DMZ inside routing

Hello,

I would like to allow communication on port 3389 back and forth between a server in the DMZ (172.16.24.8) and a server (192.168.1.16) in the inside network. I cannot get it to work ;-( Could anybody help?

Thanks a lot!

Here is my config:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.254.0 ORT
access-list Outside permit icmp any any
access-list Outside permit tcp any host 62.x.y.163 eq smtp
access-list Outside permit tcp any host 62.x.y.163 eq https
access-list Outside permit tcp any host 62.x.y.163 eq www
access-list Outside permit tcp any host 62.x.y.164 eq https
access-list Outside permit tcp any host 62.x.y.166 eq www
access-list Outside permit tcp any host 62.x.y.166 eq https
access-list Outside permit tcp any host 62.x.y.166 eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 ORT 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.0.10.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list ex permit ip host 172.16.24.8 host 192.168.1.16 eq 3389
access-list ex permit tcp any host 172.16.24.8 eq http
access-list ex permit tcp any host 172.16.24.8 eq https
access-list ex permit tcp any host 172.16.24.8 eq 3389
access-list outside_cryptomap_dyn_20 permit ip any 192.168.200.0 255.255.255.224
access-list DMZ_outbound_nat0_acl permit ip 172.16.24.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list DMZ_outbound_nat0_acl permit ip 172.16.24.0 255.255.255.0 ORT 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip 172.16.24.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list tchvpn_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list tchvpn_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list tchvpn_splitTunnelAcl permit ip 10.0.10.0 255.255.255.0 any
access-list outside_cryptomap_50 permit ip 192.168.1.0 255.255.255.0 ORT 255.255.255.0
access-list outside_cryptomap_50 permit ip 172.16.24.0 255.255.255.0 ORT 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered warnings
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 62.x.y.162 255.255.255.224
ip address inside 172.16.254.1 255.255.255.252
ip address DMZ 172.16.24.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemoteVPN 192.168.200.1-192.168.200.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 172.16.24.100
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.254.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
nat (DMZ) 1 172.16.24.0 255.255.255.0 0 0
static (DMZ,outside) 62.x.y.166 172.16.24.8 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.1.225 192.168.1.225 netmask 255.255.255.255 0 0
static (inside,outside) 62.x.y.163 192.168.1.225 netmask 255.255.255.255 0 0
static (inside,outside) 62.x.y.164 192.168.1.240 netmask 255.255.255.255 0 0
access-group Outside in interface outside
access-group ex in interface DMZ
route outside 0.0.0.0 0.0.0.0 62.x.y.161 1
route inside 10.0.0.0 255.255.255.0 172.16.254.2 1
route inside 10.0.10.0 255.255.255.0 172.16.254.2 1
route inside 192.168.1.0 255.255.255.0 172.16.254.2 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.20.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map_3 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_3 20 set transform-set ESP-3DES-MD5
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_3
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
vpngroup tchvpn address-pool RemoteVPN
vpngroup tchvpn dns-server 192.168.1.202 192.168.1.228
vpngroup tchvpn default-domain toto.com
vpngroup tchvpn split-tunnel tchvpn_splitTunnelAcl
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60

Reply to
pekaluzny

> 255.255.255.0
> 192.168.200.0 255.255.255.224
> 192.168.200.0 255.255.255.224
> 192.168.200.0 255.255.255.224
> 192.168.200.0 255.255.255.224
> 192.168.1.0 255.255.255.0

Move the reverse of this last line into inside_outbound_nat0_acl. To be effective, a nat 0 access-list entry has to be applied against the higher security interface.

Note: nat 0 access-list overrides statics. Which is fine in this case because nat 0 keeps the IP address the same and your static keeps the IP address the same -- but when you add the nat 0 access-list entry as described above, this static statement will become redundant.

Reply to
Walter Roberson
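A way to check the point in the reply mechanically, as an added example that is not part of either post: a small Python script that reads the relevant PIX 6.3 lines (nameif security levels, the name command, ip address and route lines, the nat 0 access-list bindings and their permit ip entries), works out which interface each exemption's destination sits behind, and reports every exemption that is applied only on the lower-security interface together with the mirror entry the higher-security interface's nat 0 access-list lacks. The config subset is copied from the thread; the parser, its regular expressions and the fallback access-list name are my assumptions, and it only understands "permit ip <net> <mask> <net> <mask>" entries (host entries are skipped).

```python
"""Check where PIX 6.3 NAT exemptions ('nat 0 access-list') are applied.

Added example for this thread, not code from either post. It assumes the PIX 6.3
command forms visible in the posted config (nameif with a security level, name,
access-list ... permit ip <net> <mask> <net> <mask>, ip address, route, nat 0).
"""
import ipaddress
import re

# Constructed subset of the posted configuration: just the lines this check reads.
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
name 192.168.254.0 ORT
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 ORT 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list DMZ_outbound_nat0_acl permit ip 172.16.24.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list DMZ_outbound_nat0_acl permit ip 172.16.24.0 255.255.255.0 ORT 255.255.255.0
access-list DMZ_outbound_nat0_acl permit ip 172.16.24.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 172.16.254.1 255.255.255.252
ip address DMZ 172.16.24.1 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.0 62.x.y.161 1
route inside 192.168.1.0 255.255.255.0 172.16.254.2 1
"""

NAMEIF_RE = re.compile(r"^nameif \S+ (\S+) security(\d+)$")
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+(?: \d+)?$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(config):
    """Return (security levels, attached/routed networks, nat 0 bindings, ACL entries)."""
    levels, nets, nat0, aces, names = {}, [], {}, {}, {}

    def net(addr, mask):
        # Resolve a 'name' alias (e.g. ORT) before building the network object.
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    for line in config.strip().splitlines():
        line = line.strip()
        if m := NAMEIF_RE.match(line):
            levels[m[1]] = int(m[2])
        elif m := NAME_RE.match(line):
            names[m[2]] = m[1]
        elif m := ACE_RE.match(line):
            aces.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := IPADDR_RE.match(line):
            nets.append((net(m[2], m[3]), m[1]))  # directly attached network
        elif m := ROUTE_RE.match(line):
            nets.append((net(m[2], m[3]), m[1]))  # network reached via that interface
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
    return levels, nets, nat0, aces


def egress_interface(dst, nets):
    """Longest-prefix match of a destination network against attached and routed networks."""
    hits = [(n.prefixlen, iface) for n, iface in nets if dst.subnet_of(n)]
    return max(hits)[1] if hits else None


def missing_mirrors(config):
    """Return the nat 0 ACL lines the higher-security interface would need.

    A nat 0 access-list entry is effective only when applied on the higher-security
    interface, so an exemption that exists only on the lower-security side (here
    DMZ -> inside) needs its reverse on the other side.
    """
    levels, nets, nat0, aces = parse(config)
    missing = []
    for iface, acl in nat0.items():
        for src, dst in aces.get(acl, []):
            peer = egress_interface(dst, nets)
            if peer is None or levels.get(peer, 0) <= levels.get(iface, 0):
                continue  # already on the higher-security side (or destination unknown)
            # Hypothetical ACL name if the peer interface has no nat 0 binding yet.
            peer_acl = nat0.get(peer, f"{peer}_outbound_nat0_acl")
            if (dst, src) not in aces.get(peer_acl, []):
                missing.append(
                    f"access-list {peer_acl} permit ip "
                    f"{dst.network_address} {dst.netmask} {src.network_address} {src.netmask}"
                )
    return missing


if __name__ == "__main__":
    for entry in missing_mirrors(CONFIG):
        print("missing on higher-security side:", entry)
```

Run against the posted subset it reports exactly one line, the reverse of the DMZ entry for 192.168.1.0/24 placed in inside_outbound_nat0_acl; append that line to the config and the report is empty. The check deliberately says nothing about the remote-VPN pool or ORT entries, since those destinations are behind the outside interface (security 0) and the exemptions for them already sit on the higher-security side.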

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.