compsol1993

configure pix501 for sbs2003 remote access

I have recently upgraded to an SBS2003 server from NT 4.5. We have a Cisco PIX 501 firewall installed by a local dealer who no longer supports it. Our ISP provides us with 8 static IPs - xx.xx.xx.104 to 111. Currently the PIX 501 is configured to allow anyone inside to access the internet on IP .104, e-mail is coming to my server via IP .111 and we have a couple of pcAnywhere clients using IPs .105, .106, .107. I'd like to configure the PIX 501 to allow access to features of SBS so that all users can get to their desktops. I have done this at other installations with the Linksys router by using port forwarding of ports 443-444, 3389 and 4125 to the server IP when there was just 1 static IP. I'm not sure how to configure the PIX 501 to accomplish the same task. I am using the PDM device manager 2.0 to configure the 501. I have my server set up in the hosts/network tab with the server's IP 10.0.0.3 matched with the ISP IP of xx.xx.xx.111. I have set up a translation rule for 10.0.0.3 to xx.xx.xx.111. For the mail I have set up an access rule for SMTP & HTTP and the mail works fine. I set up an access rule for the ports required by SBS2003 remote using a service group I named sbsremote for the 4 ports required for sbsremote. When I try to access SBS remote using xx.xx.xx.111/remote I can't connect. Any ideas?
harbor235

Use the static command to perform port forwarding like this:

static (inside,outside) tcp xx.xx.xx.xx 3389 yy.yy.yy.yy 3389 netmask 255.255.255.255 0 0

x= outside address
y=inside address

harbor235
compsol1993

ASKER

I am currently configuring the PIX 501 using the PDM interface. I have configured the ports using it. Is there something about the command language that is different? I haven't used the command language interface yet. Is it possible to connect to the PIX 501 other than with the PDM interface? I read a post here that if I am connecting to the PIX using PDM it listens on port 443 and that will prevent me from accessing SBS2003 remotely. If I need to remove PDM access, how can I configure the PIX 501? Do I need to connect serially or can I connect using something like telnet? As you can tell I'm not very experienced in working with Cisco products.
You can either telnet to it or plug a console cable into it.  Telnet access is controlled by IP address though, so you will need to go into the PDM and allow your machine access first.

Now I'm not that familiar with the PDM v2, but it should be similar.

Firstly, if you create a static PAT using HTTPS to the outside interface of the PIX, it means that you cannot access the PDM from outside i.e. over the Internet, but you will still be able to access it from inside your network. The static PAT will override the HTTPS port that the PDM uses so that you will be able to access the SBS. However, you have 8 static IP addresses, so you can use one of them to allow access to your SBS machine.

It seems that you have done everything correctly. Can you post the config for us?
I thought I had another solution but it didn't work out. I tried to access using telnet but there is a password. I tried to change the password in the PDM but I have to know the old one. Any ideas what the password might be for an initial setup?

Here is my config

Building configuration...
: Saved
:
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name accudyn.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.0.0.2 NTServer
name 10.0.0.17 Peg
name 10.0.0.24 ACCUDYN
name 10.0.0.14 Damon
name 10.0.0.3 APISRV
object-group service sbsremote tcp
  description small business server remote access
  port-object range 4125 4125
  port-object range https 444
  port-object range 3389 3389
access-list inside_access_in permit ip 10.0.0.0 255.255.255.0 any
access-list outside_access_in permit tcp any host 66.211.192.111 eq smtp
access-list outside_access_in permit tcp any host 66.211.192.111 eq www
access-list outside_access_in permit tcp any host 66.211.192.110 eq pcanywhere-data
access-list outside_access_in permit udp any host 66.211.192.110 eq pcanywhere-status
access-list outside_access_in permit tcp any host 66.211.192.111 eq pcanywhere-data
access-list outside_access_in permit udp any host 66.211.192.111 eq pcanywhere-status
access-list outside_access_in permit tcp any host 66.211.192.105 eq pcanywhere-data
access-list outside_access_in permit udp any host 66.211.192.105 eq pcanywhere-status
access-list outside_access_in permit tcp any host 66.211.192.106 eq pcanywhere-data
access-list outside_access_in permit udp any host 66.211.192.106 eq pcanywhere-status
access-list outside_access_in permit tcp any host 66.211.192.107 eq pcanywhere-data
access-list outside_access_in permit udp any host 66.211.192.107 eq pcanywhere-status
access-list outside_access_in permit tcp any range https 444 host 66.211.192.111 range https 444
access-list outside_access_in permit tcp any host 66.211.192.111 range 3389 3389
access-list outside_access_in permit tcp any range 4125 4125 host 66.211.192.111 range 4125 4125
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 66.211.192.104 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location NTServer 255.255.255.255 inside
pdm location Peg 255.255.255.255 inside
pdm location ACCUDYN 255.255.255.255 inside
pdm location Damon 255.255.255.255 inside
pdm location APISRV 255.255.255.255 inside
pdm location 10.0.0.10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 66.211.192.110 NTServer netmask 255.255.255.255 0 0
static (inside,outside) 66.211.192.105 ACCUDYN netmask 255.255.255.255 0 0
static (inside,outside) 66.211.192.106 Peg netmask 255.255.255.255 0 0
static (inside,outside) 66.211.192.107 Damon netmask 255.255.255.255 0 0
static (inside,outside) 66.211.192.111 APISRV netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.211.192.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http NTServer 255.255.255.255 inside
http APISRV 255.255.255.255 inside
http Damon 255.255.255.255 inside
http 10.0.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet NTServer 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:5e3f6746ea015445c7b0c82f49f2b239
: end
[OK]


Okay I see where your problem is. Firstly I assume that APISRV is your SBS2003 machine and that it is mapped to 66.211.192.111 using the following static.

static (inside,outside) 66.211.192.111 APISRV netmask 255.255.255.255 0 0

Now for your access-lists you have:

>access-list outside_access_in permit tcp any range https 444 host 66.211.192.111 range https 444
                                                                    ^^^^^^^^^
access-list outside_access_in permit tcp any host 66.211.192.111 range 3389 3389
>access-list outside_access_in permit tcp any range 4125 4125 host 66.211.192.111 range 4125 4125
                                                                    ^^^^^^^^^

Note where I have marked above. What that line says is: accept connections to 66.211.192.111 on port 4125 only when the source port is also 4125, which is incorrect. The source port is dynamic and can be any port. You should not specify the source ports.

You should remove those entries that were marked and your configuration should be something like this (note the use of the service group):

object-group service sbsremote tcp
  description small business server remote access
  port-object eq 4125
  port-object range https 444
  port-object eq 3389

access-list outside_access_in permit tcp any host 66.211.192.111 object-group sbsremote
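
The two fixes discussed in this thread (harbor235's static / static PAT port forwarding, and the source-port restriction in the outside access-list above) are easy to check mechanically. The linter below is an added example for this page; it is not Cisco tooling and not the poster's configuration. It runs over a constructed excerpt of the posted config, flags outside_access_in entries that restrict the source port, cross-checks that every public host permitted inbound has a static translation, notes the default SNMP community that also appears in the posted config, and emits the corrected object-group plus single ACL line. The 66.211.192.108 line in the sample is constructed only to exercise the "no static" check; all function and class names (lint_pix, AclEntry, fix_entry, consolidate) are this example's own.

```python
"""Lint PIX 6.x access-list / static lines for the mistakes discussed above.

Added example for this thread; not Cisco tooling and not the poster's config.
"""
from __future__ import annotations
from dataclasses import dataclass

PORT_NAMES = {"https": 443, "www": 80, "smtp": 25}  # PIX keywords used here

# Constructed excerpt of the config posted in this thread. The .108 line is
# added only to exercise the "no static" check; it is not in the poster's config.
SAMPLE_CONFIG = """\
name 10.0.0.3 APISRV
access-list outside_access_in permit tcp any host 66.211.192.111 eq smtp
access-list outside_access_in permit tcp any range https 444 host 66.211.192.111 range https 444
access-list outside_access_in permit tcp any host 66.211.192.111 range 3389 3389
access-list outside_access_in permit tcp any range 4125 4125 host 66.211.192.111 range 4125 4125
access-list outside_access_in permit tcp any host 66.211.192.108 eq www
static (inside,outside) 66.211.192.111 APISRV netmask 255.255.255.255 0 0
snmp-server community public
"""


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    src_ports: tuple | None  # (lo, hi); None means "any port"
    dst: str
    dst_ports: tuple | None
    raw: str


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks, i):
    """Consume any | host A | A MASK; return (canonical text, next index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2


def _ports(toks, i):
    """Consume an optional eq/range/gt/lt/neq operator; None if absent."""
    if i >= len(toks):
        return None, i
    if toks[i] == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    if toks[i] in ("gt", "lt", "neq"):  # still a restriction; recorded as a point
        p = _port(toks[i + 1])
        return (p, p), i + 2
    return None, i


def parse_acl(line):
    t = line.split()  # access-list NAME permit|deny PROTO SRC [ports] DST [ports]
    src, i = _addr(t, 4)
    sp, i = _ports(t, i)
    dst, i = _addr(t, i)
    dp, _ = _ports(t, i)
    return AclEntry(t[1], t[2], t[3], src, sp, dst, dp, line)


def parse_statics(lines, names):
    """Map public address -> inside address for both 1:1 and port (PAT) statics."""
    out = {}
    for l in lines:
        t = l.split()
        if t[0] != "static":
            continue
        pub, loc = (t[3], t[5]) if t[2] in ("tcp", "udp") else (t[2], t[3])
        out[pub] = names.get(loc, loc)
    return out


def lint_pix(config):
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    names = {t[2]: t[1] for t in (l.split() for l in lines) if t[0] == "name"}
    statics = parse_statics(lines, names)
    findings = []
    for e in (parse_acl(l) for l in lines if l.startswith("access-list")):
        if e.name != "outside_access_in" or e.action != "permit":
            continue
        if e.src_ports is not None:  # the bug identified in this thread
            findings.append(("source_port_restricted", e.raw))
        if e.dst.startswith("host ") and e.dst.split()[1] not in statics:
            findings.append(("no_static_for_destination", e.raw))
    if "snmp-server community public" in lines:
        findings.append(("default_snmp_community", "snmp-server community public"))
    return findings


def fix_entry(e):
    """Rewrite one ACL line with the source-port restriction removed."""
    if e.dst_ports is None:
        dp = ""
    elif e.dst_ports[0] == e.dst_ports[1]:
        dp = f" eq {e.dst_ports[0]}"
    else:
        dp = f" range {e.dst_ports[0]} {e.dst_ports[1]}"
    return f"access-list {e.name} {e.action} {e.proto} {e.src} {e.dst}{dp}"


def consolidate(entries, group="sbsremote"):
    """Merge tcp permits to one host into one object-group and one ACL line."""
    out = [f"object-group service {group} tcp"]
    for e in entries:
        lo, hi = e.dst_ports
        out.append(f"  port-object eq {lo}" if lo == hi else f"  port-object range {lo} {hi}")
    out.append(f"access-list {entries[0].name} permit tcp any {entries[0].dst} object-group {group}")
    return out


if __name__ == "__main__":
    for kind, raw in lint_pix(SAMPLE_CONFIG):
        print(f"{kind}: {raw}")
    sbs = [parse_acl(l) for l in SAMPLE_CONFIG.splitlines()
           if l.startswith("access-list") and "66.211.192.111" in l and "smtp" not in l]
    print("\n".join(consolidate(sbs)))
```

To run it against a real box, paste the output of `show running-config` into SAMPLE_CONFIG. The static cross-check is the one to read first when a port you opened still does not answer: an outside ACL permit for a public address that has no static (and is not the outside interface itself) will never reach an inside host.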

ASKER CERTIFIED SOLUTION
pazmanpro

Thanks pazmanpro. That was the ticket. I had tried the sbsremote but had it on both the inside and outside. I thought that at one time I had used the any option on the outside but I must have missed it. As far as deleting the question, I inadvertently published the IP addresses and wanted the question removed to enhance security. I would still like the question removed but pazmanpro should get credit for the solution.