Solved

Opening port 3389 on a pix 501

Posted on 2004-10-14
641 Views
Last Modified: 2010-04-17
Hi,
This should be a piece of cake question. How do I open port 3389 (or any other, for that matter) on a PIX 501 through the graphical user interface? I basically need to be able to Terminal Service to a computer with an IP of 192.168.1.100 behind the PIX 501 from the internet cloud.
Will this work:

    access-list outside_access_in permit tcp any interface outside eq 3389
    static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside

Thanks,
Mike
0
Question by:MichaelSwitzer
31 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12307196
Your syntax is exactly right. You can cut/paste this into the multiple-line command line utility in the GUI, or straight to the command prompt from telnet or console.

                    access-list outside_access_in permit tcp any interface outside eq 3389
                    static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask 255.255.255.255
                    access-group outside_access_in in interface outside
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12308264
Can I copy/paste these 3 lines (changing the last octet of the IP address to the corresponding computer) as many times as needed, or do I just need to add solely the line of:

   static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask 255.255.255.255


Thank you so much for your help,
                Michael
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12308334
I believe I am not quite clear how I will "Terminal Service" to 192.168.1.100 from outside the PIX. Do I just use the IP address of the PIX (12.232.143.209, not changing) in Remote Desktop? If so, how then do I connect specifically to the 192.168.1.100 computer?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12308407
You can only create one static port xlate to the same port, but you can change the port that RDC listens on for other computers and forward those ports, i.e.
   static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
   static (inside,outside) tcp interface 3390 192.168.1.101 3390 netmask 255.255.255.255
   static (inside,outside) tcp interface 3391 192.168.1.102 3391 netmask 255.255.255.255

How to change the listening port:
http://support.microsoft.com/default.aspx?scid=kb;en-us;306759

Yes, in your Remote Desktop client, you just put in the IP address of the outside 12.232.143.209
If you go the route of changing ports, then just add the port number when you connect, i.e.
   12.232.143.209  connects to .100  (default port not required to be specified)
   12.232.143.209:3390 connects to .101
   12.232.143.209:3391 connects to .102
  <etc>

Just remember that you also need to include an access-list entry for each port:
   access-list outside_access_in permit tcp any interface outside eq 3389
   access-list outside_access_in permit tcp any interface outside eq 3390
   access-list outside_access_in permit tcp any interface outside eq 3391

 
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12308536
You are amazing lrmoore.

I am going to go implement these lines and I'll give you an update... (notice I have to "go" somewhere to access the router because I haven't figured out how to admin the PIX remotely :(


Mike
0
 
LVL 5

Expert Comment

by:epylko
ID: 12308613
Or, you could use different ports on the outside (3389, 3390, etc) and map them to different IP addresses (keeping the same port of 3389) so you don't have to change the listening port on your servers.

-Eric
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12308702
That's helpful..

Thank you Eric
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12308737
Interesting twist, Eric. Thanks.
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12308991
After I get to "pixfirewall#" do I then enter the lines, or do I need to go to another subcommand?
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12309037
On the second line of code (static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255) ... I received:

Error: static overlaps with 169.254.1.3/3389 to 192.168.1.100/3389


* 169.254.1.3 sounds like a bogus DHCP IP
How can I get rid of what seems to be an existing listening DHCP?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12309043
You have to go to config mode:

pixfirewall#config term
pixfirewall(config)#     <=== now you can paste the config
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12309114
pixfirewall# clear xlate

0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12309430
I am still receiving the same error... is there more info I need to give you?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12309473
Do you already have a static xlate for that?
  Can you post your whole config? Be sure to remove any passwords and real public IP's...
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12309878
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.5 annon. computer1
name 192.168.1.6 annon. computer2


**the next lines block internet to (in the actual sense) 6 computers **not shown**

object-group network NoInternet
  description Live Update is Allowed
  network-object annon. computer1 255.255.255.255
object-group service TerminalServices tcp
  description Terminal Service Port for Remote Admin
  port-object eq 3389
access-list inside_access_in deny tcp object-group NoInternet any eq www
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 Residence 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location annon computer1 255.255.255.255 inside
pdm group NoInternet inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
rip inside default version 2
route inside BHCameras 255.255.255.255 AdTran 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http CountryClub 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
isakmp enable outside
isakmp keepalive 100 10
isakmp nat-traversal 20
telnet CountryClub 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username **not given** privilege 15
terminal width 80
Cryptochecksum:
: end
[OK]




I removed all real names and IPs. (The DHCP that is enabled is true)...

:)    lrmoore: here is my problem and what I need:
       -The IP address that was assigned to me by my ISP "is" 12.132.214.32. It is static. The gateway they assigned "is" 12.132.214.1.

       -Strangely enough, the internet only works when DHCP is waiting for an assigned IP address; however, like I said earlier, the returned IP address is bogus. I don't want the IP address to be determined by DHCP, but when I "think" I have statically assigned the PIX's IP address to 12.132.214.32, I get no internet.


        -As soon as the IP address can be established correctly, our point of sale tech support is waiting to RDC (hopefully through the PIX).

         I am extremely grateful for all your help. Ask, and I will give you whatever you need.
               mike
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12309898
I have taken 3 semesters of Cisco but it did jack for me. I have, up to this point, been using the GUI for most of my config........ grrrrr.......
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12309975
If you do have a static IP, then this should be your config (you must have both lines):
   ip address outside 12.132.214.32 255.255.255.???
   route outside 0.0.0.0 0.0.0.0 12.132.214.1

They take the place of this single line:
  >ip address outside dhcp setroute retry 4

You have no other static xlate's so a "clear xlate" should allow you to put the new statics in...
  just cut/paste this. We'll try just one to start with:

  static (inside,outside) tcp 12.132.214.32 3389 192.168.1.100 3389 netmask 255.255.255.255
  access-list outside_access_in permit tcp any 12.132.214.32 eq 3389

 

0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12310333
>>ip address outside 12.132.214.32 255.255.255.255
     route outside 0.0.0.0 0.0.0.0 12.132.214.1

                 ^------------Severed my internet connection

I'm doing something incorrectly with the assigning of the static IP. ;.(....
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12310340
Are you familiar with the GUI for the PIX 501?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12310411
>ip address outside 12.132.214.32 255.255.255.255
                                                                       ^^^
You cannot use a host mask on the interface! You'll have to ask your ISP what your mask is supposed to be.
For now, try it with:
    ip address outside 12.132.214.32 255.255.255.0
                                                                       ^^

Yes, I am familiar with the GUI...

0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12310492
I had actually tried that different subnet (not to mention every other possibility that comes to mind) and the connection is still severing. Is there a possibility that some of the information that I am giving you is incorrect? Would the ISP have any role in this?
**I feel like I'm blindfolded and my hands are tied behind my back***

again, thank you for all your help
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12310559
If it works using dhcp client, then let it get an IP address, and use "show interface" to see what IP /mask you get...
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12310620
This is the most puzzling part to me.... even though the internet works, even though the IP address is what I expect (when I go to 'myipaddress.com'), the PIX says its IP is 169.254.1.2, obviously a mistake.
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12310986
What on earth am I doing incorrectly?!?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12311617
What do you see with "show interface"
 169.254.x.x is an APIPA address that Windows XP/2000 machines default to if no DHCP server can be found....
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12311662
I got something....:)
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12311739
APIPA addresses are not routeable on the Internet just like Private IP's...
I can't see how the PIX would function with this on the interface, unless the DSL modem is in "gateway" mode instead of bridge mode and IT is giving you an IP address, and IT has the 12.x.x.x IP address on its WAN side...???
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12311966
You hit the nail on the head... we have a T3 connection and the transceiving radio has what I call a pseudo router that I did not know about. I just thought it bridged the connection. So I called the ISP and he was like "ya... the radio has NAT enabled..." shoot me now..... After that, everything worked very well. All the code you gave me worked like a charm.

Again, thank you a million times for all your help and support

                                 Michael
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12312051
Great news!

Glad to help any time!
0
 
LVL 1

Author Comment

by:MichaelSwitzer
ID: 12312172
one more quickie....

to open port 80, i just need :

access-list outside_access_in permit tcp any interface outside eq 80   ?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12312199
You got it, but you need the static to go along with it...
  static (inside,outside) tcp interface http <inside IP> http netmask 255.255.255.255

0
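The checks that run through this whole thread (every exposed port needs both a static and a matching access-list entry, two statics cannot claim the same outside address/port, which is the "static overlaps" error above, and an outside interface with a host mask or a 169.254.x.x APIPA address will never route), gathered into an offline audit script. This is an added example written for this page, not code from the thread, the PIX, or Cisco; it parses only the `static`, `access-list` and `ip address` line forms used above, and the sample config embedded in it is constructed (it includes Eric's variant of mapping outside port 3390 to inside port 3389).

```python
"""Offline sanity check for PIX 6.x style static/access-list fragments (added example)."""
import ipaddress
import re

# Line forms as used in the thread; other PIX syntax is ignored.
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp (?P<gaddr>\S+) (?P<gport>\S+) "
    r"(?P<laddr>\S+) (?P<lport>\S+) netmask (?P<mask>\S+)$"
)
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit tcp (?P<src>host \S+|\S+) "
    r"(?P<dst>interface \w+|host \S+|\S+) eq (?P<port>\S+)$"
)
IP_RE = re.compile(r"ip address (?P<ifname>\w+) (?P<addr>[\d.]+) (?P<mask>[\d.]+)$")

# PIX port keywords that may appear in place of a number.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "telnet": 23}


def port_num(token):
    """Map a PIX port keyword (http, www, ...) or a numeric string to an int."""
    return PORT_NAMES.get(token.lower()) or int(token)


def mapped_key(addr_token, port_token):
    """Normalise the outside side of a static or ACL line to (address, port)."""
    if addr_token.startswith("interface"):
        addr = "interface"  # the outside interface's own address
    elif addr_token.startswith("host "):
        addr = addr_token.split()[1]
    else:
        addr = addr_token
    return (addr, port_num(port_token))


def audit(config_text):
    """Return a list of findings (strings) for a config fragment; empty means clean."""
    statics, acls, findings = {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            key = mapped_key(m["gaddr"], m["gport"])
            target = f'{m["laddr"]}/{port_num(m["lport"])}'
            if key in statics:
                # Same condition the PIX rejects: two statics claiming one outside socket.
                findings.append(f"static overlaps: {key[0]}/{key[1]} already maps to "
                                f"{statics[key]}, cannot also map to {target}")
            else:
                statics[key] = target
        elif m := ACL_RE.match(line):
            acls[mapped_key(m["dst"], m["port"])] = m["src"]
        elif m := IP_RE.match(line):
            if m["mask"] == "255.255.255.255":
                findings.append(f'{m["ifname"]}: host mask {m["mask"]} is not valid on an '
                                f"interface; get the real mask from the ISP")
            if ipaddress.ip_address(m["addr"]) in ipaddress.ip_network("169.254.0.0/16"):
                findings.append(f'{m["ifname"]}: {m["addr"]} is an APIPA address (not routable); '
                                f"an upstream device is probably handing out addresses/NATing")
    # A static without an ACL entry is unreachable; an ACL entry without a static translates nothing.
    for key, target in statics.items():
        if key not in acls:
            findings.append(f"static {key[0]}/{key[1]} -> {target} has no access-list entry; "
                            f"inbound traffic will be dropped")
    for key, src in acls.items():
        if key not in statics:
            findings.append(f"access-list permits {key[0]}/{key[1]} but no static translates it")
        elif src == "any":
            findings.append(f"{key[0]}/{key[1]} is open to any source; restrict src to the "
                            f"addresses that need it if possible")
    return findings


# Constructed sample: an intentional overlap on 3389, Eric's 3390->3389 variant,
# an http static with no ACL, an ACL with no static, and the APIPA address the PIX reported.
SAMPLE_CONFIG = """
ip address outside 169.254.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.0.0
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.101 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.102 3389 netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.50 http netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 3390
access-list outside_access_in permit tcp any interface outside eq 3391
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a sanitised `show run` (or paste the lines you are about to add) before pushing them to the firewall; the overlap and missing-pair findings are the two mistakes the thread spent most of its time on, and the interface checks catch the APIPA/host-mask situation before any static is attempted.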
