Inherited a pix having outside RDP access issue

djl7780
Level 1

Hello,

I inherited this old PIX 515E and am trying to set up RDP access to a server behind the PIX. All I added was the static NAT, the ACL OUTSIDE_ACCESS_IN and the access-group. Everything works, like internet and traffic between the subnets, but I cannot get this to work. RDP is turned on on the server and the firewall is off. Here is my config. Any help would be greatly appreciated.

PIX Version 6.3(2)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 phones security90
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
hostname someone-pix515
domain-name someone
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network INSIDE_192.168.0.0
  description LAN
  network-object 192.168.0.0 255.255.255.0
object-group service WEB tcp
  port-object eq www
  port-object eq https
object-group service RDP tcp
  port-object eq 3389
object-group network PHONES_192.168.30.0
  description PHONE NETWORK
  network-object 192.168.30.0 255.255.255.0
access-list INSIDE_ACCESS_IN remark -- This is the ACL allowing access in to the LAN
access-list INSIDE_ACCESS_IN permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list INSIDE_ACCESS_IN permit ip any any
access-list NONAT_INSIDE remark -- This is the NONAT ACL for the INSIDE interface
access-list NONAT_INSIDE permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list NONAT_PHONES remark -- This is the NONAT ACL for the PHONES interface
access-list NONAT_PHONES permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list PHONES_ACCESS_IN remark -- This is the ACL allowing access in to the PHONE network
access-list PHONES_ACCESS_IN permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list PHONES_ACCESS_IN permit ip any any
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.0.14 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu phones 1500
ip address outside x.x.x.73 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip address phones 192.168.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_INSIDE
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (phones) 0 access-list NONAT_PHONES
nat (phones) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.74 192.168.0.14 netmask 255.255.255.255 0 0
access-group OUTSIDE_ACCESS_IN in interface outside
access-group INSIDE_ACCESS_IN in interface inside
access-group PHONES_ACCESS_IN in interface phones
route outside 0.0.0.0 0.0.0.0 2x.x.x.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 6x.x.x.x 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.0.3-192.168.0.253 inside
dhcpd address 192.168.30.2-192.168.30.253 phones
dhcpd dns x.x.x.x x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
dhcpd enable phones
username admin password  encrypted privilege 15
terminal width 80


Accepted Solution

guibarati
Level 4

Wow, 6.3(2)... long time since I've seen it.

Here is the problem:

static (inside,outside) x.x.x.74 192.168.0.14 netmask 255.255.255.255 0 0
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.0.14 eq 3389

On your access list you have to allow traffic to the external IP, x.x.x.74, instead of 192.168.0.14.

Rate if it helps.


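The accepted answer rests on a rule that is easy to forget when you inherit a pre-8.3 PIX/ASA: an inbound ACL bound to the outside interface is evaluated against the packet before the static NAT is undone, so the ACE must name the mapped (public) address from the static, not the server's real address. The following script is an added example, not code from the thread or from Cisco: it reads the static, access-list and access-group lines of a PIX 6.x config and flags outside-bound ACEs that name a real address, emitting the corrected line. The sample config is constructed from the lines posted above, with x.x.x.74 kept as the redacted public address exactly as it appears in the post.

```python
import re

# Constructed sample: the relevant lines from the posted config, before the
# accepted-answer fix is applied. x.x.x.74 is the redacted public address as
# written in the thread.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) x.x.x.74 192.168.0.14 netmask 255.255.255.255 0 0
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.0.14 eq 3389
access-group OUTSIDE_ACCESS_IN in interface outside
"""

# static (real_if,mapped_if) <mapped ip> <real ip> netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
# access-list <name> permit <proto> <src ...> host <dst> [eq <port>]
ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+?) host (\S+)(?: eq (\S+))?$")
# access-group <name> in interface <ifname>
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def parse_statics(config):
    """Map real (inside) address -> (mapped address, interface the mapping faces)."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics[real_ip] = (mapped_ip, mapped_if)
    return statics


def parse_access_groups(config):
    """Map ACL name -> interface it is bound to inbound."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m.group(1)] = m.group(2)
    return groups


def find_real_ip_aces(config):
    """Return (offending ACE, corrected ACE) pairs.

    Pre-8.3 PIX/ASA match an inbound ACL on the interface where the mapped
    address lives against the mapped address, so 'host <real ip>' in an ACL
    bound to that interface can never match. The corrected line substitutes
    the mapped address taken from the matching static.
    """
    statics = parse_statics(config)
    groups = parse_access_groups(config)
    findings = []
    for line in config.splitlines():
        ace = line.strip()
        m = ACE_RE.match(ace)
        if not m:
            continue
        acl, _proto, _src, dst, _port = m.groups()
        if dst not in statics:
            continue  # destination is not the real side of any static
        mapped_ip, mapped_if = statics[dst]
        if groups.get(acl) != mapped_if:
            continue  # ACL is not bound where the mapped address is seen
        findings.append((ace, ace.replace(f"host {dst}", f"host {mapped_ip}")))
    return findings


if __name__ == "__main__":
    for bad, good in find_real_ip_aces(PIX_CONFIG):
        print(f"real address in outside ACL:\n  - {bad}\n  + {good}")
```

The check is only meaningful for pre-8.3 syntax; from ASA 8.3 onward interface ACLs reference real addresses and this rule reverses, so the same script would flag correct configs there.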
3 Replies

Thanks, I actually caught that and replaced it with the external IP, and it seemed to get it working, although now that it has started working the PIX is kicking my outside SSH connection. If I reboot the PIX and no traffic is going to that server my SSH connection is steady, but as soon as I start RDP into that server behind the PIX I start getting disconnected after I log in and run a couple of commands... almost like some kind of NAT issue. Any suggestions?

Also, I removed all of the other ACLs except for OUTSIDE_ACCESS_IN. This still allows my internet browsing etc. It did stop me from being able to talk across internal networks though. What could I add back to get that functionality working?

This one would need some more investigation.

You could take a look at show xlate and show conn to try to get some idea.
