Solved: Re: 8.03 Ports not opening

edockweb1 · ‎10-24-2010

I have been searching forums all over and spent much time looking for an answer to what is happening here. I have been trying to open up access to our internal server 2k3 vpn server and allow access to our RDP server and I can't seem to get any of the ports to open. In ADSM everything seems to be setup to work but still nothing is working. I am unanle to get outside connections to come in even with my ACL list setup and the group applied tot he outside connection. Here is my config file, and help would be greatly appreciated:

: Saved
:
PIX Version 8.0(3)
!
hostname XXXXXXX
enable password XXXXXXXXXXX encrypted
names
!
interface Ethernet0
description outside interface
speed 100
duplex full
nameif outside
security-level 100
ip address dhcp setroute
!
interface Ethernet1
description inside interface
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.254.254 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd XXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service RDP tcp
port-object eq 3389
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list 110 extended permit tcp any host 192.168.254.252 eq 3389
access-list 110 extended permit tcp any eq pptp host 192.168.254.5 eq pptp
access-list 110 extended permit gre any host 192.168.254.5
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pptp 192.168.254.5 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.254.252 3389 netmask 255.255.255.255
access-group 110 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
dns-server value 192.168.254.5
!
!
prompt hostname context
Cryptochecksum:c80ebce8bbe747e5a5fc68626f2cd3c0
: end
asdm image flash:/asdm-603.bin
no asdm history enable

Thanks,

Andrew

August Ritchie · ‎10-24-2010

access-list 110 extended permit tcp any host 192.168.254.252 eq 3389

needs to be

access-list 110 extended permit tcp any interface outside eq 3389

View solution in original post

August Ritchie · ‎10-24-2010

access-list 110 extended permit tcp any host 192.168.254.252 eq 3389

needs to be

access-list 110 extended permit tcp any interface outside eq 3389

edockweb1 · ‎10-24-2010

Thank you so much. I was able to get the RDP working but I am still having trouble with the PPTP pass through. I hav

e also made the changes to reflect what I changed for RDP and was able to connect to the server but not verify username and password? Could this be a problem with GRE? Even though I have it set just as the RDP and PPTP rule? Once again thanks for the lightning fast response.

August Ritchie · ‎10-24-2010

Hmm you might be able to add the "inspect pptp" to help out here.


pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#inspect pptp

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

edockweb1 · ‎10-25-2010

This is what I ahve now. Still having the same error. Getting stuck on verifying username and password.

class-map inspection_default

!

policy-map global_policy

class inspection_default

inspect pptp

!

prompt hostname context

Andrew

August Ritchie · ‎10-25-2010

Ahh it looks like you are missing a bit more of the default configuration than I realized. Here is the full config, that snippet before was to add to an already established policy-map.

class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global

Right now, how you have it, the inspection isn't being applied. The config above applies the inspection.