PIX501 vs pcAnyWhere

Kelmo01
Level 1

Hi!

I have a PIX501 with a very basic configuration. But I need some support to open two ports so I can run pcAnywhere through the PIX. Anyone who can help me?

The config looks like this:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password aaaaaaaaaaaaaaaa encrypted
passwd aaaaaaaaaaaaaaaa encrypted
hostname aaaaaaaa
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.1-192.168.0.100 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
conduit permit icmp any any

9 Replies

jmia
Level 7

Hi -

You'll need to allow the following on your PIX, use ACLs and not conduits - remember not to mix conduits with ACLs.

> pcanywhere-status UDP 5632

> pcanywhere-data TCP 5631

And also check the following document, check the Port Literal values section:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727aa.html#45351

Hope this helps and let me know how you get on.

Jay.

If he is running an old version of pcAnywhere, he might need to check the port numbers - they have changed at least once over the years. He should also check to see if there are any patches for it - it has had a lousy security history. A VPN is recommended.

Hi Jay!

I'm a little bit of a newbie in this subject. :-)

Shall I just put the two lines at the end of the config-file and then download them to the PIX?

Can I freely change the port numbers to something else if I want? Finally, how do I download the file to the PIX? Through HyperTerminal?

Kind Regards, Jorgen

Please help me anyone!

I have added the two lines at the bottom of my config-file as below, but the PIX won't accept the two new lines. How should I write the commands to get the PIX to accept them?

Kindly Jorgen Fransson

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname xxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.200-192.168.100.220 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
conduit permit icmp any any
pcanywhere-status UDP 5632
pcanywhere-data TCP 5631

Hello Jorgen,

I will try to help you with this issue. I assume that someone is trying to connect to a system on your inside LAN through pcAnywhere. You can let this connection through by making an access-list to do so.

Use the following commands in configuration mode.

access-list outside_access_in permit udp any (systems_ip_address) 255.255.255.255 eq 5632
access-list outside_access_in permit tcp any (systems_ip_address) 255.255.255.255 eq 5631
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
no conduit permit icmp any any

Then apply the access-list to the outside interface with the following command:

access-group outside_access_in in interface outside

This should do the trick. If not, then you can turn on some logging to find out what is holding back the connection.

In configuration mode enter the commands:

logging on
logging monitor 4

After doing this you should see at the console what is blocking the connection.

To set the logging level back use the "logging monitor 0" command.

Please let me know how you are doing.

kind regards Dirk Smit
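The complete set of PIX 6.3 commands a practitioner would add to Jorgen's configuration to reach an inside pcAnywhere host, as an added example that is not part of Dirk's post or the original thread. It assumes the pcAnywhere host is 192.168.100.10 on the inside LAN and the remote operator connects from 203.0.113.25; both addresses are placeholders. Two points worth checking against this particular config: with only `global (outside) 1 interface` there is no inbound translation at all, so a port-redirecting `static` on the outside interface address has to exist before any ACL can deliver the packets to the inside host, and on PIX 6.x an inbound ACL on the outside interface is matched against the destination before NAT, i.e. the public address (dynamic here, hence `any`), not the inside address. Lines beginning with a colon are comments and are ignored by the PIX.

```text
: Added example, not from the thread. Placeholders: 192.168.100.10 is the inside
: pcAnywhere host, 203.0.113.25 is the remote operator's public address.
: Enter everything in configuration mode (configure terminal).
:
: 1. Inbound translation. The outside address is assigned by DHCP, so redirect
:    the two pcAnywhere ports on the interface address to the inside host.
static (inside,outside) tcp interface 5631 192.168.100.10 5631 netmask 255.255.255.255
static (inside,outside) udp interface 5632 192.168.100.10 5632 netmask 255.255.255.255
:
: 2. Inbound ACL. Restrict the source to the operator's address rather than
:    "any": pcAnywhere has a poor security history and this is the only control
:    left in front of it. The destination is the pre-NAT (public) address.
access-list outside_access_in permit tcp host 203.0.113.25 any eq 5631
access-list outside_access_in permit udp host 203.0.113.25 any eq 5632
: Replace the "permit icmp any any" conduit with only the replies an inside host
: needs for ping and traceroute.
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in deny ip any any
:
: 3. Apply the ACL and remove the conduit (conduits and ACLs must not be mixed).
access-group outside_access_in in interface outside
no conduit permit icmp any any
:
: 4. Statics only apply to new translations: flush the xlate table, then save.
clear xlate
write memory
:
: 5. Verify and troubleshoot. Hit counts appear in show access-list; packets
:    dropped by the ACL are logged as message 106023 at level 4 (warnings).
:    Buffered logging works whatever session type you are connected on.
show static
show access-list outside_access_in
show xlate
logging on
logging buffered 4
show logging
```

If the operator's address is not fixed, the source has to become `any`, and at that point the whole of pcAnywhere's authentication is exposed to the Internet; that is the situation in which the VPN suggested elsewhere in this thread is the better answer.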

plemieux72
Level 1

Alternatively, if you configured a VPN, you could use it with any application (including pcAnywhere) to connect from outside without opening those ports.

Hi Plemieux72!

I can't use a VPN because I haven't got a static IP-address, and the client who should connect to me doesn't want to use a VPN because it's very tricky for him to configure. But if you want to help me, you can freely post an example VPN config based on my config-file, so we can test that one too.

Kind Regards, Jorgen

I don't have a static IP either but still use VPN.

It is tricky and takes some time to learn how to configure, however once all the parts are up and running, it's very easy to connect if you use the Cisco VPN Client.

I registered a domain name and since I don't run my own DNS, I also registered with the dyndns.org service. On one of my internal Windows hosts, I set up one of the dynamic DNS clients listed on that site. The client automatically updates my A record on dyndns.org's servers when my public IP address changes.

So, in the Cisco VPN Client, instead of connecting to a public IP address, I use vpn.xxxxxxxxx.com. The address gets resolved, the security negotiation occurs and voila.

You do need to learn about IKE, SAs, AAA etc. to set up a VPN on the PIX. Or, use EasyVPN (I never tried it so I don't know how easy it is).
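A remote-access IPsec configuration for PIX 6.3 that the Cisco VPN Client described above can connect to, as an added example of the VPN alternative; it is not from plemieux72's post or from the thread. It reuses Jorgen's inside network 192.168.100.0/24 and the `aaa-server LOCAL protocol local` already in his config, and assumes a client address pool in 192.168.200.0/24, the group name `remotevpn` and the user `jorgen`; all three are placeholders, as are the two passwords. Because the outside address is DHCP-assigned, the client is pointed at a dynamic-DNS name rather than an IP, exactly as in the post above, and `isakmp nat-traversal` lets the client work from behind its own NAT. 3DES requires the 3DES/AES activation key on the PIX 501 (check `show version`); lines beginning with a colon are comments.

```text
: Added example, not from the thread. Placeholders: pool 192.168.200.1-10,
: group "remotevpn", user "jorgen". Replace both passwords before use.
:
: Exempt traffic to VPN clients from PAT so replies go back through the tunnel.
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 192.168.200.1-192.168.200.10
:
: Decrypted traffic bypasses the outside ACL, so no pcAnywhere ports are opened.
sysopt connection permit-ipsec
:
: Phase 2 (IPsec). A dynamic map because the client's address is not known.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
: Extended authentication (XAUTH) against the local user database.
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
:
: Phase 1 (IKE). Group 2 with pre-shared keys is what the Cisco VPN Client uses.
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: Group the Cisco VPN Client connects with (group name plus group password).
vpngroup remotevpn address-pool vpnpool
vpngroup remotevpn idle-time 1800
vpngroup remotevpn password GroupPreSharedKey
:
: Per-user credentials prompted for by XAUTH after the group key is accepted.
username jorgen password UserPasswordHere privilege 2
write memory
```

In the Cisco VPN Client the connection entry then holds the dynamic-DNS host name, the group name `remotevpn` and the group password; the user name and password are asked for at connect time. The group password is a shared secret for everyone using that group, so the per-user XAUTH step is what actually identifies the operator.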

OK, I think I'll just open up the two ports temporarily while I use the pcAnywhere software. It's not so often we use pcAnywhere, so we can live with that.

Thank you for your time...