622 Views, 0 Helpful, 9 Replies

XPunlimited connection through Pix 506e

stargonnc
Level 1

I have a Pix506e that I need to open port 3389 for remote connection to a Win2003 server that is running XPunlimited for 2003 Servers. I have searched the internet and have tried numerous different access list commands to try and make this work. What I'm looking for is a CCNE that can help me get this going and maybe look at my existing configuration file to tell me what isn't set up properly.

9 Replies

Jon Marshall
Hall of Fame

Hi

Could you post your config together with IP addressing details?

Jon

You bet... here it is:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password wVolyRqUC55O9Zpf encrypted
passwd wVolyRqUC55O9Zpf encrypted
hostname TOS
domain-name
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list nat0 permit ip 172.20.10.0 255.255.255.0 172.20.11.0 255.255.255.0
access-list acl-out permit tcp any interface outside eq pcanywhere-data
access-list acl-out permit udp any interface outside eq pcanywhere-status
access-list acl-out permit tcp any host eq pcanywhere-data
access-list acl_out permit udp any host eq 5631
access-list acl_out permit tcp any host eq pcanywhere-data
access-list acl_out permit udp any host eq pcanywhere-status
access-list acl_out permit tcp any host eq 3389
access-list acl_out permit udp any host eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.20.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 172.20.11.1-172.20.11.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 172.20.10.51 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 172.20.10.51 pcanywhere-status netmask 255.255.255.255 0 0
access-group acl-out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn1 esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set vpn1
crypto map seabrook 1 ipsec-isakmp dynamic dynmap
crypto map seabrook interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1000
vpngroup sclient address-pool vpnpool
vpngroup sclient split-tunnel nat0
vpngroup sclient idle-time 1000
vpngroup sclient password ********
telnet 172.20.10.0 255.255.255.0 inside
telnet timeout 5
ssh 24.61.165.168 255.255.255.248 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80

Hi

What is the address of the server?

You only have statics set up for PCAnywhere access, i.e. no port 3389, i.e.

static (inside,outside) tcp "public address/interface" 3389 "local server address" 3389

HTH

Jon

Jon

The server ip is 172.20.10.6

Okay.

So if the public address is the outside interface of the PIX:

static (inside,outside) tcp interface 3389 172.20.10.6 3389 netmask 255.255.255.255

If the public address is a separate public address:

static (inside,outside) tcp "public ip address" 3389 172.20.10.6 3389 netmask 255.255.255.255

Jon
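As an added example (not code from this thread, from Cisco, or from XPunlimited), the following Python script checks a PIX 6.3 config for the two things Jon's answer depends on: a static that translates the public port to the server, and an entry permitting that port in the access-list that is actually bound to the outside interface with access-group. It parses only the command shapes that appear in the posted config, maps the pcanywhere-data and pcanywhere-status service names to TCP 5631 and UDP 5632, and flags any ACL that permits the port but is never applied. The config embedded in the script is constructed for this example; it mirrors the posted config, where the 3389 entries sit under acl_out while the access-group line binds acl-out.

```python
import re

# Constructed sample, modelled on the PIX 6.3 config posted in the thread.
# Addresses and names are placeholders for the example, not a real deployment.
SAMPLE_CONFIG = """\
access-list acl-out permit tcp any interface outside eq pcanywhere-data
access-list acl-out permit udp any interface outside eq pcanywhere-status
access-list acl_out permit tcp any interface outside eq 3389
static (inside,outside) tcp interface pcanywhere-data 172.20.10.51 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 172.20.10.51 pcanywhere-status netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 172.20.10.6 3389 netmask 255.255.255.255
access-group acl-out in interface outside
"""

# Service names PIX prints in place of port numbers (only the ones this page uses).
PORT_NAMES = {"pcanywhere-data": 5631, "pcanywhere-status": 5632}

# Command shapes handled: the static, access-list and access-group forms seen above.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) .* eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def port_number(token):
    """Translate a port token ('3389' or 'pcanywhere-data') to an int, or None."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def parse_config(text):
    """Collect statics, permit entries and interface-to-ACL bindings from the config."""
    statics, aces, bindings = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            _, outside_if, proto, gaddr, gport, laddr, lport = m.groups()
            statics.append({"if": outside_if, "proto": proto,
                            "global": gaddr, "gport": port_number(gport),
                            "local": laddr, "lport": port_number(lport)})
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({"acl": m.group(1), "proto": m.group(2),
                         "port": port_number(m.group(3))})
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)   # interface name -> ACL name
    return statics, aces, bindings


def audit_port(text, port, proto="tcp", outside_if="outside"):
    """Report whether inbound proto/port on the outside interface is both
    translated by a static and permitted by the ACL applied to that interface.
    Destination addresses are deliberately not compared; this is a port-level check."""
    statics, aces, bindings = parse_config(text)
    applied = bindings.get(outside_if)
    matching = [s for s in statics
                if s["if"] == outside_if and s["proto"] == proto and s["gport"] == port]
    permitting = sorted({a["acl"] for a in aces
                         if a["proto"] == proto and a["port"] == port})
    return {
        "has_static": bool(matching),
        "local_targets": [f'{s["local"]}:{s["lport"]}' for s in matching],
        "applied_acl": applied,
        "permitted": applied in permitting,
        "unapplied_acls_permitting": [name for name in permitting if name != applied],
    }


if __name__ == "__main__":
    for proto, port in (("tcp", 3389), ("tcp", 5631), ("udp", 5632)):
        print(proto, port, audit_port(SAMPLE_CONFIG, port, proto))
```

Run against the sample, the 3389 check reports the static as present but `permitted` as False, with acl_out listed as an ACL that permits the port without being applied; the PCAnywhere ports pass both checks. The fix on a real box is to put the entries into the ACL named in access-group (or bind the intended one), and, since the posted entries permit 3389 from `any`, to restrict the source to the addresses that need it, as the config already does for SSH.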

I will add the command and see if that allows me to get in remotely. Another question I have is... when I make these changes to the router and write to memory, do I need to reboot the router every time I make changes? If so, is there a command that I can use to do the reboot remotely?

No you don't need to reboot. In fact there are very few things you need to reboot a firewall/router for.

Jon

Jon,

I added the line:

static (inside,outside) tcp interface 3389 172.20.10.6 3389 netmask 255.255.255.255

I still can't get in, and I noticed that I had a line like that already in the config.

stargonnc
Level 1

Just so you know Jon... we can't use VPN because the 3rd party database the client uses does not perform well through the tunnel.

My hands are kind of tied to using remote desktop. That's why we are trying XPunlimited. I had some success with it before.

Thanks for looking at this for me.
