Solved

Cisco PIX 506e: Microsoft Remote Web Workplace

Posted on 2006-07-23
Last Modified: 2008-02-01
Well, I am tired of working with this problem. Hope you can help (I'm sure you can =) ).

Here's the deal: I can get RDP to work, but I cannot get Remote Web Workplace to work. Here are the ports I need to forward; they all need to go to 192.168.0.193 (local):

3389
443
444
4125
And maybe 80?
This server is running windows small business server 2003
Config is below

Joe



Written by enable_15 at 07:03:04.134 UTC Sun Jul 23 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.193 dev50
access-list outside_access_in deny icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside range https 444
access-list outside_access_in permit tcp any interface outside eq 4125
access-list outside_access_in permit tcp any any
access-list outside_access_in permit tcp any host dev50 eq 3389
access-list outside_access_in permit udp any any
access-list outside_access_in permit udp any any range 3388 3389
access-list outside_access_in permit tcp any host dev50 eq 4125
access-list outside_access_in permit tcp any interface outside range https https

access-list outside_access_in permit tcp any host dev50 eq https
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.192
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Site-2-Site permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl permit tcp any host 24.213.59.166 eq 3389
access-list outside_in permit tcp any host 24.213.59.166 eq 3389
pager lines 24
logging on
logging trap warnings
logging host inside dev50
mtu outside 1500
mtu inside 1500
ip address outside 24.213.59.166 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Remote 192.168.0.20-192.168.0.40
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location dev50 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 24.213.59.166 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 4125 dev50 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 www dev50 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 https dev50 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.213.59.166 444 dev50 444 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
conduit permit tcp host dev50 eq 3389 any
conduit permit tcp host dev50 eq 4125 any
conduit permit tcp host dev50 eq www any
conduit permit tcp host dev50 eq https any
conduit permit tcp host dev50 eq 444 any
route outside 0.0.0.0 0.0.0.0 24.213.59.165 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Question by: jmenze

Accepted Solution by: lrmoore (earned 250 total points), ID: 17163426
Do not use both conduits and ACLs. Remove all conduits.
Do not use "dev50" in the outside ACL. This is how the ACL should look:

no access-list outside_access_in
# start over with a new acl
access-list outside_access_in deny icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside range https 444
access-list outside_access_in permit tcp any interface outside eq 4125
access-group outside_access_in in interface outside

Use "interface" for statics, too:
static (inside,outside) tcp interface 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 dev50 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www dev50 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https dev50 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 dev50 444 netmask 255.255.255.255 0 0

Enable logging to see any particular ports or traffic that is being denied:
 logging on
 logging trap informational
 logging buffered

Use "show log" to see any log entries.

Expert Comment by: NetoMeter Screencasts, ID: 17168770
But it's working. Try this URL:
http://24.213.59.166/tsweb/

Dean

Expert Comment by: lrmoore, ID: 17168823
It's working because of this line, which is very dangerous to leave in the config:
>access-list outside_access_in permit tcp any any

It could also be that you are testing from inside the PIX and not really from the outside? You can never get to any services by the public ip from the inside. You must be physically outside the firewall. I know that a $50 Linksys router will allow you to do this, but not a $1000 Cisco product.

Expert Comment by: NetoMeter Screencasts, ID: 17169113
TSWEB is using only port 80. Actually, it is a good idea to use it through port 443, which BTW is also working:
https://24.213.59.166/tsweb/
Remove the conduits and the "any any" ACL and try it again.

Dean

PS: PIX IOS v.7 allows traffic coming in through an interface to go out through the same interface. That makes it possible, for example, in a hub-and-spoke VPN config to have communication between the remote sites.

Author Comment by: jmenze, ID: 17179471
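The checks lrmoore's accepted solution and NetoMeter's follow-up describe (no conduits alongside ACLs, no "permit ... any any" on the outside ACL, the ACL bound by access-group must be the one that holds the rules, statics keyed on "interface" rather than a literal outside address) can be turned into a small lint over a saved PIX 6.x config. The script below is an added example written for this page, not code from the thread or from Cisco; the two embedded configs are constructed: one mirrors the shape of the poster's original mistakes with the documentation address 203.0.113.10 standing in for the real outside IP, the other mirrors the corrected ACL and statics from the accepted solution. The finding codes ("conduit-and-acl", "any-any", "unapplied-acl", "missing-acl", "static-literal-ip") are names chosen here, not PIX terminology.

```python
"""Lint a PIX 6.x configuration for the mistakes discussed in this thread."""
import re
from collections import defaultdict

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample resembling the poster's original config (placeholder outside IP).
BROKEN_CONFIG = """\
name 192.168.0.193 dev50
access-list outside_access_in deny icmp any any echo
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit udp any any range 3388 3389
access-list outside_in permit tcp any host 203.0.113.10 eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) tcp 203.0.113.10 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https dev50 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside
conduit permit tcp host dev50 eq 3389 any
"""

# Constructed sample mirroring the corrected ACL and statics from the accepted solution.
CLEAN_CONFIG = """\
access-list outside_access_in deny icmp any any echo
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside range https 444
access-list outside_access_in permit tcp any interface outside eq 4125
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 3389 dev50 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 dev50 4125 netmask 255.255.255.255 0 0
"""


def parse_config(text):
    """Collect ACL entries per name, statics, conduits, bound ACLs and ACLs used by nat/crypto."""
    cfg = {"acls": defaultdict(list), "statics": [], "conduits": [],
           "bound": set(), "referenced": set()}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(("!", "#")):
            continue
        kw = parts[0]
        if kw == "access-list" and len(parts) > 2:
            cfg["acls"][parts[1]].append(parts[2:])
        elif kw == "static" and len(parts) > 3:
            cfg["statics"].append(parts)
        elif kw == "conduit":
            cfg["conduits"].append(parts)
        elif kw == "access-group" and len(parts) > 1:
            cfg["bound"].add(parts[1])
        elif kw == "nat" and "access-list" in parts:          # nat 0 access-list <name>
            cfg["referenced"].add(parts[parts.index("access-list") + 1])
        elif kw == "crypto" and "address" in parts:           # crypto map ... match address <name>
            cfg["referenced"].add(parts[parts.index("address") + 1])
    return cfg


def lint_pix(text):
    """Return a list of (code, detail) findings; an empty list means none of the checks fired."""
    cfg = parse_config(text)
    findings = []
    if cfg["conduits"] and cfg["acls"]:
        findings.append(("conduit-and-acl",
                         f"{len(cfg['conduits'])} conduit line(s) coexist with access-lists; remove the conduits"))
    for name, entries in cfg["acls"].items():
        if name not in cfg["bound"] and name not in cfg["referenced"]:
            findings.append(("unapplied-acl", f"access-list {name} is never bound with access-group"))
        for e in entries:
            # 'permit <proto> any any' with no port qualifier opens every inside host and port
            if len(e) == 4 and e[0] == "permit" and e[2] == "any" and e[3] == "any":
                findings.append(("any-any", f"access-list {name}: 'permit {e[1]} any any' is wide open"))
    for name in cfg["bound"]:
        if name not in cfg["acls"]:
            findings.append(("missing-acl", f"access-group binds {name}, which has no entries"))
    for s in cfg["statics"]:
        # port static: static (in,out) tcp <global> <gport> <local> <lport> ...; otherwise <global> is s[2]
        glob = s[3] if s[2] in ("tcp", "udp") else s[2]
        if IPV4.match(glob):
            findings.append(("static-literal-ip",
                             f"static uses literal outside address {glob}; use 'interface' when it is the outside IP"))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("broken", BROKEN_CONFIG), ("clean", CLEAN_CONFIG)):
        print(f"== {label} ==")
        for code, detail in lint_pix(cfg_text) or [("ok", "no findings")]:
            print(f"  [{code}] {detail}")
```

Running it on the broken sample reports the conduit/ACL mix, both "any any" permits, the unbound outside_access_in (the nat 0 ACL is not reported because it is referenced by the nat line) and the literal-address static; the clean sample produces no findings. The "show log" step from the accepted solution is still the way to confirm what the box actually denies once the config is cleaned up.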
lrmoore, yes, you're the man. It's all cleaned up; I really loosened it up in my frustration, but that's all fixed now. Thanks for your help, and yours as well, NetoMeter.
Joe