Advertisement

11.06.2007 at 12:14PM PST, ID: 22942970
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
9.0

terminal server through a pix 506 that is between 2 internal networks

Asked by saulj in Cisco PIX Firewall

Hi,
I have 2 internal networks, one with internet access and one without internet access.
The internet access network (Plant) is 192.168.0.x
The non-internet access network (office)  is 192.168.1.x

We have a pix between the 2 networks set up so that a server on the plant network (192.168.1.1) can FTP to the server on the office network (192.168.0.6)
They now want to be able to access the terminal server on the plant network from some of the workstations on the office network, namely 192.168.0.190-195
Ive tried several different static commands and messing with the access list without any luck.
I will attach the config below.
Ideally I want the users to termserv to the outside interface of the pix 192.168.0.201 so that I do not have to add a route to the workstations for the plant network, however if I do have to, I can do that.
Thanks in advance for your help.

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pix506
domain-name local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list OUTBOUND permit icmp any any echo
access-list OUTBOUND permit icmp any any echo-reply
access-list OUTBOUND permit icmp any any unreachable
access-list OUTBOUND permit icmp any any time-exceeded
access-list OUTBOUND deny icmp any any
access-list OUTBOUND permit tcp host 192.168.1.1 host 192.168.0.6 eq ftp
access-list OUTBOUND permit tcp host 192.168.1.1 host 192.168.0.6 eq ftp-data
access-list OUTBOUND deny ip any any
access-list INBOUND permit icmp any any echo
access-list INBOUND permit icmp any any echo-reply
access-list INBOUND permit icmp any any unreachable
access-list INBOUND permit icmp any any time-exceeded
access-list INBOUND permit tcp any interface outside eq 3389
access-list INBOUND permit icmp host 192.168.1.1 any echo-reply
access-list INBOUND deny icmp any any
access-list INBOUND deny ip any any
pager lines 24
logging on
logging buffered debugging
icmp permit any echo outside
icmp permit any echo-reply outside
icmp deny any outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp deny any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.201 255.255.255.0
ip address inside 192.168.1.13 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.0.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
terminal width 80Start Free Trial
 
Keywords: terminal server through a pix 506 tha…
Title
1 PIX
2 PIX to PIX VPN issue
3 PIX and xlate problems
4 Pix to Pix VPN
5 pix VPN
6 Comcast and Cisco Pix
 
Loading Advertisement...
 
[+][-]11.06.2007 at 02:11PM PST, ID: 20228302

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]11.06.2007 at 02:15PM PST, ID: 20228348

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zone: Cisco PIX Firewall
Sign Up Now!
Solution Provided By: Voltz-dk
Participating Experts: 1
Solution Grade: A
 
 
 
Loading Advertisement...
20081112-EE-VQP-42 / EE_QW_2_20070628