Re: Route traffic from a Dynamic WAN address on Pix 501

From: Warren Tochor (Warren_at_Tochor.com)
Date: 02/10/04


Date: Tue, 10 Feb 2004 04:13:05 GMT

Well I tried your suggestion with some mixed results but was not able to
connect. For starters I'm just working on the Terminal Services rules only;
once I get them down I'm sure I can get the rest. I had some trouble with
the access-list syntax. I was eventually able to enter the access-list
with the help of the GUI. Here is what was added.

name 209.xxx.xxx.xxx remoteuser2
access-list outside_access_in permit tcp host remoteuser2 eq 3389 host 10.21.55.5 eq 3389
access-group outside_access_in in interface outside
static (inside, outside) tcp interface 3389 10.21.55.5 3389 netmask 255.255.255.255 0 0

At the end of my reply is the running config.

I am not able to connect via Terminal Services. Terminal Services works
behind the firewall but not from the outside address. I have a SonicWALL
device on the outside address (209.xx.xxx.xxx) doing one-to-one NAT to my
workstation, which I am not able to connect from.

Any suggestions as to why this doesn't work?

Someone else originally set up the domain-name tgs.com in the PIX. This is
not their domain name. Does the PIX do any domain name resolution that
could be causing the problem?

You mentioned I cannot redirect telnet; how can I configure the PIX to allow
me to telnet from the outside address (209.xx.xxx.xxx) so I can manage it?

Is the order you entered important? I assume you enter the commands in the
configuration mode.

You have been a great help, any additional help would be appreciated.

Warren

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cBLalUer5EqAPcp3 encrypted
passwd cBLalUer5EqAPcp3 encrypted
hostname tgs-sd1
domain-name tgs.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 209.xxx.xxx.xxx remoteuser2
access-list outside_access_in permit tcp host remoteuser2 eq 3389 host
10.21.55.5 eq 3389
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.21.55.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.21.55.0 255.255.255.0 inside
pdm location 10.21.55.0 255.255.255.255 inside
pdm location 10.21.55.5 255.255.255.255 inside
pdm location remoteuser2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 10.21.55.5 3389 netmask
255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.21.55.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community t1pt0p
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 10.21.55.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 10.21.55.33-10.21.55.64 inside
dhcpd dns 63.240.76.4 204.127.198.4
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:cf2727c57c100279d753d7f3e4cc7332
: end

"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
news:c00kk9$j9$1@canopus.cc.umanitoba.ca...
> In article <1027cvcgq7tuj37@corp.supernews.com>,
> Warren Tochor <wtochor@inacompcs.com> wrote:
> : Do I need to create access-lists for the ports to allow it through the
> :firewall and specify what IP address I will allow for the source of the IP
> :traffic? I assume I will use the private (10.21.55.x) to specify the
> :destination since I have a dynamic WAN address.
>
> Yes, you need to create the appropriate access list entries.
> However, as the destination, you should specify the phrase
>
> interface outside if you are using 6.3
> interface if you are using 6.2
>
> For example,
>
> access-list out2in permit tcp host xxx.xxx.xxx.xxx interface outside 5631
> access-list out2in permit udp host xxx.xxx.xxx.xxx interface outside 5632
>
>
> : I have used dynamic DNS with a sonicWALL with no problems. Do you see
> :any problems with the Pix?
>
> The PIX doesn't have any built-in support for dynamic DNS -- that is,
> the PIX itself has no ability to contact something like dydns.org
> to update a record. I don't -think- it tries to do a DNS update
> in response to DHCP either, but perhaps they snuck that in.
> --
> Warning: potentially contains traces of nuts.
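The reply above says the destination in the access-list entry should be the outside interface, not the inside host. As an added illustration (not code from this thread, Cisco, or any poster), the Python below models how a PIX 6.x inbound access-list entry is compared against a TCP SYN arriving on the outside interface, using constructed placeholder addresses (198.51.100.7 for the current DHCP lease on `outside`, 203.0.113.10 for the remote workstation). It shows two reasons the posted entry cannot match an RDP connection: the `eq 3389` after `host remoteuser2` is a source-port condition, and an RDP client connects from an ephemeral source port; and the destination `host 10.21.55.5` is the inside address, while on these PIX releases the inbound ACL is evaluated against the global (outside) address before the `static` is untranslated. The corrected entry models the shape the reply recommends: no source port, destination is the outside interface address, destination port 3389.

```python
"""Model of PIX 6.x inbound ACL matching on the outside interface.

Added illustration for the thread above; not Cisco code and not the
poster's configuration. Addresses are constructed placeholders.
"""

from dataclasses import dataclass
from typing import List, Optional

# Assumed values (documentation ranges, not from the thread):
OUTSIDE_IF_ADDR = "198.51.100.7"   # current DHCP lease on 'outside'
REMOTEUSER2 = "203.0.113.10"       # public address of the remote workstation
INSIDE_RDP_HOST = "10.21.55.5"     # the Terminal Services host behind the PIX


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME permit tcp host A [eq P] host B [eq Q]' entry.
    A port of None means the entry does not constrain that port."""
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return (
            pkt.src_ip == self.src_host
            and (self.src_port is None or pkt.src_port == self.src_port)
            and pkt.dst_ip == self.dst_host
            and (self.dst_port is None or pkt.dst_port == self.dst_port)
        )


def inbound_rdp_syn(src_port: int = 49152) -> Packet:
    """A TCP SYN from the remote workstation to the PIX's public address.

    The destination is the outside address: on PIX 6.x the inbound ACL is
    checked before the static translation is reversed, so the ACL never
    sees 10.21.55.5. The source port is whatever ephemeral port the RDP
    client picked (49152 is a constructed example)."""
    return Packet(REMOTEUSER2, src_port, OUTSIDE_IF_ADDR, 3389)


# The entry as posted in the thread:
#   access-list outside_access_in permit tcp host remoteuser2 eq 3389 host 10.21.55.5 eq 3389
POSTED_ACE = Ace(REMOTEUSER2, 3389, INSIDE_RDP_HOST, 3389)

# The shape the reply recommends (written as "interface outside" on 6.3 and
# "interface" on 6.2 according to the reply): no source port, destination is
# the outside interface address, destination port 3389.
#   access-list outside_access_in permit tcp host remoteuser2 interface outside eq 3389
CORRECTED_ACE = Ace(REMOTEUSER2, None, OUTSIDE_IF_ADDR, 3389)


def permitted(ace: Ace, pkt: Packet) -> bool:
    """A one-entry ACL with the implicit deny at the end."""
    return ace.matches(pkt)


def explain(ace: Ace, pkt: Packet) -> List[str]:
    """List the conditions in 'ace' that the packet fails, for troubleshooting."""
    reasons = []
    if pkt.src_ip != ace.src_host:
        reasons.append(f"source {pkt.src_ip} != {ace.src_host}")
    if ace.src_port is not None and pkt.src_port != ace.src_port:
        reasons.append(
            f"source port {pkt.src_port} != required {ace.src_port} "
            "(clients use ephemeral source ports)")
    if pkt.dst_ip != ace.dst_host:
        reasons.append(
            f"destination {pkt.dst_ip} != {ace.dst_host} "
            "(inbound ACL sees the global address, not the inside host)")
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        reasons.append(f"destination port {pkt.dst_port} != {ace.dst_port}")
    return reasons


if __name__ == "__main__":
    pkt = inbound_rdp_syn()
    for name, ace in (("posted", POSTED_ACE), ("corrected", CORRECTED_ACE)):
        verdict = "permit" if permitted(ace, pkt) else "deny"
        print(f"{name}: {verdict} {explain(ace, pkt)}")
```

Running the block prints a deny with two reasons for the posted entry and a permit for the corrected one. The model ignores the `static` itself; it only reproduces the order of operations that makes the ACL's destination the outside address, which is the point the reply is making.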


