Solved

Cisco PIX 501, Broken connection to SBS 2003 Remote Web Workplace

Posted on 2009-05-08
Last Modified: 2012-08-14
I don't know how, but I've broken the connection to the SBS 2003 Remote Web Workplace. I don't know what's changed in my Cisco PIX 501 config to get it to stop working.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname pix-veits
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 64.219.161.225 NetworkPartnersSyslogServer
name 192.168.78.2 Server
object-group service Service-service-group tcp
  port-object eq ident
  port-object eq https
  port-object eq smtp
  port-object eq www
access-list outside_access_in permit tcp any host 67.91.xx.xx object-group Service-service-group log
access-list outside_access_in permit icmp any host 67.91.xx.xx echo-reply log
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 3389
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 4125
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 444
access-list inside_outbound_nat0_acl permit ip 192.168.78.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpngroup_splitTunnelAcl permit ip 192.168.78.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inbound permit tcp any interface outside eq 3389
access-list inmap permit tcp any host 67.91.xx.xx eq 3389
pager lines 24
logging on
logging timestamp
logging monitor informational
logging device-id ipaddress outside
logging host outside NetworkPartnersSyslogServer
mtu outside 1500
mtu inside 1500
ip address outside 67.91.xx.xx 255.255.255.224
ip address inside 192.168.78.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.100-192.168.100.115
pdm location 205.172.249.0 255.255.255.0 outside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location NetworkPartnersSyslogServer 255.255.255.255 outside
pdm location 64.233.245.0 255.255.255.0 outside
pdm location 192.168.100.0 255.255.255.0 outside
pdm location 192.168.78.96 255.255.255.224 outside
pdm location 192.168.78.0 255.255.255.0 inside
pdm location Server 255.255.255.255 inside
pdm location 67.91.19.35 255.255.255.255 outside
pdm location 192.168.78.3 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.78.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 67.91.xx.xx Server dns netmask 255.255.255.255 0 0
access-group inmap in interface outside
route outside 0.0.0.0 0.0.0.0 67.91.19.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host Server veitsgroupllc timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
ntp server 192.5.41.209 source outside
http server enable
http 205.172.249.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.78.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server outside Server C:\TFTP-Root
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpngroup address-pool vpnpool
vpngroup vpngroup dns-server Server
vpngroup vpngroup wins-server Server
vpngroup vpngroup default-domain xxxxxx.local
vpngroup vpngroup split-tunnel vpngroup_splitTunnelAcl
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet timeout 5
ssh 205.172.249.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 64.233.245.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access outside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
username xxxxxxxxx encrypted privilege 3
username xxxxxxxxx encrypted privilege 15
username xxxxxxxxx encrypted privilege 3
username xxxxxxxxx encrypted privilege 3
username xxxxxxxxx encrypted privilege 3
username xxxxxxxxx encrypted privilege 3
username xxxxxxxxx encrypted privilege 3
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx: end
[OK]


Question by:baggio8

Expert Comment

by:chris_shaw
ID: 24334337
I can't see all your settings from your post - but you need to forward the following ports to your server:
Remote Web Workplace requires Port 4125
Generally, you should also be forwarding ports 80, 443 and 444 as well, for other services.

Accepted Solution

by:
baggio8 earned 0 total points
ID: 24337278
I figured this out. Apparently the following was missing and I restored it to the config:
access-group outside_access_in in interface outside
I just compared my running configuration to an older saved config.

That gave me a scare.
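The accepted solution is a case of an access-list that exists in the config but is bound to no interface, so none of its permits take effect. As an added example (not from the original post), the script below audits a PIX 6.x config dump for exactly that: it lists ACLs that are defined but never referenced by an access-group, and reports which TCP ports the ACL actually bound to each interface admits. The embedded config is a constructed excerpt modelled on the running-config above (67.91.xx.xx kept as posted); PORT_NAMES maps the PIX service keywords used in the object-group to port numbers.

```python
from collections import defaultdict

# Constructed excerpt modelled on the question's running-config (67.91.xx.xx
# kept as posted): outside_access_in is defined but only inmap is bound.
PIX_CONFIG = """\
object-group service Service-service-group tcp
  port-object eq ident
  port-object eq https
  port-object eq smtp
  port-object eq www
access-list outside_access_in permit tcp any host 67.91.xx.xx object-group Service-service-group log
access-list outside_access_in permit icmp any host 67.91.xx.xx echo-reply log
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 3389
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 4125
access-list outside_access_in permit tcp any host 67.91.xx.xx eq 444
access-list inmap permit tcp any host 67.91.xx.xx eq 3389
access-group inmap in interface outside
"""
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ident": 113}
def port_number(tok): return PORT_NAMES.get(tok) or int(tok)

def parse(config):
    groups, acls, bound, group = defaultdict(list), defaultdict(list), {}, None
    for parts in (ln.split() for ln in config.splitlines() if ln.strip()):
        if parts[0] == "object-group":
            group = parts[2]                      # object-group service NAME tcp
        elif parts[0] == "port-object":
            groups[group].append(parts[2])        # port-object eq PORT
        elif parts[0] == "access-list":
            acls[parts[1]].append(parts[2:])      # NAME -> list of entries
        elif parts[0] == "access-group":
            # PIX 6.x keeps one ACL per interface and direction; a later
            # access-group for the same pair replaces the earlier binding.
            bound[(parts[4], parts[2])] = parts[1]
    return groups, acls, bound

def tcp_ports(entries, groups):
    # Destination TCP ports one ACL permits, via 'eq PORT' or an object-group.
    ports = set()
    for e in (e for e in entries if e[:2] == ["permit", "tcp"]):
        if "eq" in e:
            ports.add(port_number(e[e.index("eq") + 1]))
        elif "object-group" in e:
            ports.update(map(port_number, groups[e[e.index("object-group") + 1]]))
    return ports

def audit(config):
    # Returns (ACLs defined but not bound, {iface/direction: sorted TCP ports}).
    groups, acls, bound = parse(config)
    unbound = sorted(set(acls) - set(bound.values()))
    exposed = {f"{iface}/{d}": sorted(tcp_ports(acls[name], groups))
               for (iface, d), name in bound.items()}
    return unbound, exposed
```

Run against the excerpt, audit() reports outside_access_in as unbound and only 3389 admitted on outside/in; appending the restored access-group line flips that to 25, 80, 113, 443, 444, 3389 and 4125 admitted and inmap unbound, because on PIX 6.x the second access-group for the same interface replaces the first rather than adding to it.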

Author Comment

by:baggio8
ID: 24337297
Answered myself based on my last comment