XPunlimited connection through Pix 506e

Dec 14th, 2007

I have a Pix506e that I need to open port 3389 for remote connection to a Win2003 server that is running XPunlimited for 2003 Servers. I have searched the internet and have tried numerous different access list commands to try and make this work. What I'm looking for is a CCNE that can help me get this going and maybe look at my existing configuration file to tell me what isn't set up properly.

Jon Marshall Fri, 12/14/2007 - 07:42
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Hi


Could you post your config together with IP addressing details?


Jon

stargonnc Fri, 12/14/2007 - 09:36

You bet....here it is



PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wVolyRqUC55O9Zpf encrypted
passwd wVolyRqUC55O9Zpf encrypted
hostname TOS
domain-name
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list nat0 permit ip 172.20.10.0 255.255.255.0 172.20.11.0 255.255.255.0
access-list acl-out permit tcp any interface outside eq pcanywhere-data
access-list acl-out permit udp any interface outside eq pcanywhere-status
access-list acl-out permit tcp any host eq pcanywhere-data
access-list acl_out permit udp any host eq 5631
access-list acl_out permit tcp any host eq pcanywhere-data
access-list acl_out permit udp any host eq pcanywhere-status
access-list acl_out permit tcp any host eq 3389
access-list acl_out permit udp any host eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.20.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.20.11.1-172.20.11.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 172.20.10.51 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 172.20.10.51 pcanywhere-status netmask 255.255.255.255 0 0
access-group acl-out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set vpn1
crypto map seabrook 1 ipsec-isakmp dynamic dynmap
crypto map seabrook interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
vpngroup sclient address-pool vpnpool
vpngroup sclient split-tunnel nat0
vpngroup sclient idle-time 1000
vpngroup sclient password ********
telnet 172.20.10.0 255.255.255.0 inside
telnet timeout 5
ssh 24.61.165.168 255.255.255.248 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80


Jon Marshall Fri, 12/14/2007 - 13:11

Hi


What is the address of the server?


You only have statics set up for PCanywhere access, i.e. no port 3389, i.e.


static (inside,outside) tcp "public address/interface" 3389 "local server address" 3389


HTH


Jon


Jon Marshall Fri, 12/14/2007 - 13:25

okay


So if the public address is the outside interface of the PIX:


static (inside,outside) tcp interface 3389 172.20.10.6 3389 netmask 255.255.255.255


If the public address is a separate public address:


static (inside,outside) tcp "public ip address" 3389 172.20.10.6 3389 netmask 255.255.255.255


Jon

stargonnc Fri, 12/14/2007 - 13:34

I will add the command and see if that allows me to get in remotely. Another question I have is... when I make these changes to the router and write to memory, do I need to reboot the router every time I make changes? If so, is there a command that I can use to do the reboot remotely?

Jon Marshall Fri, 12/14/2007 - 13:35

No you don't need to reboot. In fact there are very few things you need to reboot a firewall/router for.


Jon

stargonnc Fri, 12/14/2007 - 14:13

Jon,


I added the line:

static (inside,outside) tcp interface 3389 172.20.10.6 3389 netmask 255.255.255.255


I still can't get in and I noticed that I had a line like that already in the config.
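The posted config binds acl-out with access-group while the 3389 entries sit in a separately named acl_out, and PIX 6.3 treats ACL names literally, so those entries are never applied. The following added example (not code from this thread or from Cisco) audits a PIX 6.3-style config text for exactly that class of mistake: ACLs that are never bound, port statics with no permitting ACE in the bound ACL, and permits from source "any" to a port such as 3389. The sample config is constructed and abridged from the one above, with the stripped "host" address filled in with a placeholder (172.20.10.6).

```python
import re

# Constructed sample, abridged from the PIX 6.3 config posted above. The stripped
# "host" address is filled in with a placeholder: 172.20.10.6, the RDP server.
SAMPLE_CONFIG = """\
access-list acl-out permit tcp any interface outside eq pcanywhere-data
access-list acl_out permit tcp any host 172.20.10.6 eq 3389
access-list acl_out permit udp any host 172.20.10.6 eq 3389
static (inside,outside) tcp interface pcanywhere-data 172.20.10.51 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 172.20.10.6 3389 netmask 255.255.255.255
access-group acl-out in interface outside
"""

ACE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp|ip|icmp)\s+(.*)$")
STATIC = re.compile(r"^static\s+\(\S+\)\s+(tcp|udp)\s+\S+\s+(\S+)\s+\S+\s+\S+")
GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+")

def parse_acls(cfg):
    """Map ACL name -> list of (action, proto, rest) tuples in config order."""
    acls = {}
    for line in cfg.splitlines():
        m = ACE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    return acls

def bound_acls(cfg):
    """ACL names applied with access-group; any other ACL is inert (acl_out != acl-out)."""
    return {m.group(1) for m in map(GROUP.match, map(str.strip, cfg.splitlines())) if m}

def unbound_acls(cfg):
    """ACLs that exist but are never applied to an interface."""
    return sorted(set(parse_acls(cfg)) - bound_acls(cfg))

def statics_without_ace(cfg):
    """(proto, port) of port statics that no applied ACL permits. PIX 6.3 drops
    inbound traffic to a static unless an ACE in the bound ACL allows that port."""
    acls, bound = parse_acls(cfg), bound_acls(cfg)
    allowed = {(p, r.split("eq ", 1)[1].split()[0])
               for n in bound for a, p, r in acls.get(n, []) if a == "permit" and "eq " in r}
    statics = (STATIC.match(l.strip()) for l in cfg.splitlines())
    return [(m.group(1), m.group(2)) for m in statics if m and (m.group(1), m.group(2)) not in allowed]

def acls_permitting_any_to(cfg, port):
    """ACLs holding a permit from source 'any' to the given port, bound or not;
    a 3389 permit from 'any' is RDP reachable from the whole internet."""
    return sorted(name for name, aces in parse_acls(cfg).items()
                  if any(a == "permit" and r.startswith("any ") and r.endswith(f"eq {port}")
                         for a, _p, r in aces))
```

Run the three audit functions over your own `show run` output; a static that shows up in `statics_without_ace` is the first thing to check before touching the static itself.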



stargonnc Fri, 12/14/2007 - 09:39

Just so you know, Jon... we can't use VPN because the 3rd-party database the client uses does not perform well through the tunnel.


My hands are kind of tied to using Remote Desktop. That's why we are trying XPunlimited. I had some success with it before.


Thanks for looking at this for me.
