topic Terminal services and pix 515 in Network Security

Terminal services and pix 515

dland1 — Fri, 21 Feb 2020 06:47:46 GMT

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I have a pix 515 and I want to allow terminal services to work on two diff. servers. I already have one working just fine. I created a static route from outside interface to inside interface. (ex. my outside interface ip is xxx.xxx.xxx.x and my internal server is 192.168.1.x. I want to be able to terminal services into a diff. server. My isp has assigned me 14 other ip addresses. How would I go about assigning one of those public IPs to my outside interface. I am stumped and new to pix. Any help would be greatly appreciated.. also attached is my current config:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

enable password xxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

hostname PIX

domain-name xxxxx.net

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list vpnacl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list smtp permit tcp any host xxx.xxx.xxx.3 eq smtp

access-list outsideif permit tcp any any eq www

access-list outsideif permit udp any any eq 80

access-list outsideif permit tcp any any eq 3389

access-list outsideif permit udp any any eq 3389

access-list outsideif permit tcp any any eq ftp

pager lines 24

logging on

logging timestamp

logging trap errors

logging host inside 192.168.1.7

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside xxx.xxx.xxx.x 255.255.255.240

ip address inside 192.168.1.1 255.255.255.0

ip address DMZ 172.16.128.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn3000-pool 192.168.2.1-192.168.2.150

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list vpnacl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 192.168.1.8 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 192.168.1.7 3389 netmask 255.255.255.255 0 0

static (DMZ,outside) xxx.xxy.3.5 172.16.128.103 netmask 255.255.255.255 0 0

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

access-group outsideif in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.x 1

route inside 192.168.0.0 255.255.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup vpn3000 address-pool vpn3000-pool

vpngroup vpn3000 dns-server xxx.xzz.193.250 xxx.xzz.203.12

vpngroup vpn3000 default-domain eatel.net

vpngroup vpn3000 split-tunnel vpnacl

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

dhcpd address 192.168.1.2-192.168.1.254 inside

dhcpd dns xxx.xzz.203.12 xxx.xzz.193.250

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd enable inside

terminal width 80

Cryptochecksum:--moderator edit--

: end

Re: Terminal services and pix 515

mostiguy — Wed, 11 Jun 2003 14:45:17 GMT

You are currently using PAT.

static (inside,outside) tcp interface 12345 192.168.1.125 3389 netmask 255.255.255.255 0 0

If you server is 192.168.1.125, the above line would allow TS to work, but you would need to connect to port 12345 to do so, so in the TS client, you would need to specific the outside interface of the pix's ip:12345

You can statically nat one ip address to the ip of the server:

static (inside, outside) 209.164.3.6 192.168.1.125 netmask 255.255.255.255

you then could connect to TS via just 209.164.3.6 without having to specify the port number.

Have you secured your terminal servers? Do you have a pop up login banner and a password policy with account lock outs to protect against brute forcing?

Matt

Re: Terminal services and pix 515

dland1 — Wed, 11 Jun 2003 14:54:35 GMT

Yes I do have them secure. I tried typing the following in that you specified and it gave me the following error.

"static (inside,outside) 209.124.236.x 192.168.1.5 255.255.255.255

unrecognized option: 255.255.255.255

Type help or '?' for a list of available commands."

Any suggestions I would rather not have to worry about port numbers.

Thanks

Re: Terminal services and pix 515

dland1 — Wed, 11 Jun 2003 15:32:03 GMT

I tried it both ways and neither of them work. Any suggestions?

Re: Terminal services and pix 515

mostiguy — Wed, 11 Jun 2003 16:03:32 GMT

did you type in "netmask" before 255.255.255.255 ?

Re: Terminal services and pix 515

dland1 — Wed, 11 Jun 2003 16:06:29 GMT

Yes, I thought about it after my post and went back and did it. It took the command but will not let me connect to the terminal server??

Re: Terminal services and pix 515

mostiguy — Wed, 11 Jun 2003 16:45:56 GMT

you probably need to do a clear xlate to clear out all translation slots. this will clear the connection table, breaking all active connections. you might want to do that at the end of the day

Re: Terminal services and pix 515

dland1 — Thu, 12 Jun 2003 15:00:11 GMT

Alright lets see if you guys can explain this. I put in the static route yesterday. Did not do the clear xlate command. User tells me today they can not access internet. Took out static route and did a clear xlate command, can access internet fine now. Back to square one. I would like to get to this box via terminal services but I need it to be able to access web also. Any suggestions??