02-09-2006 08:26 PM - edited 02-21-2020 12:42 AM
Hi,
I wanted to open my PIX 525 so that I can Remote Desktop to any PC in my DMZ. Currently, I have only one available IP and am using PAT to do this job. I thought I had done the right things but kept on failing. Can anyone tell me where I went wrong...
Here is the code I added to my PIX 525:
name 10.88.88.20 IBMConsole
name 10.88.88.21 PCOne
access-list outside_access_in permit tcp any interface outside eq 3300
access-list outside_access_in permit tcp any interface outside eq 3301
static (dmz,outside) tcp interface 3300 IBMConsole 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3301 PCOne 3389 netmask 255.255.255.255 0 0
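An added example, not part of the thread or of any Cisco tool: a small Python cross-check that parses the posted `name`, `static` and `access-list` lines and reports any outside port that has a static port redirect without a permitting ACL entry (or the reverse). The regexes cover only the `static (real,mapped) tcp interface ...` and `access-list ... permit tcp any interface outside eq ...` forms seen in this thread, and `name` lines are assumed to come before the `static` lines that use them.

```python
import re

# Constructed sample: the port-redirect lines posted in the first message above.
PIX_CONFIG = """\
name 10.88.88.20 IBMConsole
name 10.88.88.21 PCOne
access-list outside_access_in permit tcp any interface outside eq 3300
access-list outside_access_in permit tcp any interface outside eq 3301
static (dmz,outside) tcp interface 3300 IBMConsole 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3301 PCOne 3389 netmask 255.255.255.255 0 0
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
# static (real_if,mapped_if) tcp interface <mapped_port> <real_host> <real_port> ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any interface (\w+) eq (\d+)$")


def parse_pix(config):
    """Return (redirects, acl_ports): mapped outside port -> (real_if, real_ip, real_port),
    plus the set of outside ports that an access-list permits inbound."""
    names, redirects, acl_ports = {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # symbolic name -> IP
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mport, host, rport = m.groups()
            if mapped_if == "outside":
                redirects[int(mport)] = (real_if, names.get(host, host), int(rport))
        elif m := ACL_RE.match(line):
            if m.group(2) == "outside":
                acl_ports.add(int(m.group(3)))
    return redirects, acl_ports


def check_port_redirects(config):
    """Every static port redirect needs a matching inbound ACL entry, and every ACL
    entry should have a redirect; otherwise one of the two lines does nothing."""
    redirects, acl_ports = parse_pix(config)
    findings = []
    for port in sorted(set(redirects) - acl_ports):
        real_if, ip, rport = redirects[port]
        findings.append(f"port {port}: static to {ip}:{rport} on {real_if} has no permitting ACL entry")
    for port in sorted(acl_ports - set(redirects)):
        findings.append(f"port {port}: ACL permits it but no static redirect exists")
    return findings


if __name__ == "__main__":
    for f in check_port_redirects(PIX_CONFIG) or ["no inconsistencies found"]:
        print(f)
```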
02-09-2006 11:15 PM
Hi,
Config seems to be fine; we can do the following changes.
Have you configured the NAT and global statement for the DMZ?
Just an example to make sure you have the NAT configured.
nat (dmz) 1 10.88.88.0 255.255.255.0
global (outside) 1 interface
Try this.
remove both static and re-configure one of them.
static (dmz,outside) tcp interface 3389 IBMConsole 3389 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 3389
access-group outside_access_in in interface dmz
So what we are doing is that we are not changing the ports here. [I know we cannot map the two IPs to the same IP, but this is just to test if it works.]
Also, before making this change, make sure you have the NAT and global configured for the dmz; if not, then configure that and test. If that does not work, then change the static as given above.
Regards,
Tanveer
02-12-2006 08:59 PM
02-12-2006 09:16 PM
Hi,
I have gone through the config and the only issue I see is this route:
route inside 10.88.0.0 255.255.0.0 10.88.1.1 1
You have configured this class B static route to inside, which includes the DMZ subnet also.
We don't need this route because the PIX will insert a directly connected route for the interfaces automatically.
Any specific reason for this route?
Can you remove/change this and then test? I don't see any other issue.
regards,
Tanveer
02-12-2006 10:28 PM
FYI,
10.88.1.1 is our core switch and we are using both the 10.88.0.0 and 192.168.0.0 VLANs in our network.
route inside 10.88.0.0 255.255.0.0 10.88.1.1 1
route inside 192.168.0.0 255.255.0.0 10.88.1.1 1
Should I change or remove this line?
02-12-2006 10:40 PM
Hi,
As per the PIX config, you have divided 10.x.x.x into two class C subnets.
ip address inside 10.88.1.254 255.255.255.0
ip address dmz 10.88.88.1 255.255.255.0
If you check the routing table on the PIX with "show route", you will see a connected route for 10.88.1.0 255.255.255.0, which tells the PIX to route inside any packet destined for 10.88.1.0/24. If you have any other subnet of 10.x.x.x on the inside, please configure a specific route for that before removing the route given below.
I would suggest removing this route:
route inside 10.88.0.0 255.255.0.0 10.88.1.1 1
Regards,
Tanveer
02-12-2006 11:13 PM
Tanveer,
When I do show route, it gives me this...
outside 0.0.0.0 0.0.0.0 219.94.120.149 1 OTHER static
inside 10.88.0.0 255.255.0.0 10.88.1.1 1 OTHER static
inside 10.88.1.0 255.255.255.0 10.88.1.254 1 CONNECT static
dmz 10.88.88.0 255.255.255.0 10.88.88.1 1 CONNECT static
inside 192.168.0.0 255.255.0.0 10.88.1.1 1 OTHER static
outside 219.94.120.144 255.255.255.240 219.94.120.150 1 CONNECT static
Based on this, is it OK if I remove:
route inside 10.88.0.0 255.255.0.0 10.88.1.1 1
Thanks,
Darlien
02-13-2006 12:36 AM
Darlien,
If you only have the 10.88.1.0 network on the inside, then we can remove this route:
no route inside 10.88.0.0 255.255.0.0 10.88.1.1 1
If you have more subnets, let's take as an example 10.88.10.0 also on the inside, then add a specific route for that subnet, as in the example given above.
Regards,
Tanveer