Enabling RAS on PIX 501


I wish to configure my PIX 501 with RAS remote access, but I am unsure of what I need to add to my firewall in terms of directing traffic to my RAS server. What access lists etc. will I need to configure for outside access? Is there any particular service that I need to add?

Thanks
bjbit asked:
icanhelp commented:
What do you want to access from the INTERNET? An internal server/computer? The PIX itself?

If a computer:

Just set up port forwarding - example below
      static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 0 0 --> forwards RDP to PC
      static (inside,outside) tcp interface 5900 192.168.0.10 5900 netmask 255.255.255.255 0 0 --> forwards VNC to PC

Filter on source IP address for access allow - example below
      access-list inbound line 1 permit tcp host 10.0.0.1 host 172.168.0.1 eq 3389
      access-list inbound line 2 permit tcp host 10.0.0.1 host 172.168.0.1 eq 5900

............
If the PIX is what you want RAS for:

You need to configure SSH:
      ssh 0.0.0.0 0.0.0.0 outside -----> the "0.0.0.0 0.0.0.0" allows any host/subnet to SSH to the "outside" interface;
                                                       adjust the "0.0.0.0 0.0.0.0" to your WAN IP settings

You also need an access-list entry to permit TCP port 22 traffic
     access-list inbound line 3 permit tcp any any eq 22

...

Hope this helps
rc

bjbit (author) commented:
Thanks.


I need to allow users access to mail/file servers etc.

Should I not accept

      static (inside,outside) tcp interface 3389 0.0.0.0 3389 netmask 255.255.255.255 0 0 --> forwards RDP to PC
      static (inside,outside) tcp interface 5900 0.0.0.0 5900 netmask 255.255.255.255 0 0 --> forwards VNC to PC

as users will be using the DSL provider's IPs, or is there a better way to lock this down and still allow
icanhelp commented:
First, this is dangerous. These mail/file servers should be on a DMZ interface to segregate your internal network from things that outside users can access. I'd point you in the direction of VPN; however, it's much slower and you'd need to have your outside users run a VPN client just to get to their mail. Try the DMZ approach.

rc
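The two answers above turn on one question: who can reach the forwarded RDP/VNC ports and the PIX's own SSH listener. The following audit script is an added example, not part of this thread and not Cisco's tooling. It parses only the four PIX 6.x line forms that appear in the discussion (a `static` port forward, an `access-list` entry with an optional `line N`, an `access-group` binding, and the `ssh` command) and flags the exposures discussed: a permit for a remote-access port from `any`, SSH to the PIX open to `0.0.0.0 0.0.0.0`, the asker's `0.0.0.0` forward target, and an access-list that is written but never bound to an interface. Both sample configurations are constructed for this example; the addresses in them are the thread's placeholders.

```python
"""Audit PIX 6.x-style config lines for remote-access exposure (added example)."""
from __future__ import annotations

import re

# Remote-access services discussed in the thread: RDP and VNC forwards to an
# inside host, and SSH to the PIX itself.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 0 0
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<global>\S+) (?P<gport>\d+) (?P<local>\S+) (?P<lport>\d+)"
)
# access-list inbound [line 1] permit tcp host 10.0.0.1 host 172.168.0.1 eq 3389
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+)(?: line \d+)? (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)(?: eq (?P<port>\d+))?$"
)
# access-group inbound in interface outside
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)")
# ssh 0.0.0.0 0.0.0.0 outside
SSH_RE = re.compile(r"^ssh (?P<ip>\S+) (?P<mask>\S+) (?P<iface>\w+)")


def audit(config_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; severity is "high" or "info"."""
    findings: list[tuple[str, str]] = []
    defined_acls: set[str] = set()
    bound_acls: set[str] = set()

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue

        if m := STATIC_RE.match(line):
            port = int(m.group("gport"))
            if port in ADMIN_PORTS:
                # A forward by itself is not wrong; the inbound ACL decides who reaches it.
                findings.append(("info", f"{ADMIN_PORTS[port]} ({port}) forwarded from "
                                         f"{m.group('mapped_if')} to {m.group('local')}; "
                                         "confirm the inbound ACL restricts the source"))
            if m.group("local") in ("0.0.0.0", "any"):
                # The thread's "0.0.0.0" proposal: a static needs one real inside host.
                findings.append(("high", f"forward target {m.group('local')} is not a host: {line}"))
            continue

        if m := ACL_RE.match(line):
            defined_acls.add(m.group("name"))
            port = m.group("port")
            if (m.group("action") == "permit" and m.group("src") == "any"
                    and port and int(port) in ADMIN_PORTS):
                findings.append(("high", f"ACL {m.group('name')} permits "
                                         f"{ADMIN_PORTS[int(port)]} from any source: {line}"))
            continue

        if m := ACCESS_GROUP_RE.match(line):
            bound_acls.add(m.group("name"))
            continue

        if m := SSH_RE.match(line):
            if m.group("ip") == "0.0.0.0" and m.group("mask") == "0.0.0.0":
                findings.append(("high", f"ssh to the PIX {m.group('iface')} interface is open "
                                         "to any address; list the admin hosts instead"))

    # An ACL that is written but never applied with access-group filters nothing.
    for name in sorted(defined_acls - bound_acls):
        findings.append(("high", f"access-list {name} is defined but not bound with access-group"))
    return findings


def high_findings(config_text: str) -> list[str]:
    """Only the findings that need a config change."""
    return [msg for sev, msg in audit(config_text) if sev == "high"]


# Constructed: the thread's proposals combined, with the asker's 0.0.0.0 target
# on the VNC forward and no access-group applying the list.
WEAK_CONFIG = """
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 0.0.0.0 5900 netmask 255.255.255.255 0 0
access-list inbound line 1 permit tcp any any eq 3389
access-list inbound line 2 permit tcp any any eq 5900
access-list inbound line 3 permit tcp any any eq 22
ssh 0.0.0.0 0.0.0.0 outside
"""

# Constructed: one forward, one named source host, the list bound to outside,
# and SSH to the PIX limited to that same admin host.
HARDENED_CONFIG = """
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255 0 0
access-list inbound line 1 permit tcp host 10.0.0.1 host 172.168.0.1 eq 3389
access-group inbound in interface outside
ssh 10.0.0.1 255.255.255.255 outside
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit(cfg):
            print(f"[{sev}] {msg}")
```

Run against a saved `show running-config`, the script reports six high findings for the weak configuration and none for the hardened one, leaving only the informational note that RDP is forwarded. The regexes are deliberately narrow: anything they do not recognise is skipped, so treat the output as a checklist for the lines discussed here rather than a full PIX policy review.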