Opening PIX 525 to remote Desktop

DarlienDA · ‎02-09-2006

Hi,

I wanted to open my PIX 525 so that I can Remote Desktop to any PC in my DMZ. Currently, I have only one available IP and using PAT to do this job. I thought I have done the right thing's but kept on falling. Anyone can tell me where did I when wrong...

Here the code I add to my PIX 525 :

name 10.88.88.20 IBMConsole

name 10.88.88.21 PCOne

access-list outside_access_in permit tcp any interface outside eq 3300

access-list outside_access_in permit tcp any interface outside eq 3301

static (dmz,outside) tcp interface 3300 IBMConsole 3389 netmask 255.255.255.255 0 0

static (dmz,outside) tcp interface 3301 PCOne 3389 netmask 255.255.255.255 0 0

thamdani · ‎02-09-2006

Hi,

Config seems to be fine,we can do follwoing changes.

Have you configured the NAT and global statement for the DMZ.

Just an example to make sure if you have the NAT configured.

nat (dmz) 1 10.88.88.0 255.255.255.0

global (outside) 1 interface

Try this.

remove both static and re-configure one of them.

static (dmz,outside) tcp interface 3389 IBMConsole 3389 netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq 3389

access-group outside_access_in in interface dmz

So what we are doing is that we are not changing the ports here.[I know we can not map the two IP to same IP but this is just to test it it works]

also before making this change make sure if you have the NAT and global configured for dmz,if not then configre that and test.If that does not work then change the static as given above.

Regards,

Tanveer

DarlienDA · ‎02-12-2006

Hi Tanveer,

I have change the code already but still cannot connect. What is the posible reason ?

Attach is my firewall cofiguration. Why I still can't remote desktop to one of my PC in the DMZ ?

Need Help,

Darlien

thamdani · ‎02-12-2006

Hi,

I have gone through the config and the only issue i see is this route

route inside 10.88.0.0 255.255.0.0 10.88.1.1 1

You have configured this class B static route to inside which include the DMZ subnet also.

We dont need this route because Pix will insert a directly connected route for the interfaces automatically.

Any specific reason for this route. ?

Can you remove/change this and then test.I dont see any other issue.

regards,

Tanveer

DarlienDA · ‎02-12-2006

FYI,

10.88.1.1 is our core switch and we are using both 10.88.0.0 and 192.168.0.0 VLAN in our network.

route inside 10.88.0.0 255.255.0.0 10.88.1.1 1

route inside 192.168.0.0 255.255.0.0 10.88.1.1 1

Should I change or remove this line ?

thamdani · ‎02-12-2006

Hi,

As per the Pix config you have divided 10.x.x.x into two class c subnets.

ip address inside 10.88.1.254 255.255.255.0

ip address dmz 10.88.88.1 255.255.255.0

If you check the routing table on Pix 'show route" you wil see a connected route for 10.88.1.0 255.255.255.0 .which tells the pix to route inside any packet destined for 10.88.1.0/24 .If you have anyother subnet of 10.x.x.x on inside please configure a specific route for that before removing the below given route.

I will suggest to remove this route

route inside 10.88.0.0 255.255.0.0 10.88.1.1 1

Regards,

Tanveer

DarlienDA · ‎02-12-2006

Tanveer,

when I show route it give me this...

outside 0.0.0.0 0.0.0.0 219.94.120.149 1 OTHER static

inside 10.88.0.0 255.255.0.0 10.88.1.1 1 OTHER static

inside 10.88.1.0 255.255.255.0 10.88.1.254 1 CONNECT static

dmz 10.88.88.0 255.255.255.0 10.88.88.1 1 CONNECT static

inside 192.168.0.0 255.255.0.0 10.88.1.1 1 OTHER static

outside 219.94.120.144 255.255.255.240 219.94.120.150 1 CONNECT static

base on this, isit ok if i remove :

route inside 10.88.0.0 255.255.0.0 10.88.1.1 1

Thanks,

Darlien

thamdani · ‎02-13-2006

Darlien,

If you only have 10.88.1.0 network on the inside then we can remove this route.

no route inside 10.88.0.0 255.255.0.0 10.88.1.1 1

If you have more subnets, lets take an example 10.88.10.0 also on the inside.then add the specific route for example add a specific route for the subnet given in above example.

Regards,

Tanveer