Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 515 CONFIG HELP PLEASE

I have a question regarding my PIX 515.

I am trying to find a way to allow users on the outside to access their computers here at the office via PcAnywhere through the PIX.

Prior to buying this firewall, we had a NAT config set up on our 2610 router, and it worked fine. However, I can not seem to find a way to do this with the PIX.

Do you have any ideas on how to get PcAnywhere to work with NAT? PcAnywhere uses ports 5631 for data and 5632 for status. Here is an example of how our router was setup to do this:

ip nat inside source static tcp 10.0.0.30 5631 x.x.224.90 5030 extendable

ip nat inside source static udp 10.0.0.30 5632 x.x.224.90 5031 extendable

We would do this for every internal IP and give each IP its own unique ports so everyone could have their own PcAnywhere session.

I’m not sure how to do something like this with the PIX, and I can’t find anything on Cisco’s web site.

Is there a better way to get this to work instead of using NAT? Would it be easier to use VPN? If you have any ideas on how to do this, please let me know.

7 REPLIES
New Member

Re: PIX 515 CONFIG HELP PLEASE

Andrew,

For sure, your need, external users accessing their own PC on inside, should be respond with VPN not PCAnywhere.

The reason you have this PIX is probably to close those holes opened through the 2610 router. You shouldn't try to leave external hosts accessing their PC directly, it's a major security concern.

Regards

Ben

New Member

Re: PIX 515 CONFIG HELP PLEASE

Benoit,

Thanks for your reply. I completely agree with you, however, there are some reasons why we need PcAnywhere. I don't know if you are familiar with IBM controllers, but all of our PC's here at the office have an additional 3270 emulater card in them so they can connect to an IBM controller that we have sitting here. I don't have a lot of experience with VPN's but I was under the impression that a VPN wouldn't allow access to that conroller via the attachmate 3270 emulator cards.

Do you mean that I should just set up VPN tunnels, and then have users start a PcAnywhere session? Like I said, I don't have much experience with VPN's so I'm not sure how they work.

We are looking into Host Integration Server to get rid of that controller, but until then, I need this to work somehow. Anymore information would be extremely helpful. Thanks.

New Member

Re: PIX 515 CONFIG HELP PLEASE

Hi Andrew,

My last customer is using 3270 as well, but with HIS for some applications and the IBM's TN3270 implementation for main SNA application. With TN3270, any TN3270 client may communicate over IP to the mainframe. Their users can start a SNA session from outside using their VPN (Cisco box) which is protected by a PIX.

Since PCAnywhere is communicating over IP, i suppose it can also over VPN, but since «The Devil is in the detail», you need to try it before.

About VPN, roughly an IPsec tunnel may encapsulate any IP packet, which give you the ability to secure & restrict the mainframe access.

Regards,

Ben

New Member

Re: PIX 515 CONFIG HELP PLEASE

I guess where I am getting confused is how to configure the PIX for this. I don't have a VPN concentrator (I assume this is what you meant by "Cisco box") so everything would be working through the PIX. So, once an outside user makes a secure connection using a VPN tunnel, how does the PIX know what PC they need to connect to and how will PcAnywhere work once you get a secure vpn tunnel?

I'm new to all this VPN stuff. Thanks.

New Member

Re: PIX 515 CONFIG HELP PLEASE

With VPN, your external will have a private IP address, one coming from your internal network. Then, the user just have to point PCAnywhere to the the internal IP address of his inside PC. I suppose that each internal PC has fix IP, since you already have configured this on the 2610.

The PIX doesn't need to know exactly what PC they to connect to.

Ben

New Member

Re: PIX 515 CONFIG HELP PLEASE

That sounds easy enough. I will look into it. Thanks for your help.

Gold

Re: PIX 515 CONFIG HELP PLEASE

You'll require the following on the PIX for PcAnywhere:

> pcanywhere-status UDP 5632

> pcanywhere-data TCP 5631

Here's a cisco doc that might help:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/intro.htm

Jay.

130
Views
0
Helpful
7
Replies