Solved

Configure PIX 501 to access remote features of SBS2003

Posted on 2005-05-11
Last Modified: 2013-11-16
I have a Cisco PIX 501 firewall on a single class C network 192.168.1.x
The outside is connected via a modem that delivers a single public IP address using DHCP
There is a Small Business Server 2003 on 192.168.1.10
There is only one NIC in the server.
DHCP is handled by the SBS2003
The default configuration allows outbound web access OK
I want to configure the PIX to allow access to the remote features of Small Business Server. (Remote web workplace, Outlook Web Access, Outlook over http, VPN etc)
Should I just use port forwarding from the PIX501 to the server IP address on ports 3389,4125,47,1723,443,444,80,21,25?
Will this allow the Small Business Server to be the VPN server or should I use the PIX for this?
If I use the PIX as the VPN server do I have to add a username and password for every remote user?
Am I thinking in the right direction or should I be doing something different to this? If you can include the PIX commands required that would be excellent.
Question by: Milkybar-kid

6 Comments

Accepted Solution by: nodisco (earned 2000 total points)
ID: 13984442
"I want to configure the PIX to allow access to the remote features of Small Business Server. (Remote web workplace, Outlook Web Access, Outlook over http, VPN etc)"

"Should I just use port forwarding from the PIX501 to the server IP address on ports 3389,4125,47,1723,443,444,80,21,25"
You will need an exclusive static public address to translate from your internal network.  You may already have one of these from your ISP or may need to get another - when you get a connection with an ISP - they may have given you a pool of public ips - do you have this or do you have a free public ip?

"Will this allow the Small Business Server to be the VPN server or should I use the PIX for this."
Definitely use the PIX - it is a far better solution

"If I use the PIX as the VPN server do I have to add a username and password for every remote user?"
You don't need a specific username and password for every specific user - you can use a single account for several users ( note that the max number of ipsec vpn tunnels for a pix 501 is 10 - this is for software release 6.3)

"Am I thinking in the right direction or should I be doing something different to this ? If you can include the PIX commands required that would be excellent."
Yes - you are on the right lines - PIX for VPN, static translate your SBS server to the ips you want to access it :

conf t
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0
(where x.x.x.x is the static public ip assigned by your ISP and y.y.y.y is the internal lan address of your sbs server.)

access-list fromoutside permit tcp any host x.x.x.x eq 3389
access-list fromoutside permit tcp any host x.x.x.x eq 4125
access-list fromoutside permit gre any host x.x.x.x
access-list fromoutside permit tcp any host x.x.x.x eq 1723
access-list fromoutside permit tcp any host x.x.x.x eq 443
access-list fromoutside permit tcp any host x.x.x.x eq 444
access-list fromoutside permit tcp any host x.x.x.x eq 80
access-list fromoutside permit tcp any host x.x.x.x eq 21
access-list fromoutside permit tcp any host x.x.x.x eq 25
(based on the premise that the ports are tcp ports - replace tcp with udp for udp ports. Note that 47 is not a tcp port but the IP protocol number of GRE, which PPTP uses alongside tcp 1723, so it is permitted as protocol gre rather than as tcp eq 47.)
access-group fromoutside in interface outside

If you have any further queries - pls post

Author Comment by: Milkybar-kid
ID: 13994566
Thanks.

Can you just help me be clear about the VPN.

I currently have a fixed IP. This is bridged to the outside interface of the PIX using DHCP on the PIX. I could get a range of IPs if necessary.

I want to use the standard VPN client built in to XP. I am used to configuring PPTP clients but you have mentioned IPSEC. So I can set up a single user account on the PIX for any user to connect through and I assume therefore that I reserve a range of IP numbers for the PIX to assign to client connections. Can the PIX be a PPTP server? When the client connects how do they get DNS information for the internal network? Isn't it just easier to forward PPTP traffic to the small business server and allow that to assign the VPN information including IP and DNS?

Am I making sense?

Author Comment by: Milkybar-kid
ID: 13994915
Hmm ..

I have run the set of commands above. I started off with just adding in Port 80 and I could get into the web server no problem. So I then added the other ports and it broke web browsing from inside the network. So now I want to try and eliminate which one caused the problem (on the basis that in principle this works fine because port 80 worked)

I used the PDM to start removing each port but even after I had removed every line I could still not access the Internet from the safe side of the PIX.

Expert Comment by: nodisco
ID: 13999028
Milkybar-kid

Regarding the browsing issue - do the following :
clear xlate

write up the access-lists and re-apply the access-group command : access-group fromoutside in interface outside

This should be re-entered after making changes to access-lists.

Regarding VPN:
You will require a fixed ip address.  In answer to your Q's:
<I am used to configuring PPTP clients but you have mentioned IPSEC.>
IPSec is a more secure technology than pptp but pptp is still widely deployed for VPN

<So I can setup a single user account on the PIX for any user to connect through and I assume therefore that I reserve a range of IP numbers for the PIX to assign to client connections.>
Exactly. You can use several usernames or just one - you assign a vpn pool of addresses that users pick up on connection.

<Can the PIX be a PPTP server ?>
Yes

< When the client connects how do they get DNS information for the internal network ?>
You configure vpdn to assign WINS/DNS information for the pptp pool users on their connection - very straight-forward.

<Isn't it just easier to forward PPTP traffic to the small business server and allow that to assign the VPN information including IP and DNS ?>
You can - from a security point of view though, the PIX is your protection from the outside - I would go with it as your firewall solution - besides, IPsec vpn tunnels terminated at the PIX are about as secure as you will realistically go.

<Am I making sense ?>
Yes!

Hope this helps
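The PIX-as-PPTP-server setup nodisco describes above (a local account shared by remote users, a pool of addresses handed out on connection, DNS/WINS pushed to the client), written out as an added example in PIX 6.3 vpdn syntax; it is not from this thread or from the linked Cisco page. The pool range 192.168.2.1-192.168.2.10, the group number, the account name and the nonat list name are assumptions, and 192.168.1.10 is the SBS address from the question; `!---` lines are explanatory comments in Cisco documentation style and are not typed into the PIX.

```cisco
!--- Addresses handed to PPTP clients; a separate subnet from the 192.168.1.0/24 LAN
!--- (pool range is a constructed example)
ip local pool pptp-pool 192.168.2.1-192.168.2.10

!--- Exempt LAN <-> VPN pool traffic from NAT so clients reach internal hosts by real address
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

!--- Permit PPTP (tcp 1723 + GRE) to terminate on the outside interface
!--- without adding it to the fromoutside access-list
sysopt connection permit-pptp

!--- Accept inbound PPTP; allow only MS-CHAP and require 128-bit MPPE so that
!--- PAP/CHAP (cleartext or unencrypted PPP) cannot be negotiated
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128 required

!--- Assign pool addresses and push the SBS box (192.168.1.10) as DNS and WINS
!--- so clients resolve internal names after connecting
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 192.168.1.10
vpdn group 1 client configuration wins 192.168.1.10

!--- Authenticate against the PIX local user database; one shared account as nodisco
!--- suggests (account name constructed, password is a placeholder)
vpdn group 1 client authentication local
vpdn username remoteuser password REPLACE-WITH-STRONG-PASSWORD

!--- Start listening for PPTP on the outside interface
vpdn enable outside
```

With a single shared account, disconnecting one departed user means changing the password for everyone, so per-user `vpdn username` entries (or an external AAA server) are the option to grow into if that matters.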
Expert Comment by: nodisco
ID: 13999051
Have a look at this link for setting up PPTP for PIX
http://www.cisco.com/warp/public/110/pptppix.html

Expert Comment by: nodisco
ID: 14219305
MilkyBar-kid

Are you still having issues or can this be closed?

cheers