pcanywhere and pix 515

[norryguy]

I have a pix 515 in place with my users using pat. They want to be able to start a pcanywhere from their patted machine to one outside of our network. Will this work with PAT. I know that the Cisco VPN will not, that's why I am wondering. Will Mircosoft VPN work with PAT as well, again starting the connection from a PATTED machine.

thanks

 

[bytehd]

outbound connections should work
if not open an ACL

http://www.insyncva.com

 

[norryguy]

okay thanks. I think some of the reasons the vpn traffic is not working when the connection is started from a Patted device is that some port information is being striped. I'm going to upgrade to ios version 6.3 and doing soming call "nat-t

 

[bytehd]

i think Nat-Traversal supports the other side being behind NAT (like most home users are).
Remember in a PIX nothing gets through until you let it.
Having said that, you need to use the
sysopt command to let IPSec through

G

http://www.insyncva.com

 

[bytehd]

OOPS that advice was for IPSec
You are PCA
should work without anything
check the other side for incoming firewall/acl issues

PCA uses TCP 5631/5632

http://www.insyncva.com

 

[norryguy]

Actually your oops might be my answer. The pcanywhere issues I had was resolved by something changing on the remote firewall, because yesterday it didn't work for my users but today it did. Ms vpn still doesn't though. It works if it behind just my router using an overload nat, but not when behind a pix pat. I have not had a chance to see if ms vpn would work either with a global nat range or just a static nat.

so I might be blocking ipsec, which is vpn traffic?

 

[bytehd]

You are talking about all these apps being outbound right?
static nat is to allow a public to private mapping.

http://www.insyncva.com

 

[norryguy]

just outbound. my users support educational software and often have to remote into client networks, some of which require us to use ms vpn. I realize static nat is for publics, but we have 2 clients who have requested we use a static and the cisco vpn to access their network.

 

[bytehd]

can you upload your sanitized config?

http://www.insyncva.com

 

[norryguy]

here is the config. the global nat id 2 (172.16.0.1) is for a wireless vlan that I have behind the network. The large number of statics is for machines that that need to be accessed from the front side of the pix. there is a separate access-list on our 2621 edge router blocking most of those ips. the current access-list should be the one called "newfromoutside"

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password WC59qZeSuCsfbyMR encrypted
passwd ex5SX2Uxh55DI/u5 encrypted
hostname pixfirewall
domain-name x.org
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol ftp 21
names
access-list fromoutside permit icmp any any
access-list fromoutside permit tcp any any
access-list fromoutside permit udp any any
access-list newfromoutside permit ip any any
pager lines 24
interface ethernet0 100full
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 204.186.x.x 255.255.255.0
ip address inside 10.0.0.1 255.0.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 10.0.11.51 255.255.255.255 inside
pdm location 10.0.0.0 255.255.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 204.x.x.x
global (outside) 2 204.x.x.b
nat (inside) 2 172.16.0.0 255.255.255.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) 204.186.x.x 10.0.9.21 netmask 255.255.255.255 0 0
static (inside,outside) 204.186.x.x 10.0.30.1 netmask 255.255.255.255 0 0
static (inside,outside) 204.186.x.x 10.0.0.53 netmask 255.255.255.255 0 0
static (inside,outside) 204.186.x.x 10.0.7.202 netmask 255.255.255.255 0 0
static (inside,outside) 204.186.x.x 10.0.5.5 netmask 255.255.255.255 0 0
static (inside,outside) 204.186.x.x 10.0.8.88 netmask 255.255.255.255 0 0

 

[norryguy]

looks like it dropped the bottom half off.

access-group newfromoutside in interface outside
route outside 0.0.0.0 0.0.0.0 204.186.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.11.51 255.255.255.255 inside
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 204.186.x.x 255.255.255.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:65f0295a8b0f565390a6b90bd3df9cba
: end
[OK]