
Unable To remote

tonny_ecmyy
Level 1

Hello there..

Here I have a PIX 506E. I'm unable to remote desktop the server behind the firewall. If I take out the firewall... yes it can. It seems that the firewall doesn't allow any outside user to access inside.

Fixed IP: xxx.xxx.xxx.161

server 192.168.1.9 [ Unable to remote this server ]

Router IP: 10.1.1.1

Outside IP: 10.1.1.2

Inside IP: 192.168.1.1

I've allowed any ICMP. How am I going to allow outside to go inside...

I've attached my configurations, please look through..

Thanks

Tonny


sachinraja
Level 9

Where are you trying to do the RDC connection from (to the server 192.168.1.9)? If it is from outside, we need to open appropriate ports and do statics. Do let us know where you want the RDC access from.

access-list outside_access_in line 1 permit tcp any host 10.1.1.2 eq 3389

# This will allow any host to RDP into RDPServer

static (inside,outside) tcp 10.1.1.2 3389 192.168.1.9 3389 netmask 255.255.255.255 0 0

#Port Redirect tcp port 3389 RDP to 192.168.1.9

access-group outside_access_in in interface outside

# Apply access-list to interface

sincerely

Patrick

Hi,

I want to make the Remote Desktop Connection from outside. I've tried your config, but I still can't remote the server from outside and also can't ping it. For your information, in the router I've enabled DMZ with DMZ host IP 192.168.1.9 (the server that I want to remote), and then from outside I remote the server with Remote Desktop Connection and fill in the fixed IP address xxx.xxx.xxx.161. Without the firewall, yes it can, but with the firewall it's blocked. Please help.

Thanks

Tonny

Below are the further details of my config:

show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

access-list outside_access_in; 2 elements

access-list outside_access_in line 1 permit tcp any host 10.1.1.2 eq 3389 (hitcnt=0)

access-list outside_access_in line 2 permit icmp any any (hitcnt=4)

show xlate

1 in use, 31 most used

PAT Global 10.1.1.2(1537) Local 192.168.1.9(2855)

show route

outside 0.0.0.0 0.0.0.0 10.1.1.1 1 OTHER static

outside 10.0.0.0 255.0.0.0 10.1.1.2 1 CONNECT static

inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

show nat

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

I'm not using NAT. Please check what's wrong with my config. Thanks a million for helping.

Tonny

As per your configuration posted before, 10.1.1.2 is your PIX outside IP address. You should not do a PAT here as shown above. You need to do a static NAT and then allow port 3389 on that IP.

I am taking 10.1.1.3 (hope it is a free IP) in my configuration.

access-list outside_access_in permit tcp any host 10.1.1.3 eq 3389

access-list outside_access_in permit icmp any host 10.1.1.3

access-group outside_access_in in interface outside

static (inside,outside) 10.1.1.3 192.168.1.9 netmask 255.255.255.255 0 0

After doing this, you can telnet on port 3389 to the IP address 10.1.1.3 from the router & ping the server as well.

All the best !!
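An added example, not part of the original thread: a small audit of the `access-list` and `static` lines discussed above. It flags RDP permitted from `any` source, a permitted destination with no matching `static`, and entries whose `hitcnt` is 0 (no packet has matched them). The finding names and the addresses 198.51.100.7 and 10.1.1.4 are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the PIX commands quoted in this thread.
# 198.51.100.7 and 10.1.1.4 are made-up addresses for illustration.
SAMPLE = """\
access-list outside_access_in line 1 permit tcp any host 10.1.1.3 eq 3389 (hitcnt=0)
access-list outside_access_in line 2 permit icmp any any (hitcnt=4)
access-list outside_access_in line 3 permit tcp host 198.51.100.7 host 10.1.1.4 eq 3389 (hitcnt=2)
static (inside,outside) 10.1.1.3 192.168.1.9 netmask 255.255.255.255 0 0
"""

ADDR = r"(any|host \S+|\S+ \S+)"  # any | host A.B.C.D | network mask
ACL = re.compile(
    r"access-list \S+ (?:line \d+ )?permit (tcp|udp|icmp|ip) "
    + ADDR + " " + ADDR + r"(?: eq (\S+))?(?: \(hitcnt=(\d+)\))?"
)
# Matches both forms used in the thread: one-to-one static NAT and the
# tcp/udp port redirect. The global (outside) address is captured.
# Limitation: a static written with the "interface" keyword is not resolved.
STATIC = re.compile(r"static \(\w+,\w+\) (?:(?:tcp|udp) (\S+) \S+|(\S+)) ")


def audit(config):
    """Return (acl_entry_number, finding) pairs; finding names are hypothetical."""
    lines = [ln.strip() for ln in config.splitlines()]
    globals_ = {m.group(1) or m.group(2) for m in map(STATIC.match, lines) if m}
    findings, entry = [], 0
    for ln in lines:
        m = ACL.match(ln)
        if not m:
            continue
        entry += 1
        proto, src, dst, port, hits = m.groups()
        # RDP reachable from every source address
        if proto == "tcp" and port == "3389" and src == "any":
            findings.append((entry, "rdp-open-to-any-source"))
        # ACL permits a host that no static translates to an inside server
        if dst.startswith("host ") and dst.split()[1] not in globals_:
            findings.append((entry, "no-static-for-destination"))
        # show access-list counter: no packet has matched this entry
        if hits == "0":
            findings.append((entry, "never-matched"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit(SAMPLE):
        print(f"ACL entry {entry}: {finding}")
```

Entries without a `(hitcnt=N)` suffix, as in a saved configuration rather than `show access-list` output, are checked for the first two findings only.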

Hi,

I have tried everything, I'm so confused and write erase my config and start from the beginning because maybe there is something wrong with other config.

Please look through my attachment and you can modify it (correction) and attach it again.

Thanks for helping the beginner

Tonny

Your config:

ip address outside 10.1.1.2 255.0.0.0

ip address inside 192.168.1.1 255.255.255.0

global (outside) 10 218.xxx.xxx.162-218.xxx.xxx.172

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

What is that global? I do not understand why you have configured this IP range 218.xxx.xxx.162 - 218.xxx.xxx.172. I mean, this looks like a public range that is usually on an outside interface, right?

I would expect something like that:

global (outside) 10 10.1.1.3

or

global (outside) 10 interface

Could you please explain that to me?

Your access-list and static are OK. But you cannot route a private range (10.1.1.0) on the Internet. So I suppose that this is an internal network, or you NAT or PAT somewhere else.

You should be able to connect from the 10.1.1.0 Network to IP 10.1.1.9 on RDP.

sincerely

Patrick

Thanks for replying, I'm going to erase my config and start a new one again. I'm trying now, hope no problem..

Thanks a million

Tonny

Hello Patrick & Sachinraja,

Thanks for helping me, now I can remote the RDP server from outside. Thanks for your configuration example. How do I save my configuration to floppy?

Thanks for helping the beginner

Tonny

Hi Tonny,

You can use the write net command on the PIX to export the configuration to a TFTP server. You can run Cisco or 3CDaemon TFTP server on a PC and give this command on the PIX. It will transfer all your configurations to that PC. You can copy to the floppy from that PC.

Thanks

Connect to the console, VT100 9600/8/N/1, using HyperTerminal or other terminal emulation.

Type:

enable

write term

# This will show your configuration. DRAG AND DROP into WordPad or Notepad.

sincerely

Patrick