Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Advice on Configure Terminal Service on PIX506E.

Status
Not open for further replies.
rolmank

rolmank

Vendor
Sep 16, 2002
86
Hi all, I'm new to the Cisco PIX Firewall. In a week time, I need to configure a Terminal Service to use an application from outside to the internal Application Server.I do not know how to go about it on the configuration.

Btw the PIX 506E was configured by previous IT Vendor.I have the configuration below:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx/xxxxxxxxx/x encrypted
passwd xxxxxxxxx.xxxxx encrypted
hostname xx-xx-pix
domain-name company.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.192
255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.192
255.255.255.224
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 203.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.1.201-192.168.1.210
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address
outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup hol-ab-vpn address-pool vpn-pool
vpngroup hol-ab-vpn dns-server 192.168.1.3
vpngroup hol-ab-vpn wins-server 192.168.1.3
vpngroup hol-ab-vpn default-domain company.com
vpngroup hol-ab-vpn idle-time 1800
vpngroup hol-ab-vpn password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:458eddd063130aba7c4874e78ac4f11e
: end


Hope to hear from all ASAP.

Million of Thanks
RolmanK




Thanks and Regards
RolmanK
 
Sort by date Sort by votes
All you need to add is a ACL bound to the outside interface and a static map to the server

access-list acl_inbound permit tcp any host 203.xxx.xxx.xxx 255.255.255.248 eq 3389

access-group acl_inbound in interface outside

static (inside,outside) tcp 203.xxx.xxx.xxx 3389 [Internal host address] 3389 netmask 255.255.255.255

Just as a precaution, I would log the connections in the ACL as alerts or change the outside connection port to something other than 3389. Script kiddies always hit RDP.


Brent
Systems Engineer / Consultant
CCNP
 
Upvote 0 Downvote
Hi Supergrrover, thanks for replying and advices.

Can I just add in the below followings into the Configuration?

access-list acl_inbound permit tcp any host 203.xxx.xxx.xxx 255.255.255.248 eq 3389

access-group acl_inbound in interface outside

static (inside,outside) tcp 203.xxx.xxx.xxx 3389 [Internal host address] 3389 netmask 255.255.255.255

So sorry that I never touch on the PIX. :-(

Million of Thanks
RolmanK

Thanks and Regards
RolmanK
 
Upvote 0 Downvote
Yep,

Just substitute the IP's you want to have in there and those should get you going.




Brent
Systems Engineer / Consultant
CCNP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
289
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
304
Johnkite
Johnkite
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
90
PauS0n
PauS0n
mcisar
  • Locked
  • Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
101
mcisar
mcisar
cbsarge
  • Locked
  • Question
SonicWALL Mobile Connect on Chromebooks
Replies
1
Views
123
jcarmichael1203
jcarmichael1203

Part and Inventory Search

Sponsor

Back
Top