Re: Allowing PCAnywhere into network that has private IPs

From: Lars M. Hansen (badnews@hansenonline.net)
Date: 03/27/02



On 27 Mar 2002 09:31:42 -0000, spike spoketh

>In article <wYco8.119587$af7.63857@rwcrnsc53>
>"OmegaRed" <omegared_xmen@hotmail.com> wrote:
>>
>> I have a Cisco 2621 router and PIX 515R firewall. I have the
>> proper udp and tcp ports set up for PCA. So PCA works fine going out.
>> Since I am using private IP addresses on the company network, how can I
>> enable computers from across the internet to access a PCA host? Must I
>> have NAT enabled on the Cisco 2621 router? If so, how can I do this? And
>> what must I do on the PIX 515R firewall?
>
>Before you read on:
>I strongly recommend _not_ letting computers be controlled
>via PCA directly from the internet! Try something like
>tunneling in ssh, if possible, or allowing these rules manually,
>only when needed.
>
>If you want to do it nevertheless, there are 2 situations:
>
>1.) You also have unused, publicly accessible IP addresses (not
>only rfc1918) left. Use NAT to point to your box.
>
>2.) You use DHCP addresses from your ISP or you used up your IP
>block. A general answer would now be: get more addresses. But you
>still can do it like this:
>
>Configure port forwarding on your cisco (does it support that?)
>so that every packet for these ports goes to the PCA box.
>
>
>HTH,
>Spike
>

Very good answer, Spike.

Yes, Pix supports port forwarding. The older IOS called it conduit, but
I believe now it's done using access lists.

If you have to allow PCA in from the internet, try to lock down what IP
addresses can connect, i.e. only your IP address. That's a little
difficult if you're DHCP'ed on dialup ...

Consider a VPN solution for remote control.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'lars' in e-mail address)
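As an added illustration (not part of the thread or any poster's own configuration), this is what the combined advice above could look like in PIX 6.x syntax: port redirection with `static` in place of the old `conduit`, and an access list that admits only one remote address. It assumes interfaces named inside/outside, a spare public address 198.51.100.2 on the outside (Spike's situation 1), the PCA host at 10.0.0.5, a single remote administrator at 203.0.113.10, and PCAnywhere's standard ports TCP 5631 / UDP 5632; all addresses are constructed placeholders.

```cisco
! Assumed PIX 6.x syntax; all addresses are constructed placeholders.
! Redirect PCAnywhere's TCP 5631 and UDP 5632 arriving at the spare public
! address 198.51.100.2 to the internal PCA host 10.0.0.5 (port-level static,
! the access-list era replacement for conduit).
static (inside,outside) tcp 198.51.100.2 5631 10.0.0.5 5631 netmask 255.255.255.255 0 0
static (inside,outside) udp 198.51.100.2 5632 10.0.0.5 5632 netmask 255.255.255.255 0 0
! Permit only the one administrator address 203.0.113.10 to reach those ports;
! anything else from the outside is dropped by the access list's implicit deny.
access-list acl_outside permit tcp host 203.0.113.10 host 198.51.100.2 eq 5631
access-list acl_outside permit udp host 203.0.113.10 host 198.51.100.2 eq 5632
! Bind the list inbound on the outside interface.
access-group acl_outside in interface outside
```

If the outside side has no spare public address (Spike's situation 2), the `interface` keyword can replace 198.51.100.2 in the `static` lines so the PIX's own outside address is used, and the 2621 in front must simply pass those ports through; the source restriction is what keeps this from being an open remote-control port, and it does not work for an administrator whose own address changes with DHCP.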


