baggio8 asked:
Cisco PIX501 Configuration for Windows 2003 SBS Remote Web Workplace

Since we installed a Cisco PIX501 I'm not able to connect remotely to the Remote Web Workplace on Windows 2003 SBS.  I'm able to log in to the main menu, but when I click on the button to connect to the server I get the following message:

VBScript: Remote Desktop Disconnected
The client could not connect to the remote computer.  Remote connections might not be enabled or the computer might be too busy to accept new connections.  It is also possible that network problems are preventing your connection.  Please try connecting again later.  If the problem continues to occur, contact your administrator.
carribeantech:

It could be an issue in your configuration; you need to do the following:

static (inside,outside) <public_ip> <private_ip>
access-list inbound permit tcp any host <public_ip> eq 3389
access-group inbound in interface outside

If you are using the pix outside interface to static map the server try the following:


static (inside,outside) tcp interface 3389 <private_ip> 3389 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq 3389
access-group inbound in interface outside

Hope this helps!
Try:

static (inside,outside) tcp 192.168.0.2 4899 192.168.1.2 4899 netmask 255.255.255.255 0 0 #map port to lan comp
conduit permit tcp host 192.168.0.2 eq 4899 any #permit access on LAN comp, app:RAdmin

192.168.0.2 - PIX outside IP
192.168.1.2 - PC on LAN
4899 - app port; for Remote Desktop in Windows use 3899
conduit - used instead of an access-list
Hi,

According to the Cisco website, conduits will be deprecated in future versions and their use is not recommended.

Please refer to the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_field_notice09186a00801d3621.shtml
Yes, I know, but:

The PIX 501, PIX 506E, and PIX 520 security appliances are not supported in software Version 7.0.

You will never load IOS 7.0 on a PIX 501, so you can use the conduit command.
baggio8 (ASKER):

Thanks for the comments.  It will take me up to a week to respond since I have other more pressing issues that I must attend to.
baggio8 (ASKER):

carribeantech: I added your suggestion and got the following:

Result of firewall command: "static (inside,outside) tcp interface 3389 <private_ip> 3389 netmask 255.255.255.255"
 
ERROR: invalid local IP address <private_ip>
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed

Result of firewall command: "access-list inbound permit tcp any interface outside eq 3389"
 

Result of firewall command: "access-group inbound in interface outside"
Should I have added an IP address where it showed <private_ip> ?  And if so, what?   Thanks!
baggio8 (ASKER):

M3rc74: I added your suggestion and got the following:

Result of firewall command: "static (inside,outside) tcp 192.168.0.2 4899 192.168.1.2 4899 netmask 255.255.255.255 0 0 #map port to lan comp"
 
ERROR: duplicate of existing static
    from inside:Server to outside:66.194.139.46 netmask 255.255.255.255
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed

Result of firewall command: "conduit permit tcp host 192.168.0.2 eq 4899 any #permit access on LAN comp, app:RAdmin"
 
ERROR: extra command argument(s)
Usage:      [no] conduit deny|permit <protocol>|object-group <protocol_obj_grp_id>
            <g_ip> <g_mask> | object-group <network_obj_grp_id>
            [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
            <f_ip> <f_mask> | object-group <network_obj_grp_id>
            [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[no] conduit deny|permit icmp <g_ip> <g_mask> | object-group <network_obj_grp_id>
            <f_ip> <f_mask> | object-group <network_obj_grp_id>
            [<icmp_type> | object-group <icmp_type_obj_grp_id>]
Command failed


Any other thoughts?   Thanks!
You must use the SBS 2003 IP instead of my IP 192.168.1.2, and the port for Remote Desktop is 3389.

static (inside,outside) tcp <outside_IP_address> 3389 <sbs2003_IP_address> 3389 netmask 255.255.255.255 0 0
conduit permit tcp host <outside_IP_address> eq 3389 any

Remove all access-list commands.
Windows Small Business Server 2003 uses a feature named Remote Web Workplace. This feature uses TCP port 4125 for listening to RDP connections.

Also enable TCP port 4125.

static (inside,outside) tcp <outside_IP_address> 4125 <sbs2003_IP_address> 4125 netmask 255.255.255.255 0 0
conduit permit tcp host <outside_IP_address> eq 4125 any
baggio8 (ASKER):

M3rc74:
I am very inexperienced in Cisco commands.  If I understand correctly, I should enter the following commands:

static (inside,outside) tcp <outside_IP_address> 3389 <sbs2003_IP_address> 3389 netmask 255.255.255.255 0 0
conduit permit tcp host <outside_IP_address> eq 3389 any

static (inside,outside) tcp <outside_IP_address> 4125 <sbs2003_IP_address> 4125 netmask 255.255.255.255 0 0
conduit permit tcp host <outside_IP_address> eq 4125 any

remove all access-list

Would I just type "remove all access-list"?  I currently have the following in my config:

access-list outside_access_in permit tcp any host <outside_IP_address> object-group Service-service-group log
access-list outside_access_in permit icmp any host <outside_IP_address> echo-reply log
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpngroup_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0


Won't that interfere with it?  Thanks
Conduit and access-list can work together; try without removing the access-lists.

Use the no form of a command to remove it.

Example:

static (inside,outside) tcp <outside_IP_address> 3389 <sbs2003_IP_address> 3389 netmask 255.255.255.255 0 0
conduit permit tcp host <outside_IP_address> eq 3389 any

no static (inside,outside) tcp <outside_IP_address> 3389 <sbs2003_IP_address> 3389 netmask 255.255.255.255 0 0
no conduit permit tcp host <outside_IP_address> eq 3389 any
baggio8 (ASKER):

M3rc74:

Both lines produced errors.  I am posting the current config.

Result of firewall command: "static (inside,outside) tcp xx.xxx.xxx.xx 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0 "
 
ERROR: duplicate of existing static
    from inside:Server to outside:xx.xxx.xxx.xx netmask 255.255.255.255
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed

Result of firewall command: "conduit permit tcp host xx.xxx.xxx.xx eq 3389 any "
 

Result of firewall command: ""
 

Result of firewall command: "static (inside,outside) tcp xx.xxx.xxx.xx 4125 192.168.0.2 4125 netmask 255.255.255.255 0 0"
 
ERROR: duplicate of existing static
    from inside:Server to outside:xx.xxx.xxx.xx netmask 255.255.255.255
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed

Result of firewall command: "conduit permit tcp host xx.xxx.xxx.xx eq 4125 any"
Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname pix-veits
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 Server
name 64.219.161.225 NetworkPartnersSyslogServer
object-group service Service-service-group tcp
  port-object eq ident
  port-object eq https
  port-object eq smtp
  port-object eq www
access-list outside_access_in permit tcp any host 66.194.139.46 object-group Service-service-group log
access-list outside_access_in permit icmp any host 66.194.139.46 echo-reply log
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpngroup_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inbound permit tcp any interface outside eq 3389
pager lines 24
logging on
logging timestamp
logging monitor informational
logging device-id ipaddress outside
logging host outside NetworkPartnersSyslogServer
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xx 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.100-192.168.100.115
pdm location 205.172.249.0 255.255.255.0 outside
pdm location xx.xxx.xxx.xx 255.255.255.255 outside
pdm location Server 255.255.255.255 inside
pdm location NetworkPartnersSyslogServer 255.255.255.255 outside
pdm location 192.168.0.96 255.255.255.224 outside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 64.233.245.0 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.xxx.xx Server dns netmask 255.255.255.255 0 0
static (outside,inside) Server xx.xxx.xxx.xx netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit tcp host xx.xxx.xxx.xx eq 3389 any
conduit permit tcp host xx.xxx.xxx.xx eq 4125 any
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host Server veitsgroupllc timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 192.5.41.209 source outside
http server enable
http 205.172.249.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnpool
vpngroup vpngroup dns-server Server
vpngroup vpngroup wins-server Server
vpngroup vpngroup default-domain mydomain.local
vpngroup vpngroup split-tunnel vpngroup_splitTunnelAcl
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet timeout 5
ssh 205.172.249.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.xx 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access outside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username fwadmin password xxxxxxxxxxxxxxxx encrypted privilege 15
username veitsremote password xxxxxxxxxxxxxxxx encrypted privilege 3
username abhat password xxxxxxxxxxxxxxxx encrypted privilege 3
username vraman password xxxxxxxxxxxxxxxx encrypted privilege 3
username dkonstan password xxxxxxxxxxxxxxxx encrypted privilege 3
username slakshmi password xxxxxxxxxxxxxxxx encrypted privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxx
: end
[OK]

Remove:
static (inside,outside) xx.xxx.xxx.xx Server dns netmask 255.255.255.255 0 0

then try:

static (inside,outside) tcp xx.xxx.xxx.xx 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.xxx.xx 4125 192.168.0.2 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.xxx.xx dns 192.168.0.2 dns netmask 255.255.255.255 0 0
baggio8 (ASKER):

Result of firewall command: "no static (inside,outside) xx.xxx.xxx.xx Server dns netmask 255.255.255.255 0 0"
 
The command has been sent to the firewall

Result of firewall command: "static (inside,outside) tcp xx.xxx.xxx.xx 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0"
 

Result of firewall command: "static (inside,outside) tcp xx.xxx.xxx.xx 4125 192.168.0.2 4125 netmask 255.255.255.255 0 0"
 

Result of firewall command: "static (inside,outside) tcp xx.xxx.xxx.xx dns 192.168.0.2 dns netmask 255.255.255.255 0 0"
 
invalid global port dns
Usage:      [no] static [(real_ifc, mapped_ifc)]
            {<mapped_ip>|interface}
            {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
      [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
            {<mapped_ip>|interface} <mapped_port>
            {<real_ip> <real_port> [netmask <mask>]} |
            {access-list <acl_name>}
            [dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed

Hi baggio8,

Try the following:

static (inside,outside) tcp xx.xxx.xxx.xx 53 192.168.0.2 53 netmask 255.255.255.255 0 0

Hope this helps!
baggio8 (ASKER):

static (inside,outside) tcp xx.xxx.xxx.xx 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.xxx.xx 4125 192.168.0.2 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.xxx.xx dns 192.168.0.2 dns netmask 255.255.255.255 0 0
When I tried to remove these lines after I got the failure I got disconnected and now I can't get back in to the PIX and there is no access to the mailserver.  Sounds like I removed something that I shouldn't have.  Isn't there a way to telnet into the PIX and use command line instructions and if so, how should I do this?  I'm kind of desperate now since the mail server is down.
ASKER CERTIFIED SOLUTION
carribeantech:
baggio8 (ASKER):

Carribeantech: Is there any way to ssh from the outside?
Sure.

Try to SSH to the PIX firewall's outside IP address; it's already enabled.
baggio8 (ASKER):

carribeantech: That fixed it and gave me access to Remote Web Workplace, but now split tunneling won't work.  Any ideas how to fix it back?  See https://www.experts-exchange.com/questions/21494223/How-to-enable-split-tunneling-in-Cisco-PIX501.html
Hi,

Add the following lines:

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpngroup_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

Hope this helps!
baggio8 (ASKER):

I already have those lines loaded.
Could you upload the current config?
baggio8 (ASKER):

Building configuration...
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname pix-veits
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 Server
name 64.219.161.225 NetworkPartnersSyslogServer
object-group service Service-service-group tcp
  port-object eq ident
  port-object eq https
  port-object eq smtp
  port-object eq www
access-list outside_access_in permit tcp any host xx.xxx.xxx.xx object-group Service-service-group log
access-list outside_access_in permit icmp any host xx.xxx.xxx.xx echo-reply log
access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq 3389
access-list outside_access_in permit tcp any host xx.xxx.xxx.xx eq 4125
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpngroup_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inbound permit tcp any interface outside eq 3389
pager lines 24
logging on
logging timestamp
logging monitor informational
logging device-id ipaddress outside
logging host outside NetworkPartnersSyslogServer
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.xxx.xx 255.255.255.224
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.100-192.168.100.115
pdm location 205.172.249.0 255.255.255.0 outside
pdm location xx.xxx.xxx.xx 255.255.255.255 outside
pdm location Server 255.255.255.255 inside
pdm location NetworkPartnersSyslogServer 255.255.255.255 outside
pdm location 192.168.0.96 255.255.255.224 outside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 64.233.245.0 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xxx.xxx.xx Server dns netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host Server veitsgroupllc timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 192.5.41.209 source outside
http server enable
http 205.172.249.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnpool
vpngroup vpngroup dns-server Server
vpngroup vpngroup wins-server Server
vpngroup vpngroup default-domain veitsgroup.local
vpngroup vpngroup split-tunnel vpngroup_splitTunnelAcl
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet timeout 5
ssh 205.172.249.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh xx.xxx.xxx.x 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access outside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username fwadmin password xxxxxxxxxxxxxxxx encrypted privilege 15
username veitsremote password xxxxxxxxxxxx encrypted privilege 3
username abhat password xxxxxxxxxxxxx encrypted privilege 3
username vraman password xxxxxxxxxxxx encrypted privilege 3
username dkonstan password xxxxxxxxxxxxx encrypted privilege 3
username slakshmi password xxxxxxxxxxxxxx encrypted privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
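The two posted configurations and the "duplicate of existing static" errors above all come down to the same questions: which inbound TCP ports are both translated by a static and permitted by a bound access-list or conduit, which port-level statics collide with an already existing one-to-one static, which access-lists are defined but bound nowhere (the stray "inbound" list), and which management services are open to any outside host. The following script is an added example, not code from the thread or from Cisco; it parses the PIX 6.3 syntax shown in the posts. The sample config it contains is constructed to resemble the one posted, with 203.0.113.10 standing in for the masked outside address, and the helper names (parse_config, exposed_tcp_ports, static_conflicts, unapplied_acls, management_findings) are the example's own.

```python
"""Audit a PIX 6.3 config: what reaches the server, what would collide, what is left open.
Hypothetical helper written for this thread, not Cisco code. Only the command forms seen
in the posts are parsed; object-group service entries are noted but not expanded."""
import re
from dataclasses import dataclass, field


@dataclass
class PixConfig:
    names: dict = field(default_factory=dict)         # symbolic name -> IP (from 'name' lines)
    full_statics: dict = field(default_factory=dict)  # mapped IP -> real IP (one-to-one static)
    port_statics: list = field(default_factory=list)  # (proto, mapped IP, mapped port, real IP, real port)
    acl_names: set = field(default_factory=set)       # every ACL that has at least one entry
    acl_rules: dict = field(default_factory=dict)     # ACL -> [(proto, mapped IP, "eq <p>"|"object-group <g>")]
    referenced: set = field(default_factory=set)      # ACLs bound via access-group, nat 0 or split-tunnel
    conduits: list = field(default_factory=list)      # (proto, mapped IP, port)
    mgmt_lines: list = field(default_factory=list)    # raw "ssh|http|telnet <net> <mask> <ifc>" lines
    snmp: list = field(default_factory=list)          # raw snmp-server lines


ACL_RE = re.compile(r"access-list (\S+) permit (\S+) any host (\S+) (eq \S+|object-group \S+)")
CONDUIT_RE = re.compile(r"conduit permit (\S+) host (\S+) eq (\S+) any")


def parse_config(text):
    cfg = PixConfig()

    def res(tok):  # resolve 'name' aliases such as Server to their IP
        return cfg.names.get(tok, tok)

    for raw in text.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:
            cfg.names[t[2]] = t[1]
        elif t[0] == "static" and t[1] == "(inside,outside)":
            if t[2] in ("tcp", "udp"):                 # port-level static
                cfg.port_statics.append((t[2], res(t[3]), t[4], res(t[5]), t[6]))
            else:                                      # one-to-one static
                cfg.full_statics[res(t[2])] = res(t[3])
        elif t[0] == "access-list":
            cfg.acl_names.add(t[1])
            m = ACL_RE.match(line)
            if m:
                cfg.acl_rules.setdefault(m[1], []).append((m[2], res(m[3]), m[4]))
        elif t[0] == "access-group":
            cfg.referenced.add(t[1])
        elif t[0] == "nat" and "access-list" in t:
            cfg.referenced.add(t[t.index("access-list") + 1])
        elif t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg.referenced.add(t[3])
        elif t[0] == "conduit":
            m = CONDUIT_RE.match(line)
            if m:
                cfg.conduits.append((m[1], res(m[2]), m[3]))
        elif t[0] in ("ssh", "http", "telnet") and len(t) == 4:
            cfg.mgmt_lines.append(line)
        elif t[0] == "snmp-server":
            cfg.snmp.append(line)
    return cfg


def static_conflicts(cfg):
    """Port statics whose mapped IP already has a one-to-one static. PIX 6.3 rejects
    these at entry with 'ERROR: duplicate of existing static', the error seen in the thread."""
    return [ps for ps in cfg.port_statics if ps[1] in cfg.full_statics]


def exposed_tcp_ports(cfg):
    """{(mapped IP, port): 'real IP:port'} for TCP ports that are BOTH translated and permitted.
    A permit without a static (or a static without a permit) delivers nothing and is omitted."""
    permitted = set()
    for name in cfg.referenced:
        for proto, dst, spec in cfg.acl_rules.get(name, []):
            if proto == "tcp" and spec.startswith("eq "):   # object-group entries not expanded
                permitted.add((dst, spec.split()[1]))
    permitted.update((ip, port) for proto, ip, port in cfg.conduits if proto == "tcp")
    reach = {}
    for ip, port in sorted(permitted):
        real = next((f"{rip}:{rport}" for proto, mip, mport, rip, rport in cfg.port_statics
                     if proto == "tcp" and (mip, mport) == (ip, port)), None)
        if real is None and ip in cfg.full_statics:      # one-to-one static forwards every port
            real = f"{cfg.full_statics[ip]}:{port}"
        if real:
            reach[(ip, port)] = real
    return reach


def unapplied_acls(cfg):
    """ACLs that exist but are bound nowhere, like the leftover 'inbound' list in the thread."""
    return cfg.acl_names - cfg.referenced


def management_findings(cfg):
    """Management access open to any outside host, plus the default SNMP community."""
    out = [l for l in cfg.mgmt_lines if l.split()[1:] == ["0.0.0.0", "0.0.0.0", "outside"]]
    return out + [l for l in cfg.snmp if l.endswith("community public")]


# Constructed sample modelled on the posted config; 203.0.113.10 stands in for the masked outside IP.
SAMPLE_CONFIG = """\
name 192.168.0.2 Server
access-list outside_access_in permit tcp any host 203.0.113.10 object-group Service-service-group log
access-list outside_access_in permit tcp any host 203.0.113.10 eq 3389
access-list outside_access_in permit tcp any host 203.0.113.10 eq 4125
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inbound permit tcp any interface outside eq 3389
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 203.0.113.10 Server dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 3389 Server 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit tcp host 203.0.113.10 eq 4125 any
ssh 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.255.0 inside
snmp-server community public
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("reachable:", exposed_tcp_ports(cfg))
    print("static conflicts:", static_conflicts(cfg))
    print("unbound ACLs:", unapplied_acls(cfg))
    print("management:", management_findings(cfg))
```

Feed it the running config plus the lines you intend to add before sending them to the PIX: a port static listed under static conflicts is the one the box will refuse while a one-to-one static for the same outside address exists, and the reachable map shows that with the one-to-one static in place only the permits (3389 and 4125 in the access-list or conduits) decide what reaches the SBS server. The management check reflects what both posted configs contain: ssh and http from 0.0.0.0 0.0.0.0 on the outside interface, and the default SNMP community.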
baggio8 (ASKER):

carribeantech:
Have you had a chance to look at what cancelled out the split tunneling?
Hi baggio8,

The configuration seems fine to me.

Try removing the following line:

no vpngroup vpngroup dns-server Server

Hope this helps!
baggio8 (ASKER):

Carribeantech:
Good work! Problem fixed.