Need to setup remote access through PIX 515E

Status
Not open for further replies.

sapper1

Technical User
Jul 13, 2006
99
US
I need to set up either RDP or a VPN on my PIX so I am able to connect to my network from anywhere and manage my servers. But I have never done this before, so I need help. If I go with RDP I want the traffic to be routed to a specific internal IP address. For security reasons I would prefer to have a VPN set up. Just by looking at the config it looks like this has been set up or at least attempted, but it does not work. It would also appear that the PDM has been set up, but I cannot access it either. If I could access the PDM I could set up the VPN myself; I'm not good with the command line. I will post a "show run" shortly. Any help would be greatly appreciated.
 
Once we see the config we'll be able to help you out.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here are the results of the "show run". We have a block of public IP addresses that range from .163 to .167. The IP that is assigned to the outside interface is .164.

pix# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host "Public IP" eq www
access-list 100 permit tcp host "Public IP" host "Public IP" eq 3389
access-list 100 permit tcp any host "Public IP" eq 90
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 3389
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq www
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 8080
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 11001
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq www
access-list 100 permit tcp host "Public IP" host "Our PUblic IP" eq 8080
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 11001
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 3389
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq www
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 8080
access-list 100 permit tcp host "Public IP" host "our Public IP" eq 11001
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 3389
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq www
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 8080
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 11001
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq www
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq 8080
access-list 100 permit tcp host "Our Public IP" host "Our Public IP" eq 11001 (both IPs are the same)
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq ftp
access-list 100 permit tcp host "Public IP" host "Our Public IP" eq ftp
access-list 100 permit tcp host "Public IP" host "Our Public IP.163" eq ftp-data
access-list 100 permit tcp host "Public IP" host "Our Public IP.163" eq ftp-data
access-list 100 permit tcp any host "Our Public IP.166" eq www
access-list 100 permit tcp any host "Our Public IP.166" eq smtp
access-list 100 permit tcp any host "Our Public IP.166" eq https
access-list 100 permit tcp host "Public IP" host "Our Public IP.166" eq 3389
access-list 100 permit tcp any host "Our Public IP.167" eq 442
access-list 100 permit tcp any host "Our Public IP.167" eq 446
access-list 100 permit tcp any host "Our Public IP.167" eq 81
access-list 100 permit tcp any host "Internal IP" eq 3389
access-list 100 permit tcp host "Our Public IP.164" host "Internal IP" eq 3389
access-list vpntunnel permit ip x.x.0.0 255.255.0.0 x.x.0.0 255.255.255.0
access-list vpntunnel permit ip x.0.0.0 255.0.0.0 x.x.0.0 255.255.255.0
access-list 101 permit ip any any
access-list incoming permit icmp any any echo-reply
access-list incoming permit icmp any any time-exceeded
access-list incoming permit icmp any any unreachable
access-list incoming permit tcp any host "Our Public IP.163" eq www
access-list incoming permit tcp host "Public IP" host Our Public IP.164" eq 3389
access-list incoming permit tcp any host "Our Public IP.163" eq 90
access-list incoming permit tcp host "Public IP" host "Our Public IP.164" eq 3389
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq www
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 8080
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 11001
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq www
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 8080
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 11001
access-list incoming permit tcp host "Public IP" host "Our Public IP.164" eq 3389
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq www
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 8080
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 11001
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 3389
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq www
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 8080
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 11001
access-list incoming permit tcp host "Public IP" host "Our Public IP.163" eq ftp
access-list incoming permit tcp host "Public IP" host "Our Public IP.163" eq ftp
access-list incoming permit tcp host "Public IP" host "Our Public IP.163" eq ftp-data
access-list incoming permit tcp host "Public IP" host "Our Public IP.163" eq ftp-data
access-list incoming permit tcp any host "Our Public IP.166" eq www
access-list incoming permit tcp any host "Our Public IP.166" eq smtp
access-list incoming permit tcp any host "Our Public IP.166" eq https
access-list incoming permit tcp host "Public IP" host "Our Public IP.166" eq 3389
access-list incoming permit tcp host "Public IP" host "Our Public IP.163" eq 3389
access-list incoming permit tcp any host "Our Public IP.167" eq 81
access-list incoming permit tcp any host "Our Public IP.167" eq 442
access-list incoming permit tcp any host "Our Public IP.167" eq 446
access-list incoming permit tcp any host "Internal IP" eq 3389
access-list incoming permit tcp host "Our Public IP.164" host "Internal IP" eq 3389
access-list outside_access_in permit udp any any eq domain
pager lines 24
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside "Our Public IP.164" 255.255.255.255
ip address inside x.x.x.254 255.255.255.255
ip address dmz x.x.x.x 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool x.x.x.1-x.x.x.254 (not with in internal subnet)
pdm location x.x.x.251 255.255.255.255 inside
pdm location x.x.x.253 255.255.255.255 inside
pdm location x.x.x.254 255.255.255.255 inside
pdm location x.x.x.0 255.255.240.0 inside
pdm location xxx.xxx.x.x 255.255.255.0 inside
pdm location x.x.x. 255.255.255.255 outside
pdm location xxx.xxx.xxx.251 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp "Our Public IP.165" IP" 255.255.255.255 0 0
static (inside,outside) tcp "Our Public IP.165" 8080 "Internal IP" 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Our Public IP.165" 11001 "Internal IP" 11001 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Our Public IP.165" 3389 "Internal IP" 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp "Our Public IP.166" IP" 255.255.255.255 0 0
static (inside,outside) tcp "Our Public IP.166" smtp "Internal IP" smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp "Our Public IP.166" https "internal IP" https netmask 255.255.255.255 0 0
static (inside,outside) "Our Public IP.163" "Internal IP" netmask 255.255.255.255 0 0
static (inside,outside) "Our Public IP.167" "Internal IP" netmask 255.255.255.255 0 0
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside x.0.0.0 xxx.xxx.xxx.0 xxx.xxx.x.xxx 1
route inside xxx.xxx.x.0 255.255.255.0 xxx.xxx.x.xxx 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.2 255.255.255.255 outside
http xxx.xxx.xxx.88 255.255.255.255 outside
http xxx.xxx.xxx.3 255.255.255.255 outside
http xxx.xxx.xxx.251 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set desset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set desset
crypto map map 10 ipsec-isakmp dynamic dynmap
crypto map map client configuration address initiate
crypto map map client configuration address respond
crypto map map client authentication LOCAL
crypto map map interface outside
isakmp enable outside
isakmp identity address;
isakmp client configuration address-pool local vpnpool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup address-pool vpnpool
vpngroup idle-time 1800
vpngroup password
telnet xxx.xxx.xxx.254 255.255.255.255 inside
telnet xxx.xxx.xxx.251 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
username password encrypted privilege 2
terminal width 132
Cryptochecksum:
: end
usd320pix#
 
So can you explain a little further about "it doesn't work"?? Are you able to connect at all?? Are you able to connect but not access internal resources??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I can RDP into my servers internally so RDP is enabled on them.
 
Are you using the Cisco client software on your PC to initiate the VPN connection or are you using some other VPN client software??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The only way I have tried to connect is through RDP from an outside source. I have not tried connecting via VPN as I do not have any password info on the VPNs that appear to be setup. I just got off of the phone with the tech company that set it up and they were not able to connect either and they are the ones who setup the VPNs including one for themselves. The more I look at the config the more I think that there is a lot of stuff that is not setup correctly or is just not needed.
 
1) You only have a single static NAT entry for RDP access and that is to your .165 address
Code:
static (inside,outside) tcp "Our Public IP.165" 3389 "Internal IP" 3389 netmask 255.255.255.255 0 0
The ACL that matches this is allowing the RDP traffic only from a particular host:
Code:
access-list incoming permit tcp host "Public IP" host "Our Public IP.165" eq 3389
If you want to make this accessible from more than the single host do this:
Code:
no access-list incoming line 18 permit tcp host "Public IP" host "Our Public IP.165" eq 3389
access-list incoming line 18 permit tcp any host "Our Public IP.165" eq 3389
2) The IP addresses given to your inside, outside, and DMZ interfaces should have the subnet mask set according to the prefix given to you. For example, if you've been given a /29, the subnet mask on your outside interface should be 255.255.255.248, not 255.255.255.255. The same goes for inside and DMZ; I'm assuming those are for a /24.
3) You could download the Cisco client software and set it up. It looks like with a few modifications your Remote Access VPN may work. Change the vpngroup password to something that you know. Create a new user account on the device for you to use. Add these items to the config:
Code:
access-list nonat permit ip <internal_ip_range> <subnet> <vpn_pool> <subnet>

nat (inside) 0 access-list nonat

vpngroup <group_name> dns-server <dns_ip_address>
vpngroup <group_name> default-domain <your_dns_domain_name>

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
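The point in item 1 above, that a static translation only becomes reachable when the ACL applied to the outside interface also permits traffic to that global address and port, can be checked mechanically. The following script is an added example, not code from this thread or from Cisco: it parses the `static` / `access-list` / `access-group` line forms that appear in the posted config, pairs every static with the ACEs that permit it, and reports statics with no matching ACE, ACEs that point at an address or port no static translates (such as the `permit tcp any host "Internal IP" eq 3389` line, which on PIX 6.3 can never match because the outside ACL is evaluated against global, not internal, addresses), and management ports such as 3389 that end up open to `any`. The sample config is constructed, with RFC 5737 documentation addresses standing in for the thread's "Public IP" / "Our Public IP" / "Internal IP" placeholders, and the regexes cover only the tcp PAT, whole-host static and `host`/`any` ACE forms shown on the page.

```python
"""Correlate PIX 6.3 static translations with the inbound ACL that gates them.

Added example: assumes PIX 6.3 semantics (outside ACL matches the global,
post-static address) and only the line forms seen in the thread's config.
"""
import re
from collections import defaultdict

# Service names PIX 6.3 prints instead of numbers (subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21,
              "ftp-data": 20, "domain": 53, "telnet": 23, "ssh": 22}
MGMT_PORTS = {3389, 22, 23}  # remote-management ports worth a warning when open to any

PAT_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"^access-list (\S+) permit tcp (host \S+|any) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

# Constructed sample modelled on the thread's config (documentation addresses).
SAMPLE_CONFIG = """\
access-list incoming permit tcp any host 198.51.100.163 eq www
access-list incoming permit tcp host 203.0.113.10 host 198.51.100.165 eq 3389
access-list incoming permit tcp any host 198.51.100.166 eq smtp
access-list incoming permit tcp host 203.0.113.10 host 198.51.100.166 eq 3389
access-list incoming permit tcp any host 10.0.0.5 eq 3389
static (inside,outside) tcp 198.51.100.165 3389 10.0.0.5 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.165 8080 10.0.0.5 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.166 smtp 10.0.0.6 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.166 https 10.0.0.6 https netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.163 10.0.0.3 netmask 255.255.255.255 0 0
access-group incoming in interface outside
"""


def port_num(token):
    """Normalise 'www' / '3389' style tokens to an integer (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse(config_text):
    """Return (statics, aces, groups) from 'show run' lines.

    statics: (outside_if, global_ip, global_port|None, local_ip, local_port|None)
             where None means a whole-host static covering every port.
    aces:    acl_name -> [(source, dest_host, port)]
    groups:  interface -> acl_name applied inbound
    """
    statics, aces, groups = [], defaultdict(list), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PAT_RE.match(line):
            _, out_if, gip, gport, lip, lport = m.groups()
            statics.append((out_if, gip, port_num(gport), lip, port_num(lport)))
        elif m := STATIC_RE.match(line):
            _, out_if, gip, lip = m.groups()
            statics.append((out_if, gip, None, lip, None))
        elif m := ACE_RE.match(line):
            name, src, dst, port = m.groups()
            aces[name].append((src, dst, port_num(port)))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            groups[iface] = name
    return statics, aces, groups


def _covered(statics, iface, dst, port):
    """True if some static on iface translates dst (and port, unless whole-host)."""
    return any(gip == dst and (gport is None or gport == port)
               for out_if, gip, gport, _, _ in statics if out_if == iface)


def audit(config_text):
    """Pair statics with the ACEs that admit them and flag the mismatches."""
    statics, aces, groups = parse(config_text)
    report = {"reachable": [], "unreachable": [], "wide_open_mgmt": [], "no_static": []}
    for out_if, gip, gport, lip, lport in statics:
        acl = aces.get(groups.get(out_if), [])
        matching = [(src, port) for src, dst, port in acl
                    if dst == gip and (gport is None or port == gport)]
        entry = (gip, gport, lip, lport)
        if not matching:
            report["unreachable"].append(entry)  # static exists, nothing lets traffic in
            continue
        report["reachable"].append(entry + ([src for src, _ in matching],))
        open_to_any = {port for src, port in matching if src == "any"}
        if open_to_any & MGMT_PORTS:
            report["wide_open_mgmt"].append(entry)  # e.g. RDP exposed to the Internet
    for iface, name in groups.items():
        for src, dst, port in aces[name]:
            if not _covered(statics, iface, dst, port):
                report["no_static"].append((name, src, dst, port))  # ACE can never match
    return report


if __name__ == "__main__":
    for key, rows in audit(SAMPLE_CONFIG).items():
        print(key)
        for row in rows:
            print("   ", row)
```

Running it against the sample shows the 8080 and https statics as unreachable (no ACE permits them), the ACE aimed at the internal 10.0.0.5 address and the `.166 eq 3389` ACE as dead entries, and nothing open to `any` on a management port; re-running after replacing the `host 203.0.113.10 host 198.51.100.165 eq 3389` line with the thread's suggested `any` form moves the .165 RDP static into `wide_open_mgmt`, which is the trade-off a practitioner would want to see before committing that change.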
 
Wouldn't I want to use "our public IP .164" instead of "our public IP .165" since it is the IP that is assigned to the outside interface?
 
I got the RDP side of things to work. I think I'll wait on the VPN setup for now.
 