
Can remote into server but not workstations

scapcaadmin
Level 1

I have a Pix 501 that allows certain IP addresses (3) access to our network. The address that allows access to our network (excepting OWA and separate machine). When I use Microsoft's Remote Desktop program to access the server it works great. I am supposed to be able to reach any machine on the network after connecting to the Pix, but cannot. Is there a reason for this?

9 Replies

cadet alain
VIP Alumni

Hi,

By default, traffic from a low security level to a high security level is not permitted, except if you tie an ACL inbound on the low security level interface permitting this traffic, and you must also have a static NAT which NATs the inside IP (which generally is a private address, so not routable on the internet) to a public IP.

Can you post the output of the following:

- sh run static
- sh access-list
- sh run access-group
- sh route

Regards.

Alain

Don't forget to rate helpful posts.

Can I e-mail the files to you?

Hi,

If you want to, you can, but why not send them here as an attached zip file?

Regards.

Alain

Don't forget to rate helpful posts.

Is it secure? My IP addresses are out there for the world to see.

Hi,

Just change them or replace some octet values.

Regards.

Alain

Don't forget to rate helpful posts.
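
Added example, not part of the original thread: one way to do the substitution suggested above consistently, so that the same public address gets the same stand-in everywhere and the static/ACL/route relationships stay readable. The function names, the sample config lines and the choice of 203.0.113.0/24 (RFC 5737 documentation range) as the replacement pool are assumptions made for this sketch.

```python
import ipaddress
import re

# Dotted quads not embedded in a longer dotted/numeric token (e.g. 1.2.3.4.5).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOC_NET = ipaddress.ip_network("203.0.113.0/24")  # RFC 5737 TEST-NET-3

# Constructed sample in PIX 6.x style; 198.51.100.x stands in for real public IPs.
SAMPLE = """\
static (inside,outside) 198.51.100.10 192.168.1.5 netmask 255.255.255.255 0 0
access-list outside_in permit tcp host 198.51.100.77 host 198.51.100.10 eq 3389
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""


def is_netmask(addr):
    """True for 0.0.0.0 and contiguous masks (ones followed by zeros)."""
    return "01" not in format(int(addr), "032b")


def sanitize(config_text, mapping=None):
    """Return (sanitized_text, mapping). Keep the mapping private: it reverses the redaction."""
    mapping = {} if mapping is None else mapping

    def swap(match):
        text = match.group(1)
        try:
            addr = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            return text  # not a valid address (e.g. 999.1.1.1): leave untouched
        if is_netmask(addr) or any(addr in net for net in RFC1918):
            return text  # masks and private addresses stay readable for the reviewer
        if text not in mapping:
            if len(mapping) >= 254:
                raise ValueError("more than 254 distinct public addresses")
            mapping[text] = str(DOC_NET[len(mapping) + 1])
        return mapping[text]

    return IPV4_RE.sub(swap, config_text), mapping


if __name__ == "__main__":
    print(sanitize(SAMPLE)[0])
```

Passing the same `mapping` dict to `sanitize` for each file keeps the stand-ins consistent across the `sh run static`, `sh access-list` and `sh route` outputs.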

Ok. Here are the files you asked for with substitutes in for the IP addresses. Let me know what you find out.

Hi,

I don't see anything wrong in the config.

Could you explain exactly what is not working? Can you access the servers from outside?

Or are you accessing a server with RDP from outside and then from your RDP session you try to RDP to other servers which are either in same interface or on another interface?

If this is the case, it won't work, as the Pix won't let traffic go out on the same interface it came in.

In ASA this is possible with the same-security-traffic command, but on the Pix I think there is no workaround.

Regards.

Alain

Don't forget to rate helpful posts.

Let me explain everything I know.

We access our network for 3 different functions: 

SCAPCADC (internal server ip) that accesses the server and all other machines on the network.

SPOCOLL (internal eco ip) that is a secure connection from the state network.

OWA (OWA_ip) a connection to our exchange server using outlook web access.

We have been given 5 active IP addresses, 3 of which we use. They are:

Pix_eco_ip: which is the IP address ecology uses to get to their machine (spocoll)

OWA_Ip: which is the IP address used to get to outlook web access

Pix_network_ip: which is the IP address used to get to the server and other network computers (scapcadc)

As far as I know, Pix_eco_ip is working, and so is OWA_ip, but until last week we were able to get into the server but not any other machine on the network (we were able to get into everything). Now we can't even see the server.

To get into the network (server and network computers) I open the VPN connection and it says that a network connection is open, but when I use Remote Desktop connection it tells me it can't find the computer. I can't ping any of the machines on the network, either. If this isn't a Pix problem, can you recommend anything else?

Hope this and the attachments I sent you are helpful.

Hi,

So you can VPN into the network where the server and workstations are, but you can't RDP to any machine in this network from the internet? But before you could do it?

Can you sniff traffic on the server when doing this, and do you see traffic hitting the server?

Can you do a packet-tracer and/or capture traffic on both interfaces when trying to RDP and send the results?

Regards.

Alain

Don't forget to rate helpful posts.