Pix Remote Assistance Problem

Discussion in 'Cisco' started by Stuart, Apr 25, 2006.

  1. Stuart

    Stuart Guest

    Hi,

    Could anyone help with a sample configuration which will allow a remote
    desktop assistance session from within a PIX 501 firewalled network to
    an outside client:

    Assistance provider --- PIX 501 --- Router --- Internet --- Router ---
    Client needing assistance

    I tried several forums and spent a good deal of time studying and
    reconfiguring the PIX to allow port 3389, however I could not establish a
    remote assistance session. Any help is most appreciated.

    We have been sitting in the server room with a direct connection via
    the router, so it is definitely the PIX which is our issue and not the
    client end.

    The pix config is shown below:

    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx encrypted
    passwd xxx encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name xx.xx.xx.204 server2
    name xx.xx.xx.203 server
    name xx.xx.xx.206 remoteassist
    access-list 101 permit tcp any host remoteassist eq www
    access-list 101 permit tcp any host remoteassist eq 3389
    access-list 101 permit tcp any host server2 eq www
    access-list 101 permit tcp any host server eq www
    access-list 101 permit tcp any host server eq pptp
    access-list 101 permit tcp any eq 47 host server eq 47
    access-list inside_access_in permit ip any any
    access-list acl-out permit tcp any host remoteassist eq www
    access-list acl-out permit tcp any host remoteassist eq 3389
    access-list acl-out permit tcp any host server2 eq www
    access-list acl-out permit gre any host server
    access-list acl-out permit tcp any host server eq www
    access-list acl-out permit tcp any host server eq pptp
    access-list acl-out permit tcp any host server eq 82
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.xx.202 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.11 255.255.255.255 inside
    pdm location 192.168.1.12 255.255.255.255 inside
    pdm location server 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 1 server
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) server2 192.168.1.12 netmask 255.255.255.255 0 0
    static (inside,outside) server 192.168.1.11 netmask 255.255.255.255 0 0
    static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0
    access-group acl-out in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.201 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    isakmp enable outside
    isakmp key apple address 0.0.0.0 netmask 0.0.0.0
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username xxx password xxx
    dhcpd address 192.168.1.100-192.168.1.131 inside
    dhcpd dns 195.112.4.4 195.112.4.7
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    Cryptochecksum:15ce4bc67b95efdaa78abd9727380d15
    : end

    Thanks in advance,

    Stuart
     
    Stuart, Apr 25, 2006
    #1

  2. rave

    rave Guest

    Stuart,

    the config which you have on the PIX is absolutely fine. Any host from
    the outside world can establish an RDP session to the remoteassist IP address.

    Just try to go to www.whatismyip.com from the host 192.168.1.99 and see
    what the public IP is.

    Probably you might wanna do clear xlate and clear local.
     
    rave, Apr 25, 2006
    #2

  3. "rave" <> wrote in message
    news:...
    > stuart,
    >
    > the config which you have on the pix is absolutely fine. any host from
    > the outside world can establish RDP session to remoteassist IP address.
    >

    No way, Rave!
    Check the cfg again ...

    Stuart: From what I understand, there is a mix-up between what you have on your
    drawing and the cfg.

    Given this scenario:
    - The client-in-need is behind a router and connects to the Net
    - The I-can-helpout is behind the PIX and connects to the Net
    - The I-can-helpout wants to use RDP on the client-in-need

    This is done via normal inside outbound config, i.e. inside ACL, NAT and
    Global and/or Static.
    But what you miss is that the remote router needs to forward tcp/3389 into the
    client-in-need.
    Also I am puzzled over: global (outside) 1 server
    as you already have a: global (outside) 1 interface
    The NAT says: nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    which then would go to both globals, as the number "1" is in both globals.
    Try deleting global (outside) 1 server and clear xlate.
    If the I-can-helpout is the:
    static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0,
    the remote end must accept connections from the name remoteassist, i.e. from
    x.x.x.206

    HTH
    Martin
     
    Martin Bilgrav, Apr 25, 2006
    #3
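    An added example, not part of the thread or of any poster's material: a small Python evaluator for the PIX 6.x translation and ACL lines Martin is reasoning about. It parses a constructed excerpt of the posted config, with the masked xx.xx.xx public addresses replaced by the documentation range 203.0.113.0/24, and answers the questions a firewall admin wants settled before asking the remote end to open anything: which outside source address 192.168.1.99 will appear from (on the PIX a matching static takes precedence over nat/global, so it is the remoteassist address), which addresses a host with no static could appear from (both globals carrying id 1), whether acl-out admits tcp/3389 back in to the static, and which ACLs are defined but never bound to an interface. It models only the rule shapes present in the posted config, not the full PIX rule language; the inside hosts it is run against are constructed.

```python
"""Added example: evaluator for the PIX 6.x translation/ACL lines in the thread.
Models only the rule shapes present in the posted config and relies on one
PIX fact: a matching static takes precedence over nat/global."""
import ipaddress

# Constructed excerpt modelled on the posted config.  The masked xx.xx.xx
# public addresses are replaced with the documentation range 203.0.113.0/24.
PIX_CONFIG = """
name 203.0.113.204 server2
name 203.0.113.203 server
name 203.0.113.206 remoteassist
access-list 101 permit tcp any host remoteassist eq 3389
access-list inside_access_in permit ip any any
access-list acl-out permit tcp any host remoteassist eq www
access-list acl-out permit tcp any host remoteassist eq 3389
access-list acl-out permit tcp any host server2 eq www
access-list acl-out permit gre any host server
access-list acl-out permit tcp any host server eq pptp
ip address outside 203.0.113.202 255.255.255.248
global (outside) 1 interface
global (outside) 1 server
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) server2 192.168.1.12 netmask 255.255.255.255 0 0
static (inside,outside) server 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group inside_access_in in interface inside
"""

# Service keywords used by the posted ACLs.
PORT_NAMES = {"www": 80, "pptp": 1723}


def port_number(token):
    """Turn an ACL port token ('www', '3389') into an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text):
    """Collect names, statics, globals, nat, ACLs and ACL bindings."""
    cfg = {"names": {}, "statics": {}, "globals": {}, "nats": [],
           "acls": {}, "groups": {}, "outside_ip": None}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "name":                        # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "static":                    # static (in,out) <mapped> <real> ...
            cfg["statics"][t[3]] = t[2]
        elif t[0] == "global":                    # global (outside) <id> <addr|interface>
            cfg["globals"].setdefault(int(t[2]), []).append(t[3])
        elif t[0] == "nat":                       # nat (inside) <id> <net> <mask> ...
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            cfg["nats"].append((int(t[2]), net))
        elif t[0] == "access-list":               # access-list <name> <entry...>
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":              # access-group <acl> in interface <if>
            cfg["groups"][t[4]] = t[1]
        elif t[:3] == ["ip", "address", "outside"]:
            cfg["outside_ip"] = t[3]
    return cfg


def resolve(cfg, token):
    """Map a 'name' alias to its address; plain addresses pass through."""
    return cfg["names"].get(token, token)


def outbound_sources(cfg, host):
    """Public address(es) an inside host can appear from on the outside.

    A static is one-to-one and wins outright.  Without one, the host falls to
    the nat rule and every global sharing that nat id is a candidate, which is
    why the two 'global (outside) 1' lines give non-static hosts two options.
    """
    if host in cfg["statics"]:
        return [resolve(cfg, cfg["statics"][host])]
    addr = ipaddress.ip_address(host)
    for nat_id, net in cfg["nats"]:
        if addr in net:
            return [cfg["outside_ip"] if g == "interface" else resolve(cfg, g)
                    for g in cfg["globals"].get(nat_id, [])]
    return []


def outside_permits(cfg, proto, dst, port):
    """True if the ACL bound inbound on 'outside' carries a matching
    'permit <proto> any host <dst> eq <port>' entry."""
    acl = cfg["groups"].get("outside")
    for e in cfg["acls"].get(acl, []):
        if e[:2] != ["permit", proto] or e[2] != "any" or e[3] != "host":
            continue
        if resolve(cfg, e[4]) != resolve(cfg, dst):
            continue
        if len(e) >= 7 and e[5] == "eq" and port_number(e[6]) == port:
            return True
    return False


def unbound_acls(cfg):
    """ACLs that exist but are attached to no interface, so never evaluated."""
    return sorted(set(cfg["acls"]) - set(cfg["groups"].values()))


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print("192.168.1.99 appears from", outbound_sources(cfg, "192.168.1.99"))
    print("192.168.1.50 appears from", outbound_sources(cfg, "192.168.1.50"))
    print("tcp/3389 to remoteassist allowed in:",
          outside_permits(cfg, "tcp", "remoteassist", 3389))
    print("ACLs not bound anywhere:", unbound_acls(cfg))
```

    The two-candidate result for a host without a static is the practical consequence of Martin's remark about the duplicate nat id: a remote site that whitelists only the interface address will intermittently reject sessions that happened to be translated to the server address. The unbound-ACL check shows that access-list 101, which duplicates much of acl-out, is never consulted because no access-group refers to it.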
  4. Stuart

    Stuart Guest

    Thanks Martin,

    I am a complete novice when it comes to PIX; if I'm honest I don't know
    what half the stuff means in the config, which is the root of my
    problem. My illustration is correct; I will explain it again. We are
    trying to provide remote desktop assistance from our site to clients in
    need. We have a network of PCs and ideally want any one of them to be
    able to establish the connection to control the client's PC. Our
    internal network is connected to a PIX which in turn is connected to
    the internet. How the client connects to the internet we cannot
    control, and if their config stops this being possible that is out of
    our control; all we can offer is to try to help.

    The PIX config needs to support VPN clients connecting to server 1 from
    the internet, access to websites on server 1 and 2 from inside and
    outside.

    I assume we can currently establish remote desktop connections from
    outside in and vice versa because they are passed through the VPN
    tunnel?

    Thanks for your help guys, I am going to the Cisco site to learn about
    PIX configuring now!

    Look forward to your replies.

    Stuart
     
    Stuart, Apr 26, 2006
    #4
  5. "Stuart" <> wrote in message
    news:...
    > Thanks Martin,
    >
    > My illustration is correct I will explain it again. We are
    > trying to provide remote desktop assistance from our site to clients in
    > need.

    Ok, so the scenario is normal inside outbound access from your end towards the
    client on the Net,
    and port 3389 needs to be forwarded at the remote end, if they are
    behind NAT/router/firewall etc.

    > We have a network of PC's and ideally want any one of them to be
    > able to establish the connection to control the clients PC. Our
    > internal network is connected to a pix which in turn is connected to
    > the internet, how the client connects to the internet we can not
    > control and if their config stops this being possible that is out of
    > our control, all we can offer it to try to help.
    >

    fair enough ...

    > The PIX config needs to support VPN clients connecting to server 1 from
    > the internet, access to websites on server 1 and 2 from inside and
    > outside.

    VPN you say ...
    The determining point is WHERE the VPN terminates.
    Your present config implies that no VPN clients terminate on the PIX.
    If you need help, you need to clarify this a lot more.
    From what I can read of your config you have "SERVER" = 192.168.1.11
    (xx.xx.xx.203) where GRE and PPTP are forwarded.
    But what the tunnels are used for I cannot tell.

    Outside access to websites is done via outside inbound ACL and statics.
    Inside access to websites is done locally, I guess.
    You may have DNS problems or you may not. But the PIX can remedy that if you
    do.

    >
    > I assume we can currently establish remote desktop connections from
    > outside in and vice versa because they are passed through the VPN
    > tunnel?

    I normally say, assume nothing.
    8)

    Does not quite make sense to me ...
    Your config has port 3389 forwarded into a server, hence no VPN needed (this
    could be wrong).
    Still you need to clarify your VPN scenario.
    For example, a scenario could be that the Clients-In-Need make a VPN connection to you and
    you then RDP the remote clients.
    In your given scenario the server holds the tunnels and all access then needs
    to pass this server into the PPTP tunnel and on to the remote clients.

    But I am still unsure of what you want to do ...

    regards
    Martin



    >
    > Thanks for you help guys, I am going to the Cisco site to learn about
    > PIX configing now!
    >
    > Look forward to your replys.
    >
    > Stuart
    >
     
    Martin Bilgrav, Apr 26, 2006
    #5
  6. Stuart

    Stuart Guest

    OK, the VPN terminates at Server 1, so I think you are right and we are
    forwarding all VPN traffic to server 1.

    I set up remoteassist so that I could configure a specific internal
    machine with the 192.168.1.99 internal IP to static to xx.xx.xx.206 and
    test to see if I could remote desktop to it.

    I don't want to give the client VPN access; I simply want a method of
    passing a remote assistance session through the firewall so we don't
    freeze to death in the server room bypassing the PIX!

    I hope this makes sense.

    Thanks again, bear with me guys!
     
    Stuart, Apr 27, 2006
    #6
  8. Stuart

    Stuart Guest

    OK, I can establish a remote desktop connection to a client machine, but
    when I try to do remote assistance the client machine says it can't find
    the host. Is this because my machine is behind the firewall and it is
    publishing its internal IP address for the remote session, and the client
    is trying to connect using my internal IP address? If so, how do I
    force it to use the external IP address?

    Thanks,

    Stuart
     
    Stuart, Apr 27, 2006
    #8
