PIX 515E

I have a PIX 515E set up at my company. I need to be able to RDP to a server behind the PIX at the address 24.92.123.123 from my home. The internal address of the server is 172.16.16.16. I have pasted my config below. If anyone has any suggestions on how, it would be greatly appreciated.



User Access Verification

Password:
Type help or '?' for a list of available commands.
cph-pix> enable
Password: ******
cph-pix# show run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 16baset
interface ethernet1 16baset
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security160
nameif ethernet2 intf2 security16
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password Yn8Esq3NcXIHL35v encrypted
passwd XLcDKg3X8eBKlimL encrypted
hostname cph-pix
fixup protocol dns maximum-length 1536
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host 24.92.123.124 eq smtp
access-list acl_out permit tcp any host 24.92.123.123 eq 5800
access-list acl_out permit tcp any host 24.92.123.123 eq 5900
access-list acl_out permit tcp any host 24.92.123.123 eq 16319
access-list acl_out permit tcp any host 24.92.123.123 eq 9002
access-list acl_out permit tcp any host 24.92.123.123 eq domain
access-list acl_out permit udp any host 24.92.123.123 eq domain
access-list acl_out permit tcp any host 24.92.123.123 eq 3389
access-list acl_out permit udp any host 24.92.123.123 eq 3389
access-list acl_out permit udp host 172.16.16.16 any eq 3389
access-list acl_out permit tcp host 172.16.16.16 any eq 3389
access-list outside_cryptomap_160 permit ip 172.16.0.0 255.255.0.0 172.172.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.172.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 24.92.123.122 255.255.255.248
ip address inside 172.16.72.137 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 24.92.123.125
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 24.92.123.124 172.16.16.14 netmask 255.255.255.255 0 0
static (inside,outside) 24.92.123.123 172.16.16.16 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 24.92.123.121 1
route inside 172.22.176.0 255.255.255.224 172.16.72.16 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:16:00 udp 0:02:00 rpc 0:16:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 172.16.16.18 timeout 20 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 160 ipsec-isakmp
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set peer 29.236.120.30
crypto map outside_map 160 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key address 29.236.120.30 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 16 authentication pre-share
isakmp policy 16 encryption aes
isakmp policy 16 hash sha
isakmp policy 16 group 2
isakmp policy 16 lifetime 86400
telnet 172.16.72.133 255.255.255.255 inside
telnet 172.16.72.16 255.255.255.255 inside
telnet 172.16.72.129 255.255.255.255 inside
telnet 172.16.72.200 255.255.255.255 inside
telnet 172.22.176.0 255.255.255.224 inside
telnet 172.16.72.83 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:6c0847e54d35e60a014fd9ef946f5f92
: end
cph-pix#
JaybirdJets asked:

redgun commented:
Hi,
You only need to add another access-list entry to allow the outside interface to receive your specific traffic for your server. Translation is already configured with this line:
static (inside,outside) 24.92.123.123 172.16.16.16 netmask 255.255.255.255 0 0

So you will have to add something like this:

access-list acl_out permit tcp any host 24.92.123.123 eq RDP

I put RDP because I did not know this specific port application, so you must know if it is TCP/UDP and the required port. (If this application uses more than one port, you must also add another access-list entry for each one.)

If you have a valid and static IP address for the source, you can restrict it more by doing it like this:
access-list acl_out permit tcp host x.y.z.w host 24.92.123.123 eq RDP

Regards.
n8ptt commented:
Not to rain on how you connect, but you would probably be better off (security-wise) to VPN into the PIX (using the Cisco VPN client) and THEN do Remote Desktop to the server. Opening port 3389 to the Internet I would consider a possible security problem. An idea to consider.
--
Ken
JaybirdJets (author) commented:
Thanks. So I am not going crazy then. I have added the needed access-list entries already --- access-list acl_out permit tcp any host 24.92.123.123 eq 3389 and access-list acl_out permit udp any host 24.92.123.123 eq 3389 --- and still wasn't able to connect. Maybe RDP does use another port that I didn't know of, or my static IP isn't configured correctly. Either way, I definitely agree with you both about the security issues with opening port 3389 to the whole world. Both of your expert opinions have confirmed a suspicion I had, that connecting this way is not secure and should be avoided if possible. I will keep using the VPN client software as suggested.


Thanks graciously.
Jaybirdjets
Mad_Jasper commented:
static (inside,outside) tcp 24.92.123.123 3389 172.16.16.16 3389 netmask 255.255.255.255 0 0
access-list acl_inbound permit tcp any host 24.92.123.123 eq 3389
access-group acl_inbound in interface outside

This will allow RDP to your server.
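Added example, not part of the thread and not code from any of the posters or from Cisco: a small Python checker that models what the PIX 6.3 config above does with an inbound flow, so the two answers can be checked against the posted config rather than by eye. It parses the static, access-list and access-group lines, looks up the static for the destination (a port static before a whole-host static, which is this model's simplification) and walks the ACL bound inbound on outside in order, first match wins, implicit deny. Run against the lines quoted in the thread it shows that the whole-host static and the acl_out entry for TCP 3389 already translate and permit RDP to 24.92.123.123, that the entry's any source leaves the service reachable from every address (n8ptt's point), that rebinding outside to acl_inbound as in the last answer leaves acl_out's SMTP entry unused because a PIX interface holds one inbound ACL, and what redgun's source-restricted form looks like once the any entries are removed. The addresses 203.0.113.7 (home) and 198.51.100.9 (some other Internet host) are placeholders from the documentation ranges, and the checker does not model whether the PIX accepts a port static that overlaps the existing whole-host static.

```python
# Added example (not from the thread's posters, not Cisco code): an offline checker for
# PIX 6.3 inbound rules. It reads 'static', 'access-list' and 'access-group' lines and
# reports whether a flow arriving on the outside interface is translated and permitted.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "ssh": 22}  # only the PIX port names needed here

@dataclass
class Ace:
    acl: str
    action: str                 # permit | deny
    proto: str                  # ip | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: "int | None"         # None = any destination port

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr(t, i):
    """Parse 'any' | 'host X' | 'X MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Statics are (proto, global_ip, global_port, local_ip, local_port); proto None = whole host."""
    aces, statics, bindings = [], [], {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            aces.append(Ace(t[1], t[2], t[3], src, dst, dport))
        elif t and t[0] == "static" and t[2] in ("tcp", "udp"):   # port static (PAT)
            statics.append((t[2], t[3], _port(t[4]), t[5], _port(t[6])))
        elif t and t[0] == "static":                              # whole-host static
            statics.append((None, t[2], None, t[3], None))
        elif t and t[0] == "access-group" and t[2] == "in":
            bindings[t[4]] = t[1]  # one ACL per interface/direction: a later command replaces it
    return {"aces": aces, "statics": statics, "bindings": bindings}

def find_static(cfg, proto, global_ip, port):
    """(local_ip, local_port) for inbound global_ip:port, or None; port static tried first (model assumption)."""
    for sproto, gip, gport, lip, lport in cfg["statics"]:
        if sproto == proto and gip == global_ip and gport == port:
            return lip, lport
    for sproto, gip, _, lip, _ in cfg["statics"]:
        if sproto is None and gip == global_ip:
            return lip, port
    return None

def acl_decision(cfg, iface, proto, src, dst, dport):
    """First matching ACE of the ACL bound inbound on iface wins; no match means deny."""
    acl = cfg["bindings"].get(iface)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg["aces"]:
        if (ace.acl == acl and ace.proto in ("ip", proto) and src_ip in ace.src
                and dst_ip in ace.dst and ace.dport in (None, dport)):
            return ace
    return None

def check_inbound(cfg, proto, src, global_ip, port):
    ace = acl_decision(cfg, "outside", proto, src, global_ip, port)
    permitted = ace is not None and ace.action == "permit"
    return {"translated_to": find_static(cfg, proto, global_ip, port),
            "permitted": permitted,
            "open_to_any": permitted and ace.src.prefixlen == 0}  # permitted from any source

# Constructed from the thread's config: only the lines this checker reads.
PIX_CONFIG = """\
access-list acl_out permit tcp any host 24.92.123.124 eq smtp
access-list acl_out permit tcp any host 24.92.123.123 eq 3389
access-list acl_out permit udp any host 24.92.123.123 eq 3389
static (inside,outside) 24.92.123.124 172.16.16.14 netmask 255.255.255.255 0 0
static (inside,outside) 24.92.123.123 172.16.16.16 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
"""
# Mad_Jasper's three lines appended unchanged (the model assumes the PIX accepts them).
MAD_JASPER_LINES = """\
static (inside,outside) tcp 24.92.123.123 3389 172.16.16.16 3389 netmask 255.255.255.255 0 0
access-list acl_inbound permit tcp any host 24.92.123.123 eq 3389
access-group acl_inbound in interface outside
"""
# redgun's source-restricted form; 203.0.113.7 is a placeholder home address, not from the thread.
RESTRICTED_RDP = "access-list acl_out permit tcp host 203.0.113.7 host 24.92.123.123 eq 3389"

def restricted_config():
    """Drop the any-source 3389 ACEs (they would match first) and admit only the home address."""
    kept = [l for l in PIX_CONFIG.splitlines() if "any host 24.92.123.123 eq 3389" not in l]
    return "\n".join(kept + [RESTRICTED_RDP])

if __name__ == "__main__":  # 198.51.100.9 is a placeholder remote source
    print(check_inbound(parse_config(PIX_CONFIG), "tcp", "198.51.100.9", "24.92.123.123", 3389))
    print(check_inbound(parse_config(restricted_config()), "tcp", "198.51.100.9", "24.92.123.123", 3389))
```

If the checker reports a flow as permitted and translated but the connection still fails, as the asker reports, the cause lies outside these three command types, which is worth knowing before adding more ACL entries.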