Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
7
Replies

PIX 515 CONFIG HELP PLEASE

abruso
Level 1
Level 1

‎08-27-2003 11:55 AM - edited ‎02-20-2020 10:57 PM

I have a question regarding my PIX 515.

I am trying to find a way to allow users on the outside to access their computers here at the office via PcAnywhere through the PIX.

Prior to buying this firewall, we had a NAT config set up on our 2610 router, and it worked fine. However, I can not seem to find a way to do this with the PIX.

Do you have any ideas on how to get PcAnywhere to work with NAT? PcAnywhere uses ports 5631 for data and 5632 for status. Here is an example of how our router was setup to do this:

ip nat inside source static tcp 10.0.0.30 5631 x.x.224.90 5030 extendable

ip nat inside source static udp 10.0.0.30 5632 x.x.224.90 5031 extendable

We would do this for every internal IP and give each IP its own unique ports so everyone could have their own PcAnywhere session.

I’m not sure how to do something like this with the PIX, and I can’t find anything on Cisco’s web site.

Is there a better way to get this to work instead of using NAT? Would it be easier to use VPN? If you have any ideas on how to do this, please let me know.

0 Helpful
7 Replies 7

bdube
Level 2
Level 2

‎08-27-2003 12:28 PM

Andrew,

For sure, your need, external users accessing their own PC on inside, should be respond with VPN not PCAnywhere.

The reason you have this PIX is probably to close those holes opened through the 2610 router. You shouldn't try to leave external hosts accessing their PC directly, it's a major security concern.

Regards

Ben

0 Helpful

abruso
Level 1
Level 1
In response to bdube

‎08-27-2003 02:07 PM

Benoit,

Thanks for your reply. I completely agree with you, however, there are some reasons why we need PcAnywhere. I don't know if you are familiar with IBM controllers, but all of our PC's here at the office have an additional 3270 emulater card in them so they can connect to an IBM controller that we have sitting here. I don't have a lot of experience with VPN's but I was under the impression that a VPN wouldn't allow access to that conroller via the attachmate 3270 emulator cards.

Do you mean that I should just set up VPN tunnels, and then have users start a PcAnywhere session? Like I said, I don't have much experience with VPN's so I'm not sure how they work.

We are looking into Host Integration Server to get rid of that controller, but until then, I need this to work somehow. Anymore information would be extremely helpful. Thanks.

0 Helpful

bdube
Level 2
Level 2
In response to abruso

‎08-27-2003 02:38 PM

Hi Andrew,

My last customer is using 3270 as well, but with HIS for some applications and the IBM's TN3270 implementation for main SNA application. With TN3270, any TN3270 client may communicate over IP to the mainframe. Their users can start a SNA session from outside using their VPN (Cisco box) which is protected by a PIX.

Since PCAnywhere is communicating over IP, i suppose it can also over VPN, but since «The Devil is in the detail», you need to try it before.

About VPN, roughly an IPsec tunnel may encapsulate any IP packet, which give you the ability to secure & restrict the mainframe access.

Regards,

Ben

0 Helpful

abruso
Level 1
Level 1
In response to bdube

‎08-27-2003 02:54 PM

I guess where I am getting confused is how to configure the PIX for this. I don't have a VPN concentrator (I assume this is what you meant by "Cisco box") so everything would be working through the PIX. So, once an outside user makes a secure connection using a VPN tunnel, how does the PIX know what PC they need to connect to and how will PcAnywhere work once you get a secure vpn tunnel?

I'm new to all this VPN stuff. Thanks.

0 Helpful

bdube
Level 2
Level 2
In response to abruso

‎08-27-2003 06:04 PM

With VPN, your external will have a private IP address, one coming from your internal network. Then, the user just have to point PCAnywhere to the the internal IP address of his inside PC. I suppose that each internal PC has fix IP, since you already have configured this on the 2610.

The PIX doesn't need to know exactly what PC they to connect to.

Ben

0 Helpful

abruso
Level 1
Level 1
In response to bdube

‎08-28-2003 07:48 AM

That sounds easy enough. I will look into it. Thanks for your help.

0 Helpful

jmia
Level 7
Level 7

‎08-27-2003 12:30 PM

You'll require the following on the PIX for PcAnywhere:

> pcanywhere-status UDP 5632

> pcanywhere-data TCP 5631

Here's a cisco doc that might help:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/intro.htm

Jay.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card