cscisco_admin Tue, 06/17/2008 - 01:01

Hi! Thanks for your help. I followed the first link but the internet did not work on my PC. Here is the PIX config:


pixfirewall(config)# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skin
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside (my public ip)
ip address inside 10.1.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 (public ip range-public ip range) netmask (net mask)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 public ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80



Am I missing something, like allowing HTTP traffic, or something else?


Thanks!

Farrukh Haroon Tue, 06/17/2008 - 02:09

No, when going from a higher security level (inside) to the outside, the only thing you need in PIX 6.x is NAT.


What are you seeing in the firewall's log?


logging console 7

or, if on telnet:

logging monitor 7
terminal monitor


Regards


Farrukh

cscisco_admin Tue, 06/17/2008 - 02:54

When I try to access any website:




710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns

710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns

710005: UDP request discarded from 10.1.1.2/137 to inside:10.1.1.255/netbios-ns

710005: UDP request discarded from

Farrukh Haroon Tue, 06/17/2008 - 03:18

That message has nothing to do with internet access; those are just NetBIOS broadcasts.


Regards


Farrukh

cscisco_admin Tue, 06/17/2008 - 03:22

I know, but then that means the HTTP request is not even reaching the PIX. What is missing?


Thanks!

Farrukh Haroon Tue, 06/17/2008 - 03:44

I would check the routing and the computer's default gateway: can it ping the PIX inside interface?


Do you have DNS properly configured on the end-user machines?


Regards


Farrukh

cscisco_admin Tue, 06/17/2008 - 04:57

1. access-list outbound permit udp [Inside-LAN-Network] [Inside-Subnet] any eq 53

2. access-group outbound in interface inside

After trying the above, the internet started working, but is it required? I did not find this anywhere on the internet or on the Cisco website.


Thanks!

Farrukh Haroon Tue, 06/17/2008 - 05:05

Are you sure that is the only line you have in your ACL?


There is an implicit deny at the end of every ACL.


Regards


Farrukh
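To make the implicit deny concrete, here is an added worked configuration for PIX 6.3 (my example, not from the thread or from Cisco's documentation). It uses the inside network 10.1.1.0/24 from the posted config and the ACL name "outbound" from the thread; the port set (DNS, HTTP, HTTPS) is an assumption about what the LAN needs.

```cisco
: The single entry from the thread. Binding an access-group to 'inside'
: replaces the default "higher to lower security is allowed" behaviour
: with this list, and every list ends with an implicit deny, so only DNS
: leaves the LAN: names resolve, but the TCP/80 and TCP/443 connections
: for the pages are dropped (logged as %PIX-4-106023 "Deny ... by
: access-group outbound").
access-list outbound permit udp 10.1.1.0 255.255.255.0 any eq 53
access-group outbound in interface inside

: Corrected list: rebuild it with an explicit permit for every service the
: LAN needs. Entries are matched in order and appended as typed, so the
: list is cleared and re-entered rather than patched.
no access-group outbound in interface inside
no access-list outbound
access-list outbound permit udp 10.1.1.0 255.255.255.0 any eq 53
access-list outbound permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list outbound permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-group outbound in interface inside

: Verification: per-entry hit counters show which permit is being used.
: A browsing failure with only the UDP/53 counter moving points at a
: missing TCP permit, and the 106023 messages name the dropped flow.
show access-list outbound
logging buffered 7
show logging
```

Anything else the LAN originates (mail, VPN clients, other ports) needs its own permit; without an access-group on the inside interface at all, PIX 6.x allows everything outbound, which is why the thread's problem appeared only once the one-line list was applied.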

cscisco_admin Tue, 06/17/2008 - 06:40

I deleted the deny rule. I think there must be some DNS configuration on the PIX outside or inside interface where I should enter my ISP's DNS server address. Don't you think so?


Thanks!

Farrukh Haroon Tue, 06/17/2008 - 06:43

No, the PIX does not need the DNS information. It just 'relays' the DNS packets/requests (after performing the configured security checks) from the users towards the DNS server on the internet, just like a router.


Regards


Farrukh

cscisco_admin Sat, 06/21/2008 - 01:41

Hi!


I have left configuring the PIX for internet access. The only thing I need is to use the PIX to protect my Terminal Server by allowing only Remote Desktop access to it, so that my users can use this server. Does the PIX provide maximum security with its default config, and how can I configure RDP access from the internet to my Terminal Server through the PIX?


Thanks!

Farrukh Haroon Sat, 06/21/2008 - 02:08

Technically speaking, RDP is not a secure protocol; on Windows you can tunnel it inside 'HTTPS' (check the advanced options of the Terminal Services client), but that needs some extra configuration. Simple RDP can be opened like this:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml


Please rate helpful posts.


Farrukh
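For the RDP case, here is an added worked configuration for PIX 6.3 (my example, not the thread's and not the linked Cisco document's). It assumes a spare public address 203.0.113.10 that lies outside the "global (outside) 1" pool and a Terminal Server at 10.1.1.10 behind the inside interface; the ACL names outside_in and outbound are also assumptions. It covers both opening TCP/3389 from the internet and the question raised later in this thread about the same server being able to browse the internet.

```cisco
: One-to-one translation. The public address must not be part of the
: 'global (outside) 1' pool, or dynamic PAT and the static will collide.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

: Inbound: only TCP/3389 to the mapped address, from anywhere, because the
: branch clients have dynamic addresses. If a branch ever gets a fixed
: address, tighten 'any' to 'host <that address>'. Everything else that
: hits the outside interface falls into the implicit deny of this list.
access-list outside_in permit tcp any host 203.0.113.10 eq 3389
access-group outside_in in interface outside

: Outbound: stop the server itself from starting connections to the
: internet. The host deny must come before the LAN permit, since the
: first matching entry wins. Return packets of the inbound RDP sessions
: are unaffected: the PIX matches them against its connection table,
: not against this list, so only new connections from the server are cut.
access-list outbound deny ip host 10.1.1.10 any
access-list outbound permit ip 10.1.1.0 255.255.255.0 any
access-group outbound in interface inside

: Checks: the static appears as an xlate, each RDP session as a conn, and
: the outside_in hit counter climbs with every new session; attempts by
: the server to reach the internet show up as hits on the deny entry.
show xlate
show conn
show access-list outside_in
show access-list outbound
```

Exposing 3389 to "any" is the weak point of this design: the PIX can rate-limit and log, but it cannot tell a branch user from anyone else on the internet, which is the reason for the tunnelling suggestion above. If the LAN list already has finer per-port permits, keep them and just place the host deny ahead of them.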

cscisco_admin Sat, 06/21/2008 - 23:15

What can be the other option, since I don't have a fixed IP in one of our branches? They are connecting through a wireless internet connection that can't have a fixed IP.


Thanks!

Farrukh Haroon Sun, 06/22/2008 - 02:19

The RDP server does not have a fixed IP, or the client?


You can use dynamic DNS to get the IP of the remote host dynamically, but the ASA/PIX do not support ACL filtering based on hostnames.


Regards


Farrukh

cscisco_admin Sun, 06/22/2008 - 23:41

Definitely, the clients do not have fixed IPs.


Is there any other way I can use the PIX to secure my Terminal Server instead of using RDP?


Farrukh Haroon Mon, 06/23/2008 - 00:57

The clients having a dynamic IP is not the issue here. It is the server!


I already suggested RDP over HTTPS; please do a Google search on that.


Regards


Farrukh

cscisco_admin Mon, 06/23/2008 - 02:12

OK, thanks, but I have two other problems. One is that internet access is open on my Terminal Server through the PIX. I don't know how, but by chance I checked it and it was opening all the websites. How can I block it?


Secondly, I have a Cisco 1841 router in the head office with two IPs: one public and one private, 192.168.2.1. This router is controlled by my ISP and I don't have access to it. People coming from all the other branches are able to connect to my Terminal Server (192.168.2.2) through the PIX from the public IP, but people behind 192.168.2.1 are not able to connect to the Terminal Server. Do I need to add something else for this network in my PIX?


Thanks!
