Remote Access on PIX 501

admin_2

I have a number of issues with my PIX 501 6.2(2). I want to accomplish the following:

1. Terminal Service access (remotely)

2. HTTPS access (internally and remotely)

3. Standard Firewall protection

Please keep in mind that I am an extreme "beginner" when it comes to the PIX and its IOS. I know what the PDM is and I also know how to get a telnet session with the PIX. I'm able to configure the PIX from either utility.

My problem is that I cannot gain access to Terminal Services if I have the HTTPS portion setup. I know it's in my configuration, but I don't know how to correct it.

I was told to place my config file below (see below).

I would appreciate any help.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname unitedwater
domain-name unitedwater.lan
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host <outside address here> 8 eq smtp
access-list outside_access_in permit tcp any host <outside address here> eq www
access-list outside_access_in permit tcp any host <outside address here> eq ftp
access-list outside_access_in permit esp any any
access-list outside_access_in permit udp any eq isakmp any eq isakmp
access-list outside_access_in permit udp any eq 1701 any eq 1701
access-list outside_access_in permit tcp any eq 1723 any eq 1723
access-list outside_access_in permit tcp any host <outside address here> eq https
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside <outside address here> 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.252 outside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 1 192.168.1.100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.100 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 <modem address> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.50 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.3-192.168.1.33 inside
dhcpd dns 192.168.1.100 <dns address>
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

2 Replies

mostiguy

Get rid of the global (inside) statement. Global is for low security interfaces, containing IP addresses for hosts on higher security interfaces to use when traversing the firewall. Get rid of it, and try a clear xlate to wipe the translation table clean.

Your access list does not have a statement permitting access to TCP port 3389 for Terminal Services.

Your static statements look fine, so in conjunction with the access list, I expect that HTTP, HTTPS, FTP and SMTP would work.
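The reply above rests on two rules of the PIX 6.x inbound path: a connection arriving on the outside interface needs a static translation for the destination address and port, and it also needs a permit in the access list bound to that interface with access-group, matched on the untranslated outside address. The script below is an added example, not the poster's config or Cisco code. It models those two checks over a constructed copy of the posted config (203.0.113.2, an RFC 5737 test address, stands in for the redacted "<outside address here>"), reports the global pool that sits on the inside interface, and shows that port 3389 has its static but no access-list entry until the fix from the reply is applied. The parser understands only the statement forms that appear in the posted config.

```python
"""Model of the PIX 6.x inbound path for a new connection arriving on the
outside interface: static (port) translation first, then the ACL bound to that
interface with access-group. Hypothetical helper written for this thread, not
Cisco code; it understands only the statement forms used in the posted config."""
import re
from collections import defaultdict

# Port keywords that appear in the posted config, as PIX 6.x resolves them.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "https": 443,
              "telnet": 23, "ssh": 22, "isakmp": 500, "pptp": 1723}

# Constructed stand-in for the posted config. 203.0.113.2 (RFC 5737 test net)
# replaces the redacted "<outside address here>".
SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
access-list outside_access_in permit tcp any host 203.0.113.2 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.2 eq www
access-list outside_access_in permit tcp any host 203.0.113.2 eq ftp
access-list outside_access_in permit tcp any host 203.0.113.2 eq https
global (outside) 1 interface
global (inside) 1 192.168.1.100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.100 https netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""


def _port(tok):
    """Resolve a numeric port or a PIX port keyword to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr_spec(toks, i):
    """Consume one ACL address spec at toks[i]: 'any', 'host X', or 'X mask'."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return toks[i], i + 2


def _port_spec(toks, i):
    """Consume an optional 'eq PORT' at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_pix(config):
    """Pull security levels, interface addresses, statics, ACLs, globals and nats."""
    cfg = {"security": {}, "ip": {}, "statics": [], "acl": defaultdict(list),
           "access_group": {}, "globals": [], "nats": []}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "nameif":                       # nameif ethernet1 inside security100
            cfg["security"][t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:           # ip address outside A.B.C.D mask
            cfg["ip"][t[2]] = t[3]
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (real,mapped) proto <mapped-ip|interface> mport <real-ip> rport ...
            real, mapped = re.match(r"\((\w+),(\w+)\)", t[1]).groups()
            cfg["statics"].append({"proto": t[2], "iface": mapped, "out_ip": t[3],
                                   "out_port": _port(t[4]), "in_ip": t[5],
                                   "in_port": _port(t[6])})
        elif t[0] == "access-list" and t[2] == "permit" and t[3] in ("tcp", "udp"):
            _, i = _addr_spec(t, 4)                # source address (ignored here)
            _, i = _port_spec(t, i)                # optional source port
            dst, i = _addr_spec(t, i)
            dport, _ = _port_spec(t, i)
            cfg["acl"][t[1]].append({"proto": t[3], "dst": dst, "dport": dport})
        elif t[0] == "global":                     # global (iface) id <pool|interface>
            cfg["globals"].append({"iface": t[1].strip("()"), "id": t[2], "line": raw})
        elif t[0] == "nat":                        # nat (iface) id local mask ...
            cfg["nats"].append({"iface": t[1].strip("()"), "id": t[2]})
        elif t[0] == "access-group":               # access-group NAME in interface IFACE
            cfg["access_group"][t[4]] = t[1]
    return cfg


def inbound_decision(cfg, proto, dst_ip, dst_port, iface="outside"):
    """Return (translated (inside_ip, port) or None, ACL permit hit) for a new
    connection to dst_ip:dst_port arriving on iface. Both must be true to pass."""
    target = None
    for s in cfg["statics"]:
        mapped_ip = cfg["ip"][s["iface"]] if s["out_ip"] == "interface" else s["out_ip"]
        if (s["iface"], s["proto"], mapped_ip, s["out_port"]) == (iface, proto, dst_ip, dst_port):
            target = (s["in_ip"], s["in_port"])
            break
    # PIX 6.x evaluates the inbound ACL against the untranslated (outside) address.
    acl_hit = any(e["proto"] == proto and e["dst"] in ("any", dst_ip)
                  and e["dport"] in (None, dst_port)
                  for e in cfg["acl"].get(cfg["access_group"].get(iface), []))
    return target, acl_hit


def misplaced_globals(cfg):
    """Flag global pools on an interface at least as secure as their nat source."""
    return [g["line"] for g in cfg["globals"] for n in cfg["nats"]
            if n["id"] == g["id"]
            and cfg["security"][g["iface"]] >= cfg["security"][n["iface"]]]


def with_fix(config):
    """Apply the reply's two changes: drop global (inside), permit TCP 3389 inbound."""
    lines = [l for l in config.splitlines() if not l.startswith("global (inside)")]
    lines.append("access-list outside_access_in permit tcp any host 203.0.113.2 eq 3389")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("after fix", with_fix(SAMPLE))):
        cfg = parse_pix(text)
        print(label, "misplaced globals:", misplaced_globals(cfg))
        for port in (3389, 443):
            print(label, port, inbound_decision(cfg, "tcp", "203.0.113.2", port))
```

Run as posted, port 3389 translates to 192.168.1.100:3389 but the ACL check fails, while 443 passes both; after the fix both pass and the inside global pool is gone. Two other lines in the posted config deserve the same scrutiny while it is open: `http 0.0.0.0 255.255.255.255 outside` lets any address on the Internet reach the PDM, and `snmp-server community public` leaves the default read community in place.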


Thank you.

I have resolved my problems.

Regards,

Kurt
