PIX 501 Remote Desktop Assistance Problem

Discussion in 'Cisco' started by Stuart, Mar 28, 2006.

  1. Stuart

    Could anyone help with a sample configuration which will allow a remote
    desktop assistance session from within a pix 501 firewalled network to
    an outside client:

    Assistance provider --- PIX 501 --- Router --- Internet --- Router ---
    Client needing assistance

    I tried several forums and spent a good deal of time reconfiguring the
    PIX to allow port 3389, however I could not establish a remote
    assistance session. Any help is most appreciated.

    Stuart, Mar 28, 2006

  2. By default the PIX allows outgoing TCP connections. If you have
    configured the PIX -not- to allow that, then we will need to see
    your (sanitized) configuration in order to advise you on how to
    adjust it.

    A question: does the client happen to be behind NAT? If so then when
    they issue the invitation to you, the IP address that is going
    to be in the invitation is going to be the -internal- IP address.
    You can literally use a text editor to change that in the invitation.

    Remote Desktop invitations also include the remote hostname (as
    known to the remote host), so an alternative to editing the
    invitation is to set up name resolution for that remote hostname.
    You could use a common WINS server, or you could set up DNS,
    or you could edit your LMHOSTs file.
    Walter Roberson, Mar 28, 2006
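Walter's first suggestion, editing the IP address inside the invitation, done with a script instead of by hand. This is an added example and not part of the thread. It assumes the invitation is the Windows XP `.msrcincident` XML file with an `RCTICKET` attribute whose third comma-separated field lists `host:port` endpoints separated by `;`; the sample file, the ticket values and the public address `203.0.113.206` are constructed for the example, not captured from a real invitation.

```python
"""Rewrite the private address in a Remote Assistance invitation so the helper can reach it."""
import ipaddress
import re

# Constructed sample in the shape of a Windows XP Remote Assistance invitation
# file (.msrcincident). The RCTICKET layout "<ver>,<n>,<addr:port;...>,..." and
# every value here are assumptions made for this example, not a captured file.
SAMPLE_INVITATION = (
    '<UPLOADINFO TYPE="Escalated">\n'
    '<UPLOADDATA USERNAME="stuart" '
    'RCTICKET="65538,1,192.168.1.10:3389;helpdesk-pc:3389,*,ABC123,*,*,XYZ" '
    'RCTICKETENCRYPTED="1" DtStart="1143500000" DtLength="60" L="0" />\n'
    '</UPLOADINFO>\n'
)

_RCTICKET_RE = re.compile(r'RCTICKET="([^"]*)"')


def is_private_address(host):
    """True for private/link-local IP literals; hostnames return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def rewrite_endpoints(ticket, public_ip):
    """Replace private IP literals in the ticket's endpoint list with public_ip.

    The endpoint list is the third comma-separated field, entries separated by
    ';' as host:port. Hostname entries are kept untouched so name resolution
    (the alternative Walter mentions) still works for them.
    """
    fields = ticket.split(",")
    if len(fields) < 3:
        raise ValueError("unexpected RCTICKET layout")
    rewritten = []
    for entry in fields[2].split(";"):
        host, sep, port = entry.rpartition(":")
        if sep and is_private_address(host):
            entry = f"{public_ip}:{port}"
        if entry not in rewritten:          # drop duplicates created by the rewrite
            rewritten.append(entry)
    fields[2] = ";".join(rewritten)
    return ",".join(fields)


def patch_invitation(text, public_ip):
    """Patch only the RCTICKET attribute; the rest of the file is left as is."""
    ipaddress.ip_address(public_ip)         # fail early on a typo in the public address
    text, count = _RCTICKET_RE.subn(
        lambda m: 'RCTICKET="%s"' % rewrite_endpoints(m.group(1), public_ip), text)
    if count != 1:
        raise ValueError(f"expected exactly one RCTICKET attribute, found {count}")
    return text


def patch_invitation_file(path, public_ip):
    """Rewrite an invitation on disk.

    Assumption: XP writes the file as UTF-16 with a BOM; the encoding is
    detected from the BOM and kept on write so Windows can still read it.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    encoding = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8"
    patched = patch_invitation(raw.decode(encoding), public_ip)
    with open(path, "wb") as fh:
        fh.write(patched.encode(encoding))


if __name__ == "__main__":
    print(patch_invitation(SAMPLE_INVITATION, "203.0.113.206"))
```

`public_ip` is the address the PIX statics to the helper's machine (`remoteassist` in the config posted later in the thread), and the client's connection then comes back inbound to TCP 3389 on that address, which the posted `acl-out` permits. A regex is used rather than an XML parser so that everything outside the attribute, including whatever declaration and encoding the file carries, stays byte-for-byte the same. Because that access-list entry admits any source, it is worth narrowing it to the client's address for the duration of a session whenever that address is known, and removing it afterwards.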

  3. Stuart

    Sorry for the delay in getting back.

    The situation is we have an internal machine we want to use for remote
    assistance. It connects through a pix to a router to the internet. The
    client connection will change each time it could be any configuration.

    We have been sitting in the server room with a direct connection via
    the router, so it is definitely the pix which is our issue and not the
    client end.

    The pix config is shown below:

    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx encrypted
    passwd xxx encrypted
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name xx.xx.xx.204 server2
    name xx.xx.xx.203 server
    name xx.xx.xx.206 remoteassist
    access-list 101 permit tcp any host remoteassist eq www
    access-list 101 permit tcp any host remoteassist eq 3389
    access-list 101 permit tcp any host server2 eq www
    access-list 101 permit tcp any host server eq www
    access-list 101 permit tcp any host server eq pptp
    access-list 101 permit tcp any eq 47 host server eq 47
    access-list inside_access_in permit ip any any
    access-list acl-out permit tcp any host remoteassist eq www
    access-list acl-out permit tcp any host remoteassist eq 3389
    access-list acl-out permit tcp any host server2 eq www
    access-list acl-out permit gre any host server
    access-list acl-out permit tcp any host server eq www
    access-list acl-out permit tcp any host server eq pptp
    access-list acl-out permit tcp any host server eq 82
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.xx.202
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location inside
    pdm location inside
    pdm location server outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 1 server
    nat (inside) 1 0 0
    static (inside,outside) server2 netmask 0
    static (inside,outside) server netmask 0 0
    static (inside,outside) remoteassist netmask 0 0
    access-group acl-out in interface outside
    access-group inside_access_in in interface inside
    route outside xx.xx.xx.201 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    isakmp enable outside
    isakmp key apple address netmask
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username xxx password xxx
    dhcpd address inside
    dhcpd dns
    dhcpd lease 3600
    dhcpd ping_timeout 750
    terminal width 80
    : end

    Thanks in advance,

    Stuart, Apr 25, 2006
  4. As an aside: 6.3(3) has known security difficulties, which are
    fixed in the free update 6.3(4).

    There are also a fair number of bug fixes in 6.3(5) but that version
    requires a support contract to obtain.

    You do not appear to use that access-list 101 in your configuration.

    You apply that "in" the inside interface. Because you are permitting
    all ip with it, use of it is redundant upon the default PIX behaviour
    when no access-group inside is present. I would suggest removing
    the access-group statement and the access

    That static conflicts with the second global (outside) statement.
    It is not permitted to static the entire IP of any IP which appears
    in a global PAT or global pool. It -is- permitted to static individual
    ports of an IP that appears in a global statement, but I don't think
    you want to do that in your case. The effect of the second global
    statement would be to use server as the outside IP for packets at the
    point where there were no more available ports in the first global PAT
    (the interface address.) If you are driving a PIX 501 to that
    many connections, the PIX 501 is probably the wrong device for the
    situation. I would suggest just deleting the second global statement.

    You do not have a vpdn enable statement, and you have no
    crypto map statements, so the vpdn is not going to have any
    effect and the isakmp is unneeded (and possibly dangerous to
    have sitting there without further configuration, though I cannot
    think of any attacks on it.) The sysopt is not consistent with
    the use of vpdn, as vpdn is only pptp or l2tp and not ipsec.

    This suggests that either you chopped some statements out of your
    configuration or else that your configuration used to include
    some VPN tunnels and has not been completely purged of them.
    If those tunnels are still there and you chopped them out of the
    posting, then we are trying to give advice based upon an
    incomplete description of the situation.
    Walter Roberson, Apr 25, 2006
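The configuration points Walter raises above (an access-list that is never applied, an inside access-group that only permits ip any any, a static on an address that also appears in a global (outside) pool, isakmp enabled with no crypto map, a vpdn username with no vpdn enable) turned into a small checker. This is an added example, not something from the thread or from Cisco. It runs against a constructed excerpt of the posted config; the check names and the excerpt are this example's own, and the one check Walter did not mention flags the posted `snmp-server community public`, which is the default read community string.

```python
"""Flag the PIX 6.x configuration inconsistencies discussed in the thread."""
from collections import defaultdict

# Constructed excerpt modelled on the sanitized config posted above (not the
# complete config). The static lines keep the truncated form shown in the post;
# the checker only needs the first token after the interface pair, which is the
# global (outside) address in PIX 6.x syntax.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name xx.xx.xx.204 server2
name xx.xx.xx.203 server
name xx.xx.xx.206 remoteassist
access-list 101 permit tcp any host remoteassist eq www
access-list 101 permit tcp any host remoteassist eq 3389
access-list inside_access_in permit ip any any
access-list acl-out permit tcp any host remoteassist eq 3389
access-list acl-out permit gre any host server
access-list acl-out permit tcp any host server eq pptp
global (outside) 1 interface
global (outside) 1 server
nat (inside) 1 0 0
static (inside,outside) server2 netmask 0
static (inside,outside) server netmask 0 0
static (inside,outside) remoteassist netmask 0 0
access-group acl-out in interface outside
access-group inside_access_in in interface inside
snmp-server community public
sysopt connection permit-ipsec
isakmp enable outside
vpdn username xxx password xxx
: end
"""


def lint_pix(config_text):
    """Return a list of (check_id, message) tuples for a PIX 6.x config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(":")]

    acl_rules = defaultdict(list)   # ACL name -> rule strings
    bound = {}                      # ACL name -> interface from access-group
    global_addrs = []               # addresses named in global (outside) ...
    static_globals = []             # global addresses named in static ...
    seen = {"isakmp_enable": False, "crypto_map": False,
            "vpdn_enable": False, "vpdn_user": False, "snmp_public": False}

    for line in lines:
        tok = line.split()
        head = tok[0]
        if head == "access-list" and len(tok) > 2:
            acl_rules[tok[1]].append(" ".join(tok[2:]))
        elif head == "access-group" and len(tok) >= 5:
            bound[tok[1]] = tok[4]          # access-group <acl> in interface <if>
        elif head == "global" and len(tok) >= 4:
            global_addrs.append(tok[3])     # global (<if>) <id> <addr|interface>
        elif head == "static" and len(tok) >= 3:
            static_globals.append(tok[2])   # static (<in>,<out>) <global-addr> ...
        elif head == "isakmp" and tok[1:2] == ["enable"]:
            seen["isakmp_enable"] = True
        elif head == "crypto" and tok[1:2] == ["map"]:
            seen["crypto_map"] = True
        elif head == "vpdn" and tok[1:2] == ["enable"]:
            seen["vpdn_enable"] = True
        elif head == "vpdn" and tok[1:2] == ["username"]:
            seen["vpdn_user"] = True
        elif line == "snmp-server community public":
            seen["snmp_public"] = True

    findings = []
    for acl in acl_rules:
        if acl not in bound:
            findings.append(("UNUSED_ACL",
                             f"access-list {acl} is defined but never applied with access-group"))
    for acl, iface in bound.items():
        rules = acl_rules.get(acl)
        if iface == "inside" and rules and all(r == "permit ip any any" for r in rules):
            findings.append(("REDUNDANT_INSIDE_ACL",
                             f"access-list {acl} on inside only permits ip any any, the PIX default"))
    for addr in global_addrs:
        if addr in static_globals:
            findings.append(("STATIC_GLOBAL_CONFLICT",
                             f"{addr} is used by both a global (outside) pool and a full-address static"))
    if seen["isakmp_enable"] and not seen["crypto_map"]:
        findings.append(("ISAKMP_WITHOUT_CRYPTO_MAP",
                         "isakmp enable with no crypto map: IKE is exposed but no tunnel is defined"))
    if seen["vpdn_user"] and not seen["vpdn_enable"]:
        findings.append(("VPDN_NOT_ENABLED",
                         "vpdn username present but vpdn is not enabled on any interface"))
    if seen["snmp_public"]:
        findings.append(("SNMP_DEFAULT_COMMUNITY",
                         "snmp-server community public: default read community string"))
    return findings


if __name__ == "__main__":
    for check, msg in lint_pix(SAMPLE_CONFIG):
        print(f"{check}: {msg}")
```

The checker looks only at `access-group` bindings when deciding whether an ACL is used, so an ACL referenced from `nat 0` or a crypto map would be reported as unused on a fuller config; that is the place to extend it. It also treats every `static` as a full-address static, which matches the posted config but would misreport a port-level static of the kind Walter says is permitted.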
  5. Stuart

    Thanks for your post Walter.

    I am a complete novice to the PIX, half the stuff in our config I don't
    understand and I'm currently on cisco.com trying to learn what the
    config is doing.

    Here is the basic requirement:

    Forward requests on xx.xx.xx.203 to server 1 which is hosting a website
    Forward requests on xx.xx.xx.204 to server 2 which is hosting a website

    Allow VPN connections to be established with server 1 from anywhere on
    the internet

    Latest requirement - connect to clients via remote desktop assistance.

    It's very possible as you have already pointed out that there is old and
    redundant information in the config. I would appreciate whilst I am
    trying to understand the config if you could either guide me or post a
    stripped down config with an explanation of what each line does.

    Thanks again,

    Stuart, Apr 26, 2006
  6. Stuart

    I have managed to get a remote desktop session established from my
    machine inside the firewall to a client machine. When I tried to use
    remote desktop assistance the client machine returned an error that it
    couldn't find the host. Is this because the remote assistant is sending
    my internal IP address to the client and the client is trying to use
    that to connect? If so how do I change it?

    Any ideas?

    P.S. I can also remote desktop in from a client to xx.xx.xx.206 so it
    definitely works both ways, just a problem with remote assistant.

    Thanks in advance,
    Stuart, Apr 27, 2006
