
Please help me set up my PIX 501 for Netmeeting & Remote Management


dannieboiz

Technical User
Nov 20, 2006
13
I have a PIX 501 with unlimited licenses. I've been trying to figure out how to set up remote management for the router, as well as using Remote Desktop to my personal computer and to the server from home. Can someone help me figure this out? Thanks
 
We definitely can help you. I'm not sure if everyone really understands your question: are you trying to say you want to configure the firewall so you can have access to your desktop and your server from anywhere? You also said you need to figure out how to configure your router remotely. Usually routers sit in front of the firewall, which means you need to figure out how to configure your router as well.

The easiest option is to enable client VPN and install the client on your laptop, which means you can securely access your devices from anywhere. If you don't have a static IP, check out

Hope that helps
 
This is my first experience with the PIX router; it's been over 7 years since I've touched any Cisco equipment.

Let me briefly describe my objectives.

1st. I travel a lot and I often work from home on my personal computer. My desktop in the office is almost always on. I'd like to be able to do Remote Desktop from home to dial into my office desktop.

2nd. I'd like to be able to do Remote Desktop on the company's server while I'm traveling.

3rd. Not as important but nice to know, I'd like to do remote management of the router remotely.



We do have a static IP address.

what VPN client do I need?
 
Options:
1. You can just use the Cisco VPN client and VPN into your LAN.

2. You can port forward 3389 to your internal box/server and then RDP to it from there.

You will need an access-list and a static.

access-list outside_in permit tcp any 3389 host [ExternalIP] 3389
static (inside,outside) tcp interface 3389 [InternalIP] 3389 netmask 255.255.255.255
access-group outside_in in interface outside

For remote management, use SSH

ssh 0.0.0.0 0.0.0.0 outside
Make sure you create the RSA key or it won't connect.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
So my script should look like this assuming my WAN IP address is 192.168.1.1 and my LAN IP is 192.168.1.2


access-list outside_in permit tcp any 3389 host [192.168.1.1] 3389
static (192.168.1.2,192.168.1.1) tcp interface 3389 [192.168.1.2] 3389 netmask 255.255.255.255
access-group outside_in in interface outside
 
Yep, you would take out the brackets "[". I just put them in to indicate the start and finish of variable info.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hmm, I'm getting an error... I've changed the IP address, but this is what I get.

Result of firewall command: "access-list outside_in permit tcp any 3389 host 68.205.183.2 3389"

ERROR: invalid IP address host
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> object-group-search
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
Command failed

Result of firewall command: "static 192.168.1.9,68.205.183.2 tcp interface 3389 192.168.1.9 3389 netmask 255.255.255.255 "

ERROR: Invalid global IP address 192.168.1.9,68.205.183.2
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns] [norandomseq] [<max_conns> [<emb_lim>]]
Command failed

Result of firewall command: "access-group outside_in in interface outside"

ERROR: access-list <outside_in> does not exist
Usage: [no] access-group <access-list> in interface <if_name> [per-user-override]
Command failed
 
Sorry, put the ACL in the same format as the static.

access-list outside_in permit tcp any host 68.205.183.2 eq 3389

For the static, you do need the parentheses (PIX formatting is a little wonky until you get used to it).

static (inside,outside) tcp interface 3389 192.168.1.9 3389 netmask 255.255.255.255


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I'm feeling really dumb now.

access-list outside_in permit tcp any 3389 host 68.205.183.2 eq 3389
static (inside,outside) tcp interface 3389 192.168.1.9 3389 netmask 255.255.255.255 access-group outside_in in interface outside



do I replace the (inside,outside) with an IP address?
 
Nope, just enter it as I posted and you should be good.

The inside,outside is telling it how to map the addresses to each other (what interfaces they are on.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK, looks like it took it, but I can't do RDP from my laptop to my desktop....

the PIX WAN IP is 68.205.183.2
I would like to work the desktop with IP 192.168.1.9
I would also like to access the PDC @ 192.168.1.2

At this point to simplify things, I'm only trying to access one @ a time.

Looking @ my screen, under hosts/networks the inside interface shows

inside:any
192.168.1.0
inside: 192.168.1.1
(device name)192.168.1.9

the outside interface shows:

outside:any
69.105.183.0
outside 68.205.183.2

So I take it that the script works fine and it updated OK.

On my laptop which is connected through our wireless on a different network in RDC, I tried to connect to 68.105.183.2
I get error could not connect. :(
 
Have you applied the ACL to the outside interface?

access-group outside_in in interface outside



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
What do you mean? All I did was copy that script to the CLI, send it, then apply it. Nothing else was done.
 
That line was in the first config post (where I messed up the syntax.)

Post your config and we'll see what is still missing.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Result of firewall command: "show running-config"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qBvMxo_O/SLQ0SxO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.9 Desktop
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 68.205.183.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Desktop 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Desktop 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.205.183.14 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 68.94.156.1 68.94.157.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username DParks password rL5OO7pfQ2ZY9Lg2 encrypted privilege 15
terminal width 80
Cryptochecksum:711b5835cc608e173136729f6d7d96df
: end
 
Thanks for the tip, I've gone through the config and changed the IP addresses. So those are not true IP addresses. Well, at least they aren't mine. :D
 
OK, all you need is the ACL and to apply it to the outside interface

access-list outside_in permit tcp any host 68.205.183.2 eq 3389
access-group outside_in in interface outside

That should do it.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
YIPPI!!! We did it. THANKS A BUNCH! My first successful Cisco config. :D It's actually yours.

OK, next: now that I can access my desktop, can I set it up so that I can access multiple computers? I'd like to log onto the server once in a while as well, or do I have to change the internal IP address when I want to switch?

If that's the case, then the next thing I'd like to do is set up remote management for the router.

Thanks again.
 
Remote management of the router can be done via SSH.

Change the hostname and the domain to something specific to you, then:
ca gen rsa key 2048
ca save all
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside

You can then log in using PuTTY or SecureCRT (my fav) with the username/password
pix / (your telnet password)

Now for more RDP.
You will make another static, but of the form:


static (inside,outside) tcp interface 3390 SERVERIP 3389 netmask 255.255.255.255
and add this line to your ACL
access-list outside_in permit tcp any host 68.205.183.2 eq 3390

To connect from your RDP client put EXTERNALIP:3390 in and that will take you to your server instead of the desktop.



Brent
Systems Engineer / Consultant
CCNP, CCSP
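The thread's two sticking points were a static with no matching access-list entry (and then an access-list that was never applied with `access-group`), and, at the end, SSH management opened from `0.0.0.0 0.0.0.0` on the outside interface. The script below is an added example, not Cisco's or any poster's code: it reads the PIX 6.3 `name`, `static`, `access-list`, `access-group` and `ssh` lines in exactly the forms this thread uses and reports those conditions, plus the external-port to internal-host table the second static (3390 to the server) produces. The sample configs are constructed from the thread's addresses; `203.0.113.10` in the hardened variant is a documentation-range placeholder, and the line parsers only cover the syntax forms that appear in this thread.

```python
"""Audit the PIX 6.3 port-forwarding and management lines used in this thread.

Added example, not Cisco's or the posters' code. It reports a malformed
access-list line, a static no ACL permits, an ACL never applied with
access-group, and RDP or SSH exposed to every source. Samples are constructed.
"""
import re
from collections import namedtuple
from typing import Dict, List, Tuple

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(rf"^access-list (\S+) (permit|deny) (\S+) (any|host \S+|{IP} {IP}) "
                    rf"(any|host \S+|{IP} {IP})(?: eq (\d+))?\s*$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
SSH_RE = re.compile(rf"^ssh ({IP}) ({IP}) (\S+)$")
NAME_RE = re.compile(rf"^name ({IP}) (\S+)$")

Static = namedtuple("Static", "real_ifc mapped_ifc proto mapped_ip mapped_port real_ip real_port")
Acl = namedtuple("Acl", "name action proto src dst port")  # port None: any port
Parsed = namedtuple("Parsed", "names statics acl groups ssh unparsed")


def parse(config: str) -> Parsed:
    p = Parsed({}, [], [], {}, [], [])
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            p.names[m[2]] = m[1]                      # PIX alias -> address
        elif m := STATIC_RE.match(line):
            p.statics.append(Static(*m.groups()[:4], int(m[5]), m[6], int(m[7])))
        elif line.startswith("access-list "):
            if m := ACL_RE.match(line):
                p.acl.append(Acl(*m.groups()[:5], int(m[6]) if m[6] else None))
            else:
                p.unparsed.append(line)               # e.g. the "any 3389 host" form
        elif m := GROUP_RE.match(line):
            p.groups[m[1]] = m[2]                     # ACL name -> interface applied to
        elif m := SSH_RE.match(line):
            p.ssh.append(m.groups())                  # (address, mask, interface)
    return p


def forwardings(p: Parsed, outside_ip: str) -> Dict[str, str]:
    """External 'proto/ip:port' -> internal 'ip:port'; 'interface' is the outside address."""
    return {f"{s.proto}/{outside_ip if s.mapped_ip == 'interface' else s.mapped_ip}:{s.mapped_port}":
            f"{p.names.get(s.real_ip, s.real_ip)}:{s.real_port}" for s in p.statics}


def audit(config: str, outside_ip: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings in config order."""
    p = parse(config)
    out = [("UNPARSED_ACL", f"PIX would reject: {line}") for line in p.unparsed]
    for s in p.statics:
        ext = outside_ip if s.mapped_ip == "interface" else s.mapped_ip
        label = f"{s.proto}/{s.mapped_port} -> {p.names.get(s.real_ip, s.real_ip)}:{s.real_port}"
        permits = [e for e in p.acl if e.action == "permit" and e.proto in (s.proto, "ip")
                   and e.port in (s.mapped_port, None) and e.dst in ("any", f"host {ext}")]
        if not permits:
            out.append(("NO_ACL", f"{label}: no access-list entry permits it"))
        for e in permits:
            if p.groups.get(e.name) != s.mapped_ifc:   # the step the thread was missing
                out.append(("ACL_NOT_APPLIED", f"{label}: {e.name} not applied to {s.mapped_ifc}"))
            elif e.src == "any":
                out.append(("OPEN_TO_ANY", f"{label}: permitted from every source address"))
    for ip, mask, ifc in p.ssh:
        if (ip, mask) == ("0.0.0.0", "0.0.0.0"):
            out.append(("SSH_OPEN_TO_ANY", f"ssh management on {ifc} accepts every source"))
    return out


OUTSIDE = "68.205.183.2"  # the outside address as it appears in the thread

# Constructed: mid-thread state, the rejected "any 3389 host" ACL form and no access-group.
BEFORE = """\
name 192.168.1.9 Desktop
static (inside,outside) tcp interface 3389 Desktop 3389 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any 3389 host 68.205.183.2 eq 3389
"""

# Constructed: the thread's final state, server on external port 3390, SSH opened as suggested.
AFTER = """\
name 192.168.1.9 Desktop
static (inside,outside) tcp interface 3389 Desktop 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
access-list outside_in permit tcp any host 68.205.183.2 eq 3389
access-list outside_in permit tcp any host 68.205.183.2 eq 3390
access-group outside_in in interface outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Constructed: same, limited to one remote address (203.0.113.10 is a documentation placeholder).
HARDENED = AFTER.replace("permit tcp any", "permit tcp host 203.0.113.10").replace(
    "ssh 0.0.0.0 0.0.0.0 outside", "ssh 203.0.113.10 255.255.255.255 outside")

if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER), ("HARDENED", HARDENED)):
        print(name, forwardings(parse(cfg), OUTSIDE))
        for code, msg in audit(cfg, OUTSIDE):
            print(f"  [{code}] {msg}")
```

Run as-is, BEFORE reproduces the thread's failure (the malformed ACL is reported, so the static has nothing permitting it), AFTER passes the connectivity checks but is flagged because both RDP statics and the outside SSH line accept any source, and HARDENED is clean. The `netmask 255.255.255.255` tail and the running-config `0 0` suffix are ignored by the static parser, which is why the `show running-config` form of the static parses the same as the typed one.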
 