Solved

Cisco PIX 506e and Microsoft Remote Web Workplace

Posted on 2006-07-23
404 Views
Last Modified: 2008-02-01
Well, I am tired of working with this problem; hope you can help (I'm sure you can =) ).

Here's the deal: I can get RDP to work, but I cannot get Remote Web Workplace to work. Here are the ports I need to forward; they all need to go to 192.168.0.193 (local):

3389
443
444
4125
And maybe 80?
This server is running Windows Small Business Server 2003.
Config is below.

Joe



Written by enable_15 at 07:03:04.134 UTC Sun Jul 23 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.193 dev50
access-list outside_access_in deny icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside range https 444
access-list outside_access_in permit tcp any interface outside eq 4125
access-list outside_access_in permit tcp any any
access-list outside_access_in permit tcp any host dev50 eq 3389
access-list outside_access_in permit udp any any
access-list outside_access_in permit udp any any range 3388 3389
access-list outside_access_in permit tcp any host dev50 eq 4125
access-list outside_access_in permit tcp any interface outside range https https

access-list outside_access_in permit tcp any host dev50 eq https
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.192
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Site-2-Site permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl permit tcp any host 24.213.59.166 eq 3389
access-list outside_in permit tcp any host 24.213.59.166 eq 3389
pager lines 24
logging on
logging trap warnings
logging host inside dev50
mtu outside 1500
mtu inside 1500
ip address outside 24.213.59.166 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.168.0.20-192.168.0.40
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location dev50 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 24.213.59.166 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 4125 dev50 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 www dev50 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 https dev50 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 444 dev50 444 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
conduit permit tcp host dev50 eq 3389 any
conduit permit tcp host dev50 eq 4125 any
conduit permit tcp host dev50 eq www any
conduit permit tcp host dev50 eq https any
conduit permit tcp host dev50 eq 444 any
route outside 0.0.0.0 0.0.0.0 24.213.59.165 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Question by:jmenze

5 Comments
LVL 79

Accepted Solution

by: lrmoore earned 250 total points
Do not use both conduits and ACLs.
Remove all conduits.
Do not use "dev50" in the outside ACL. This is how the ACL should look:

no access-list outside_access_in
# start over with a new acl
access-list outside_access_in deny icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside range https 444
access-list outside_access_in permit tcp any interface outside eq 4125
access-group outside_access_in in interface outside

Use "interface" for statics, too:
static (inside,outside) tcp interface 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 dev50 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www dev50 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https dev50 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 dev50 444 netmask 255.255.255.255 0 0

Enable logging to see any particular ports or traffic that is being denied:
 logging on
 logging trap informational
 logging buffered informational

Use "show log" to see any log entries.
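The problems in this thread (an ACL that is defined but never applied, "permit tcp any any" left in the outside ACL, conduits mixed with ACLs, and an outside ACL that names the inside host) can be checked mechanically. The script below is an added example written for this page; it is not from the thread, from the asker, or from Cisco. It parses the access-list, static, access-group and conduit lines of a PIX 6.3 style config excerpt and reports those issues, plus any port static that has no matching permit in the ACL applied on the outside interface. The two config excerpts are constructed from lines in this thread: one from the posted config, the other using the accepted answer's replacement ACL exactly as written. The port-name table, the assumption that the outside interface is named "outside", and the finding wording are mine. Run against the accepted answer's ACL, it reports one thing the thread does not spell out: that ACL permits www, https-444 and 4125 but has no entry for 3389, so the 3389 static is left without a matching permit.

```python
"""Audit a PIX 6.3 config excerpt for the problems discussed in this thread:
unapplied ACLs, 'permit ... any any', conduits mixed with ACLs, outside ACLs
naming the inside (pre-NAT) host, and port statics with no matching permit."""

# Assumed keyword-to-number table for the port names used in this config.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_addr(tokens, i):
    """Consume one address spec (any | host X | interface X | NET MASK)."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] in ("host", "interface"):
        return (tokens[i], tokens[i + 1]), i + 2
    return ("net", tokens[i] + "/" + tokens[i + 1]), i + 2

def parse_ace(tokens):
    """Parse the part of an access-list line after the ACL name."""
    action, proto = tokens[0], tokens[1]
    src, i = parse_addr(tokens, 2)
    dst, i = parse_addr(tokens, i)
    ports = None  # None means every port (or an icmp type, which we ignore)
    if i < len(tokens) and tokens[i] == "eq":
        ports = (port_num(tokens[i + 1]),) * 2
    elif i < len(tokens) and tokens[i] == "range":
        ports = (port_num(tokens[i + 1]), port_num(tokens[i + 2]))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def parse_pix(text):
    cfg = {"acls": {}, "statics": [], "applied": {}, "conduits": 0}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(parse_ace(t[2:]))
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask ...
            cfg["statics"].append({"proto": t[2], "global": t[3], "gport": port_num(t[4]),
                                   "local": t[5], "lport": port_num(t[6])})
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["applied"][t[4]] = t[1]
        elif t[0] == "conduit":
            cfg["conduits"] += 1
    return cfg

def ace_covers(ace, s):
    """Does this ACE permit traffic to the static's global address and port?"""
    if ace["action"] != "permit" or ace["proto"] not in (s["proto"], "ip"):
        return False
    if ace["dst"] not in (("any", None), ("interface", "outside"), ("host", s["global"])):
        return False
    return ace["ports"] is None or ace["ports"][0] <= s["gport"] <= ace["ports"][1]

def audit(text):
    """Return a list of human-readable findings for one config excerpt."""
    cfg = parse_pix(text)
    findings = []
    for name in cfg["acls"]:
        if name not in cfg["applied"].values():
            findings.append(f"acl {name} is defined but never applied with access-group")
    inside_hosts = {s["local"] for s in cfg["statics"]}  # pre-NAT names/addresses
    for name, aces in cfg["acls"].items():
        for ace in aces:
            if (ace["action"] == "permit" and ace["proto"] in ("tcp", "udp", "ip")
                    and ace["src"] == ace["dst"] == ("any", None) and ace["ports"] is None):
                findings.append(f"acl {name}: permit {ace['proto']} any any exposes every port")
            if ace["dst"][0] == "host" and ace["dst"][1] in inside_hosts:
                findings.append(f"acl {name}: dst {ace['dst'][1]} is the inside (pre-NAT) address")
    if cfg["conduits"] and cfg["applied"]:
        findings.append(f"{cfg['conduits']} conduit(s) mixed with access-group ACLs")
    outside_aces = cfg["acls"].get(cfg["applied"].get("outside"), [])
    for s in cfg["statics"]:
        if not any(ace_covers(a, s) for a in outside_aces):
            findings.append(f"static {s['proto']}/{s['gport']} -> {s['local']}:{s['lport']} "
                            "has no permit in the outside acl")
    return findings

# Excerpt constructed from the config posted in the question (dev50 = 192.168.0.193).
ORIGINAL_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any host dev50 eq 3389
access-list outside_in permit tcp any host 24.213.59.166 eq 3389
static (inside,outside) tcp 24.213.59.166 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 www dev50 www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
conduit permit tcp host dev50 eq www any"""

# The accepted answer's replacement ACL as written, plus two of its statics.
FIXED_CONFIG = """\
access-list outside_access_in deny icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside range https 444
access-list outside_access_in permit tcp any interface outside eq 4125
static (inside,outside) tcp interface 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 dev50 444 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside"""

if __name__ == "__main__":
    for label, cfg_text in (("original", ORIGINAL_CONFIG), ("accepted answer", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg_text):
            print(" -", finding)
```

On the posted excerpt the audit reports six findings: the unapplied outside_access_in ACL, the tcp and udp any/any entries, the dev50 (pre-NAT) reference, the conduit mixed in, and the www static that the applied outside_in ACL never permits. On the accepted answer's excerpt the only finding is the 3389 static with no permit; the ACL check uses "interface outside" as the destination, which is why lrmoore's advice to use "interface" in both the ACL and the statics makes the two line up.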

LVL 11

Expert Comment

by:NetoMeter Screencasts
But it's working. Try this URL:
http://24.213.59.166/tsweb/

Dean

LVL 79

Expert Comment

by:lrmoore
It's working because of this line, which is very dangerous to leave in the config:
>access-list outside_access_in permit tcp any any

It could also be that you are testing from inside the PIX and not really from the outside? You can never get to any services by the public ip from the inside. You must be physically outside the firewall. I know that a $50 Linksys router will allow you to do this, but not a $1000 Cisco product.

LVL 11

Expert Comment

by:NetoMeter Screencasts
TSWEB is using only port 80. Actually, it is a good idea to use it through port 443, which BTW is also working:
https://24.213.59.166/tsweb/
Remove the conduits and the “any any” ACL and try it again.

Dean

PS: PIX IOS v.7 allows traffic coming through an interface to go out through the same interface. That makes it possible, for example, in a hub-and-spoke VPN config to have communication between the remote sites.

Author Comment

by:jmenze
lrmoore, yes, you the man. It's all cleaned up; I really loosened it up in my frustration, but that's all fixed now. Thanks for your help, and yours as well, NetoMeter.
Joe