochecksum: e04c5225 9f4f403f 9c2063bf 34c6a1f3
    [OK]
    pixfirewall(config)#
     
    Nathan, Sep 18, 2004
    #1

  2. Nathan

    PES Guest

    Your config looks ok to me. You have the lines that should make it work. I
    would want to make sure that you've done a clear xlate after any change, or a
    pix reboot. The following lines (taken from your config) should allow remote
    desktop to connect.

    static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask
    255.255.255.255 0 0
    access-list acl_out permit tcp any any eq 3389
    access-group acl_out in interface outside

    Do your other applications work? Can you put a hub between the pix and the
    router to make sure the isp is in fact forwarding the traffic to you? Also,
    make sure you aren't trying to connect to your external address from the
    inside (this won't work with the pix).

    Also, I must comment that it sort of sucks that the isp is giving you a
    nat'd address if this is really the case. You can disregard this if you
    were changing the ip address (to protect the innocent). Also, I would
    recommend changing your passwords after disclosing them, even though they
    are encrypted.

    "Nathan" <> wrote in message
    news:fc23d.4106$...
    > I have been messing around with this for too long and it just won't work.
    > I
    > would like to just get the remote desktop working and then I can worry
    > about
    > the rest later. I restored the firewall to factory default and it's built
    > with the config below. Our ISP has forwarded a bunch of ports (one of them
    > 3389 for RDP) to our firewall. I was trying to get the firewall to forward
    > all this traffic to the server so I can get in remotely but it isn't
    > working. RDP is setup because I can get to the server from any computer in
    > the office, just not from the outside.
    >
    > It goes INTERNET --> ROUTER --> FIREWALL --> SERVER
    >
    > IP's
    > Internal IP on router: 10.226.1.13
    > External IP on PIX: 10.226.1.12
    > Internal IP on PIX: 192.168.10.250 (Also server's gateway)
    > IP on the server: 192.168.10.23
    >
    > Here is the config for the firewall. What am I missing?
    >
    > :
    > PIX Version 6.3(3)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 8Ry2YjIyt7RRXU24 encrypted
    > passwd 2KFQnbNIdI.2KYOU encrypted
    > hostname pixfirewall
    > domain-name ciscopix.com
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > access-list acl_out permit tcp any any eq 3389
    > access-list acl_out permit tcp any any eq 9715
    > access-list acl_out permit tcp any any eq www
    > pager lines 24
    > mtu outside 1500
    > mtu inside 1500
    > ip address outside 10.226.1.12 255.255.0.0
    > ip address inside 192.168.10.250 255.255.0.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
    > access-group acl_out in interface outside
    > route outside 0.0.0.0 0.0.0.0 10.226.1.13 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > telnet timeout 5
    > ssh timeout 5
    > console timeout 0
    > dhcpd address 192.168.10.200-192.168.10.201 inside
    > dhcpd lease 3600
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > dhcpd enable inside
    > terminal width 80
    > Cryptochecksum:e04c52259f4f403f9c2063bf34c6a1f3
    > : end
    > pixfirewall(config)# write mem
    > Building configuration...
    > Cryptochecksum: e04c5225 9f4f403f 9c2063bf 34c6a1f3
    > [OK]
    > pixfirewall(config)#
    >
    >
     
    PES, Sep 19, 2004
    #2

  3. Nathan

    Nathan Guest

    I am not a major cisco guy, so I don't know what you mean by "clear xlate".
    Do I just type in the command in the CLI and write mem? Also, I haven't
    rebooted the PIX after this initial config. I will try these two things
    tomorrow. Just for future reference, if those two things don't work, do I
    have any other options given the way my ISP set up the router? (yes you were
    right, the internal IP on the router is a NAT'd IP, kind of set up like the
    cisco pix. And it does suck.)

    I did realize I posted the password encryption. Changed it right after
    this post. :)


    "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message
    news:414cc3f9$...
    > Your config looks ok to me. You have the lines that should make it work. I
    > would want to make sure that you've done a clear xlate after any change, or a
    > pix reboot. The following lines (taken from your config) should allow remote
    > desktop to connect.
    >
    > static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask
    > 255.255.255.255 0 0
    > access-list acl_out permit tcp any any eq 3389
    > access-group acl_out in interface outside
    >
    > Do your other applications work? Can you put a hub between the pix and the
    > router to make sure the isp is in fact forwarding the traffic to you? Also,
    > make sure you aren't trying to connect to your external address from the
    > inside (this won't work with the pix).
    >
    > Also, I must comment that it sort of sucks that the isp is giving you a
    > nat'd address if this is really the case. You can disregard this if you
    > were changing the ip address (to protect the innocent). Also, I would
    > recommend changing your passwords after disclosing them, even though they
    > are encrypted.
    >
    > "Nathan" <> wrote in message
    > news:fc23d.4106$...
    > > I have been messing around with this for too long and it just won't work.
    > > I would like to just get the remote desktop working and then I can worry
    > > about the rest later. I restored the firewall to factory default and it's
    > > built with the config below. Our ISP has forwarded a bunch of ports (one of
    > > them 3389 for RDP) to our firewall. I was trying to get the firewall to
    > > forward all this traffic to the server so I can get in remotely but it isn't
    > > working. RDP is set up because I can get to the server from any computer
    > > in the office, just not from the outside.
    > >
    > > It goes INTERNET --> ROUTER --> FIREWALL --> SERVER
    > >
    > > IP's
    > > Internal IP on router: 10.226.1.13
    > > External IP on PIX: 10.226.1.12
    > > Internal IP on PIX: 192.168.10.250 (Also server's gateway)
    > > IP on the server: 192.168.10.23
    > >
    > > Here is the config for the firewall. What am I missing?
    > >
    > > :
    > > PIX Version 6.3(3)
    > > interface ethernet0 auto
    > > interface ethernet1 100full
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > enable password 8Ry2YjIyt7RRXU24 encrypted
    > > passwd 2KFQnbNIdI.2KYOU encrypted
    > > hostname pixfirewall
    > > domain-name ciscopix.com
    > > fixup protocol dns maximum-length 512
    > > fixup protocol ftp 21
    > > fixup protocol h323 h225 1720
    > > fixup protocol h323 ras 1718-1719
    > > fixup protocol http 80
    > > fixup protocol rsh 514
    > > fixup protocol rtsp 554
    > > fixup protocol sip 5060
    > > fixup protocol sip udp 5060
    > > fixup protocol skinny 2000
    > > fixup protocol smtp 25
    > > fixup protocol sqlnet 1521
    > > fixup protocol tftp 69
    > > names
    > > access-list acl_out permit tcp any any eq 3389
    > > access-list acl_out permit tcp any any eq 9715
    > > access-list acl_out permit tcp any any eq www
    > > pager lines 24
    > > mtu outside 1500
    > > mtu inside 1500
    > > ip address outside 10.226.1.12 255.255.0.0
    > > ip address inside 192.168.10.250 255.255.0.0
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > pdm logging informational 100
    > > pdm history enable
    > > arp timeout 14400
    > > global (outside) 1 interface
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
    > > static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
    > > static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
    > > access-group acl_out in interface outside
    > > route outside 0.0.0.0 0.0.0.0 10.226.1.13 1
    > > timeout xlate 0:05:00
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > > 1:00:00
    > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > timeout uauth 0:05:00 absolute
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > http server enable
    > > http 192.168.1.0 255.255.255.0 inside
    > > no snmp-server location
    > > no snmp-server contact
    > > snmp-server community public
    > > no snmp-server enable traps
    > > floodguard enable
    > > telnet timeout 5
    > > ssh timeout 5
    > > console timeout 0
    > > dhcpd address 192.168.10.200-192.168.10.201 inside
    > > dhcpd lease 3600
    > > dhcpd ping_timeout 750
    > > dhcpd auto_config outside
    > > dhcpd enable inside
    > > terminal width 80
    > > Cryptochecksum:e04c52259f4f403f9c2063bf34c6a1f3
    > > : end
    > > pixfirewall(config)# write mem
    > > Building configuration...
    > > Cryptochecksum: e04c5225 9f4f403f 9c2063bf 34c6a1f3
    > > [OK]
    > > pixfirewall(config)#
    > >
    > >

    >
    >
     
    Nathan, Sep 19, 2004
    #3
  4. "Nathan" <> wrote in message
    news:fc23d.4106$...
    > I have been messing around with this for too long and it just won't work.
    > I
    > would like to just get the remote desktop working and then I can worry
    > about
    > the rest later. I restored the firewall to factory default and it's built
    > with the config below. Our ISP has forwarded a bunch of ports (one of them
    > 3389 for RDP) to our firewall. I was trying to get the firewall to forward
    > all this traffic to the server so I can get in remotely but it isn't
    > working. RDP is setup because I can get to the server from any computer in
    > the office, just not from the outside.
    >

    I just set this up (as a pix newbie as well.) Here is my config.

    I have placed >>> in front of the relevant lines.

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx encrypted
    passwd xxx encrypted
    hostname pixfirewall
    domain-name xxx.xxx
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    >>> name 192.168.1.3 TSServer
    name 192.168.1.2 VPNServer
    access-list outside_access_in permit tcp any interface outside eq pptp
    >>> access-list outside_access_in permit tcp any interface outside eq 3389
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside ###.###.###.### 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location VPNServer 255.255.255.255 inside
    >>> pdm location TSServer 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface pptp VPNServer pptp netmask 255.255.255.255 0 0
    >>> static (inside,outside) tcp interface 3389 TSServer 3389 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 ###.###.###.### 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    ntp authenticate
    ntp server VPNServer source inside prefer
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside VPNServer /test.txt
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address VPNServer-192.168.1.33 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80
    Cryptochecksum:xxx
    : end
    [OK]

    --

    Rob
     
    Robert R Kircher, Jr., Sep 19, 2004
    #4
  5. Nathan

    briandesu Guest

    > I have been messing around with this for too long and it just won't work. I
    > would like to just get the remote desktop working and then I can worry about
    > the rest later. I restored the firewall to factory default and it's built
    > with the config below. Our ISP has forwarded a bunch of ports (one of them
    > 3389 for RDP) to our firewall. I was trying to get the firewall to forward
    > all this traffic to the server so I can get in remotely but it isn't
    > working. RDP is setup because I can get to the server from any computer in
    > the office, just not from the outside.
    >
    > It goes INTERNET --> ROUTER --> FIREWALL --> SERVER
    >
    > IP's
    > Internal IP on router: 10.226.1.13
    > External IP on PIX: 10.226.1.12
    > Internal IP on PIX: 192.168.10.250 (Also server's gateway)
    > IP on the server: 192.168.10.23
    >
    > Here is the config for the firewall. What am I missing?
    > :
    > PIX Version 6.3(3)
    > interface ethernet0 auto
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > hostname pixfirewall
    > domain-name ciscopix.com
    > access-list acl_out permit tcp any any eq 3389
    > access-list acl_out permit tcp any any eq 9715
    > access-list acl_out permit tcp any any eq www
    > ip address outside 10.226.1.12 255.255.0.0
    > ip address inside 192.168.10.250 255.255.0.0
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
    > static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
    > access-group acl_out in interface outside
    > route outside 0.0.0.0 0.0.0.0 10.226.1.13 1
    > dhcpd auto_config outside


    PLEASE NOTE THAT I HAVE REMOVED INFORMATION NOT RELEVANT TO THE
    PROBLEM.

    Red Flags:

    1. Your external interface is using a private IP address. Is your
    router performing NAT, or is this a lab environment, or are you using
    bogus addresses for your example?

    2. You are using a static NAT on the interface that you are using PAT
    on, which is not recommended.

    3. You may have a routing issue. Your default route on the router
    most likely is directed towards the ISP, so do you have a route
    pointed to your internal network on your router "ip route 192.168.0.0
    255.255.0.0 10.226.1.12 1"

    4. Can you telnet to one of the other ports you have opened
    "telnet 10.226.1.13 80" to determine if you are able to connect to the
    server at all.

    I have recently set up a PIX to allow ICA (Citrix) traffic and web
    traffic (HTTP) through the firewall, so there should be absolutely no
    issue regarding RDP.

    Regards,

    briandesu
     
    briandesu, Sep 19, 2004
    #5
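Added example (not code from any post in this thread): a Python check that does mechanically what PES did by eye in #2 and what briandesu's red flags 2 and 4 are probing for. It parses the PIX 6.3 lines that decide whether an inbound forward works (ip address, static, access-list, access-group), walks a packet arriving on the outside interface the way a PIX 6.x does (static looked up first, then the outside ACL evaluated against the mapped outside address and port, which is why a `static ... interface 3389` pairs with an ACE whose destination is `any` or `interface outside`), and reports per static whether the bound ACL admits it. The embedded config is the thread's own forwarding lines with the wrapped netmasks rejoined; the source address 203.0.113.7 is an assumed outside client, and the function and field names are this example's own.

```python
"""PIX 6.x inbound port-forward check: parse the static/access-list/access-group
lines, walk an inbound packet through them as the PIX does, and report per static
whether the ACL bound to the mapped interface really permits it (added example)."""
import ipaddress
from collections import namedtuple

# Constructed sample: the forwarding-related lines from the first post, with the
# wrapped netmasks rejoined. The rest of that config does not affect inbound forwards.
PIX_CONFIG = """\
access-list acl_out permit tcp any any eq 3389
access-list acl_out permit tcp any any eq 9715
access-list acl_out permit tcp any any eq www
ip address outside 10.226.1.12 255.255.0.0
ip address inside 192.168.10.250 255.255.0.0
static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""
# Service names PIX 6.x accepts in place of port numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "telnet": 23, "smtp": 25, "pptp": 1723}
PROBE_SRC = "203.0.113.7"  # assumed outside client address (TEST-NET-3, constructed)

Static = namedtuple("Static", "real_if mapped_if proto gaddr gport laddr lport")
Ace = namedtuple("Ace", "action proto src dst dport")  # src/dst: any | interface X | addr/mask

def port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(toks):
    """Consume one ACL address spec; return (spec, remaining tokens)."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1] + "/255.255.255.255", toks[2:]
    if toks[0] == "interface":
        return "interface " + toks[1], toks[2:]
    return toks[0] + "/" + toks[1], toks[2:]

def parse(text):
    """Collect interface IPs, port statics (address-only statics are skipped),
    ACEs in order, and which ACL is bound inbound on each interface."""
    cfg = {"if_addr": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            cfg["if_addr"][t[2]] = t[3]
        elif t[:1] == ["static"] and t[2] in ("tcp", "udp"):
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append(Static(real_if, mapped_if, t[2], t[3],
                                         port(t[4]), t[5], port(t[6])))
        elif t[:1] == ["access-list"] and t[2] in ("permit", "deny"):
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            dport = port(rest[1]) if rest[:1] == ["eq"] else None
            cfg["acls"].setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[:1] == ["access-group"]:
            cfg["groups"][t[4]] = t[1]
    return cfg

def mapped_ip(cfg, s):
    # "static ... interface <port>" maps to the mapped interface's own address.
    return cfg["if_addr"][s.mapped_if] if s.gaddr == "interface" else s.gaddr

def _addr_match(cfg, spec, ip):
    if spec == "any":
        return True
    if spec.startswith("interface "):
        return cfg["if_addr"].get(spec.split()[1]) == ip
    addr, mask = spec.split("/")
    i, a, m = (int(ipaddress.ip_address(x)) for x in (ip, addr, mask))
    return i & m == a & m

def inbound_action(cfg, ifname, proto, src_ip, dst_ip, dport):
    """ACL bound inbound on ifname: first match wins, implicit deny at the end;
    with no access-group at all nothing inbound reaches the inside."""
    name = cfg["groups"].get(ifname)
    if name is None:
        return "deny (no access-group on %s)" % ifname
    for ace in cfg["acls"].get(name, []):
        if (ace.proto in (proto, "ip") and _addr_match(cfg, ace.src, src_ip)
                and _addr_match(cfg, ace.dst, dst_ip) and ace.dport in (None, dport)):
            return ace.action
    return "deny (implicit, end of %s)" % name

def resolve_inbound(cfg, dst_ip, dport, proto="tcp", src_ip=PROBE_SRC, ifname="outside"):
    """Where a packet arriving on ifname for dst_ip:dport ends up. PIX 6.x evaluates
    the outside ACL against the mapped (global) address the client connected to,
    so the static is matched first and the ACL is checked against that address."""
    for s in cfg["statics"]:
        if (s.mapped_if == ifname and s.proto == proto
                and mapped_ip(cfg, s) == dst_ip and s.gport == dport):
            verdict = inbound_action(cfg, ifname, proto, src_ip, dst_ip, dport)
            return ((s.laddr, s.lport) if verdict == "permit" else None), verdict
    return None, "no static for %s %s:%d" % (proto, dst_ip, dport)

def check_forwards(cfg):
    """Per static: (proto, mapped ip, mapped port, real ip, real port, ACL verdict)."""
    return [(s.proto, mapped_ip(cfg, s), s.gport, s.laddr, s.lport,
             inbound_action(cfg, s.mapped_if, s.proto, PROBE_SRC, mapped_ip(cfg, s), s.gport))
            for s in cfg["statics"]]
```

On this config every static comes back permit, which matches PES's reading: the PIX side is consistent, so the packets are not arriving, and post #8 confirms the ISP's router forward was the fault. Removing the access-group line, or placing a deny ahead of the permit, turns the verdict to deny, which are the two PIX-side mistakes this check catches. One caveat the config itself raises: every ACE is `permit tcp any any eq <port>`, so once the upstream forward works, RDP on 192.168.10.23 is reachable from any address on the Internet. Restricting the source (`access-list acl_out permit tcp host <admin-ip> any eq 3389`) is the usual hardening; with that in place, resolve_inbound reports permit when src_ip is the admin address and deny for any other source.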
  6. Nathan

    PES Guest

    "Nathan" <> wrote in message
    news:T%43d.1357$...
    >I am not a major cisco guy, so I don't know what you mean by "clear xlate".
    > Do I just type in the command in the CLI and write mem? Also, I haven't
    > rebooted the PIX after this initial config. I will try these two things
    > tomorrow. Just for future reference, if those two things don't work, do I
    > have any other options since the way my ISP setup the router? (yes you
    > were
    > right, The internal IP on the router is a NAT'd IP, kind of setup like the
    > cisco pix. And it does suck.)
    >
    > I did realize I posted the the password encryption. Changed it right after
    > this post. :)
    >


    The clear xlate command simply clears the nat translation table and forces
    it to reread static entries from the configuration. You do not need to save
    the config after typing this command. There are other posts showing you
    how to do this using names, and maybe option groups. You are doing it the
    simple way, assuming cli. I would plug a hub up between the router and the
    pix, plug in a pc, fire up ethereal and capture tcp port 3389 | icmp . That
    should tell you if the isp is doing its job. My assumption is that if your
    inbound www is working that the isp screwed something up.

    >
    > "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in
    > message
    > news:414cc3f9$...
    >> Your config looks ok to me. You have the lines that should make it work. I
    >> would want to make sure that you've done a clear xlate after any change, or a
    >> pix reboot. The following lines (taken from your config) should allow remote
    >> desktop to connect.
    >>
    >> static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask
    >> 255.255.255.255 0 0
    >> access-list acl_out permit tcp any any eq 3389
    >> access-group acl_out in interface outside
    >>
    >> Do your other applications work? Can you put a hub between the pix and the
    >> router to make sure the isp is in fact forwarding the traffic to you? Also,
    >> make sure you aren't trying to connect to your external address from the
    >> inside (this won't work with the pix).
    >>
    >> Also, I must comment that it sort of sucks that the isp is giving you a
    >> nat'd address if this is really the case. You can disregard this if you
    >> were changing the ip address (to protect the innocent). Also, I would
    >> recommend changing your passwords after disclosing them, even though they
    >> are encrypted.
    >>
    >> "Nathan" <> wrote in message
    >> news:fc23d.4106$...
    >> > I have been messing around with this for too long and it just won't work.
    >> > I would like to just get the remote desktop working and then I can worry
    >> > about the rest later. I restored the firewall to factory default and it's
    >> > built with the config below. Our ISP has forwarded a bunch of ports (one of
    >> > them 3389 for RDP) to our firewall. I was trying to get the firewall to
    >> > forward all this traffic to the server so I can get in remotely but it isn't
    >> > working. RDP is set up because I can get to the server from any computer
    >> > in the office, just not from the outside.
    >> >
    >> > It goes INTERNET --> ROUTER --> FIREWALL --> SERVER
    >> >
    >> > IP's
    >> > Internal IP on router: 10.226.1.13
    >> > External IP on PIX: 10.226.1.12
    >> > Internal IP on PIX: 192.168.10.250 (Also server's gateway)
    >> > IP on the server: 192.168.10.23
    >> >
    >> > Here is the config for the firewall. What am I missing?
    >> >
    >> > :
    >> > PIX Version 6.3(3)
    >> > interface ethernet0 auto
    >> > interface ethernet1 100full
    >> > nameif ethernet0 outside security0
    >> > nameif ethernet1 inside security100
    >> > enable password 8Ry2YjIyt7RRXU24 encrypted
    >> > passwd 2KFQnbNIdI.2KYOU encrypted
    >> > hostname pixfirewall
    >> > domain-name ciscopix.com
    >> > fixup protocol dns maximum-length 512
    >> > fixup protocol ftp 21
    >> > fixup protocol h323 h225 1720
    >> > fixup protocol h323 ras 1718-1719
    >> > fixup protocol http 80
    >> > fixup protocol rsh 514
    >> > fixup protocol rtsp 554
    >> > fixup protocol sip 5060
    >> > fixup protocol sip udp 5060
    >> > fixup protocol skinny 2000
    >> > fixup protocol smtp 25
    >> > fixup protocol sqlnet 1521
    >> > fixup protocol tftp 69
    >> > names
    >> > access-list acl_out permit tcp any any eq 3389
    >> > access-list acl_out permit tcp any any eq 9715
    >> > access-list acl_out permit tcp any any eq www
    >> > pager lines 24
    >> > mtu outside 1500
    >> > mtu inside 1500
    >> > ip address outside 10.226.1.12 255.255.0.0
    >> > ip address inside 192.168.10.250 255.255.0.0
    >> > ip audit info action alarm
    >> > ip audit attack action alarm
    >> > pdm logging informational 100
    >> > pdm history enable
    >> > arp timeout 14400
    >> > global (outside) 1 interface
    >> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >> > static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
    >> > static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
    >> > static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
    >> > access-group acl_out in interface outside
    >> > route outside 0.0.0.0 0.0.0.0 10.226.1.13 1
    >> > timeout xlate 0:05:00
    >> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    >> > 1:00:00
    >> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    >> > timeout uauth 0:05:00 absolute
    >> > aaa-server TACACS+ protocol tacacs+
    >> > aaa-server RADIUS protocol radius
    >> > aaa-server LOCAL protocol local
    >> > http server enable
    >> > http 192.168.1.0 255.255.255.0 inside
    >> > no snmp-server location
    >> > no snmp-server contact
    >> > snmp-server community public
    >> > no snmp-server enable traps
    >> > floodguard enable
    >> > telnet timeout 5
    >> > ssh timeout 5
    >> > console timeout 0
    >> > dhcpd address 192.168.10.200-192.168.10.201 inside
    >> > dhcpd lease 3600
    >> > dhcpd ping_timeout 750
    >> > dhcpd auto_config outside
    >> > dhcpd enable inside
    >> > terminal width 80
    >> > Cryptochecksum:e04c52259f4f403f9c2063bf34c6a1f3
    >> > : end
    >> > pixfirewall(config)# write mem
    >> > Building configuration...
    >> > Cryptochecksum: e04c5225 9f4f403f 9c2063bf 34c6a1f3
    >> > [OK]
    >> > pixfirewall(config)#
    >> >
    >> >

    >>
    >>

    >
    >
     
    PES, Sep 19, 2004
    #6
  7. Nathan

    Nathan Guest

    "briandesu" <> wrote in message
    news:...
    > > I have been messing around with this for too long and it just won't work. I
    > > would like to just get the remote desktop working and then I can worry about
    > > the rest later. I restored the firewall to factory default and it's built
    > > with the config below. Our ISP has forwarded a bunch of ports (one of them
    > > 3389 for RDP) to our firewall. I was trying to get the firewall to forward
    > > all this traffic to the server so I can get in remotely but it isn't
    > > working. RDP is set up because I can get to the server from any computer in
    > > the office, just not from the outside.
    > >
    > > It goes INTERNET --> ROUTER --> FIREWALL --> SERVER
    > >
    > > IP's
    > > Internal IP on router: 10.226.1.13
    > > External IP on PIX: 10.226.1.12
    > > Internal IP on PIX: 192.168.10.250 (Also server's gateway)
    > > IP on the server: 192.168.10.23
    > >
    > > Here is the config for the firewall. What am I missing?
    > > :
    > > PIX Version 6.3(3)
    > > interface ethernet0 auto
    > > interface ethernet1 100full
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > hostname pixfirewall
    > > domain-name ciscopix.com
    > > access-list acl_out permit tcp any any eq 3389
    > > access-list acl_out permit tcp any any eq 9715
    > > access-list acl_out permit tcp any any eq www
    > > ip address outside 10.226.1.12 255.255.0.0
    > > ip address inside 192.168.10.250 255.255.0.0
    > > global (outside) 1 interface
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
    > > static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
    > > static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
    > > access-group acl_out in interface outside
    > > route outside 0.0.0.0 0.0.0.0 10.226.1.13 1
    > > dhcpd auto_config outside

    >
    > PLEASE NOTE THAT I HAVE REMOVED INFORMATION NOT RELEVANT TO THE
    > PROBLEM.
    >
    > Red Flags:
    >
    > 1. Your external interface is using a private IP address. Is your
    > router performing NAT, or is this a lab environment, or are you using
    > bogus addresses for your example?


    No, that external IP I gave was the internal IP on the router. Let's say the
    external IP of the router is X.X.X.X.
    >
    > 2. You are using a static NAT on the interface that you are using PAT
    > on, which is not recommended.

    I kept getting errors when I put it in as NAT, so I went to PAT and
    everything worked. I will try again in this case.

    >
    > 3. You may have a routing issue. Your default route on the router
    > most likely is directed towards the ISP, so do you have a route
    > pointed to your internal network on your router "ip route 192.168.0.0
    > 255.255.0.0 10.226.1.12 1"


    I think it is a routing issue as well. I have almost this exact setup on a
    PIX in our own office and it works golden for RDP.
    >
    > 4. Can you telnet to one of the other ports you have opened
    > "telnet 10.226.1.13 80" to determine if you are able to connect to the
    > server at all.


    Locally? Dumb as I am, I didn't try that. I tried to telnet locally to the
    ports I opened and it worked, but when I had a partner try it remotely, it
    couldn't make the connection. I am going to try the hub in the middle as PES
    suggested.
    >
    > I have recently set up a PIX to allow ICA (Citrix) traffic and web
    > traffic (HTTP) through the firewall, so there should be absolutely no
    > issue regarding RDP.


    No, there shouldn't. I got this thing set up in more than one location. I am
    starting to believe it's a small change I need to make, as well as the ISP
    dropping the ball. Thanks for your help guys. I hope to get this resolved
    tomorrow.
    >
    > Regards,
    >
    > briandesu
     
    Nathan, Sep 20, 2004
    #7
  8. Nathan

    Nathan Guest

    Well it turned out it was my ISP. They forwarded ports on the router by
    company name, and there was a company with a similar name to my client's.
    Asked them to check by IP, and it fixed it. I can RDP & telnet to 3389 now.
    (yes!) But those other ports 80 & 9715 I have in the config are NOT
    working. I can't telnet to them. It's a start, but confusing still
    nonetheless. I will triple check and make sure they see all those forwarded
    and reboot the router.


    "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message
    news:414d74e4$...
    >
    > "Nathan" <> wrote in message
    > news:T%43d.1357$...
    > > I am not a major cisco guy, so I don't know what you mean by "clear
    > > xlate".
    > > Do I just type in the command in the CLI and write mem? Also, I haven't
    > > rebooted the PIX after this initial config. I will try these two things
    > > tomorrow. Just for future reference, if those two things don't work, do
    > > I have any other options since the way my ISP set up the router? (yes, you
    > > were right, the internal IP on the router is a NAT'd IP, kind of set up like
    > > the cisco pix. And it does suck.)
    > >
    > > I did realize I posted the password encryption. Changed it right
    > > after this post. :)
    > >
    >
    > The clear xlate command simply clears the nat translation table and forces
    > it to reread static entries from the configuration. You do not need to
    > save the config after typing this command. There are other posts showing you
    > how to do this using names, and maybe option groups. You are doing it the
    > simple way, assuming cli. I would plug a hub up between the router and
    > the pix, plug in a pc, fire up ethereal and capture tcp port 3389 | icmp.
    > That should tell you if the isp is doing its job. My assumption is that if
    > your inbound www is working that the isp screwed something up.
    >
    > >
    > > "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in
    > > message
    > > news:414cc3f9$...
    > >> Your config looks ok to me. You have the lines that should make it
    > >> work. I would want to make sure that you do clear xlate after any change, or
    > >> a pix reboot. The following lines (taken from your config) should allow
    > >> remote desktop to connect.
    > >>
    > >> static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask
    > >> 255.255.255.255 0 0
    > >> access-list acl_out permit tcp any any eq 3389
    > >> access-group acl_out in interface outside
    > >>
    > >> Do your other applications work? Can you put a hub between the pix and
    > >> the router to make sure the isp is in fact forwarding the traffic to you?
    > >> Also, make sure you aren't trying to connect to your external address from
    > >> the inside (this won't work with the pix).
    > >>
    > >> Also, I must comment that it sort of sucks that the isp is giving you a
    > >> nat'd address if this is really the case. You can disregard this if
    > >> you were changing the ip address (to protect the innocent). Also, I would
    > >> recommend changing your passwords after disclosing them, even though
    > >> they are encrypted.
    > >>
    > >> "Nathan" <> wrote in message
    > >> news:fc23d.4106$...
    > >> > I have been messing around with this for too long and it just won't
    > >> > work. I would like to just get the remote desktop working and then I can
    > >> > worry about the rest later. I restored the firewall to factory default and
    > >> > it's built with the config below. Our ISP has forwarded a bunch of ports
    > >> > (one of them 3389 for RDP) to our firewall. I was trying to get the
    > >> > firewall to forward all this traffic to the server so I can get in
    > >> > remotely but it isn't working. RDP is set up because I can get to the
    > >> > server from any computer in the office, just not from the outside.
    > >> >
    > >> > It goes INTERNET --> ROUTER --> FIREWALL --> SERVER
    > >> >
    > >> > IP's
    > >> > Internal IP on router: 10.226.1.13
    > >> > External IP on PIX: 10.226.1.12
    > >> > Internal IP on PIX: 192.168.10.250 (Also server's gateway)
    > >> > IP on the server: 192.168.10.23
    > >> >
    > >> > Here is the config for the firewall. What am I missing?
    > >> >
    > >> > :
    > >> > PIX Version 6.3(3)
    > >> > interface ethernet0 auto
    > >> > interface ethernet1 100full
    > >> > nameif ethernet0 outside security0
    > >> > nameif ethernet1 inside security100
    > >> > enable password 8Ry2YjIyt7RRXU24 encrypted
    > >> > passwd 2KFQnbNIdI.2KYOU encrypted
    > >> > hostname pixfirewall
    > >> > domain-name ciscopix.com
    > >> > fixup protocol dns maximum-length 512
    > >> > fixup protocol ftp 21
    > >> > fixup protocol h323 h225 1720
    > >> > fixup protocol h323 ras 1718-1719
    > >> > fixup protocol http 80
    > >> > fixup protocol rsh 514
    > >> > fixup protocol rtsp 554
    > >> > fixup protocol sip 5060
    > >> > fixup protocol sip udp 5060
    > >> > fixup protocol skinny 2000
    > >> > fixup protocol smtp 25
    > >> > fixup protocol sqlnet 1521
    > >> > fixup protocol tftp 69
    > >> > names
    > >> > access-list acl_out permit tcp any any eq 3389
    > >> > access-list acl_out permit tcp any any eq 9715
    > >> > access-list acl_out permit tcp any any eq www
    > >> > pager lines 24
    > >> > mtu outside 1500
    > >> > mtu inside 1500
    > >> > ip address outside 10.226.1.12 255.255.0.0
    > >> > ip address inside 192.168.10.250 255.255.0.0
    > >> > ip audit info action alarm
    > >> > ip audit attack action alarm
    > >> > pdm logging informational 100
    > >> > pdm history enable
    > >> > arp timeout 14400
    > >> > global (outside) 1 interface
    > >> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > >> > static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask
    > >> > 255.255.255.255 0 0
    > >> > static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask
    > >> > 255.255.255.255 0 0
    > >> > static (inside,outside) tcp interface www 192.168.10.23 www netmask
    > >> > 255.255.255.255 0 0
    > >> > access-group acl_out in interface outside
    > >> > route outside 0.0.0.0 0.0.0.0 10.226.1.13 1
    > >> > timeout xlate 0:05:00
    > >> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > >> > 1:00:00
    > >> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > >> > timeout uauth 0:05:00 absolute
    > >> > aaa-server TACACS+ protocol tacacs+
    > >> > aaa-server RADIUS protocol radius
    > >> > aaa-server LOCAL protocol local
    > >> > http server enable
    > >> > http 192.168.1.0 255.255.255.0 inside
    > >> > no snmp-server location
    > >> > no snmp-server contact
    > >> > snmp-server community public
    > >> > no snmp-server enable traps
    > >> > floodguard enable
    > >> > telnet timeout 5
    > >> > ssh timeout 5
    > >> > console timeout 0
    > >> > dhcpd address 192.168.10.200-192.168.10.201 inside
    > >> > dhcpd lease 3600
    > >> > dhcpd ping_timeout 750
    > >> > dhcpd auto_config outside
    > >> > dhcpd enable inside
    > >> > terminal width 80
    > >> > Cryptochecksum:e04c52259f4f403f9c2063bf34c6a1f3
    > >> > : end
    > >> > pixfirewall(config)# write mem
    > >> > Building configuration...
    > >> > Cryptochecksum: e04c5225 9f4f403f 9c2063bf 34c6a1f3
    > >> > [OK]
    > >> > pixfirewall(config)#
    > >> >
    > >> >
    > >>
    > >>
    > >
    > >
    >
    >
     
    Nathan, Sep 20, 2004
    #8
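The three lines PES singles out (the `static`, the `access-list` permit and the `access-group` binding) have to agree before any inbound forward on the PIX can work, whatever the ISP does upstream. As an added example that is not code from this thread or from Cisco, the Python script below parses a PIX 6.3 config excerpt (the relevant lines quoted above, with the wrapped netmasks rejoined) and reports which forwarded ports are actually permitted by the ACL bound to the outside interface, which are not, and two defensive notes the config as posted warrants: every permit is open to `any` source, and the SNMP community is the default `public`. The function and constant names are my own, and the sample config is constructed from the thread's lines.

```python
"""Cross-check PIX 6.3 inbound port forwards against the outside ACL.

Added example, not code from the thread or from Cisco.  It encodes the
check PES spells out: a port forwarded with
`static (inside,outside) tcp interface <port> <real-ip> <port>` only
works when an `access-list ... permit` entry covers that port AND that
ACL is bound with `access-group <name> in interface outside`.
"""
from __future__ import annotations

from dataclasses import dataclass

# Service names PIX 6.3 accepts in place of numbers, for the services used here.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "telnet": 23, "smtp": 25, "ftp": 21}

# Excerpt of the config posted in the thread, one command per line (constructed
# sample for this example; the wrapped netmask lines have been rejoined).
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any any eq 3389
access-list acl_out permit tcp any any eq 9715
access-list acl_out permit tcp any any eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.10.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9715 192.168.10.23 9715 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.10.23 www netmask 255.255.255.255 0 0
access-group acl_out in interface outside
snmp-server community public
"""


@dataclass(frozen=True)
class Static:
    proto: str
    global_port: int      # port on the outside interface address
    real_ip: str
    real_port: int


@dataclass(frozen=True)
class AclEntry:
    name: str
    proto: str
    src: str
    dst: str              # not evaluated below; every entry in the thread uses "any"
    port: int | None      # None: no "eq" clause, so every port matches


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def _addr(tok: list[str], i: int) -> tuple[str, int]:
    """Consume one address spec (any | host A | A MASK); return (text, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def parse_config(text: str) -> tuple[list[Static], list[AclEntry], dict[str, str], list[str]]:
    """Return statics, ACL entries, {interface: bound ACL name} and config notes."""
    statics, acls, bound, notes = [], [], {}, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static" and len(tok) >= 7 and tok[3] == "interface":
            statics.append(Static(tok[2], port_number(tok[4]), tok[5], port_number(tok[6])))
        elif tok[0] == "access-list" and len(tok) >= 6 and tok[2] == "permit":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = port_number(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
            acls.append(AclEntry(tok[1], tok[3], src, dst, port))
        elif tok[0] == "access-group" and len(tok) == 5 and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]
        elif tok[:3] == ["snmp-server", "community", "public"]:
            notes.append("snmp-server community is the well-known default 'public'")
    return statics, acls, bound, notes


def check_forwards(text: str, outside: str = "outside") -> dict:
    """Classify every interface static as 'ok' or 'blocked' by the outside ACL."""
    statics, acls, bound, notes = parse_config(text)
    acl_name = bound.get(outside)                 # None when no ACL is applied inbound
    entries = [e for e in acls if e.name == acl_name]
    result = {"acl_bound": acl_name is not None, "ok": [], "blocked": [], "notes": notes}
    for s in statics:
        hits = [e for e in entries
                if e.proto in (s.proto, "ip") and e.port in (None, s.global_port)]
        if hits:
            result["ok"].append(s.global_port)
            if any(e.src == "any" for e in hits):
                notes.append(f"{s.proto}/{s.global_port} to {s.real_ip} is open to any source")
        else:
            result["blocked"].append(s.global_port)
    return result


if __name__ == "__main__":
    for key, value in check_forwards(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a saved `show run` before reaching for `clear xlate` or a hub-and-sniffer: a port under `blocked` is unreachable from outside regardless of what the ISP forwards, while a port under `ok` that still fails points upstream, which is where this thread ended up. The script does not evaluate the ACL destination field (always `any` in this config) and does not model the PIX's refusal to hairpin connections to its own outside address from the inside, which PES also warns about.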
