?
Solved

Cisco Pix 501 inside another firewall - open access to remote employees

Posted on 2009-12-21
7
Medium Priority
?
379 Views
Last Modified: 2012-05-08
I need to allow network access to remote employees

I'm wondering whether to setup RDP access to specific IP addresses or setup a proper cisco client vpn.

My cisco 501 is quite old, about 6 years, but seems to work fine. Its inside an outer internet facing firewall which guests plug into to get internet access.

OuterFirewall 192.168.0.1
     Cisco501
           Internal company LAN network, including AD/DNS/DHCP
     Visitors
   
I know a cisco501 is a bit small for a company running 30 odd machines but it works great and I see no reason to replace it.

Question:

1. Is a Cisco vpn fairly easy to setup for a non-network expert ?
2. What command could I issue that only allows a certain client from the outer firewall ? Everything I see tells me that the inside firewall cannot tell where traffic came from, since its all natted to a local 192 address ??

Any help or guidance would be appreciated

thanks
0
Comment
Question by:plq
7 Comments
 
LVL 4

Assisted Solution

by:satyasingh
satyasingh earned 300 total points
ID: 26097671
Setting up VPN should not be tedious task, Pls refer to below URL and update incase getting stuck on any point...

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html#wpxref36421


0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 1300 total points
ID: 26097709
Hi,

1.Here's a good reference guide that you need:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

2. sh xlate tells you the nat table
Best regards,
Istvan
0
 
LVL 8

Author Comment

by:plq
ID: 26097861
OK, my PIX knowledge is zero, so could you help me here.

Your link suggests that I can let someone in and have them NATTED to a different server from the next guy, I think !

So lets say that remote employee 1 has internet ip address is 200.1.1.1
&& lets say that remote employee 2 has internet ip address is 200.2.2.2

Now I can let 200.1.1.1 and 200.2.2.2 through the outer firewall on 3389, thats easy.

Lets say the cisco 501 has an outer address of 192.168.0.200, and an inner address of 10.5.0.1

And lets say the server employee 1 logs onto is 10.5.0.101
And lets say the server employee 2 logs onto is 10.5.0.102

What commands can I issue so that employee 1 routes through from 200.1.1.1 through to 10.5.0.101
and 200.2.2.2 routes through to 10.5.0.102

??

Please remember my pix knowledge is zero !

thanks

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26097953
could you show me the whole config? And I put the lines that you need...
0
 
LVL 8

Author Comment

by:plq
ID: 26097974
Result of firewall command: "show config"
 
: Saved
: Written by enable_15 at 11:36:01.634 UTC Wed May 20 2009
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.5.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.5.0.65 255.255.255.255 inside
pdm location 10.5.0.66 255.255.255.255 inside
pdm location 10.5.0.67 255.255.255.255 inside
pdm location 10.5.0.68 255.255.255.255 inside
pdm location 10.5.0.69 255.255.255.255 inside
pdm location 10.5.0.70 255.255.255.255 inside
pdm location 10.5.0.71 255.255.255.255 inside
pdm location 10.5.0.72 255.255.255.255 inside
pdm location 10.5.0.73 255.255.255.255 inside
pdm location 10.5.0.74 255.255.255.255 inside
pdm location 10.5.0.75 255.255.255.255 inside
pdm location 10.5.0.76 255.255.255.255 inside
pdm location 10.5.0.77 255.255.255.255 inside
pdm location 10.5.0.78 255.255.255.255 inside
pdm location 10.5.0.79 255.255.255.255 inside
pdm location 10.5.0.80 255.255.255.255 inside
pdm location 10.5.0.81 255.255.255.255 inside
pdm location 10.5.0.82 255.255.255.255 inside
pdm location 10.5.0.83 255.255.255.255 inside
pdm location 10.5.0.84 255.255.255.255 inside
pdm location 10.5.0.85 255.255.255.255 inside
pdm location 10.5.0.86 255.255.255.255 inside
pdm location 10.5.0.87 255.255.255.255 inside
pdm location 10.5.0.88 255.255.255.255 inside
pdm location 10.5.0.89 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.5.0.0 255.255.255.0 inside
snmp-server host inside 10.5.0.65
snmp-server host inside 10.5.0.66
snmp-server host inside 10.5.0.67
snmp-server host inside 10.5.0.68
snmp-server host inside 10.5.0.69
snmp-server host inside 10.5.0.70
snmp-server host inside 10.5.0.71
snmp-server host inside 10.5.0.72
snmp-server host inside 10.5.0.73
snmp-server host inside 10.5.0.74
snmp-server host inside 10.5.0.75
snmp-server host inside 10.5.0.76
snmp-server host inside 10.5.0.77
snmp-server host inside 10.5.0.78
snmp-server host inside 10.5.0.79
snmp-server host inside 10.5.0.80
snmp-server host inside 10.5.0.81
snmp-server host inside 10.5.0.82
snmp-server host inside 10.5.0.83
snmp-server host inside 10.5.0.84
snmp-server host inside 10.5.0.85
snmp-server host inside 10.5.0.86
snmp-server host inside 10.5.0.87
snmp-server host inside 10.5.0.88
snmp-server host inside 10.5.0.89
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.5.0.2-10.5.0.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8f70c9bc792a2a2a1aaf6f8d3b9d031a
0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 1300 total points
ID: 26098171
access-list outside_access_in permit tcp host 200.1.1.1 inteface eq 3369
access-list outside_access_in permit tcp host 200.2.2.2 inteface eq 3379
static (inside,outside) tcp interface 3369 10.5.0.101 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3379 10.5.0.102 3389 netmask  255.255.255.255 0 0
access-group outside_access_in in interface outside


0
 
LVL 10

Assisted Solution

by:lanboyo
lanboyo earned 400 total points
ID: 26100092
If you are talking about an IPSec VPN solution;

You will probabally need to set the pix up as the "DMZ" port on the external firewall, in that all incoming traffic that is not directed with a particular PAT is sent to the firewall. Each vendor has a different name for this.... Otherwise make sure you set up the VPNs to use nat traversal so you can direct the incoming tcp/udp ports at the pix.
0

Featured Post

Transaction-level recovery for Oracle database

Veeam Explore for Oracle delivers low RTOs and RPOs with agentless transaction log backup and transaction-level recovery of Oracle databases. You can restore the database to a precise point in time, even to a specific transaction.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question