Pix 501 configuring....

mikentosh
Level 1

My client has recently purchased a fiber line. The ISP provided the following information:

IP routes:

Interface IP 216.x.x.x

Gateway IP 216.x.x.x

Mask 255.255.255.252

and DNS servers

They also provided "Routed Network Info", which is confusing to me.

Subnet is 24.x.x.x/29 with 6 usable IPs

Gateway 24.x.x.x

Mask 255.255.255.248

My first task is to try to configure a Pix 501 for inside-out internet access.

Second task is to set up the RDP access to individual computers on the LAN. I had done this before using DD-WRT port forwarding on a router where I could give the client the public IP with a port number (public:1234) and configure a forwarding table to relay each assigned port to their computer IP on port 3389. Now that I am introducing the Pix and the additional routing info from ISP I am way confused. Any help would be appreciated. I would settle for getting internet access from the inside at this point.

I will try to get what I have configured (but not tested) posted soon.

Thanks!

21 Replies

OK, I'm pinging again. Figured out I was missing the access-group outside_in. Now for the RDP problems.... And did I mention I would be setting up a site-to-site VPN?

Hi Mike, good that  you are making progress.

The access-list outbound permit ip any any applied to the inside interface is fine and you can leave it; it simply allows TCP/UDP outbound from any inside hosts, so you do not need these.

These three lines can be removed, as long as you leave access-list outbound permit ip any any applied to the inside interface.
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp


As for not being able to ping the ISP gateway, most likely the ISP is blocking ICMP, but you have confirmed internet connectivity to 4.2.2.2 from the PIX and inside hosts after you added permit ip any any to the inside interface.

As for the site-to-site VPN, go to this link and reference, mid-page down, Site to Site VPN (L2L) with PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Don't forget to rate helpful posts.

Regards

Jorge Rodriguez

jorgemcse,

Thanks for the link to Site to Site VPN, I will look at that next. I will also remove the lines you specified for www, ftp & ftp-data.

As for the RDP access, I currently have it configured to allow 3389 access to the internal Terminal Server as follows:

access-list outside_in permit tcp any interface outside eq 3389

static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0

Am I missing the "access-group outside_in in interface outside" to allow the above configuration to work?

I currently have the additional routing to a specific internal workstation for a user set as follows:

access-list RDPUSER permit tcp any interface outside eq 1000

static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0

access-group RDPUSER in interface outside

Can I add more of these one to one configurations, such as 1001 to x.x.x.56? Will the following work?

access-list RDPUSER permit tcp any interface outside eq 1001

static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1002

static (inside,outside) tcp interface 1000 192.168.1.57 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1003

static (inside,outside) tcp interface 1000 192.168.1.58 3389 netmask 255.255.255.255 0 0

Will they all use the access-group RDPUSER in interface outside?

I know I'm asking many questions here, but I just want to provide a solution for the port forwarding we used to do in the router.....at the perimeter (Pix) now. I don't want to go the VPN route for fear of trashing the office network with home computer bugs.

Please let me know if you think this is feasible and my configuration examples are proper (albeit unorthodox).

As always, Thanks for your time and help!

Hi Mike, thanks for rating. Using the rating system will also allow Cisco to contribute $1 to help Haiti earthquake victims.

For the scenario below you cannot do it this way, using the same port 1000 for forwarding based on the static PAT translation; you will get an error about a duplicate existing NAT. I think you probably meant TCP ports 1001, 1002 etc., based on your ACL.

access-list RDPUSER permit tcp any interface outside eq 1001
static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1002
static (inside,outside) tcp interface 1000 192.168.1.57 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1003
static (inside,outside) tcp interface 1000 192.168.1.58 3389 netmask 255.255.255.255 0 0


So it will look like this below, using different ports:

static (inside,outside) tcp interface 1001 192.168.1.56 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.57 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.58 3389 netmask 255.255.255.255 0 0

access-list RDPUSER permit tcp any interface outside eq 1001
access-list RDPUSER permit tcp any interface outside eq 1002
access-list RDPUSER permit tcp any interface outside eq 1003

> As for the RDP access, I currently have it configured to allow 3389 access to the internal Terminal Server as follows:
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0


The access-list and static NAT above are fine, but the ACL named (outside_in) needs to be applied to the outside interface.
Use one access-list (name) per interface like I said before. Eliminate the RDPUSER access list, or the other one (outside_access_in),
and stick with one ACL for the outside interface.


So your ultimate configuration for the inbound rules to these systems would be like this below; consolidate the access-list rules in one ACL for the outside interface.


static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1001 192.168.1.56 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1002 192.168.1.57 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1003 192.168.1.58 3389 netmask 255.255.255.255

access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003


Remove access-group RDPUSER from the outside interface:

no access-group RDPUSER in interface outside


and apply the new access-list to it:

access-group outside_in in interface outside


Regards

Jorge Rodriguez
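As an added example (my own script, not code from the thread or from Cisco), here is a small Python checker that parses the `static`, `access-list` and `access-group` lines in the shapes used above and flags the two problems Jorge points out: the same outside port reused across several statics (which the PIX rejects as an overlapping translation), and an ACL that is defined but never applied to the outside interface, so its permits do nothing. It also cross-checks that every static has a permit in the ACL that is actually in force and vice versa. The two sample configurations are constructed from the lines quoted in this thread; the function name `check_port_forwards` and the regexes are assumptions of this example and only cover the command forms seen here.

```python
"""
Consistency check for PIX-style static PAT port forwards.

Added example, not from the original thread. Only the command shapes used in
the thread are parsed:
  static (real,mapped) tcp interface EXT_PORT REAL_IP REAL_PORT netmask ...
  access-list NAME permit tcp any interface outside eq PORT
  access-group NAME in interface outside
"""
from __future__ import annotations

import re
from collections import defaultdict

STATIC_RE = re.compile(
    r"^static\s+\((?P<real>\w+),(?P<mapped>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"interface\s+(?P<ext_port>\d+)\s+(?P<real_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<real_port>\d+)"
)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp)\s+any\s+"
    r"interface\s+(?P<iface>\w+)\s+eq\s+(?P<port>\d+)"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\w+)")


def check_port_forwards(config: str) -> list[str]:
    """Return a list of findings; an empty list means the forwarding set is consistent."""
    statics: dict[tuple[str, int], list[str]] = defaultdict(list)  # (proto, ext_port) -> targets
    acl_ports: dict[str, set[tuple[str, int]]] = defaultdict(set)  # acl name -> {(proto, port)}
    applied: dict[str, str] = {}                                     # interface -> acl in force
    findings: list[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics[(m["proto"], int(m["ext_port"]))].append(f'{m["real_ip"]}:{m["real_port"]}')
        elif m := ACL_RE.match(line):
            acl_ports[m["name"]].add((m["proto"], int(m["port"])))
        elif m := GROUP_RE.match(line):
            # Only one ACL is in force per interface/direction; a later access-group wins.
            if m["iface"] in applied and applied[m["iface"]] != m["name"]:
                findings.append(
                    f'interface {m["iface"]}: access-group {m["name"]} replaces {applied[m["iface"]]}'
                )
            applied[m["iface"]] = m["name"]

    # 1. The same outside port can only be translated once.
    for (proto, port), targets in statics.items():
        if len(targets) > 1:
            findings.append(f"{proto}/{port} mapped more than once: {', '.join(targets)}")

    # 2. Permits only matter in the ACL actually bound to the outside interface.
    outside_acl = applied.get("outside")
    if outside_acl is None:
        findings.append("no access-group applied to outside; inbound statics are unreachable")
    permitted = acl_ports.get(outside_acl, set())
    for name in acl_ports:
        if name != outside_acl:
            findings.append(f"access-list {name} is defined but not applied to outside; its permits have no effect")

    # 3. Every static needs a permit in the active ACL, and every permit should map to a static.
    for proto, port in statics:
        if (proto, port) not in permitted:
            findings.append(f"static for {proto}/{port} has no permit in the active outside ACL")
    for proto, port in permitted:
        if (proto, port) not in statics:
            findings.append(f"ACL permits {proto}/{port} on outside but no static maps it")
    return findings


# Constructed from the draft posted earlier in the thread (port 1000 reused, two ACLs, one applied).
DRAFT_CONFIG = """
access-list outside_in permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1000
static (inside,outside) tcp interface 1000 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-list RDPUSER permit tcp any interface outside eq 1001
static (inside,outside) tcp interface 1000 192.168.1.56 3389 netmask 255.255.255.255 0 0
access-group RDPUSER in interface outside
"""

# Constructed from the consolidated configuration in the reply above.
FIXED_CONFIG = """
static (inside,outside) tcp interface 3389 192.168.1.253 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1001 192.168.1.56 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1002 192.168.1.57 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1003 192.168.1.58 3389 netmask 255.255.255.255
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("draft", DRAFT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_port_forwards(cfg) or ['OK']}")
```

Run it against a `show running-config` excerpt before pasting statics into a production box; the draft produces four findings (the duplicated 1000 mapping, the unapplied outside_in ACL, the 3389 static with no permit in the active ACL, and a permit for 1001 with no static behind it), while the consolidated configuration produces none.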

jorgemcse,

Once again, thank you. I will try the suggested configuration and let you know the results later this week. Thanks!

jorgemcse,

Configuration works great! Thank You!! Tested on one PC (separate from domain). Just have to change the gateway and DNS servers for all internal PCs, then plug the new fiber line into the switches and remove the DSL. I will be working on the site-to-site connection next and I will keep you posted on the progress.

-Mike

Hi Mike, glad you got it working.

On the site-to-site VPN, reference the link I provided in the previous post and try to configure the tunnel; if you have issues with that, open a new L2L thread in this same forum category.

Regards

Jorge Rodriguez