Allowing PC Anywhere connections through a PIX

csanchez
Level 1

Could I be advised on how to configure the PIX firewall to allow a user from the outside to connect to the internal network using PC Anywhere? Would I need to create an access-list? Identify port numbers? We do allow a limited amount of VPN connections, but I do not want to go that route. Thanks in advance.

15 Replies

piseli
Level 1

Try this:

fixup protocol pptp 1723

access-list acl_outside permit udp host RemotePcAnywhereClient host MyPublicIP eq pcanywhere-status
access-list acl_outside permit tcp host RemotePcAnywhereClient host MyPublicIP eq pcanywhere-data
access-list acl_outside permit tcp host RemotePcAnywhereClient host MyPublicIP eq 5632
access-group acl_outside in interface outside

--- If you have just one public DHCP IP ----------
---- Uses a port redirect from the outside -------

static (inside,outside) tcp interface pcanywhere-data Internal-PcAnywhereIP pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5632 Internal-PcAnywhereIP 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status Internal-PcAnywhereIP pcanywhere-status netmask 255.255.255.255 0 0

--- If you have multiple public IPs -----------
---- One-to-one static; no protocol keyword, so no ports are needed -------

static (inside,outside) MyPublicIP Internal-PcAnywhereIP netmask 255.255.255.255 0 0

sincerely

Patrick

Thanks for the response, I will try that. But I have to ask, only because I am fairly new to the firewall environment: would PC Anywhere work through a VPN connection? Is there any configuration requirement to allow PC Anywhere to tunnel through a VPN connection?

I do have two other ACLs configured on the firewall, one for inbound VPN connections (access-list 101) and the other for outbound traffic (access-list 65), in that order. Just wondering what would be the best practice as to where to place the PC Anywhere ACL.

First: Are you talking about the Cisco VPN Client or a site-to-site VPN?

In that case it depends on your VPN access-list, but usually you permit any traffic to communicate from the VPN IP pool to your inside network. Check your VPN access-list 101. So in that case you can connect with your PC Anywhere through your VPN tunnel using your internal IP address.

My example allows access to an internal host from the Internet from a specified public IP.

Second: The outbound access-list is on the inside interface, right?

access-group 65 in interface inside

This controls traffic from the internal interface in the direction of all other interfaces and not the other way around.

hope it helps

Patrick

I apologize for not being more specific. We use the Cisco VPN Client. The access-list 65 is bound to the inside interface for outbound traffic. It looks like I am going to configure an access-list for inbound PC Anywhere connections and follow your example.

One more thing I must ask: would there need to be any authentication configured on the PIX for the PC Anywhere inbound connections? Thank you very much for all your help.

Carlos

Carlos,

Authentication is always good if it is a critical system. ==> Depends on your security policy.

Anyway, you are already authenticated by the VPN Client and I imagine that there will be another one for PcAnywhere access. The access-list 65 on the inside interface will not be used, as the connection is initiated from the outside interface (VPN).

The solution with the VPN Client is the best and most secure way to do this.

By the way, I changed my CCO account, that's why you see another name !!

;-)

hope it helps

Patrick

The first thing that I attempted was from configuration mode. I typed in the command:

"fixup protocol pptp 1723"

The PIX would not accept the command; it gives the following feedback:

"bad protocol pptp"

Do I need to configure something else prior to this, or is it possible that my version does not support the command? We have a PIX-515, PIX Firewall version 6.1(2), and PDM version 1.1(2). Thanks again in advance.

Upgrade to 6.3(4).

You need a CCO account to download this software.

Software download:

http://www.cisco.com/cgi-bin/tablebuild.pl/pix

Upgrade instructions:

http://www.cisco.com/warp/public/110/upgrade.shtml

sincerely

Patrick

Will it be necessary to upgrade the PDM after the OS upgrade? Will conduit configurations continue to work with the new OS, or is it necessary to convert them to access-lists? Thanks for your help.

Carlos

Yes, you have to upgrade the PDM too: download it from the same site and follow the instructions. Conduits will still work but are not supported any more by Cisco. On the same download page you will find a conduit to access-list migration tool.

sincerely

Patrick

I am now getting around to doing this and I wanted to ask if, after copying the new PDM image file to the PIX, I will need to reconfigure the software even if there is an existing configuration in place. Will it just detect the configuration and run with it? Thanks again.

Carlos

No, the new PDM version will autodetect the configuration.

The sample configuration worked like a charm. Thanks for all your help.

I did run into a little problem that has me concerned. After I bound the access-list to the outside interface there was a bit of a problem. We do have some conduit configurations on our firewall, and after binding the ACL to the outside interface the conduits would not work because they were ignored, I am guessing. Which leaves me with the dreaded option of having to convert the conduits to ACLs.

I would like to use the converter to do this, but I am not sure that I fully understand what configurations/features are supported/not supported by the converting tool.

I am thinking of just removing the conduit lines and inserting the ACLs manually. Is this a better option?

Thanks again in advance.

YES, change your conduits to access-lists, as conduits are not supported any more. If you want to try, use the conduit to access-list converter on the PIX download page, occ-121.zip.

PIX Firewall Outbound Conduit Converter Binary version 1.2.1, for Windows

See: http://www.cisco.com/cgi-bin/tablebuild.pl/pix

sincerely

Patrick
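The conversion the two posts above discuss can be illustrated in code. The following is an added example, not Cisco's occ tool or anything posted in this thread: a hypothetical `conduit_to_acl()` helper that rewrites a PIX `conduit` statement as the equivalent `access-list` entry. It assumes the documented operand order (conduit names the global/destination address first, access-list names the source first); the sample config lines are constructed.

```python
import re

# Address operand: "host x.x.x.x", "any", or "x.x.x.x mask".
ADDR = r"(?:host\s+\S+|any|\S+\s+\S+)"
# Optional port operator: "eq 5631", "gt 1023", "range 5631 5632", ...
PORT = r"(?:\s+(?:eq|lt|gt|neq)\s+\S+|\s+range\s+\S+\s+\S+)?"
CONDUIT = re.compile(
    rf"^conduit\s+(permit|deny)\s+(\S+)\s+({ADDR})({PORT})\s+({ADDR})({PORT})\s*$"
)


def conduit_to_acl(line: str, acl_name: str = "acl_outside") -> str:
    """Rewrite one conduit statement as an access-list entry (hypothetical helper).

    conduit syntax:     conduit permit proto <global/dest> [port] <foreign/src> [port]
    access-list syntax: access-list name permit proto <src> [port] <dest> [port]
    """
    m = CONDUIT.match(line.strip())
    if not m:
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto, glob_addr, glob_port, foreign_addr, foreign_port = m.groups()
    # Swap operands: foreign (source) first, global (destination) second.
    return (f"access-list {acl_name} {action} {proto} "
            f"{foreign_addr}{foreign_port} {glob_addr}{glob_port}")


def migrate_conduits(config: str, acl_name: str = "acl_outside",
                     iface: str = "outside") -> list[str]:
    """Convert every conduit line of a config dump and bind the result to an interface.

    Once an access-group is applied to the interface the remaining conduits are
    ignored, so every conduit must be converted in the same change.
    """
    acl = [conduit_to_acl(l, acl_name)
           for l in config.splitlines() if l.strip().startswith("conduit ")]
    acl.append(f"access-group {acl_name} in interface {iface}")
    return acl


# Constructed sample: old-style conduits for a PcAnywhere host and a web server.
SAMPLE_CONFIG = """\
conduit permit tcp host 10.1.1.5 eq pcanywhere-data host 203.0.113.7
conduit permit udp host 10.1.1.5 eq pcanywhere-status host 203.0.113.7
conduit permit tcp 10.1.2.0 255.255.255.0 eq www any
"""

if __name__ == "__main__":
    print("\n".join(migrate_conduits(SAMPLE_CONFIG)))
```

Review the generated lines against the original conduits before applying them, since the helper only understands the basic `conduit permit|deny` form.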

I am having trouble figuring out which command allows me to save my configuration to a TFTP server. Or is it possible? I have looked at the configure net and write net commands, but both of those seem like they would configure the PIX from a TFTP file. I would like to save my configuration to a TFTP server. Thanks again.
