10-03-2005 06:29 PM - edited 02-21-2020 12:26 AM
I have 2 problems. The first is, I need to set up an ACL that will enable only certain IP addresses access to my internal W2K Terminal Server. My second issue is my PIX seems to just stop working.... meaning, I don't change anything, just all of a sudden, I can't get to the internet... I can't ping my internet router. But when I reload my configuration, everything starts to work again... I am not exactly sure how to troubleshoot this problem. CAN ANYONE HELP ME?
10-04-2005 12:54 AM
to access an internal server with terminal session,
if you've got only one public ip,
static (inside,outside) tcp
if you've got more than one public ip,
static (inside,outside)
regardless which static command you use, you still need to apply the following:
access-list 100 permit tcp
access-list 100 permit tcp
access-group 100 in interface outside
clear xlate
may i suggest that allowing a terminal session directly from the internet is not very secure. you may configure remote vpn client access or alternatively manipulate the standard port number so that a hacker will not discover the port as easily.
e.g.
static (inside,outside) tcp
access-list 100 permit tcp
access-group 100 in interface outside
with the commands above, the trusted remote user needs to point to tcp port 10000 instead of default port 3389 when connecting to the server.
to establish a terminal session with a specific port:
regarding the connectivity issue, are you using a pix501? if so, do a "sh ver" to verify the internal user licence. you may have a 10 or 50 internal user licence.
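A constructed PIX 6.x example of the full form of the commands above (my own illustration, not the poster's actual commands, which are truncated here): a port-redirecting static for a single public IP, plus an ACL that admits only two trusted source addresses. The addresses are documentation ranges and the inside server, trusted hosts and outside interface IP are all assumptions.

```cisco
! Constructed example (not from the original post); PIX 6.x syntax.
! Assumes: inside server 192.168.1.10 (W2K Terminal Server, RDP on 3389),
! trusted remote hosts 198.51.100.5 and 198.51.100.6,
! outside interface address 203.0.113.1 (the single public IP).
!
! One public IP: redirect outside port 10000 on the interface address to the server's 3389
static (inside,outside) tcp interface 10000 192.168.1.10 3389 netmask 255.255.255.255
!
! Alternative when a spare public address (here 203.0.113.10) is available:
! static (inside,outside) tcp 203.0.113.10 10000 192.168.1.10 3389 netmask 255.255.255.255
!
! Only the listed sources may reach the translated port; every other source
! falls through to the ACL's implicit deny, so the port is not exposed to the whole internet
access-list 100 permit tcp host 198.51.100.5 host 203.0.113.1 eq 10000
access-list 100 permit tcp host 198.51.100.6 host 203.0.113.1 eq 10000
access-group 100 in interface outside
!
! Rebuild translations so the new static takes effect immediately
clear xlate
!
! Verification: hit counts should climb only on the two permit lines,
! and the xlate table should show the 3389 -> 10000 mapping
show access-list 100
show xlate
```

The remote user connects to 203.0.113.1 on port 10000; the PIX rewrites it to 192.168.1.10:3389.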
10-04-2005 05:49 AM
I am using a PIX515E... I was wondering if it has anything to do with the timeout settings.
My settings are...
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Would it help you help me if I posted my entire configuration?
Thanks
10-04-2005 06:54 AM
these settings are default and they shouldn't cause any issue, as i have never manipulated the settings.
10-04-2005 09:54 AM
ok, I will not change any of these settings. Yet, it seems like when there is no activity my connection to the internet goes down. For example, over night my connection to the internet goes down, but like now when I am at the office and all of my users are doing things on the internet, the connection stays up. What would you suggest for troubleshooting? Oh, yeah, by the way, the RDP ACL works fine... thanks a million
10-13-2005 06:28 PM
it's good to learn that the rdp is working fine.
according to cisco:
10-13-2005 06:31 PM
just wondering if the internet issue is still bothering you.