User569041 asked:

pix 501 config - new install

I have a Pix 501, flat network, no routers, etc. Pix is running latest IOS.

Internal network is 192.168.0.x.

I am trying to figure out how to route terminal server traffic (TCP port 3389) from the internet (outside) to a specific server on the internal side.

I have reviewed a few things on TAC but I am lost as they all have routers, etc.

Can someone provide specific things I need to type in to get this to work?

Thanks in advance.

Michael
ASKER CERTIFIED SOLUTION
Les Moore
User569041 (ASKER):

Why do I need the line -

access-group inbound in interface outside

Thanks in advance.
When entering the 1st command, I get the following error:

Result of firewall command: "access-list inbound permit any any eq 3389"
 
ERROR: invalid protocol any
Usage:      [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
      <protocol>|object-group <protocol_obj_grp_id>
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
      <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
      <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
      [<icmp_type> | object-group <icmp_type_obj_grp_id>]
      [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

My bad...

access-list inbound permit tcp any any eq 3389

The access-group command binds the access list to the interface where you want it to apply to inbound traffic (in this case, the "outside" interface).

You might want to make the access list a little tighter by making it permit only to the server you want to reach, like:
access-list inbound permit tcp any host 192.168.0.22 eq 3389

but as there is only one "static" statement, this isn't strictly necessary.

If you know the source addresses of the remote hosts or subnets, you could even limit the access-list further, permitting just 1.2.3.4 and anyone on 198.133.219.x to connect.

access-list inbound permit tcp host 1.2.3.4 host 192.168.0.22 eq 3389
access-list inbound permit tcp 198.133.219.0 255.255.255.0 host 192.168.0.22 eq 3389

If you type "no access-list inbound" to delete it, then you'll have to re-enter the access-group command again, because deleting an access list on a Pix removes any associated access-group statements (unlike on a router, where there is an implicit "permit any any" when an access-group statement refers to a non-existent access list).
Are you still working on this? Can you close out this question?

Thanks!
g4dbn,

Your heart is in the right place, but you can't do what you propose with the access-list. Access lists applied to external interfaces do not use the private IP Address associated with the internal system. In order to ensure no rogue traffic enters the PIX, the access-list statement should be: "access-list permit tcp any host <public IP> eq 3389".
Ah, cut and paste is a terrible thing.  I picked a silly IP address out of the air.
Replace 192.168.0.22 with 22.0.168.192 in the example and it would be valid, but yours is better!  
I'll try to be more generic in future....
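Putting the thread's pieces together, here is a complete PIX 6.x configuration excerpt as an added example; it is not the accepted solution's text (which is not reproduced above) nor any poster's own config. It reuses only addresses already used in this thread: the internal host 192.168.0.22, the public address 22.0.168.192 that g4dbn substituted, and the two trusted sources 1.2.3.4 and 198.133.219.0/24. The static command form is standard PIX 6.x syntax; the list name "inbound" and the choice of a dedicated public address (rather than the outside interface's own address) are assumptions.

```cisco
! Added example (not from the original posts): one-to-one static NAT plus
! an inbound ACL on the outside interface, PIX 6.x syntax.
!
! 1. Static translation: public 22.0.168.192 <-> internal 192.168.0.22.
!    The outside ACL below must name the PUBLIC address, because a PIX 6.x
!    evaluates the outside ACL before the translation to the private address.
static (inside,outside) 22.0.168.192 192.168.0.22 netmask 255.255.255.255 0 0
!
! 2. Permit RDP (TCP 3389) only from the known remote sources; the protocol
!    keyword (tcp) is required, which is what the "invalid protocol any"
!    error above was complaining about.
access-list inbound permit tcp host 1.2.3.4 host 22.0.168.192 eq 3389
access-list inbound permit tcp 198.133.219.0 255.255.255.0 host 22.0.168.192 eq 3389
!
! 3. Bind the list to the outside interface for inbound traffic.
!    Anything not permitted above is dropped by the implicit deny.
access-group inbound in interface outside
!
! Caveat from the thread: "no access-list inbound" also removes the
! access-group binding, so re-enter step 3 after rebuilding the list.
```

If the PIX has only its single outside interface address and no spare public IP, the same result is reached with port redirection (available from PIX 6.2 onward): `static (inside,outside) tcp interface 3389 192.168.0.22 3389 netmask 255.255.255.255 0 0`, with the access-list entries then written against `interface outside` instead of `host 22.0.168.192`. Either way, a quick check after applying the config is `show access-list inbound`, whose per-line hit counters confirm which entry the RDP sessions are actually matching.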
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

 --> ACCEPT:lrmoore

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

 
tim_holman
EE Cleanup Volunteer