rsochan
Cannot establish Remote Session with SMB Server
I have an old Pix 501 firewall that I would like to configure to allow some sort of remote access to the SMB server on the LAN. I would also like to allow users to access their workstations from home using RWW. I have tried connecting remotely using Remote Desktop (RDP), Remote Web Workplace (RWW), and even VNC, and none of them work. Connecting via Cisco VPN would also be nice, but I'm not sure if this 501 model supports VPN, and it did not work when I tried connecting using a PC with the Cisco VPN Client software.
When I configure a laptop on the internal LAN, I can use VNC and RDP to connect to the server without any problem.
When I configure the laptop on the WAN side and try to access, no luck. I have made all kinds of changes to the Pix trying different configurations I have found on the internet, so now I probably have additional lines in my Pix config that are unnecessary or possibly not even supported by an old 501. Maybe that's part of the problem? Maybe I need to go back to a very basic config? Anyway, any help would be greatly appreciated. The current Pix config is listed below.
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ************ encrypted
passwd **************** encrypted
hostname mycopix
domain-name myco.org
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
access-list outside-access-in permit tcp any interface outside eq 5900
access-list outside-access-in permit gre any host 71.123.123.209
access-list outside-access-in permit tcp any host 71.123.123.209 eq pptp
access-list outside-access-in permit tcp any host 71.123.123.209 eq www
access-list outside-access-in permit tcp any host 71.123.123.209 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.123.123.209 255.255.255.248
ip address inside 192.168.6.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool 192.168.6.100 192.168.6.100-192.168.6.200
ip local pool ippool 192.168.6.240-192.168.6.250
pdm location 192.168.6.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5900 192.168.6.2 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 71.123.123.214 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.136.10 rinat-ssf timeout 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup hsfvpn address-pool ippool
vpngroup hsfvpn dns-server 192.168.6.2
vpngroup hsfvpn wins-server 192.168.6.2
vpngroup hsfvpn default-domain hsf
vpngroup hsfvpn idle-time 1800
vpngroup hsfvpn password ********
telnet 68.164.241.0 255.255.255.0 outside
telnet 65.116.147.0 255.255.255.0 outside
telnet 192.168.6.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
ASKER
Thanks for the suggestions. I have a couple of questions as I set this up...
Why are the following lines removed but not replaced with something else:
no access-list outside-access-in permit tcp any host 71.123.123.209 eq pptp
no access-list outside-access-in permit gre any host 71.123.123.209
The following lines didn't work:
access-list outside-access-in permit tcp any host interface outside eq www
access-list outside-access-in permit tcp any host interface outside eq https
Was it supposed to be:
access-list outside-access-in permit tcp any interface outside eq www
access-list outside-access-in permit tcp any interface outside eq https
>Why are the following lines removed but not replaced with something else:
no access-list outside-access-in permit tcp any host 71.123.123.209 eq pptp
no access-list outside-access-in permit gre any host 71.123.123.209
Because you are trying to use IPSEC and not PPTP and these are not necessary
Was it supposed to be:
access-list outside-access-in permit tcp any interface outside eq www
access-list outside-access-in permit tcp any interface outside eq https
Yes, the keyword "host" does not need to be there. My bad first go round...
ASKER
>Because you are trying to use IPSEC and not PPTP and these are not necessary
So if I want to include PPTP as an option I should include those two lines (but change from host to interface)?
Good news (sort of) -- I made the changes at home this morning and I was able to successfully establish a VPN connection, and then using VNC on the internal LAN I was able to connect to my server.
(But I was not able to connect to VNC directly by targeting the outside interface address, or establish RWW at http://71.123.123.209/remote)
Now I'm at work and I can establish the VPN, but nothing else (no ping to server, no more VNC locally)
Could it be something with the firewall at my office?
Good news that we have some progress.
>So if I want to include PPTP as an option I should include those two lines (but change from host to interface
No, because the sysopt connection permit-pptp command will negate the need to allow those ports/protocols to the PIX interface itself.
>Could it be something with the firewall at my office?
Yes, certainly, but we can also add the following command to your PIX 501:
isakmp nat-traversal 20
This will let the PIX know that the client is behind a nat device (firewall) and adjust accordingly. This is assuming that the firewall at the office does not block UDP port 4500.
ASKER
The isakmp nat-traversal 20 command got things going again -- cool!!!
Now I have the ability to log into VPN and then use VNC to target the server's LAN address to gain control of the server.
VNC without the use of the VPN (targeting the WAN address of the PIX) still doesn't work, nor does RWW by targeting http://www
Also, I have downloaded the .bin file for the Pix Version 6.3(5). Will I lose all my configuration when I perform the upgrade?
ASKER
Oops I meant "by targeting http://71.123.123.209/remote" for the RWW test...
The upgrade is quick, simple and painless and you will not lose any of the configuration.
Are you actually trying the RWW from outside the network, and not inside just using the public IP?
Make sure that the access-list is applied to the interface:
access-group outside-access-in in interface outside
ASKER
I am trying RWW (and VNC and RDP) from the outside world to see if any one will connect directly without requiring the VPN. (I know it is not secure, but I won't have the luxury of having a Cisco VPN Client in all cases).
>Make sure that the access-list is applied to the interface:
> access-group outside-access-in in interface outside
This line has always been part of my configuration, and I double checked to make sure it is still there.
When I connect via the VPN, then I am able to use all of the above (VNC, RWW, RDP) using the local LAN IP address of the server (192.168.6.2).
Save the config and hard reboot the PIX. 6.3(1) has some bugs that require a reboot, and I mean a hard reboot with power off/back on.
ASKER
I did the hard reboot (power off/back on) and nothing has changed. I will try to do the upgrade to 6.3(5) next, but apparently I need to obtain a TFTP program first.
I was just thinking -- could the problem be that I'm targeting the IP address of the Pix (x.x.x.209) when I try to VNC or RDP to the server? Should I be using one of the other usable IP addresses and somehow assign that to represent the server? So instead of using x.x.x.209 (the IP address of the PIX), would use something like x.x.x.210 to access the server directly with RDP or VNC requests. Would that make any difference? How would the Pix config change in that case?
Well, yea, that's kind of one of the bugs in this version of code.
Since the reboot didn't work, let's try this:
no static (inside,outside) tcp interface 5900 192.168.6.2 5900 netmask 255.255.255.255 0 0
clear xlate
static (inside,outside) 71.123.123.210 192.168.6.2 netmask 255.255.255.255
-- note the "_" instead of dash (another bug)
access-list outside_access_in permit tcp any host 71.123.123.210 eq www
access-list outside_access_in permit tcp any host 71.123.123.210 eq https
access-list outside_access_in permit tcp any host 71.123.123.210 eq pptp
access-group outside_access_in in interface outside
write mem
Then you have to reboot after making a change to the static command (another bug)
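The "_" versus "-" detail above is the crux of the direct-access problem: PIX treats `outside_access_in` and `outside-access-in` as two unrelated access lists, and only the one named in `access-group` is enforced on the interface. In the asker's config the bound list permits ICMP only, while every TCP permit (5900, www, https) sits in the unbound list, so the static port-forward is never reachable from outside. The following lint script is an added example written for this page, not code from the thread or from Cisco. It parses a constructed excerpt of the asker's config (names and addresses taken from the posted config) plus a constructed corrected excerpt, and flags the name mismatch, port-forwarding statics that no bound outside ACE permits, management services (telnet/ssh) reachable on the outside interface, and a default SNMP community. It understands only the PIX 6.x command forms that occur in this thread; that is an assumption of the example, not a general parser.

```python
"""Lint a PIX 6.x style configuration for the mistakes discussed in this thread.

Added example, not code from the original post. It understands only the command
forms that appear in the thread (access-list / access-group / port-forwarding
static / telnet / ssh / snmp-server community); anything else is ignored.
"""
from collections import defaultdict

# Constructed excerpt of the asker's posted config (names and addresses from the thread).
ASKER_CONFIG = """\
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list outside-access-in permit tcp any interface outside eq 5900
access-list outside-access-in permit tcp any host 71.123.123.209 eq www
access-list outside-access-in permit tcp any host 71.123.123.209 eq https
static (inside,outside) tcp interface 5900 192.168.6.2 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
snmp-server community public
telnet 68.164.241.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Constructed corrected excerpt: one ACL name throughout, management only from inside.
FIXED_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq 5900
static (inside,outside) tcp interface 5900 192.168.6.2 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
ssh 192.168.6.0 255.255.255.0 inside
"""

PORT_NAMES = {"www": 80, "https": 443, "pptp": 1723, "ssh": 22, "telnet": 23}


def port_number(token):
    """Resolve a PIX port token ('www', '5900') to an int, or None if unknown."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def parse(config):
    acls = defaultdict(list)   # ACL name -> list of ACE token lists
    applied = {}               # interface -> ACL name bound with access-group
    statics = []               # (proto, outside port) for port-forwarding statics
    mgmt = []                  # (service, network, mask, interface)
    weak_snmp = False
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 2:
            acls[t[1]].append(t[2:])
        elif t[0] == "access-group" and len(t) == 5:
            applied[t[4]] = t[1]          # access-group NAME in interface IFACE
        elif t[0] == "static" and len(t) > 4 and t[2] in ("tcp", "udp"):
            statics.append((t[2], port_number(t[4])))   # 1:1 statics are not port-checked
        elif t[0] in ("telnet", "ssh") and len(t) == 4:
            mgmt.append(tuple(t))         # 'ssh timeout 30' has 3 tokens and is skipped
        elif t[:2] == ["snmp-server", "community"] and len(t) > 2 and t[2] in ("public", "private"):
            weak_snmp = True
    return acls, applied, statics, mgmt, weak_snmp


def ace_permits(ace, proto, port):
    """Does an ACE like ['permit','tcp','any','interface','outside','eq','5900'] allow proto/port?"""
    if ace[0] != "permit" or ace[1] not in (proto, "ip"):
        return False
    if "eq" not in ace:
        return True                       # no port qualifier: every port of that protocol
    return port_number(ace[ace.index("eq") + 1]) == port


def norm(name):
    """Collapse the '-' vs '_' spelling difference so look-alike ACL names compare equal."""
    return name.replace("-", "_").lower()


def lint(config):
    acls, applied, statics, mgmt, weak_snmp = parse(config)
    findings = []
    bound = set(applied.values())
    for iface, name in applied.items():
        if name not in acls:
            findings.append(f"{iface}: access-group binds ACL {name!r}, which has no entries")
    for name in acls:
        if name in bound:
            continue
        twin = next((b for b in bound if norm(b) == norm(name)), None)
        hint = f"; the bound ACL {twin!r} differs only in '-' vs '_'" if twin else ""
        findings.append(f"ACL {name!r} is defined but never bound to an interface{hint}")
    outside_aces = acls.get(applied.get("outside", ""), [])
    for proto, port in statics:
        if not any(ace_permits(ace, proto, port) for ace in outside_aces):
            findings.append(f"static forwards {proto}/{port} but the outside ACL never permits it")
    for svc, net, mask, iface in mgmt:
        if iface == "outside":
            scope = "any source" if mask == "0.0.0.0" else f"{net}/{mask}"
            findings.append(f"{svc} management reachable on outside from {scope}")
    if weak_snmp:
        findings.append("snmp-server community is a well-known default")
    return findings


if __name__ == "__main__":
    for label, cfg in (("asker", ASKER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in lint(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the asker's excerpt it reports the unbound `outside-access-in` list with its bound twin, the unreachable tcp/5900 forward, telnet and ssh exposed on the outside interface (ssh from any source), and the `public` community; the corrected excerpt produces no findings. The same check catches the expert's own slip further up the thread, where `access-group outside_access_in` is applied but the new permits were again written under `outside-access-in`.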
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
First off, this is a very buggy version and needs to be upgraded to 6.3(5)
Good news is that this 501 does indeed support Cisco VPN client.
>access-group inside_access_in in interface inside
Remove this. All traffic from inside going out is allowed by default.
For the VPN to work, try this:
ip local pool VPNPOOL 192.168.126.1-192.168.126.
access-list NONAT permit ip 192.168.6.0 255.255.255.0 192.168.126.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list SPLIT_TUNNEL permit ip 192.168.6.0 255.255.255.0 192.168.126.0 255.255.255.0
vpngroup hsfvpn address-pool VPNPOOL
vpngroup hsfvpn split-tunnel SPLIT_TUNNEL
>crypto map outside_map client authentication RADIUS
Try getting it working with LOCAL first, then work on RADIUS as a separate item. Don't try to get too many things going at once
crypto map outside_map client authentication LOCAL
For access to the server, use the "interface" keyword everywhere:
no access-list outside-access-in permit tcp any host 71.123.123.209 eq www
no access-list outside-access-in permit tcp any host 71.123.123.209 eq https
no access-list outside-access-in permit tcp any host 71.123.123.209 eq pptp
no access-list outside-access-in permit gre any host 71.123.123.209
access-list outside-access-in permit tcp any interface outside eq 5900
access-list outside-access-in permit tcp any host interface outside eq www
access-list outside-access-in permit tcp any host interface outside eq https
static (inside,outside) tcp interface 5900 192.168.6.2 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.6.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.6.2 https netmask 255.255.255.255 0 0
Make sure the server's default gateway is set to the PIX