
Firewall not letting me access


mushtie (Technical User, GB), Jan 27, 2011
I am trying to configure my firewall to let Remote Desktop through the Pix to our terminal server.

We have 2 machines: one an SBS server, which uses port 3389, and the TS, which uses port 3390. I can't get either to let me through.
Enclosed is a portion of the running config... can anyone help?

access-list acl-inside permit tcp any any eq ftp
access-list acl-inside permit udp any any eq isakmp
access-list acl-inside permit udp any any eq ntp
access-list acl-inside permit udp any any eq 4500
access-list acl-inside permit tcp any any eq domain
access-list acl-inside permit tcp any any eq www
access-list acl-inside permit tcp any any eq https
access-list acl-inside permit tcp any any eq pop3
access-list acl-inside permit tcp any any eq smtp
access-list acl-inside permit tcp any any eq 3389
access-list acl-inside permit tcp any any eq 3390
access-list allvpnsites permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside in-LaycocksPix 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnippool 10.0.0.1-10.0.0.254
pdm location 192.168.0.0 255.255.255.0 inside
pdm location in-mail 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list allvpnsites
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp in-mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 in-mail 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 25 in-mail 25 netmask 255.255.255.255 0 0
static (inside,outside) udp interface snmp in-mail snmp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.0.5 3390 netmask 255.255.255.255 0 0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
 
Where is your acl-outside??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry, I'll add the full config...
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /4KRbo1PrUVIUYVY encrypted
passwd /4KRbo1PrUVIUYVY encrypted
hostname LaycocksPix
domain-name laycocks.local
clock summer-time BST recurring 4 Sun Mar 2:00 4 Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.254 in-LaycocksPix
name 81.137.205.156 out-LaycocksPix
name 81.137.205.158 router
name 192.168.0.253 in-mail
object-group service BCMUDP udp
port-object range 30000 30999
port-object range 7000 7002
access-list compiled
access-list acl-outside permit icmp any any echo-reply
access-list acl-outside permit icmp any any source-quench
access-list acl-outside permit icmp any any unreachable
access-list acl-outside permit icmp any any time-exceeded
access-list acl-outside permit udp any object-group BCMUDP any object-group BCMUDP
access-list acl-outside permit tcp any host in-mail eq smtp
access-list acl-inside permit icmp any any
access-list acl-inside permit udp host in-mail any eq domain
access-list acl-inside permit tcp host in-mail any eq smtp
access-list acl-inside permit udp any any eq domain
access-list acl-inside permit tcp host in-mail any eq www
access-list acl-inside permit tcp host in-mail any eq https
access-list acl-inside permit tcp any any eq ftp
access-list acl-inside permit udp any any eq isakmp
access-list acl-inside permit udp any any eq ntp
access-list acl-inside permit udp any any eq 4500
access-list acl-inside permit tcp any any eq domain
access-list acl-inside permit tcp any any eq www
access-list acl-inside permit tcp any any eq https
access-list acl-inside permit tcp any any eq pop3
access-list acl-inside permit tcp any any eq smtp
access-list acl-inside permit tcp any any eq 3389
access-list acl-inside permit tcp any any eq 3390
access-list allvpnsites permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside in-LaycocksPix 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnippool 10.0.0.1-10.0.0.254
pdm location 192.168.0.0 255.255.255.0 inside
pdm location in-mail 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 192.168.0.2 255.255.255.255 inside
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list allvpnsites
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp in-mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 in-mail 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 25 in-mail 25 netmask 255.255.255.255 0 0
static (inside,outside) udp interface snmp in-mail snmp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.0.5 3390 netmask 255.255.255.255 0 0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac
crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
crypto dynamic-map map-dynamic 1 set pfs group5
crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 2 set pfs group2
crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 3 set pfs
crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto map map-LaycocksPix 255 ipsec-isakmp dynamic map-dynamic
crypto map map-LaycocksPix interface outside
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption aes-256
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption aes-256
isakmp policy 3 hash sha
isakmp policy 3 group 1
isakmp policy 3 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption aes-192
isakmp policy 11 hash sha
isakmp policy 11 group 5
isakmp policy 11 lifetime 86400
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption aes-192
isakmp policy 12 hash sha
isakmp policy 12 group 2
isakmp policy 12 lifetime 86400
isakmp policy 13 authentication pre-share
isakmp policy 13 encryption aes-192
isakmp policy 13 hash sha
isakmp policy 13 group 1
isakmp policy 13 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption aes
isakmp policy 21 hash sha
isakmp policy 21 group 5
isakmp policy 21 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption aes
isakmp policy 22 hash sha
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
isakmp policy 23 authentication pre-share
isakmp policy 23 encryption aes
isakmp policy 23 hash sha
isakmp policy 23 group 1
isakmp policy 23 lifetime 86400
isakmp policy 31 authentication pre-share
isakmp policy 31 encryption 3des
isakmp policy 31 hash sha
isakmp policy 31 group 5
isakmp policy 31 lifetime 86400
isakmp policy 32 authentication pre-share
isakmp policy 32 encryption 3des
isakmp policy 32 hash sha
isakmp policy 32 group 2
isakmp policy 32 lifetime 86400
isakmp policy 33 authentication pre-share
isakmp policy 33 encryption 3des
isakmp policy 33 hash sha
isakmp policy 33 group 1
isakmp policy 33 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group vpnpptp accept dialin pptp
vpdn group vpnpptp ppp authentication mschap
vpdn group vpnpptp ppp encryption mppe auto
vpdn group vpnpptp client configuration address local vpnippool
vpdn group vpnpptp client configuration dns in-mail
vpdn group vpnpptp client configuration wins in-mail
vpdn group vpnpptp pptp echo 60
vpdn group vpnpptp client authentication local
vpdn username laycocksvpn password *********
vpdn enable outside
dhcpd dns in-mail
dhcpd wins in-mail
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain laycocks.local
dhcpd auto_config outside
terminal width 80
Cryptochecksum:d609b928595293ecacddd99c3de7460b
: end
[OK]

 
You need to add an ACE to your acl-outside for permitting RDP inbound.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry, but I don't understand.
I have added the following line...

access-list acl-outside permit tcp any host 192.168.0.5 eq 3390

But it still will not work... although I may be getting mixed up and thinking that this is the ACE.

Thanks for your help so far.
 
It would be permit tcp any interface eq 3390

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
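The point of the last two replies is that on PIX 6.3 (and ASA before 8.3) an ACL applied to the outside interface is matched against the packet as it arrives, i.e. against the mapped (global) address, which for a `static ... tcp interface ...` entry is the outside interface itself, not the inside host. An ACE written against `host 192.168.0.5` therefore never matches, and it has to reference the outside interface instead. The following is an added audit script, not code from the thread: it parses the relevant `name`, `static`, `access-list` and `access-group` lines from a constructed sample built from the config posted above, and for each inbound static reports whether the outside ACL has a usable ACE, has one that wrongly names the real inside address, or has none. The corrected ACE form (`permit tcp any interface outside eq 3390`) follows ColdFlame's reply; that it is the exact 6.3 syntax is an assumption here.

```python
"""Check a pre-8.3 PIX/ASA config: does every inbound static PAT on the
outside interface have a matching ACE on the outside ACL, and does that
ACE reference the mapped (interface) address rather than the real host?"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines taken from the poster's PIX 6.3 config plus the
# ACE the poster said they added (host 192.168.0.5, the real inside address).
SAMPLE_CONFIG = """\
name 192.168.0.253 in-mail
access-list acl-outside permit tcp any host in-mail eq smtp
access-list acl-outside permit tcp any host 192.168.0.5 eq 3390
access-list acl-inside permit tcp any any eq 3389
static (inside,outside) tcp interface smtp in-mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 in-mail 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.0.5 3390 netmask 255.255.255.255 0 0
access-group acl-outside in interface outside
access-group acl-inside in interface inside
"""

# Same sample with the 3390 ACE rewritten against the outside interface,
# as suggested in the thread (assumed syntax).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "permit tcp any host 192.168.0.5 eq 3390",
    "permit tcp any interface outside eq 3390")

WELL_KNOWN = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80,
              "pop3": 110, "snmp": 161, "https": 443}

@dataclass
class Ace:
    acl: str
    proto: str
    src: str
    dst: str            # "any", "interface outside", or a resolved IP
    port: Optional[int]

@dataclass
class Static:
    proto: str
    mapped_port: int
    real_host: str
    real_port: int

def port_number(tok: str) -> int:
    return WELL_KNOWN[tok] if tok in WELL_KNOWN else int(tok)

def _take_addr(tokens: List[str], names: Dict[str, str]) -> Tuple[str, List[str]]:
    """Consume one address operand (any | host X | interface X | net mask)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return names.get(tokens[1], tokens[1]), tokens[2:]
    if tokens[0] == "interface":
        return "interface " + tokens[1], tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]

def parse_config(text: str):
    """Collect name aliases, tcp/udp ACEs, interface statics and ACL bindings.
    Lines in shapes this parser does not model (object-groups, unknown
    service names) are skipped; 'name' lines must precede their use, as on a
    real PIX."""
    names: Dict[str, str] = {}
    aces: List[Ace] = []
    statics: List[Static] = []
    bindings: Dict[str, str] = {}
    for line in text.splitlines():
        t = line.split()
        try:
            if t[:1] == ["name"]:
                names[t[2]] = t[1]
            elif t[:2] == ["static", "(inside,outside)"] and t[3] == "interface":
                # static (inside,outside) <proto> interface <mport> <real> <rport> netmask ...
                statics.append(Static(t[2], port_number(t[4]),
                                      names.get(t[5], t[5]), port_number(t[6])))
            elif t[:1] == ["access-list"] and t[2] == "permit" and t[3] in ("tcp", "udp"):
                src, rest = _take_addr(t[4:], names)
                dst, rest = _take_addr(rest, names)
                port = port_number(rest[1]) if rest[:1] == ["eq"] else None
                aces.append(Ace(t[1], t[3], src, dst, port))
            elif t[:1] == ["access-group"]:
                bindings[t[4]] = t[1]          # access-group <acl> in interface <if>
        except (IndexError, ValueError, KeyError):
            continue
    return aces, statics, bindings

def audit(text: str) -> Dict[str, str]:
    """Map 'proto/mapped_port' -> 'ok' | 'ace-uses-real-address' | 'missing'."""
    aces, statics, bindings = parse_config(text)
    outside_acl = bindings.get("outside")
    results: Dict[str, str] = {}
    for s in statics:
        candidates = [a for a in aces if a.acl == outside_acl and a.proto == s.proto
                      and a.port in (None, s.mapped_port)]
        if any(a.dst in ("any", "interface outside") for a in candidates):
            status = "ok"
        elif any(a.dst == s.real_host for a in candidates):
            status = "ace-uses-real-address"   # pre-8.3 ACL never sees this address
        else:
            status = "missing"
        results[f"{s.proto}/{s.mapped_port}"] = status
    return results

if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg))
```

Run against the posted lines the script reports `tcp/3389` as missing (no outside ACE at all) and both `tcp/25` and `tcp/3390` as ACEs written against the real inside address; after the 3390 ACE is rewritten to `interface outside` that entry reports `ok`. Note that the corrected ACE still admits any source address; which sources are allowed to reach RDP on the outside interface is a separate decision from making the ACE match at all.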
 