Cisco Pix 515 Problem with Remote Desktop

phoenix706 asked:
I'm trying to get a Cisco Pix 515 to work, allowing outside users to access a Windows 2000 server via remote desktop. I keep getting a timeout whenever anyone outside of the network tries to access it. I'm new to this kind of thing, so any help is greatly appreciated. Below I've pasted the config file from the Pix. Note: I changed the IP addresses so that random hackers don't get any ideas... ;-)

Also note that there is a Cisco Router connecting everything to the internet, but it is set to allow anything through both ways.

CONFIG FILE:

:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.243.20.1 SWGSA
access-list outside_access_in permit tcp any host 123.123.123.123
access-list outside_access_in permit udp any host 123.123.123.123
access-list outside_access_in permit icmp any host 123.123.123.123
access-list outside_access_in permit ip any host 123.123.123.123
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 123.123.123.123 255.255.255.240
ip address inside 10.243.1.209 255.255.224.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 10.243.1.141 255.255.255.255 inside
pdm location 10.243.4.141 255.255.255.255 inside
pdm location 10.243.0.0 255.255.0.0 inside
pdm location SWGSA 255.255.255.255 inside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 123.123.123.123 SWGSA netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.156.169.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.243.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.243.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
[OK]

Sr. Systems Engineer (Top Expert 2008) commented:
Holy smokes, Batman! You're letting EVERYTHING in??

access-list outside_access_in permit tcp any host 123.123.123.123
access-list outside_access_in permit udp any host 123.123.123.123
access-list outside_access_in permit icmp any host 123.123.123.123
access-list outside_access_in permit ip any host 123.123.123.123

Is the Interface address the ONLY ip address you can use, or do you have the whole subnet to play with? The reason I ask is that your acl lets all traffic into the same "host" as your outside interface IP address. I realize these are placeholders for security, but....

Assuming you have only the interface address to use for everything:

! <-- this will permit Terminal Server access, and some icmp for troubleshooting -->
! <-- delete existing acl -->
no access-list outside_access_in
!
! <-- use the interface address here -->
access-list outside_access_in permit tcp any host 123.123.123.123 eq 3389
! <-- alternative: use a different IP if you have them to spare -->
access-list outside_access_in permit tcp any host 123.123.123.124 eq 3389
!
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
!
! <-- set up static port map to an inside host -->
static (inside,outside) tcp interface 3389 10.243.20.1 3389
! <-- alternative if you have another IP address -->
static (inside,outside) tcp 123.123.123.124 3389 10.243.20.1 3389
!
! <-- re-apply the acl -->
access-group outside_access_in in interface outside
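As an added example (not code from this thread, from the expert, or from Cisco), here is a small Python evaluator for the PIX 6.x-style access-list and static lines quoted above. It parses the original wide-open ACL and the tightened one from the answer, flags entries that permit a whole protocol with no port or ICMP type, and walks sample inbound packets through the ACL and then the port-map static, the way the PIX applies them on the outside interface. The sample config lines are copied from the question and answer; the packet sources, the Packet and Ace classes and all function names are my own assumptions, and the parser handles only the address and port syntax those lines actually use.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the wide-open ACL from the question.
ORIGINAL_ACL = """
access-list outside_access_in permit tcp any host 123.123.123.123
access-list outside_access_in permit udp any host 123.123.123.123
access-list outside_access_in permit icmp any host 123.123.123.123
access-list outside_access_in permit ip any host 123.123.123.123
"""

# Constructed sample input: the tightened ACL and port map from the answer.
TIGHTENED_ACL = """
access-list outside_access_in permit tcp any host 123.123.123.123 eq 3389
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
"""
STATIC_LINE = "static (inside,outside) tcp interface 3389 10.243.20.1 3389"
OUTSIDE_IP = "123.123.123.123"  # outside interface address from the posted config


@dataclass
class Packet:                        # assumed packet model for the walk-through
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply", "unreachable"


@dataclass
class Ace:                           # one parsed access-list entry
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr(t: list, i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rest, dport, icmp_type = t[i:], None, None
        if t[3] in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
            dport = int(rest[1])
        elif t[3] == "icmp" and rest:
            icmp_type = rest[0]
        aces.append(Ace(t[2], t[3], src, dst, dport, icmp_type))
    return aces


def _in(net, addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in net


def evaluate(aces: list, pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end, as on the PIX."""
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if not (_in(a.src, pkt.src) and _in(a.dst, pkt.dst)):
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        if a.icmp_type is not None and a.icmp_type != pkt.icmp_type:
            continue
        return a.action
    return "deny"


def audit(aces: list) -> list:
    """Flag permit entries that open a whole protocol (no port / no ICMP type) to a destination."""
    findings = []
    for a in aces:
        wide = a.proto == "ip" or (a.proto in ("tcp", "udp") and a.dport is None) \
            or (a.proto == "icmp" and a.icmp_type is None)
        if a.action == "permit" and wide:
            findings.append(f"permit {a.proto} to {a.dst or 'any'} with no port/type restriction")
    return findings


def parse_static(line: str, outside_ip: str) -> dict:
    """Parse 'static (in,out) tcp|udp GLOBAL GPORT LOCAL LPORT'; 'interface' is the outside address."""
    t = line.replace("(", " ").replace(")", " ").split()
    gaddr = outside_ip if t[3] == "interface" else t[3]
    return {"proto": t[2], "global": (gaddr, int(t[4])), "local": (t[5], int(t[6]))}


def inbound(aces: list, statics: list, pkt: Packet):
    """Outside->inside path: ACL on the untranslated (global) address, then the port-map static."""
    if evaluate(aces, pkt) != "permit":
        return ("deny", None)
    for s in statics:
        if s["proto"] == pkt.proto and s["global"] == (pkt.dst, pkt.dport):
            return ("permit", s["local"])
    return ("permit", None)  # permitted by the ACL, but no translation exists to deliver it


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL), ("tightened", TIGHTENED_ACL)):
        print(label, "findings:", audit(parse_acl(text)) or "none")
    tight, st = parse_acl(TIGHTENED_ACL), [parse_static(STATIC_LINE, OUTSIDE_IP)]
    for p in (Packet("tcp", "198.51.100.7", OUTSIDE_IP, dport=3389),   # constructed source
              Packet("tcp", "198.51.100.7", OUTSIDE_IP, dport=445),
              Packet("icmp", "198.51.100.7", OUTSIDE_IP, icmp_type="echo")):
        print(p.proto, p.dport or p.icmp_type, "->", inbound(tight, st, p))
```

Running the block shows the original ACL producing four findings (every entry opens a whole protocol to the outside address) and the tightened one none, with only TCP/3389 reaching 10.243.20.1 through the port map. The evaluator does not model the one-to-one `static (inside,outside) 123.123.123.123 SWGSA` line already in the posted config; that line and the new port-map static both claim the outside interface address, so when testing on the real box check that the old one has been removed before judging whether the port map is the problem.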
Les Moore, Sr. Systems Engineer (Top Expert 2008), commented:
There has not been any response from you on this question in a while.
Are you still working on this and need more information?
Or, can you go ahead and close it out?
The help pages here will guide you:
http://www.experts-exchange.com/help/

Author commented:
Sorry about that. I haven't had a chance to try it out (we had a few emergencies this week). I'll try the suggestion Monday and (hopefully) let you know that it went okay and give you the points.

Thanks for the follow up!
