09.20.2007 at 06:43AM PDT, ID: 22841276
DMZ access from IPSEC client dial in on Cisco PIX 7.20

Asked by prodriveit in Cisco PIX Firewall, Virtual Private Networking (VPN)


Hi Guys,

Got the following config on a cisco PIX running v7.20. My problem is when trying to secure access to the address 10.253.253.10 (in the DMZ) from a client which is connected to the PIX via an IPSEC client tunnel. As it stands, I cannot seem to limit the communication to just RDP (port 3389) - if I try to use the NoNAT access list then it tells me I can't do this because I'm specifying a port (e.g. access-list NoNat permit tcp host 10.253.253.10 192.168.254.0 255.255.255.0 eq 3389).

Any way I can limit connectivity from VPN to DMZ to just port 3389?

Cheers
DS

PIX Version 7.2(1)
!
hostname SEWOKIPIXFW01
enable password boqYWcQZRlcZo0P. encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.4.254 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 4
 ip address 10.253.253.254 255.255.255.0
!
passwd w2NRmfMHl/IxHWi2 encrypted
ftp mode passive
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 101 extended permit ip 192.168.254.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.2.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.4.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.5.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.6.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.7.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.3.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list NoNAT extended permit ip host 10.253.253.10 192.168.254.0 255.255.255.0
access-list 111 extended permit ip 192.168.4.0 255.255.255.0 any
access-list 111 extended permit tcp 192.168.4.0 255.255.255.0 any
access-list 111 extended permit udp 192.168.4.0 255.255.255.0 any
access-list 111 extended permit icmp 192.168.4.0 255.255.255.0 any
access-list 111 extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list 111 extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list 111 extended permit tcp host 192.168.4.4 any eq domain
access-list 111 extended permit udp host 192.168.4.4 any eq domain
access-list 111 extended permit tcp host 192.168.1.4 any eq domain
access-list 111 extended permit udp host 192.168.1.4 any eq domain
access-list 111 extended permit tcp host 192.168.2.4 any eq domain
access-list 111 extended permit udp host 192.168.2.4 any eq domain
access-list 111 extended permit tcp host 192.168.3.4 any eq domain
access-list 111 extended permit udp host 192.168.3.4 any eq domain
access-list 111 extended permit tcp host 192.168.6.4 any eq domain
access-list 111 extended permit udp host 192.168.6.4 any eq domain
access-list 111 extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list 111 extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list 111 extended permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list 111 extended permit tcp 192.168.3.0 255.255.255.0 any eq https
access-list 111 extended permit tcp 192.168.5.0 255.255.255.0 any eq www
access-list 111 extended permit tcp 192.168.5.0 255.255.255.0 any eq https
access-list 111 extended permit tcp 192.168.6.0 255.255.255.0 any eq www
access-list 111 extended permit tcp 192.168.6.0 255.255.255.0 any eq https
access-list 111 extended permit tcp 192.168.1.0 255.255.255.0 host d.d.d.d eq 11997
access-list 131 extended permit tcp any host a.a.a.e eq https
access-list 131 extended permit tcp any host a.a.a.e eq www
access-list 131 extended permit tcp host c.c.c.c host a.a.a.d eq citrix-ica
access-list 131 extended permit tcp host c.c.c.c host a.a.a.d eq 15678
access-list 131 extended permit tcp b.b.b.b 255.255.255.240 host a.a.a.d eq 15678
access-list 131 extended permit tcp b.b.b.b 255.255.255.240 host a.a.a.d eq citrix-ica
access-list 131 extended permit tcp any host a.a.a.c eq www
access-list 131 extended permit tcp any host a.a.a.c eq https
access-list 131 extended permit tcp any host a.a.a.b eq pptp
access-list 131 extended permit tcp b.b.b.b 255.255.255.240 host a.a.a.d eq 2598
access-list 131 extended permit tcp host c.c.c.c host a.a.a.d eq 2598
access-list 131 extended permit tcp 192.168.254.0 255.255.255.0 host 10.253.253.10 eq www
access-list 131 extended permit tcp 192.168.254.0 255.255.255.0 host 10.253.253.10 eq https
access-list 121 extended permit tcp host 10.253.253.10 host 10.253.253.1 eq sqlnet
access-list 121 extended permit tcp host 10.253.253.10 any eq www
access-list 121 extended permit tcp host 10.253.253.10 any eq https
access-list 121 extended permit tcp host 10.253.253.10 any eq domain
access-list 121 extended permit udp host 10.253.253.10 any eq domain
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool SEWOKIVPN-pool 192.168.254.0-192.168.254.254
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list NoNAT
static (inside,outside) a.a.a.b 192.168.1.4 netmask 255.255.255.255
static (inside,outside) a.a.a.c 192.168.4.6 netmask 255.255.255.255
static (inside,outside) a.a.a.d 192.168.4.12 netmask 255.255.255.255
static (DMZ,outside) a.a.a.e 10.253.253.10 netmask 255.255.255.255
static (inside,DMZ) 10.253.253.1 192.168.4.10 netmask 255.255.255.255
access-group 131 in interface outside
access-group 111 in interface inside
access-group 121 in interface DMZ
route outside 0.0.0.0 0.0.0.0 a.a.a.z 1
route inside 192.168.1.0 255.255.255.0 192.168.4.250 1
route inside 192.168.2.0 255.255.255.0 192.168.4.250 1
route inside 192.168.3.0 255.255.255.0 192.168.4.250 1
route inside 192.168.5.0 255.255.255.0 192.168.4.250 1
route inside 192.168.6.0 255.255.255.0 192.168.4.250 1
route inside 192.168.7.0 255.255.255.0 192.168.4.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SEWOKIVPN-GroupPolicy internal
group-policy SEWOKIVPN-GroupPolicy attributes
 dns-server value 192.168.1.4
 default-domain value *.g
username Support-PDITS password eZcZZRuX3gUlV40b encrypted
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SEWOKIVPN-ts esp-3des esp-md5-hmac
crypto dynamic-map SEWOKIVPN-dmap 10 set transform-set SEWOKIVPN-ts
crypto dynamic-map SEWOKIVPN-dmap 10 set reverse-route
crypto map SEWOKIVPN-smap 10 ipsec-isakmp dynamic SEWOKIVPN-dmap
crypto map SEWOKIVPN-smap interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group SEWOKIVPN-TunnelGroup type ipsec-ra
tunnel-group SEWOKIVPN-TunnelGroup general-attributes
 address-pool SEWOKIVPN-pool
tunnel-group SEWOKIVPN-TunnelGroup ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.5.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 inside
telnet 192.168.6.0 255.255.255.0 inside
telnet 192.168.7.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
!
service-policy global_policy global
tftp-server inside 192.168.4.192 pix721.bin
ssl encryption des-sha1 rc4-md5
prompt hostname context
Cryptochecksum:ef82b0422db85cb44244552111097296
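As an added example (not from the question or from any of the hidden answers), a small Python evaluator for the PIX extended access-list syntax used above: it parses the ACL lines, evaluates a flow first-match against a named ACL, and flags port-qualified entries in the NoNAT list, since nat 0 exemption is matched on addresses only, which is why the asker's port-qualified line is rejected; a port restriction has to live in an ACL that is actually applied to the traffic, not in the NAT exemption list. The sample lines are copied from the posted config plus the rejected line, and the VPN client address 192.168.254.5 is constructed.

```python
import ipaddress

# Constructed sample: the posted ACL lines that concern the VPN pool (192.168.254.0/24)
# and the DMZ host, plus the port-qualified NoNAT line the asker says the PIX rejects.
ACL_LINES = """
access-list NoNAT extended permit ip host 10.253.253.10 192.168.254.0 255.255.255.0
access-list NoNAT extended permit tcp host 10.253.253.10 192.168.254.0 255.255.255.0 eq 3389
access-list 131 extended permit tcp 192.168.254.0 255.255.255.0 host 10.253.253.10 eq www
access-list 131 extended permit tcp 192.168.254.0 255.255.255.0 host 10.253.253.10 eq https
""".strip().splitlines()

NAMED_PORTS = {"www": 80, "https": 443, "domain": 53, "sqlnet": 1521}

def _endpoint(tokens):
    # Consume one PIX address spec: any | host A | A MASK
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    # access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
    tok = line.split()
    rest = tok[5:]
    src, dst = _endpoint(rest), _endpoint(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return {"acl": tok[1], "action": tok[3], "proto": tok[4],
            "src": src, "dst": dst, "port": port}

def _matches(ace, src, dst, proto, port):
    if ace["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    return ace["port"] in (None, port)   # no 'eq' means any port

def permitted(aces, acl, src, dst, proto, port):
    # First matching entry wins; every ACL ends in an implicit deny.
    for ace in (a for a in aces if a["acl"] == acl):
        if _matches(ace, src, dst, proto, port):
            return ace["action"] == "permit"
    return False

def nat_exempt_problems(aces, acl):
    # nat 0 access-list matches on addresses only: port-qualified entries are exactly what the PIX refuses.
    return [a for a in aces if a["acl"] == acl and a["port"] is not None]
```

Running `permitted` for 192.168.254.5 to 10.253.253.10 tcp/3389 against ACL 131 shows it is not covered by the posted www/https entries, while the NoNAT list matches the same flow on addresses alone.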
09.20.2007 at 10:32AM PDT, ID: 19929984 (Expert Comment)

09.20.2007 at 10:34AM PDT, ID: 19930002 (Expert Comment)

09.21.2007 at 07:46AM PDT, ID: 19936027 (Author Comment)

09.24.2007 at 10:37AM PDT, ID: 19950055 (Solution)

About this solution

Zones: Cisco PIX Firewall, Virtual Private Networking (VPN)
Tags: permit, pix, any, cisco, dmz
Solution Provided By: theeter
Participating Experts: 2
Solution Grade: A