04-03-2012 12:20 PM - edited 03-11-2019 03:50 PM
Hi,
I'm having issues both with port forwarding and VPN with my PIX. I've tried different ways to set up port forwarding for remote desktop, but I still haven't had any luck.
With the VPN, I can secure a connection into the PIX, but I cannot access the internet or ping any of my devices on the remote network.
The config is below.
Thanks!
hostname PIX-515E-1
domain-name #####
enable password ##### encrypted
passwd ##### encrypted
names
!
interface Ethernet0
description Outside
nameif Outside
security-level 0
ip address x.x.x.x 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name #####
object-group service RDP tcp
port-object eq 3389
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp host 192.168.1.10 any object-group RDP
access-list Outside_access_in_1 remark RDP
access-list Outside_access_in_1 extended permit tcp any any eq 3389
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
ip local pool pool1 192.168.1.20-192.168.1.29 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Outside) 0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (Outside,inside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group Outside_access_in_1 in interface Outside
route Outside 0.0.0.0 0.0.0.0 ##### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set ESP-DES-SHA1 ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn PIX-515E-1
subject-name CN=PIX-515E-1
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn PIX-515E-1
subject-name CN=PIX-515E-1
keypair ####
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate e93c7a4f
<output omitted>
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 083d7a4f
<output omitted>
quit
crypto isakmp enable Outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication rsa-sig
encryption des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy1 internal
group-policy 51 internal
group-policy 51 attributes
dns-server value 192.168.1.10 167.102.160.34
vpn-tunnel-protocol IPSec
default-domain value #####
group-policy VPN1 internal
group-policy VPN1 attributes
dns-server value 192.168.1.10 167.102.160.34
vpn-tunnel-protocol IPSec
default-domain value #####
username ##### password ##### encrypted privilege 15
username ##### attributes
vpn-group-policy GroupPolicy1
username ##### password #### encrypted privilege 15
username admin attributes
service-type admin
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
authentication-server-group (Outside) LOCAL
authorization-server-group LOCAL
tunnel-group TunnelGroup1 ipsec-attributes
pre-shared-key *
peer-id-validate cert
chain
trust-point ASDM_TrustPoint0
tunnel-group VPN1 type remote-access
tunnel-group VPN1 general-attributes
address-pool pool1
default-group-policy VPN1
tunnel-group VPN1 ipsec-attributes
pre-shared-key *
tunnel-group 51 type remote-access
tunnel-group 51 general-attributes
address-pool pool1
default-group-policy 51
tunnel-group 51 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c367f64420d2281a8d2a2d51d23cf852
: end
04-03-2012 01:29 PM
Hi,
Your NAT configurations source and destination interface are the wrong way.
static (Outside,inside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
Should be
static (inside,Outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
Please rate if this helped
- Jouni
04-03-2012 01:33 PM
Regarding the VPN Client connection
If possible please change the VPN pool to something else than the LAN network
ip local pool pool1 192.168.1.20-192.168.1.29 mask 255.255.255.0
for example
ip local pool pool1 192.168.100.1-192.168.100.254 mask 255.255.255.0
Also you could change the NAT0 configurations for the VPN Client Pool the following way
no nat (Outside) 0 192.168.1.0 255.255.255.0
access-list NO-NAT-INSIDE permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO-NAT-INSIDE
And do the NAT for VPN users Internet traffic the following way
nat (Outside) 1 192.168.100.0 255.255.255.0
- Jouni
04-03-2012 01:36 PM
Regarding the ICMP problem
Please add the following configuration:
policy-map global_policy
class inspection_default
inspect icmp
- Jouni
04-03-2012 06:22 PM
Ok. I tried the commands for the RDP, and now I'm getting this when I try to remote in from the outside.
2 Apr 03 2012 21:19:40 106001 xxxx xxxx Inbound TCP connection denied from x.x.x.x/3335 to x.x.x.x/3389 flags SYN on interface Outside
I'm still working with the VPN.
04-03-2012 11:48 PM
Hi,
To be hones I'm not sure whats causing the problem with the NAT. I have configured the same type of port forward before. Though its not common in our environments.
Even the syslog message description for that message is a bit vague for me.
Isn't SYN supposed to be the only flag set when a remote host initiates a TCP connection through the firewall to a local host.
Can you check if theres any mention of the NAT in the xlate table with "show xlate"
Can you also try to change the "static" command so that the "interface" is replaced with the actual IP address of the Outside interface.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide