RDP to Win2003 server thru PIX

Discussion in 'Cisco' started by W Abucewicz, Aug 25, 2006.

  1. W Abucewicz

    W Abucewicz Guest

    Help..
    I've been reading thru these groups, Googling and reading anything I
    can.

    I cannot get RDP to work thru a PIX

    Can someone help?

    please send strings.. xxx.xxx.xxx.xxx = Outside IP
    yyy.yyy.yyy.yyy = Inside IP
     
    W Abucewicz, Aug 25, 2006
    #1

  2. In article <>,
    W Abucewicz <> wrote:
    >I've been reading thru these groups, Googling and reading anything I
    >can.
    >
    >I cannot get RDP to work thru a PIX
    >
    >Can someone help?
    >
    >please send strings.. xxx.xxx.xxx.xxx = Outside IP
    >yyy.yyy.yyy.yyy = Inside IP

    If xxx.xxx.xxx.xxx is the interface IP, then:

    static (inside,outside) tcp interface 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    access-list out2in permit tcp any interface outside eq 3389
    access-group out2in in interface outside


    If xxx.xxx.xxx.xxx is a distinct IP that is not the interface IP, then:

    static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    access-list out2in permit tcp any host xxx.xxx.xxx.xxx eq 3389
    access-group out2in in interface outside
     
    Walter Roberson, Aug 25, 2006
    #2

  3. W Abucewicz

    W Abucewicz Guest

    Walter Roberson wrote:
    > In article <>,
    > W Abucewicz <> wrote:
    > >I've been reading thru these groups, Googling and reading anything I
    > >can.

    >
    > >I cannot get RDP to work thru a PIX

    >
    > >Can someone help?

    >
    > >please send strings.. xxx.xxx.xxx.xxx = Outside IP
    > > yyy.yyy.yyy.yyy- Inside IP

    >
    >
    > If xxx.xxx.xxx.xxx is the interface IP, then:
    >
    > static (inside,outside) tcp interface 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    > access-list out2in permit tcp any interface outside eq 3389
    > access-group out2in in interface outside
    >
    >
    > If xxx.xxx.xxx.xxx is a distinct IP that is not the interface IP, then:
    >
    > static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    > access-list out2in permit tcp any host xxx.xxx.xxx.xxx eq 3389
    > access-group out2in in interface outside


    I've seen this string in another post..
    When I'm in "configure terminal"..
    The first line .. Static (....._) comes back with "invalid global IP"
    lines 2 and 3 seem OK...
    What am I missing?

    -Walter
     
    W Abucewicz, Aug 25, 2006
    #3
  4. In article <>,
    W Abucewicz <> wrote:
    >Walter Roberson wrote:
    >> In article <>,
    >> W Abucewicz <> wrote:
    >> >I cannot get RDP to work thru a PIX
    >>
    >> If xxx.xxx.xxx.xxx is the interface IP, then:
    >>
    >> static (inside,outside) tcp interface 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    >>
    >> If xxx.xxx.xxx.xxx is a distinct IP that is not the interface IP, then:
    >>
    >> static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    >
    >When I'm in "configure terminal"..
    >The first line .. Static (....._) comes back with "invalid global IP"
    >lines 2 and 3 seem OK...
    >What am I missing?


    You have not been clear as to which of the two static that you have
    tried. Also, you have not indicated which PIX version you are using.
    You have not indicated the model number either.

    The outside IP that you give, xxx.xxx.xxx.xxx, must not be in the
    same subnet as the inside IP, yyy.yyy.yyy.yyy, unless the inside
    IP yyy.yyy.yyy.yyy is not in the same subnet as the IP address of the
    inside interface.
     
    Walter Roberson, Aug 25, 2006
    #4
  5. W Abucewicz

    W Abucewicz Guest

    Here's the config..

    pixfirewall> enable
    Password: ******
    pixfirewall# write terminal
    Building configuration...
    : Saved
    :
    PIX Version 5.2(6)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password .9NISgLcqbbWP1BP encrypted
    passwd Pt3628SS/TRnciSO encrypted
    hostname pixfirewall
    domain-name metalcraftersinc.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    names
    name 10.100.0.248 mcgrobbins
    name 10.100.0.252 mcatucker
    name 10.100.0.251 mcbtucker
    name 10.100.0.250 mcmtucker
    name 10.100.0.247 mcsherburne
    name 10.100.0.246 mcjmckeon
    name 10.100.0.245 mcmcollins
    name 10.100.0.244 mcjberglund
    name 10.100.0.243 mcbclement
    name 10.100.0.242 mcelorenz
    name 10.100.0.241 mcrdurand
    name 10.100.0.240 mcjgagnon
    name 10.100.0.239 aironet1
    name 10.100.0.238 aironet2
    name 10.100.0.235 xerox8830
    name 10.100.0.234 recept
    name 10.100.0.233 mcmjones
    name 10.100.0.231 mci2
    name 10.100.0.237 mci
    name 10.100.0.230 mcsciuffetti
    name 10.100.0.229 mcjmarshall
    name 10.100.0.225 mcmhouston
    name 10.100.0.253 mcmcooper
    name 10.100.0.249 mcrbecker
    name 10.100.0.236 mcplustwerk
    name 10.100.0.232 mcwvachon
    name 10.100.0.226 mcbsmith
    name 10.100.0.224 jortega
    access-list acl_out permit tcp host mcmjones any eq pop3
    access-list acl_out permit udp host mci host 4.2.49.2 eq ntp
    access-list acl_out permit udp host mci host 4.2.49.3 eq ntp
    access-list acl_out permit udp host mci host 4.2.49.4 eq ntp
    access-list acl_out permit tcp host mcmjones any eq ftp
    access-list acl_out permit tcp host mcmjones any eq smtp
    access-list acl_out permit tcp host mcmjones any eq domain
    access-list acl_out permit udp host mcmjones any eq domain
    access-list acl_out permit tcp host mcmjones any eq www
    access-list acl_out permit tcp host mcmjones any eq 443
    access-list acl_out permit udp host mcmjones any eq 443
    access-list acl_out permit tcp host mcmjones any eq 1270
    access-list acl_out permit tcp host mcmjones any eq 5190
    access-list acl_out permit tcp host mcmjones any eq 9012
    access-list acl_out permit tcp host mcmjones any eq 9013
    access-list acl_out permit tcp host mcjgagnon any eq ftp
    access-list acl_out permit tcp host mcjgagnon any eq pop3
    access-list acl_out permit tcp host mcjgagnon any eq smtp
    access-list acl_out permit tcp host mcjgagnon any eq domain
    access-list acl_out permit udp host mcjgagnon any eq domain
    access-list acl_out permit tcp host mcjgagnon any eq www
    access-list acl_out permit tcp host mcjgagnon any eq 443
    access-list acl_out permit udp host mcjgagnon any eq 443
    access-list acl_out permit tcp host mcjgagnon any eq 1270
    access-list acl_out permit tcp host mcjgagnon any eq 5190
    access-list acl_out permit tcp host mcrdurand any eq ftp
    access-list acl_out permit tcp host mcrdurand any eq pop3
    access-list acl_out permit tcp host mcrdurand any eq smtp
    access-list acl_out permit tcp host mcrdurand any eq domain
    access-list acl_out permit udp host mcrdurand any eq domain
    access-list acl_out permit tcp host mcrdurand any eq www
    access-list acl_out permit tcp host mcrdurand any eq 443
    access-list acl_out permit udp host mcrdurand any eq 443
    access-list acl_out permit tcp host mcrdurand any eq 1270
    access-list acl_out permit tcp host mcrdurand any eq 5190
    access-list acl_out permit tcp host mcelorenz any eq ftp
    access-list acl_out permit tcp host mcelorenz any eq pop3
    access-list acl_out permit tcp host mcelorenz any eq smtp
    access-list acl_out permit tcp host mcelorenz any eq domain
    access-list acl_out permit udp host mcelorenz any eq domain
    access-list acl_out permit tcp host mcelorenz any eq www
    access-list acl_out permit tcp host mcelorenz any eq 443
    access-list acl_out permit udp host mcelorenz any eq 443
    access-list acl_out permit tcp host mcelorenz any eq 1270
    access-list acl_out permit tcp host mcelorenz any eq 5190
    access-list acl_out permit tcp host mcbclement any eq ftp
    access-list acl_out permit tcp host mcbclement any eq pop3
    access-list acl_out permit tcp host mcbclement any eq smtp
    access-list acl_out permit tcp host mcbclement any eq domain
    access-list acl_out permit udp host mcbclement any eq domain
    access-list acl_out permit tcp host mcbclement any eq www
    access-list acl_out permit tcp host mcbclement any eq 443
    access-list acl_out permit udp host mcbclement any eq 443
    access-list acl_out permit tcp host mcbclement any eq 1270
    access-list acl_out permit tcp host mcbclement any eq 5190
    access-list acl_out permit tcp host mcjberglund any eq ftp
    access-list acl_out permit tcp host mcjberglund any eq pop3
    access-list acl_out permit tcp host mcjberglund any eq smtp
    access-list acl_out permit tcp host mcjberglund any eq domain
    access-list acl_out permit udp host mcjberglund any eq domain
    access-list acl_out permit tcp host mcjberglund any eq www
    access-list acl_out permit tcp host mcjberglund any eq 443
    access-list acl_out permit udp host mcjberglund any eq 443
    access-list acl_out permit tcp host mcjberglund any eq 1270
    access-list acl_out permit tcp host mcjberglund any eq 5190
    access-list acl_out permit tcp host mcmcollins any eq ftp
    access-list acl_out permit tcp host mcmcollins any eq pop3
    access-list acl_out permit tcp host mcmcollins any eq smtp
    access-list acl_out permit tcp host mcmcollins any eq domain
    access-list acl_out permit udp host mcmcollins any eq domain
    access-list acl_out permit tcp host mcmcollins any eq www
    access-list acl_out permit tcp host mcmcollins any eq 443
    access-list acl_out permit udp host mcmcollins any eq 443
    access-list acl_out permit tcp host mcmcollins any eq 1270
    access-list acl_out permit tcp host mcmcollins any eq 5190
    access-list acl_out permit tcp host mcjmckeon any eq ftp
    access-list acl_out permit tcp host mcjmckeon any eq pop3
    access-list acl_out permit tcp host mcjmckeon any eq smtp
    access-list acl_out permit tcp host mcjmckeon any eq domain
    access-list acl_out permit udp host mcjmckeon any eq domain
    access-list acl_out permit tcp host mcjmckeon any eq www
    access-list acl_out permit tcp host mcjmckeon any eq 443
    access-list acl_out permit udp host mcjmckeon any eq 443
    access-list acl_out permit tcp host mcjmckeon any eq 1270
    access-list acl_out permit tcp host mcjmckeon any eq 5190
    access-list acl_out permit tcp host mcsherburne any eq ftp
    access-list acl_out permit tcp host mcsherburne any eq pop3
    access-list acl_out permit tcp host mcsherburne any eq smtp
    access-list acl_out permit tcp host mcsherburne any eq domain
    access-list acl_out permit udp host mcsherburne any eq domain
    access-list acl_out permit tcp host mcsherburne any eq www
    access-list acl_out permit tcp host mcsherburne any eq 443
    access-list acl_out permit udp host mcsherburne any eq 443
    access-list acl_out permit tcp host mcsherburne any eq 1270
    access-list acl_out permit tcp host mcsherburne any eq 5190
    access-list acl_out permit tcp host mcgrobbins any eq ftp
    access-list acl_out permit tcp host mcgrobbins any eq pop3
    access-list acl_out permit tcp host mcgrobbins any eq smtp
    access-list acl_out permit tcp host mcgrobbins any eq domain
    access-list acl_out permit udp host mcgrobbins any eq domain
    access-list acl_out permit tcp host mcgrobbins any eq www
    access-list acl_out permit tcp host mcgrobbins any eq 443
    access-list acl_out permit udp host mcgrobbins any eq 443
    access-list acl_out permit tcp host mcgrobbins any eq 1270
    access-list acl_out permit tcp host mcgrobbins any eq 5190
    access-list acl_out permit tcp host mcrbecker any eq ftp
    access-list acl_out permit tcp host mcrbecker any eq pop3
    access-list acl_out permit tcp host mcrbecker any eq smtp
    access-list acl_out permit tcp host mcrbecker any eq domain
    access-list acl_out permit udp host mcrbecker any eq domain
    access-list acl_out permit tcp host mcrbecker any eq www
    access-list acl_out permit tcp host mcrbecker any eq 443
    access-list acl_out permit udp host mcrbecker any eq 443
    access-list acl_out permit tcp host mcrbecker any eq 1270
    access-list acl_out permit tcp host mcrbecker any eq 5190
    access-list acl_out permit tcp host mcrbecker any eq nntp
    access-list acl_out permit tcp host mcmtucker any eq ftp
    access-list acl_out permit tcp host mcmtucker any eq pop3
    access-list acl_out permit tcp host mcmtucker any eq smtp
    access-list acl_out permit tcp host mcmtucker any eq domain
    access-list acl_out permit udp host mcmtucker any eq domain
    access-list acl_out permit tcp host mcmtucker any eq www
    access-list acl_out permit tcp host mcmtucker any eq 443
    access-list acl_out permit udp host mcmtucker any eq 443
    access-list acl_out permit tcp host mcmtucker any eq 1270
    access-list acl_out permit tcp host mcmtucker any eq 5190
    access-list acl_out permit tcp host mcbtucker any eq ftp
    access-list acl_out permit tcp host mcbtucker any eq pop3
    access-list acl_out permit tcp host mcbtucker any eq smtp
    access-list acl_out permit tcp host mcbtucker any eq domain
    access-list acl_out permit udp host mcbtucker any eq domain
    access-list acl_out permit tcp host mcbtucker any eq www
    access-list acl_out permit tcp host mcbtucker any eq 443
    access-list acl_out permit udp host mcbtucker any eq 443
    access-list acl_out permit tcp host mcbtucker any eq 1270
    access-list acl_out permit tcp host mcbtucker any eq 5190
    access-list acl_out permit tcp host mcatucker any eq ftp
    access-list acl_out permit tcp host mcatucker any eq pop3
    access-list acl_out permit tcp host mcatucker any eq smtp
    access-list acl_out permit tcp host mcatucker any eq domain
    access-list acl_out permit udp host mcatucker any eq domain
    access-list acl_out permit tcp host mcatucker any eq www
    access-list acl_out permit tcp host mcatucker any eq 443
    access-list acl_out permit udp host mcatucker any eq 443
    access-list acl_out permit tcp host mcatucker any eq 1270
    access-list acl_out permit tcp host mcatucker any eq 5190
    access-list acl_out permit tcp host mcmcooper any eq ftp
    access-list acl_out permit tcp host mcmcooper any eq pop3
    access-list acl_out permit tcp host mcmcooper any eq smtp
    access-list acl_out permit tcp host mcmcooper any eq domain
    access-list acl_out permit udp host mcmcooper any eq domain
    access-list acl_out permit tcp host mcmcooper any eq www
    access-list acl_out permit tcp host mcmcooper any eq 443
    access-list acl_out permit udp host mcmcooper any eq 443
    access-list acl_out permit tcp host mcmcooper any eq 1270
    access-list acl_out permit tcp host mcmcooper any eq 5190
    access-list acl_out permit tcp host mci any eq www
    access-list acl_out permit tcp host mci any eq domain
    access-list acl_out permit udp host mci any eq domain
    access-list acl_out permit tcp host mci any eq ftp
    access-list acl_out permit tcp host mci any eq 443
    access-list acl_out permit udp host mci any eq 443
    access-list acl_out permit tcp host mcsciuffetti any eq ftp
    access-list acl_out permit tcp host mcsciuffetti any eq pop3
    access-list acl_out permit tcp host mcsciuffetti any eq smtp
    access-list acl_out permit tcp host mcsciuffetti any eq domain
    access-list acl_out permit udp host mcsciuffetti any eq domain
    access-list acl_out permit tcp host mcsciuffetti any eq www
    access-list acl_out permit tcp host mcsciuffetti any eq 443
    access-list acl_out permit tcp host mcsciuffetti any eq 1270
    access-list acl_out permit tcp host mcsciuffetti any eq 5190
    access-list acl_out permit tcp host mcjmarshall any eq ftp
    access-list acl_out permit tcp host mcjmarshall any eq pop3
    access-list acl_out permit tcp host mcjmarshall any eq smtp
    access-list acl_out permit tcp host mcjmarshall any eq domain
    access-list acl_out permit udp host mcjmarshall any eq domain
    access-list acl_out permit tcp host mcjmarshall any eq www
    access-list acl_out permit tcp host mcjmarshall any eq 443
    access-list acl_out permit udp host mcjmarshall any eq 443
    access-list acl_out permit tcp host mcjmarshall any eq 1270
    access-list acl_out permit tcp host mcjmarshall any eq 5190
    access-list acl_out permit udp host mci any eq ntp
    access-list acl_out permit tcp host mcmhouston any eq ftp
    access-list acl_out permit tcp host mcmhouston any eq pop3
    access-list acl_out permit tcp host mcmhouston any eq smtp
    access-list acl_out permit tcp host mcmhouston any eq domain
    access-list acl_out permit udp host mcmhouston any eq domain
    access-list acl_out permit tcp host mcmhouston any eq www
    access-list acl_out permit tcp host mcmhouston any eq 443
    access-list acl_out permit udp host mcmhouston any eq 443
    access-list acl_out permit tcp host mcmhouston any eq 1270
    access-list acl_out permit tcp host mcmhouston any eq 5190
    access-list acl_out permit tcp host mcplustwerk any eq ftp
    access-list acl_out permit tcp host mcplustwerk any eq pop3
    access-list acl_out permit tcp host mcplustwerk any eq smtp
    access-list acl_out permit tcp host mcplustwerk any eq domain
    access-list acl_out permit udp host mcplustwerk any eq domain
    access-list acl_out permit tcp host mcplustwerk any eq www
    access-list acl_out permit tcp host mcplustwerk any eq 443
    access-list acl_out permit udp host mcplustwerk any eq 443
    access-list acl_out permit tcp host mcplustwerk any eq 1270
    access-list acl_out permit tcp host mcplustwerk any eq 5190
    access-list acl_out permit tcp host 10.100.0.8 any eq 9013
    access-list acl_out permit tcp host mcwvachon any eq ftp
    access-list acl_out permit tcp host mcwvachon any eq pop3
    access-list acl_out permit tcp host mcwvachon any eq smtp
    access-list acl_out permit tcp host mcwvachon any eq domain
    access-list acl_out permit udp host mcwvachon any eq domain
    access-list acl_out permit tcp host mcwvachon any eq www
    access-list acl_out permit tcp host mcwvachon any eq 443
    access-list acl_out permit udp host mcwvachon any eq 443
    access-list acl_out permit tcp host mcwvachon any eq 1270
    access-list acl_out permit tcp host mcwvachon any eq 5190
    access-list acl_out permit tcp host mcwvachon any eq 9012
    access-list acl_out permit tcp host mcwvachon any eq 9013
    access-list acl_out permit tcp host mcbsmith any eq ftp
    access-list acl_out permit tcp host mcbsmith any eq pop3
    access-list acl_out permit tcp host mcbsmith any eq smtp
    access-list acl_out permit tcp host mcbsmith any eq domain
    access-list acl_out permit udp host mcbsmith any eq domain
    access-list acl_out permit tcp host mcbsmith any eq www
    access-list acl_out permit tcp host mcbsmith any eq 443
    access-list acl_out permit udp host mcbsmith any eq 443
    access-list acl_out permit tcp host mcbsmith any eq 1270
    access-list acl_out permit tcp host mcbsmith any eq 5190
    access-list acl_out permit tcp host mcbsmith any eq 9012
    access-list acl_out permit tcp host mcbsmith any eq 9013
    access-list acl_out permit udp host mcmjones any eq 8100
    access-list acl_out permit tcp host mcgrobbins any eq 8100
    access-list acl_out permit udp host mcgrobbins any eq 8100
    access-list acl_out permit tcp host mcgrobbins any eq 9012
    access-list acl_out permit tcp host mcgrobbins any eq 9013
    access-list acl_out permit tcp host mcmjones any eq 8100
    access-list acl_out permit tcp host jortega any eq ftp
    access-list acl_out permit tcp host jortega any eq pop3
    access-list acl_out permit tcp host jortega any eq smtp
    access-list acl_out permit tcp host jortega any eq domain
    access-list acl_out permit udp host jortega any eq domain
    access-list acl_out permit tcp host jortega any eq www
    access-list acl_out permit tcp host jortega any eq 443
    access-list acl_out permit udp host jortega any eq 443
    access-list acl_out permit tcp host jortega any eq 1270
    access-list acl_out permit tcp host jortega any eq 5190
    access-list acl_out permit tcp host jortega any eq 8100
    access-list acl_out permit udp host jortega any eq 8100
    access-list acl_out permit tcp host jortega any eq 9012
    access-list acl_out permit tcp host jortega any eq 9013
    access-list acl_out permit tcp host mcgrobbins any eq 5500
    access-list acl_out permit udp host mcgrobbins any eq 5500
    access-list acl_out permit tcp host mcgrobbins any eq 5900
    access-list acl_out permit udp host mcgrobbins any eq 5900
    access-list acl_out permit tcp host mcsherburne any eq 5500
    access-list acl_out permit udp host mcsherburne any eq 5500
    access-list acl_out permit tcp host mcsherburne any eq 5900
    access-list acl_out permit udp host mcsherburne any eq 5900
    access-list acl_out permit tcp host mcsherburne any eq 8100
    access-list acl_out permit udp host mcsherburne any eq 8100
    access-list acl_out permit tcp host mcsherburne any eq 9012
    access-list acl_out permit tcp host mcsherburne any eq 9013
    access-list acl_out permit tcp host mcsciuffetti any eq 3389
    access-list acl_in permit udp any host mci eq ntp
    access-list acl_in permit tcp host 216.99.233.71 any eq smtp
    access-list acl_in permit tcp any host mcsciuffetti eq 3389
    pager lines 24
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    no logging buffered
    no logging trap
    logging history errors
    logging facility 20
    logging queue 512
    interface ethernet0 10baset
    interface ethernet1 10baset
    mtu outside 1500
    mtu inside 1500
    ip address outside 66.106.2.98 255.255.255.248
    ip address inside 10.100.0.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group acl_out in interface inside
    route outside 0.0.0.0 0.0.0.0 66.106.2.97 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    isakmp identity hostname
    telnet mcgrobbins 255.255.255.255 inside
    telnet mci 255.255.255.255 inside
    telnet timeout 10
    ssh timeout 5
    terminal width 90
    Cryptochecksum:ab84b59c18f27893f8a41be4722a9dfc
    : end
    [OK]
    pixfirewall# exit

    Logoff

    Type help or '?' for a list of available commands.

    Walter Roberson wrote:
    > In article <>,
    > W Abucewicz <> wrote:
    >
    > >Walter Roberson wrote:
    > >> In article <>,
    > >> W Abucewicz <> wrote:
    > >> >I cannot get RDP to work thru a PIX
    > >>
    > >> If xxx.xxx.xxx.xxx is the interface IP, then:
    > >>
    > >> static (inside,outside) tcp interface 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    > >>
    > >> If xxx.xxx.xxx.xxx is a distinct IP that is not the interface IP, then:
    > >>
    > >> static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
    > >
    > >When I'm in "configure terminal"..
    > >The first line .. Static (....._) comes back with "invalid global IP"
    > >lines 2 and 3 seem OK...
    > >What am I missing?
    >
    > You have not been clear as to which of the two static that you have
    > tried. Also, you have not indicated which PIX version you are using.
    > You have not indicated the model number either.
    >
    > The outside IP that you give, xxx.xxx.xxx.xxx, must not be in the
    > same subnet as the inside IP, yyy.yyy.yyy.yyy, unless the inside
    > IP yyy.yyy.yyy.yyy is not in the same subnet as the IP address of the
    > inside interface.
     
    W Abucewicz, Aug 30, 2006
    #5
  6. In article <>,
    W Abucewicz <> wrote:

    >PIX Version 5.2(6)


    That's much too old to support PAT (port address translation).

    It is also much too old to be asking questions about without stating
    clearly which version you are using. These days, unless you specify
    otherwise, people will assume you are using PIX 6.3 or PIX 6.2
    (unless something in the syntax or what you say indicates PIX 7.x).

    >names
    >name 10.100.0.237 mci
    >name 10.100.0.230 mcsciuffetti


    >access-list acl_in permit udp any host mci eq ntp
    >access-list acl_in permit tcp host 216.99.233.71 any eq smtp
    >access-list acl_in permit tcp any host mcsciuffetti eq 3389


    You haven't applied acl_in to the outside interface.

    >ip address inside 10.100.0.254 255.255.255.0


    Your addresses 'mci' and 'mcsciuffetti' are on your inside interface.
    You can't make them accessible to the outside world in PIX 5.2
    without using a 'static' and listing the public IP address.

    In PIX 5.2, if you want inside hosts to be reachable from the outside,
    then unless you are using a VPN, you *must* use an additional public
    address to refer to them. In PIX 5.2, it is impossible to use the
    outside address of the PIX in order to start connections to inside
    hosts. That address-saving feature was not added until PIX 6.1.
     
    Walter Roberson, Aug 30, 2006
    #6
  7. W Abucewicz

    W Abucewicz Guest

    Thanks..
    I appreciate your input.. these "rules" were setup by my customer..

    As you can tell, I have little Cisco experience..
    Looks like an upgrade is needed... is that a firmware upgrade or
    something more involved?

    --Walter A


    Walter Roberson wrote:
    > In article <>,
    > W Abucewicz <> wrote:
    >
    > >PIX Version 5.2(6)

    >
    > That's much too old to support PAT (port address translation).
    >
    > It is also much too old to be asking questions about without stating
    > clearly which version you are using. These days, unless you specify
    > otherwise, people will assume you are using PIX 6.3 or PIX 6.2
    > (unless something in the syntax or what you say indicates PIX 7.x).
    >
    > >names
    > >name 10.100.0.237 mci
    > >name 10.100.0.230 mcsciuffetti

    >
    > >access-list acl_in permit udp any host mci eq ntp
    > >access-list acl_in permit tcp host 216.99.233.71 any eq smtp
    > >access-list acl_in permit tcp any host mcsciuffetti eq 3389

    >
    > You haven't applied acl_in to the outside interface.
    >
    > >ip address inside 10.100.0.254 255.255.255.0

    >
    > Your addresses 'mci' and 'mcsciuffetti' are on your inside interface.
    > You can't make them accessible to the outside world in PIX 5.2
    > without using a 'static' and listing the public IP address.
    >
    > In PIX 5.2, if you want inside hosts to be reachable from the outside,
    > then unless you are using a VPN, you *must* use an additional public
    > address to refer to them. In PIX 5.2, it is impossible to use the
    > outside address of the PIX in order to start connections to inside
    > hosts. That address-saving feature was not added until PIX 6.1.
     
    W Abucewicz, Aug 30, 2006
    #7
  8. In article <>,
    W Abucewicz <> wrote:
    >As you can tell, I have little Cisco experience..
    >Looks like an upgrade is needed... is that a firmware upgrade or
    >something more involved?


    It would not be a firmware upgrade, but if the device is sufficiently
    old then it might require two stages. Based upon the configuration
    (or, more correctly, what the configuration does NOT contain), and
    based upon my knowledge of which devices existed at which stage of PIX OS,
    I would hypothesize that the device is a PIX 506 (but not 506E).
    Is that correct?

    Upgrading a PIX 506 is relatively easy, but there would be a non-trivial
    cost to upgrading one that old. Cisco's price lists are a maze
    full of red herrings, so the best I can estimate is $US 1000 to get the
    software upgrade. It might not be worth it from an investment point of
    view, as the PIX 506 now seems to be quite unlikely to be supported in
    PIX 7.x.


    Your outside IP address has a netmask of 255.255.255.248 indicating
    that the ISP has assigned a range of 8 IPs to the connection.
    Two of those are reserved (by the IP protocols), one would be allocated
    to your end of the connection, one would be allocated to their end of
    the connection -- and that leaves 4 unaccounted for.

    You may thus *already* have additional public IPs that you can use. If
    so then you do not need any software upgrade: the restrictions I discussed
    before had to do with using the PIX outside interface IP -itself-
    as the target of incoming connections; using a different IP in the
    same subnet is fair game, if you have the IP.
     
    Walter Roberson, Aug 30, 2006
    #8
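    Added worked example (not part of the thread, and not Cisco's or either Walter's code): a short Python script that mechanises the two things Walter Roberson spotted by eye, the `acl_in` that is defined but never bound with `access-group` (#6) and the /29 arithmetic that leaves four spare public addresses (#8), and then emits the `static` / `access-list` / `access-group` lines from #2 for a chosen spare IP. The config excerpt inside the script is constructed from the lines posted in #5; the rule that a static to the outside interface address itself needs PIX 6.1 or later is taken from the thread as stated. The `source` parameter defaults to `any`, as in the thread, but a practitioner publishing RDP would normally pass `host a.b.c.d` so that only a known address can reach port 3389.

```python
"""Checks and config generation for the PIX 5.2(6) RDP case (added example)."""
import ipaddress
import re

# Constructed excerpt of the configuration posted in #5: only the lines the checks need.
PIX_CONFIG = """\
PIX Version 5.2(6)
name 10.100.0.237 mci
name 10.100.0.230 mcsciuffetti
access-list acl_out permit tcp host mcsciuffetti any eq 3389
access-list acl_in permit udp any host mci eq ntp
access-list acl_in permit tcp host 216.99.233.71 any eq smtp
access-list acl_in permit tcp any host mcsciuffetti eq 3389
ip address outside 66.106.2.98 255.255.255.248
ip address inside 10.100.0.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 66.106.2.97 1
"""


def parse_config(text):
    """Pull out the handful of facts the checks below depend on."""
    cfg = {"version": None, "names": {}, "acls": set(), "applied": set(),
           "ifaces": {}, "gateway": None}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["PIX", "Version"]:
            cfg["version"] = p[2]
        elif p[0] == "name":                        # name <ip> <alias>
            cfg["names"][p[2]] = p[1]
        elif p[0] == "access-list":                 # access-list <name> ...
            cfg["acls"].add(p[1])
        elif p[0] == "access-group":                # access-group <name> in interface <if>
            cfg["applied"].add(p[1])
        elif p[:2] == ["ip", "address"]:            # ip address <if> <ip> <mask>
            cfg["ifaces"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "route" and p[2] == "0.0.0.0" and p[3] == "0.0.0.0":
            cfg["gateway"] = ipaddress.ip_address(p[4])   # default route next hop
    return cfg


def unapplied_acls(cfg):
    """ACLs that exist but are bound to no interface filter nothing (the acl_in problem in #6)."""
    return sorted(cfg["acls"] - cfg["applied"])


def version_tuple(version):
    """'5.2(6)' -> (5, 2, 6) so releases compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def interface_pat_supported(version):
    """Per the thread, a static to the outside interface address itself needs PIX 6.1 or later."""
    return version_tuple(version) >= (6, 1)


def spare_public_ips(cfg):
    """Host addresses in the outside subnet not taken by the PIX or the ISP gateway (#8)."""
    outside = cfg["ifaces"]["outside"]
    taken = {outside.ip, cfg["gateway"]}
    return [ip for ip in outside.network.hosts() if ip not in taken]


def rdp_publish_config(cfg, inside_host, public_ip=None, source="any", port=3389):
    """Return the static + inbound ACL + access-group lines from #2.

    public_ip=None requests the interface-address form, which is refused on a
    release that cannot do it. 'source' defaults to 'any' as in the thread; pass
    'host a.b.c.d' to limit who may reach RDP.
    """
    inside_ip = ipaddress.ip_address(cfg["names"].get(inside_host, inside_host))
    inside_if, outside_if = cfg["ifaces"]["inside"], cfg["ifaces"]["outside"]
    if inside_ip not in inside_if.network:
        raise ValueError(f"{inside_ip} is not on the inside subnet {inside_if.network}")
    if public_ip is None:
        if not interface_pat_supported(cfg["version"]):
            raise ValueError(f"PIX {cfg['version']} cannot static to the interface address; "
                             f"use a spare public IP instead")
        global_addr, acl_dst = "interface", "interface outside"
    else:
        public_ip = ipaddress.ip_address(public_ip)
        if public_ip not in spare_public_ips(cfg):
            raise ValueError(f"{public_ip} is not a free address in {outside_if.network}")
        global_addr, acl_dst = str(public_ip), f"host {public_ip}"
    return [
        f"static (inside,outside) tcp {global_addr} {port} {inside_ip} {port} netmask 255.255.255.255",
        f"access-list acl_in permit tcp {source} {acl_dst} eq {port}",
        "access-group acl_in in interface outside",
    ]


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print("ACLs defined but not applied:", unapplied_acls(cfg))
    print("Spare public IPs:", [str(ip) for ip in spare_public_ips(cfg)])
    for line in rdp_publish_config(cfg, "mcsciuffetti", public_ip="66.106.2.99"):
        print(line)
```

Run as-is, the script reports `acl_in` as unapplied, lists 66.106.2.99 through .102 as free, and prints the three lines for publishing mcsciuffetti on 66.106.2.99. Asking for the interface-address form on 5.2(6) raises instead of emitting a `static` the box would reject.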
  9. W Abucewicz

    W Abucewicz Guest

    You are correct... we have additional public addresses that are not in use

    Can you point me in a direction ...?

    How to assign the inside IP to a different public IP..?

    Then the rules that you originally sent should work...

    --Walter



    Walter Roberson wrote:
    > In article <>,
    > W Abucewicz <> wrote:
    > >As you can tell, I have little Cisco experience..
    > >Looks like an upgrade is needed... is that a firmware upgrade or
    > >something more involved?

    >
    > It would not be a firmware upgrade, but if the device is sufficiently
    > old then it might require two stages. Based upon the configuration
    > (or, more correctly, what the configuration does NOT contain), and
    > based upon my knowledge of which devices existed at which stage of PIX OS,
    > I would hypothesize that the device is a PIX 506 (but not 506E).
    > Is that correct?
    >
    > Upgrading a PIX 506 is relatively easy, but there would be a non-trivial
    > cost to upgrading one that old. Cisco's price lists are a maze
    > full of red herrings, so the best I can estimate is $US 1000 to get the
    > software upgrade. It might not be worth it from an investment point of
    > view, as the PIX 506 now seems to be quite unlikely to be supported in
    > PIX 7.x.
    >
    >
    > Your outside IP address has a netmask of 255.255.255.248 indicating
    > that the ISP has assigned a range of 8 IPs to the connection.
    > Two of those are reserved (by the IP protocols), one would be allocated
    > to your end of the connection, one would be allocated to their end of
    > the connection -- and that leaves 4 unaccounted for.
    >
    > You may thus *already* have additional public IPs that you can use. If
    > so then you do not need any software upgrade: the restrictions I discussed
    > before had to do with using the PIX outside interface IP -itself-
    > as the target of incoming connections; using a different IP in the
    > same subnet is fair game, if you have the IP.
     
    W Abucewicz, Aug 31, 2006
    #9
