
Question about cisco pix 506e

Status: Not open for further replies.

ciscopix77 (Technical User, GB), Sep 19, 2005
Hi all

I am new to the world of Cisco PIX firewalls. We have just bought a PIX 506E, and we have a server running Windows Server 2003 and a Cisco 2950T-24 switch. The server will be connected to the switch, and they will be behind the firewall.

I was wondering how I can configure the firewall so the server only accepts Remote Desktop and VNC connections, so we can access it remotely. This is what is needed for the moment. What access lists will I need, and can I use the PIX Device Manager to do it rather than the command line?

Your assistance will be appreciated! Thanks in advance.
 
Here is a basic overview. I will assume you have more than one static Public IP address.

access-list 100 permit tcp any host <public IP> eq 3389 <-- RDP port
access-list 100 permit tcp any host <public IP> range 5900 5905 <-- VNC ports

static (inside,outside) <public IP> <internal IP> netmask 255.255.255.255 <--- translates the public IP to the internal IP of your server

access-group 100 in interface outside <-- applies the above access-list to the outside interface (PIX syntax; "ip access-group" is IOS)

That should give you access to your server from the outside. If you can nail down which IP address you will be coming from on the outside, restricting the access-list to that address will be even more secure.

Let me know if you need more.

Frank
 
Hi Frank

Thanks a lot for the quick reply. This makes sense. I just had a question about this command:

static (inside,outside) <public IP> <internal ip> netmask 255.255.255.255

Is this a command-line command that I just type like that? What if I add a second server? What goes in the internal IP? Two addresses? Is the netmask always the same?

Also, if I do these commands using the command line, I know there will be an implicit deny at the end, so no need to add anything there. Right? What about PIX Device Manager, how do you add the implicit deny? Just asking to have more info, but the command line will do! Sorry for all this!

Thanks a lot once again!
 
All ACLs, for IOS and FOS, have an implicit "deny ip any any" at the end. You don't have to do anything.

How you use the static NAT depends partly on whether you have multiple public IP addresses available. If so, you can use the command as shown. If not, you'll have to forward just the required ports, and you can't forward the same port to two servers. I'd suggest using a VPN in that case.
 
The only thing you substitute in the command is the portion of the public IP and private IP. This is a one-to-one mapping, so each IP address has to be different.

For example, let's assume you were assigned a netblock with 14 usable IP addresses. Your network ID is 217.55.201.0/28. Your PIX is using the IP of 217.55.201.2. You assign one server on the inside to 217.55.201.3 and the second server to .4. We will also assume your internal IP addresses are set up in the following class C: 192.168.1.0/24. Your servers are assigned .5 and .6. So your static statements would look like this:

static (inside,outside) 217.55.201.3 192.168.1.5 netmask 255.255.255.255
static (inside,outside) 217.55.201.4 192.168.1.6 netmask 255.255.255.255

Now of course you also have to create the respective access-list as well.
You are also correct that you do not need to have a deny statement at the end, but you can add it there if you just like to see it. As far as the PDM goes, to be honest I would learn the command-line IOS, because it is so much better. Then you can see what it looks like in PDM. There are some differences when doing it in PDM.

Frank
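Putting Frank's two static mappings together with an access-list that admits only one administrator host, as an added example that is not part of the thread. It uses PIX OS 6.3 syntax and the addresses from Frank's example; the administrator host 198.51.100.10 is a hypothetical placeholder, the outside interface address 217.55.201.2/28 and inside address 192.168.1.1/24 are assumed, and the "<--" annotations are notes, not part of the configuration.

```cisco
ip address outside 217.55.201.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0

static (inside,outside) 217.55.201.3 192.168.1.5 netmask 255.255.255.255   <-- server 1, one-to-one
static (inside,outside) 217.55.201.4 192.168.1.6 netmask 255.255.255.255   <-- server 2, one-to-one

access-list 100 permit tcp host 198.51.100.10 host 217.55.201.3 eq 3389          <-- RDP, admin host only
access-list 100 permit tcp host 198.51.100.10 host 217.55.201.3 range 5900 5905  <-- VNC, admin host only
access-list 100 permit tcp host 198.51.100.10 host 217.55.201.4 eq 3389
access-list 100 permit tcp host 198.51.100.10 host 217.55.201.4 range 5900 5905
access-list 100 deny ip any any log                                              <-- explicit deny with logging (6.3 "log" keyword)
access-group 100 in interface outside

show access-list 100   <-- hit counts show the permits matching and everything else being dropped
```

The source restriction is the part that matters: with "any" as the source, RDP on a Windows Server 2003 box and VNC (which sends its password challenge and the whole session without encryption) are reachable from the entire Internet. If the administrator's address changes or is dynamic, Frank's other suggestion, a VPN to the PIX, is the better answer than widening the access-list.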
 
Thanks for that! I will give it a go. I just had another question regarding the telnet command:

telnet <allowed IP> <mask> inside

Does the allowed IP have to be an internal IP address? What if you want to telnet remotely? Could you put an external IP without the "inside" at the end of the command? Sorry for all these questions, and thanks for your help!
 
You cannot telnet from the outside; well, you can, but you want it to be secure. So you would set up SSH.

ssh 0.0.0.0 0.0.0.0 outside (if you have a specific IP then replace the 0.0.0.0 0.0.0.0 with the IP and subnet mask)
ssh timeout 60

Frank
 
Hi Frank

Thanks again for that. So I don't need to put a telnet statement with the outside command? Only the SSH is enough? Will the one above allow all IPs to telnet or SSH, but obviously there will be a password set (same as the telnet one)? How can I SSH to the firewall? Telnet command? Or SSH command?

I hope I am not bombarding you with too many questions. I really appreciate your responses!
 
The command above will allow any IP from the outside to SSH into your PIX. If you know exactly which IP you will allow in, then it is good practice to only allow that IP. As far as getting into it, there is an application called PuTTY. If you do a Google search for it, download it, and you can use that client to connect. The username to get into the PIX is "pix" and the password is your telnet password.

Frank
 
Thanks! Just making sure, no need for a telnet statement then? Just SSH?

Thanks
 
Use telnet from the inside only and even then you could just use the ssh for the inside. Never telnet from the outside.

Frank
 
The "telnet" statement controls access via telnet, the "ssh" statement does the same for ssh, and the "http" statement for https.
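The management-access side of the thread (the telnet, ssh and http statements) collected into one configuration, as an added example that is not from the thread. It assumes PIX OS 6.3, the inside network 192.168.1.0/24 from Frank's example, a hypothetical administrator host 198.51.100.10 on the outside, and placeholder values in angle brackets; the "<--" annotations are notes, not configuration. The local username and "aaa authentication ssh console LOCAL" lines are an assumption that the unit runs 6.2 or later, which is what introduced them; on an older image, skip them and log in as "pix" with the telnet password, as Frank describes.

```cisco
hostname pix506
domain-name example.com
ca generate rsa key 1024                      <-- SSH host key; hostname and domain-name must be set first
ca save all                                   <-- the key is lost on reload unless it is saved

passwd <telnet-and-ssh-password>
enable password <enable-password>

ssh 198.51.100.10 255.255.255.255 outside     <-- only the admin host may SSH in from the outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 15                                <-- minutes of idle time before the session is dropped

telnet 192.168.1.0 255.255.255.0 inside       <-- telnet from the inside only; no "telnet ... outside" line at all
telnet timeout 5

http server enable
http 192.168.1.0 255.255.255.0 inside         <-- PDM over HTTPS from the inside only

username admin password <admin-password> privilege 15
aaa authentication ssh console LOCAL          <-- per-user login instead of the shared "pix" account

show ssh sessions                             <-- verify who is connected and from where
```

The three access statements are independent, so leaving telnet unconfigured for the outside interface is what actually enforces "never telnet from the outside"; the ssh line only adds SSH, it does not remove anything. Restricting the http statement matters for the same reason as the ssh one: PDM is a full management interface, and exposing it to "any" on the outside would undo the rest of the hardening.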
 