
Enabling RAS on PIX 501

Last Modified: 2013-11-16

I wish to configure my PIX 501 for RAS remote access, but I am unsure of what I need to add to my firewall in terms of directing traffic to my RAS server. What access lists etc. will I need to configure for outside access? Is there any particular service that I need to add?

Thanks

Commented:
What do you want to access from the INTERNET? An internal server/computer? The PIX itself?

If a computer: just set up port forwarding, for example:

      ! static takes global_port local_ip local_port (no "eq" keyword)
      static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 0 0 --> forwards RDP to PC
      static (inside,outside) tcp interface 5900 192.168.0.10 5900 netmask 255.255.255.255 0 0 --> forwards VNC to PC

Filter on the source IP address for the access you allow, for example:

      ! protocol (tcp) is required before the source/destination
      access-list inbound line 1 permit tcp host 10.0.0.1 host 172.168.0.1 eq 3389
      access-list inbound line 2 permit tcp host 10.0.0.1 host 172.168.0.1 eq 5900
      ! the list does nothing until it is bound to the outside interface
      access-group inbound in interface outside

............
If the PIX is what you want RAS for:

You need to configure SSH:

      ssh 0.0.0.0 0.0.0.0 outside -----> the "0.0.0.0 0.0.0.0" allows any host/subnet to SSH to the "outside" interface;
                                         adjust the "0.0.0.0 0.0.0.0" to your WAN IP settings

You also need an access-list entry to permit TCP port 22 traffic:

      access-list inbound line 3 permit tcp any any eq 22

...

Hope this helps
rc
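A complete PIX 6.3 configuration fragment that puts the pieces of the answer above together (port forwarding, a source-restricted inbound ACL, and SSH management of the firewall), added here as an illustration; it is not part of the original answer. The hostname, the outside address 203.0.113.10, the internal host 192.168.0.10 and the trusted source addresses 198.51.100.5 and 198.51.100.6 are all assumed placeholders.

```cisco
! Added example, not from the original answer. PIX 6.3 syntax.
! All addresses below are assumed placeholders for illustration.
hostname pix501
domain-name example.com

! Addressing and outbound PAT through the outside interface address
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Port forwarding: TCP 3389 (RDP) and 5900 (VNC) on the outside interface
! address map to the same ports on the internal host. The static command
! takes global_port local_ip local_port; there is no "eq" keyword here.
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 192.168.0.10 5900 netmask 255.255.255.255 0 0

! Inbound ACL on the outside interface. The destination is the outside
! interface address (the translated address), and only two trusted source
! hosts may reach the forwarded ports; everything else hits the implicit
! deny at the end of the list.
access-list inbound permit tcp host 198.51.100.5 host 203.0.113.10 eq 3389
access-list inbound permit tcp host 198.51.100.5 host 203.0.113.10 eq 5900
access-list inbound permit tcp host 198.51.100.6 host 203.0.113.10 eq 3389
access-group inbound in interface outside

! SSH to the PIX itself. Access to the firewall's own management plane is
! decided by the ssh command, not by the interface ACL, so restrict it to
! the admin host rather than 0.0.0.0 0.0.0.0. An RSA key must exist first.
ca generate rsa key 1024
ca save all
ssh 198.51.100.5 255.255.255.255 outside
ssh timeout 10

! The SSH login is user "pix" with the Telnet/SSH password set by passwd.
! The factory default is "cisco"; ChangeMeNow1 is a placeholder, set your own.
passwd ChangeMeNow1
```

Keep the source hosts in the ACL explicit: a `permit tcp any any eq 3389` line would expose RDP on the public address to every address on the Internet. Note also that the PIX 501 has only the outside interface and the inside switch ports, so a separate DMZ interface is not available on that model; source restrictions like these, or a VPN, are what remains for locking down published services on a 501.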

Author

Commented:
Thanks.

I need to allow users access to mail/file servers etc.

Should I not accept

      static (inside,outside) tcp interface 3389 0.0.0.0 3389 netmask 255.255.255.255 0 0 --> forwards RDP to PC
      static (inside,outside) tcp interface 5900 0.0.0.0 5900 netmask 255.255.255.255 0 0 --> forwards VNC to PC

as users will be using the DSL provider's IPs? Or is there a better way to lock this down and still allow
Commented:
First, this is dangerous. These mail/file servers should be on a DMZ interface to segregate your internal network from things that outside users can access. I'd point you in the direction of a VPN; however, it's much slower and you'd need to have your outside users run a VPN client just to get to their mail. Try the DMZ approach.

rc
