DVmagic asked:
Windows Remote Desktop through PIX 515

Forgive me, I'm the only one left as the guy who set this system up has left. Be patient and speak slowly and we might get through this.
I've read most of the posts here and the Cisco pages, but I might as well be reading Greek. I know this has worked in the past, but that access was removed and I'm now trying to put it back.

I need to allow a few remote users to log in to a Windows Remote Desktop server from outside our network. I don't know if I should be using PPTP, or VPN, or some other magic cure, but I need *something* to work soon.

I have an affiliate office who also has a PIX 515 and I've been trying to compare the two configs. So far nothing has worked. Eventually people in his office will need to remote into mine, but for now I'd be happy if anyone could log in at all.

They basically need to see the Windows RDP login screen. I'm not choosy at this point. It can be either a one step static setup or I can require them to get past the firewall and then log in to RDP.

This is my current PIX config (external IPs replaced with A.B.C.D). The desired IP address for remote access is A.B.C.D+1:

Cisco Pix Firewall
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password ************ encrypted
passwd ******** encrypted
hostname pix
domain-name shearsonhomeloans.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name A.B.C.D Cox_Cable
name 192.168.4.40 RemoteDesktop
name A.B.C.D OutsideDesktop
object-group service Exchange tcp
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object range 5000 5001
  port-object range 135 135
object-group service Messenger tcp
  port-object range 137 netbios-ssn
  port-object range 135 135
object-group service MessengerTCP tcp
  port-object range 137 netbios-ssn
  port-object eq 135
  port-object eq 445
object-group service TeVue tcp-udp
  description Ports required for TeVue interface
  port-object range 8050 8060
  port-object range 1718 1720
  port-object range 7000 7010
access-list 101 permit icmp any any
access-list outside_access_in permit tcp any host OutsideDesktop eq 3389
access-list inside_outbound_nat0_acl permit ip any 192.168.11.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 192.168.11.100
access-list inside_outbound_nat0_acl permit ip host RemoteDesktop 192.168.11.0 255.255.255.0
access-list inside_outbound_nat0_acl permit tcp any host OutsideDesktop eq 3389
pager lines 24
logging timestamp
logging trap warnings
logging history debugging
logging facility 23
logging queue 0
logging device-id hostname
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside A.B.C.D 255.255.255.224
ip address inside 192.168.4.254 255.255.255.0
ip address intf2 192.168.2.101 255.255.255.0
ip address intf3 192.168.3.101 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool cdapool 192.168.11.100-192.168.11.200 mask 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location A.B.C.0 255.255.255.0 outside
pdm location 192.168.4.77 255.255.255.255 inside
pdm location 192.168.6.0 255.255.255.0 inside
pdm location 192.168.11.0 255.255.255.0 outside
pdm location 192.168.11.100 255.255.255.255 outside
pdm location RemoteDesktop 255.255.255.255 inside
pdm location OutsideDesktop 255.255.255.255 outside
no pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 A.B.C.D
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 A.B.C.D 1
route outside OutsideDesktop 255.255.255.255 RemoteDesktop 1
route inside 192.168.6.0 255.255.255.0 192.168.4.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:00:00 udp 0:00:00 rpc 0:10:00 h225 0:00:00
timeout h323 0:05:00 mgcp 0:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 192.168.4.0 255.255.255.0 inside
snmp-server location CDA Corporate
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetoutside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
vpdn username dvanvranken password *********
vpdn username admin password *********
vpdn enable outside
vpdn enable inside
username admin password qoNIlbVb3wAD8rbx encrypted privilege 15
username ciscoservice password WUEZkvO.LGuoLrcr encrypted privilege 15
terminal width 80
banner exec Shearson Home Loans, Inc.
banner exec Cisco Pix Firewall
banner exec Enable Mode
banner login Shearson Home Loans, Inc.
banner login Cisco Pix Firewall
banner login Authorized Users Only!
banner login Unauthorized users will be prosecuted to the fullest extent of the
law!
Cryptochecksum:931aefe9622bbc9accbbc60b91164679
: end
pix#
ASKER CERTIFIED SOLUTION (Les Moore)
DVmagic (ASKER):
Sounds logical. But logic seems to have a way of playing games when it comes to computers.

I'm trying to see 192.168.4.40 from the outside. The 192.168.11.X is a range of VPN numbers left over from the old days.
The name RemoteDesktop is this 192.168.4.40 host on the inside connection. The name OutsideDesktop is a host on the outside interface and it's assigned one IP number above my firewall default. Both were created by me via PDM and if it's wrong I have no problem in removing them.

Here's my new config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password *********** encrypted
passwd ********** encrypted
hostname pix
domain-name shearsonhomeloans.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name A.B.C.D Cox_Cable
name 192.168.4.40 RemoteDesktop
name A.B.C.D+1 OutsideDesktop
object-group service Exchange tcp
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object range 5000 5001
  port-object range 135 135
object-group service Messenger tcp
  port-object range 137 netbios-ssn
  port-object range 135 135
object-group service MessengerTCP tcp
  port-object range 137 netbios-ssn
  port-object eq 135
  port-object eq 445
object-group service TeVue tcp-udp
  description Ports required for TeVue interface
  port-object range 8050 8060
  port-object range 1718 1720
  port-object range 7000 7010
access-list 101 permit icmp any any
access-list outside_access_in permit tcp any host OutsideDesktop eq 3389
access-list inside_outbound_nat0_acl permit ip any 192.168.11.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 192.168.11.100
access-list inside_outbound_nat0_acl permit ip host RemoteDesktop 192.168.11.0 255.255.255.0
access-list inside_outbound_nat0_acl permit tcp any host OutsideDesktop eq 3389
access-list outside_in permit tcp any interface outside eq 3389
pager lines 24
logging timestamp
logging trap warnings
logging history debugging
logging facility 23
logging queue 0
logging device-id hostname
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside A.B.C.D 255.255.255.224
ip address inside 192.168.4.254 255.255.255.0
ip address intf2 192.168.2.101 255.255.255.0
ip address intf3 192.168.3.101 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool cdapool 192.168.11.100-192.168.11.200 mask 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location A.B.C.0 255.255.255.0 outside
pdm location 192.168.4.77 255.255.255.255 inside
pdm location 192.168.6.0 255.255.255.0 inside
pdm location 192.168.11.0 255.255.255.0 outside
pdm location 192.168.11.100 255.255.255.255 outside
pdm location RemoteDesktop 255.255.255.255 inside
pdm location OutsideDesktop 255.255.255.255 outside
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 RemoteDesktop 3389 netmask 255.255.255.255 0 0
static (inside,outside) OutsideDesktop RemoteDesktop netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.C 1
route outside OutsideDesktop 255.255.255.255 RemoteDesktop 1
route inside 192.168.6.0 255.255.255.0 192.168.4.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:00:00 udp 0:00:00 rpc 0:10:00 h225 0:00:00
timeout h323 0:05:00 mgcp 0:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 192.168.4.0 255.255.255.0 inside
snmp-server location CDA Corporate
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetoutside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
vpdn username dvanvranken password *********
vpdn username admin password *********
vpdn enable outside
vpdn enable inside
username admin password *********** encrypted privilege 15
username ciscoservice password ********** encrypted privilege 15
terminal width 80
: end
pix#
>name A.B.C.D+1 OutsideDesktop
Do you have more than 1 IP address from the ISP?
If yes:

You don't want to do both of these:

static (inside,outside) tcp interface 3389 RemoteDesktop 3389 netmask 255.255.255.255 0 0
static (inside,outside) OutsideDesktop RemoteDesktop netmask 255.255.255.255 0 0

Suggest:
no static (inside,outside) tcp interface 3389 RemoteDesktop 3389 netmask 255.255.255.255 0 0
clear xlate
no access-group outside_in in interface outside
access-group outside_access_in in interface outside

Also check the server's TCP/IP settings. Does it point to the PIX's inside IP, 192.168.4.254, as its default gateway?

DVmagic (ASKER):
Yes, I have a range of IPs available. The PIX is the first in the range. We also have a public web server connected to the ISP on another IP address, separate from the PIX.

I'm working on the other lines now. Let's see what happens.

And yes, the default gateway points to the inside IP.

Should I be able to ping the outside number? Or telnet to 3389 and get a response?
DVmagic (ASKER):
Sorry, no dice.
If all of these conditions are met, there is no reason it should not work:
-- static xlate for public-private nat - CHECK
static (inside,outside) OutsideDesktop RemoteDesktop netmask 255.255.255.255 0 0
-- access-list to permit tcp/3389 - CHECK
access-list outside_access_in permit tcp any host OutsideDesktop eq 3389
-- acl applied to the interface - CHECK
access-group outside_access_in in interface outside
-- DG on server points to PIX - CHECK
-- You are actually testing from outside the network? Not from inside using the public IP? - CHECK??

Check results of "show access-list" and see if hitcounters are increasing?

SOLUTION
Damn! instillmotion is onto something. I can't believe I missed that!
Yes, I agree, you must remove this line:
  no route outside OutsideDesktop 255.255.255.255 RemoteDesktop 1

Kudos, instillmotion! Glad to have you on the team! These tired old eyes need help every once in a while.... <8-}


DVmagic (ASKER):
Why do I have those? I wish I knew. I'll try that next.

We used to have a 192.168.6.0 subnet, but no longer. When this was first set up we had a half dozen 3525 switches, each on their own subnet with vlans. We've trimmed down and now only have the 192.168.4.0 for everything.

To answer lrmoore, yes I'm testing from the outside. I'm using one of the computers physically outside the firewall.
DVmagic (ASKER):
All hitcounters are at "zero".

Most of my access-list seems to be for 192.168.11.x, which was set aside before my time for VPNs.
Please remove the route statement - this is critical!

no route outside OutsideDesktop 255.255.255.255 RemoteDesktop 1
DVmagic (ASKER):
Done, still no change.

And people wonder why I'm turning gray!

Here's my new config, in case I've missed something. I left the last digits of the outside IP alone so you can more easily visualize what I have:

: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
enable password ******** encrypted
passwd ******** encrypted
hostname pix
domain-name shearsonhomeloans.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.192 Cox_Cable
name 192.168.4.40 RemoteDesktop
name x.x.x.212 OutsideDesktop
object-group service Exchange tcp
  port-object eq www
  port-object eq pop3
  port-object eq smtp
  port-object range 5000 5001
  port-object range 135 135
object-group service Messenger tcp
  port-object range 137 netbios-ssn
  port-object range 135 135
object-group service MessengerTCP tcp
  port-object range 137 netbios-ssn
  port-object eq 135
  port-object eq 445
object-group service TeVue tcp-udp
  description Ports required for TeVue interface
  port-object range 8050 8060
  port-object range 1718 1720
  port-object range 7000 7010
access-list 101 permit icmp any any
access-list outside_access_in permit tcp any host OutsideDesktop eq 3389
access-list inside_outbound_nat0_acl permit ip any 192.168.11.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host 192.168.11.100
access-list inside_outbound_nat0_acl permit ip host RemoteDesktop 192.168.11.0 255.255.255.0
access-list inside_outbound_nat0_acl permit tcp any host OutsideDesktop eq 3389
pager lines 24
logging timestamp
logging trap warnings
logging history debugging
logging facility 23
logging queue 0
logging device-id hostname
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside x.x.x.211 255.255.255.224
ip address inside 192.168.4.254 255.255.255.0
ip address intf2 192.168.2.101 255.255.255.0
ip address intf3 192.168.3.101 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool cdapool 192.168.11.100-192.168.11.200 mask 255.255.255.0
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location x.x.x.0 255.255.255.0 outside
pdm location 192.168.4.77 255.255.255.255 inside
pdm location 192.168.6.0 255.255.255.0 inside
pdm location 192.168.11.0 255.255.255.0 outside
pdm location 192.168.11.100 255.255.255.255 outside
pdm location RemoteDesktop 255.255.255.255 inside
pdm location OutsideDesktop 255.255.255.255 outside
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) OutsideDesktop RemoteDesktop netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:00:00 udp 0:00:00 rpc 0:10:00 h225 0:00:00
timeout h323 0:05:00 mgcp 0:00:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
http server enable
http 192.168.4.0 255.255.255.0 inside
snmp-server location CDA Corporate
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt noproxyarp outside
sysopt noproxyarp inside
service resetoutside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
vpdn username dvanvranken password *********
vpdn username admin password *********
vpdn enable outside
vpdn enable inside
username admin password ******** encrypted privilege 15
username ciscoservice password ******** encrypted privilege 15
terminal width 80
: end
From outside (Internet), can you do the following:

Do this for now:

no ip verify reverse-path interface outside

telnet <OutsideDesktop> 3389 => See if you get connected.

Config looks okay, so try that first and see.

Cheers,
Rajesh
Your config looks fine. Please reboot the firewall and try again.
lrmoore, thanks for your kind comments; the more eyes on the config, the better chance we have to figure this out. I agree that the config looks good now. I am wondering about something though. The initial config had reference to several internal subnets. What's the internal topology like? Do you have a core switch with different VLANs? There could be some filtering going on on a core switch.
DVmagic (ASKER):
Nope, nothing...

Come to think of it, it's all connected via a Catalyst 6500. The server is on the 6500, the 6500 then connects to the firewall which hooks (via a hub) to our ISP's Cable Modem. I have a computer on that hub using an outside IP address I'm using to test the connection.

Previously this was a Call Center with a hundred workstations. Each room was on its own vlan. The server vlan is where the RemoteDesktop and firewall reside. Since then, the entire system has been trimmed down to the 6500, the servers (file sharing, web, Remote Desktop (I hope!)) and a Catalyst 3524 to distribute connections to the workstations. There's now no need for any vlans or subnets, and I configured the 3524 to be on the same vlan as the servers.

I haven't looked, but could it be the 6500 is blocking that port? What would I look for to confirm this? For testing purposes I suppose I could add a hub between the firewall and 6500 and connect the server directly. Am I heading in the right direction with this line of thinking? Please stop me if you think I'll hurt something.
Are the server and the inside interface of the PIX in the same vlan?
Can you RDP to the server from any of the workstations?
DVmagic (ASKER):
Yes, the server and inside interface are on the same vlan.

Yes, I can RDP from the workstations, just not from the outside.
I think you will find that it actually does work if you try it from outside your network, like from home.
If you check the result of 'show access-list', I'll bet you see hitcounts.
I get prompted for credentials, so I know it should work.
<there was enough information in your initial posts to infer the complete IP address. I can/will edit that information out of this post if you want me to>
DVmagic (ASKER):
That's wonderful news. Strange that I can't do it myself. I'll try it during a lunch break today.
DVmagic, it's not strange that you cannot do it yourself. You are on the inside of the PIX. A PIX is like a bottleneck that allows traffic only one way.
Traffic that goes out on 1 interface cannot go back in by design. I didn't realize you were testing from inside.
DVmagic (ASKER):
No, actually I'm testing from the outside, from a separate machine with an outside IP address. It's attached to a hub between the firewall and the cable modem.
Interesting, like lrmoore I'm able to remote desktop into A.B.C.D+11 and get a Windows Server 2003 prompt.
Not sure why you are not able to do it from your outside machine.
Now that we've helped you put a hole through your firewall :) I must say I would not want to do that on one of my firewalls. At the very least you need to use some type of encryption on the RDP connection, as by default I believe the credentials will be passed in the clear.
Personally I prefer to set up a VPN and only RDP over the VPN tunnel.

Username is sent in the clear, but passwords are encrypted.
Data is encrypted by default.
You can lock it down more with something like this: http://www.2x.com/securerdp/
DVmagic (ASKER):
Sorry guys, still nothing.

instillmotion says he can log in to x.x.x.222 but that's not us. That's outside our assigned range, and we don't have a SBS 2003 server. I'm trying to reach x.x.x.212

Should I be able to ping the outside interface x.x.x.212? That doesn't work either.
SOLUTION
DVmagic (ASKER):
pix# show access-list outside_access_in
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 permit tcp any host OutsideDesktop eq 3389 (hitcnt=0)
pix#

I thought I had added the icmp thing in the past, but apparently I didn't do it correctly. I'll do that next.
You have the icmp added to a list that's not applied. It's assigned to access-list 101, which is not used.
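The checklist posted above (static xlate, permit for tcp/3389, ACL actually applied to the outside interface), the stray route statement for OutsideDesktop, and the icmp entry sitting in an unapplied access-list 101 can all be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python lint that reads a PIX 6.3 config dump and reports those conditions; the OutsideDesktop/RemoteDesktop names are the thread's, the 203.0.113.x addresses are constructed placeholders.

```python
"""Lint a PIX 6.3 config against the inbound-RDP checklist from this thread.
Hypothetical helper, not Cisco tooling; 203.0.113.x addresses are placeholders."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for an address that can only live behind the firewall."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:                      # unresolved alias or odd token
        return False

def parse_pix(config):
    """Collect names, access-lists, statics, routes and ACL usage from a config dump."""
    cfg = {"names": {}, "acls": {}, "statics": [], "routes": [], "groups": {}, "used": set()}
    for raw in config.splitlines():
        p = raw.split() or [""]
        if p[0] == "name" and len(p) == 3:          # name IP ALIAS
            cfg["names"][p[2]] = p[1]
        elif p[0] == "access-list":
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "static":
            cfg["statics"].append(p)
        elif p[0] == "access-group":                # access-group NAME in interface IFACE
            cfg["groups"][p[1]] = p[4]
            cfg["used"].add(p[1])
        elif p[0] == "nat" and "access-list" in p:  # nat (inside) 0 access-list NAME
            cfg["used"].add(p[p.index("access-list") + 1])
        elif p[0] == "route":                       # route IFACE DEST MASK GATEWAY [metric]
            cfg["routes"].append({"iface": p[1], "dest": p[2], "gw": p[4]})
    return cfg

def lint_inbound(cfg, public, private, port, outside="outside"):
    """Return (code, message) findings; an empty list means the mapping should work."""
    res = lambda t: cfg["names"].get(t, t)         # alias -> IP, plain IPs pass through
    pub, priv, port = res(public), res(private), str(port)
    out = []
    one_to_one = [s for s in cfg["statics"]
                  if s[2] not in ("tcp", "udp") and res(s[2]) == pub and res(s[3]) == priv]
    port_pat = [s for s in cfg["statics"] if s[2] in ("tcp", "udp") and s[4] == port]
    if not one_to_one:
        out.append(("STATIC-MISSING", f"no static (inside,outside) {public} {private}"))
    elif port_pat:
        out.append(("STATIC-CONFLICT", f"one-to-one and port statics both claim {port}; keep one"))
    # The permit must sit in an ACL applied to the outside interface and name the public
    # host as destination (the token after the entry's last 'host' keyword).
    hits = [e for n, iface in cfg["groups"].items() if iface == outside
            for e in cfg["acls"].get(n, [])
            if e[:2] == ["permit", "tcp"] and e[-2:] == ["eq", port] and "host" in e
            and res(e[len(e) - e[::-1].index("host")]) == pub]
    if not hits:
        out.append(("ACL-MISSING", f"no ACL applied on {outside} permits tcp/{port} to {public}"))
    for name in sorted(set(cfg["acls"]) - cfg["used"]):
        out.append(("ACL-UNAPPLIED", f"access-list {name} is defined but never applied"))
    for r in cfg["routes"]:                        # public host routed to an inside next hop
        if r["iface"] == outside and (is_rfc1918(res(r["gw"])) or res(r["dest"]) == pub):
            out.append(("ROUTE-BAD", f"route {outside} {r['dest']} via {r['gw']}; remove it"))
    return out

# Constructed sample mirroring the asker's second config (public IPs are placeholders).
BROKEN = """\
name 192.168.4.40 RemoteDesktop
name 203.0.113.212 OutsideDesktop
access-list 101 permit icmp any any
access-list outside_access_in permit tcp any host OutsideDesktop eq 3389
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 RemoteDesktop 3389 netmask 255.255.255.255 0 0
static (inside,outside) OutsideDesktop RemoteDesktop netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.193 1
route outside OutsideDesktop 255.255.255.255 RemoteDesktop 1
"""

# The same fragment after the fixes the thread converged on.
FIXED = """\
name 192.168.4.40 RemoteDesktop
name 203.0.113.212 OutsideDesktop
access-list outside_access_in permit tcp any host OutsideDesktop eq 3389
access-list outside_access_in permit icmp any host OutsideDesktop echo
static (inside,outside) OutsideDesktop RemoteDesktop netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.193 1
"""
```

Running `lint_inbound(parse_pix(BROKEN), "OutsideDesktop", "RemoteDesktop", 3389)` reports the conflicting statics, the unapplied permit, both unused access-lists and the bad route; the same call on `FIXED` returns an empty list.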
DVmagic (ASKER):
Got it. I can now ping the PIX from the outside. However, I still cannot ping the PIX+1 address.
Quick question: is that +1 server able to access the outside, like the internet?
DVmagic (ASKER):
It used to be able to. I just checked and now it does not. I can ping the inside numbers, but it won't connect to anything on the outside. Is it because I restricted all ports except 3389?
DVmagic (ASKER):
I can even access the PDM from there, but nothing else.
DVmagic (ASKER):
Considering the entire system has been reconfigured and I no longer need all the extra stuff someone else added, should I consider blowing out the configuration and starting from scratch? If so, what would I need to do to backup my config so I can put it back if necessary?
Might not be a bad idea to start over again.
You might have some other things going on inside the network because it was working earlier today, now it's not...and the server can't get to the internet?
You can't ping the server public IP, only the PIX outside ip unless you add icmp echo to the acl...
You can just cut/paste the current config into wordpad or something to save as a .txt file for use later if you need it.
The access-list you have restricts incoming traffic not outgoing, so that's not the problem.
Are you able to ping the RDP server from the PIX? If not, are you able to ping the RDP server from another workstation on the LAN?

To save your PIX config you can do what lrmoore says: copy/paste the config to a text file. The only drawback is that passwords don't show, so you'll have to replace *** with the real info.

If you want to save the complete config you can save it to a tftp server.
Install a tftp server on a machine on the LAN. Here's a good free one: http://www.download.com/TFTP-Desktop/3000-2085_4-10116545.html

On the PIX, configure tftp:
tftp-server inside <ip address of tftp server> /configname

To save the configuration to the tftp server:
write net
Restore the configuration from the tftp server (overwrite):
config net
Add "clear configure all" at the beginning of the config file.

It will clear the old config and load the saved one.
DVmagic (ASKER):
To sum up today's efforts:

lrmoore,
No, it never has worked. Earlier today was a mistaken IP address. I've added the icmp echo and I can now ping the PIX from the outside, but not the RDP outside address.

instillmotion,
Yes I can ping the RDP from inside the LAN. In fact I can log in to it and actually work on it.

This week is the "drop dead" week. Something has to go and I'd rather it not be me.
We know it works through a pix...
>https://www.experts-exchange.com/questions/22010709/Setup-incoming-RDP-port-3389-through-Cisco-PIX-501-without-disturbing-current-pix-to-pix-vpn-connection.html#17649076

>For testing purposes I suppose I could add a hub between the firewall and 6500 and connect the server directly.
I would try something like this.

I would also try saving the PIX config and hard-rebooting it. Power down completely, reboot.
DVmagic (ASKER):
Okay, I changed the IP address of the RDP server and internet access was restored. It seems the PIX is indeed blocking it.

I'm carefully winding my way through the procedures to reset this to default without impacting our daily business too badly.
DVmagic (ASKER):
Rather than reset the entire PIX, taking what I learned from you I went through and deleted anything that doesn't need to be there from the earlier configs. Lo and behold, the internet access to the RDP server was restored! I then entered lrmoore's commands and it works!

I'm splitting the points between my two heroes, lrmoore and instillmotion.

Thanks guys!
Thank you DVmagic and thanks lrmoore.
Glad to help!
- Cheers!