In some situations, it may be necessary to permit access to a device through a PIX/ASA Firewall using PCAnywhere. By default, such connections are denied, so you must configure the PIX/ASA to permit PCAnywhere traffic from the outside interface to the inside interface.
In most PIX/ASA scenarios, the inside interface and network uses private addressing, while the outside interface and network uses public addressing. Therefore, a static mapping must be created to establish the relationship between the outside and inside addresses. Moreover, an Access Control List (ACL) must define the traffic that is permitted through the PIX/ASA.
PCAnywhere uses TCP port 5631 (the data port) and UDP port 5632 (the status port) to communicate. Therefore, these two ports must be explicitly permitted on the PIX.
Consider the example of a device on the inside interface of the firewall with an IP address of 10.1.1.10, which is mapped to an external (global) IP address of 126.96.36.199. In this case, traffic destined for 188.8.131.52 arrives at the firewall, is translated to 10.1.1.10, and is passed to the inside interface.
Based on the above factors, the configuration necessary for this scenario follows:
static (inside,outside) 184.108.40.206 10.1.1.10 netmask 255.255.255.255
! --- The static mapping between 220.127.116.11 (outside address) and 10.1.1.10 (inside address).
access-list 101 permit tcp any host 18.104.22.168 eq 5631
! --- Permits TCP traffic to 22.214.171.124, port 5631.
access-list 101 permit udp any host 126.96.36.199 eq 5632
! --- Permits UDP traffic to 188.8.131.52, port 5632.
access-group 101 in interface outside
! --- Apply ACL 101 to the outside interface.
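A configuration of this shape has three parts that must agree with each other: the global address in the static mapping, the destination host in each access-list entry, and the interface the access-group binds the list to. The following audit script is an added example, not Cisco's code or part of the original document; it parses the three command forms used above (the pre-8.3 "static" NAT syntax, extended "access-list ... host X eq N" entries, and "access-group") and reports any mapping/ACL mismatch, any missing PCAnywhere port, an ACL not applied inbound on "outside", and entries whose source is "any" so the reviewer can decide whether to restrict them to the remote PCAnywhere host. The sample configs, the addresses (RFC 5737 documentation ranges) and the function names are constructed for the example.

```python
import re

# Added audit example (not Cisco's code): parse a pre-8.3 style PIX/ASA
# fragment and check that a PCAnywhere pass-through is complete and
# internally consistent. Only the three command shapes shown on the page
# are understood; other lines are ignored.

STATIC_RE = re.compile(
    r"^static\s*\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$", re.I)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp)\s+(any|host\s+\S+)"
    r"\s+host\s+(\S+)\s+eq\s+(\d+)$", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", re.I)

# PCAnywhere ports named on the page: TCP 5631 (data), UDP 5632 (status).
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}


def parse_config(config):
    """Return (statics, acls, groups) from a config fragment; '!' comments are skipped."""
    statics, acls, groups = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)            # global -> local
        elif m := ACL_RE.match(line):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append(
                (action.lower(), proto.lower(), src.lower(), dst, int(port)))
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2).lower()     # acl name -> interface
    return statics, acls, groups


def audit_pcanywhere(config):
    """Return a list of finding strings; an empty list means the rule set is
    complete (both ports permitted toward a mapped global address, applied
    inbound on outside) and no entry points at an unmapped address."""
    statics, acls, groups = parse_config(config)
    findings = []
    if not statics:
        findings.append("no static command found")
    permitted = {g: set() for g in statics}             # global -> {(proto, port)}
    for name, entries in acls.items():
        iface = groups.get(name)
        if iface != "outside":
            findings.append(f"access-list {name} is not applied inbound on outside")
        for action, proto, src, dst, port in entries:
            if action != "permit":
                continue
            if dst not in statics:
                findings.append(
                    f"access-list {name} permits to {dst}, which has no static mapping")
                continue
            if iface == "outside":
                permitted[dst].add((proto, port))
            if src == "any" and (proto, port) in PCANYWHERE_PORTS:
                findings.append(f"{proto}/{port} to {dst} is open to any source; "
                                "restrict to the remote PCAnywhere host(s)")
    for g, got in permitted.items():
        for proto, port in sorted(PCANYWHERE_PORTS - got):
            findings.append(
                f"{proto}/{port} to {g} (-> {statics[g]}) is not permitted from outside")
    return findings


# Constructed sample: consistent, and limited to one remote source host.
GOOD_CONFIG = """
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list 101 permit tcp host 198.51.100.7 host 203.0.113.10 eq 5631
access-list 101 permit udp host 198.51.100.7 host 203.0.113.10 eq 5632
access-group 101 in interface outside
"""

# Constructed sample: the TCP entry points at an address that is not the
# static global, and the UDP entry is open to any source.
BAD_CONFIG = """
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
! --- ACL host below does not match the static global address
access-list 101 permit tcp any host 203.0.113.11 eq 5631
access-list 101 permit udp any host 203.0.113.10 eq 5632
access-group 101 in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_pcanywhere(cfg) or "no findings")
```

Run it against a pasted "show running-config" excerpt; the "open to any source" finding is informational (the page's own example uses "any"), while an unmapped destination or a missing port means the PCAnywhere session cannot be established as described.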