PDM and VPN

I have a question about what I am reading in the PDM for my PIX 501. When I look under access rules I see the following:

Source any, destination network internal local Term server and VPN server, interface outside, service pptp

This means to me that the local ip address is allowed to be used as a VPN server if accessed from the outside

Then under translation rules I see the following:

Interface inside, address internal Terminal server and VPN server address, interface outside, address external address we access the VPN from.

This means to port from the internal IP to the external IP when it connects out.

I also see the following under access rules: Source any, destination network internal local Term server and VPN server, interface outside, service 3389/tcp

This means that the same server as above not only has the pptp port but also terminal server, and to me this is not a good thing.

And finally under translation rules: Interface inside, address internal Terminal server and VPN server address port 3389, interface outside, address external address we access the VPN from.

Same as the pptp translation but this one is for term server.

I inherited this PIX and this network as a side job and I haven't used a PIX before, but I managed to upload the PDM to view this configuration. If I want to set up my Terminal server/VPN server to be accessed a little more securely from the internet then I think I only need to open the pptp port to this device and then close the terminal server port. Is this correct? Thanks for your help.

Reply to
cptkirkh

In my opinion, PDM is not a good tool to use to try to understand PIX configurations. There are parts of PDM that are confusing, and those are possibly most easily deciphered by *already* knowing the command line interface and entering CLI commands and seeing how they affect what PDM reports. If you start from PDM, you will, I believe, have trouble understanding what the PIX is actually doing, unless the configuration is very simple.

Reply to
Walter Roberson

Reply to
cptkirkh

I don't know. The PDM is pretty, but it is very inefficient to use, very inefficient to describe its use, and the PDM fields often don't readily correspond to the CLI (particularly those having to do with NAT). Hence I found it unproductive to learn PDM thoroughly, and the only way I could answer your question would be to fire up PDM on a PIX and check things out. And the paperwork finally came through for me, so now even on paper I don't have authorized access to any PIX anymore on which to do the experimentation.

I would suggest to you that this is a case where visual is NOT "much faster for [you] than command". You are blocked using the visual route, and people aren't exactly jumping to answer your question, and I can't answer your question because I don't know the visual interface. On the other hand, if you dig around in the visual interface a little you can prod the PIX to show you the actual configuration commands it has stored, and if you post that configuration (with passwords removed) then there are several people who can answer questions about it fairly readily.

Reply to
Walter Roberson

Walter, here is the config file. I am curious about closing the RDP port. I only want people to be able to RDP after they have established a VPN to my VPN server. After I get through with this latest project I want to enable the PIX for VPN itself, but that is work for another day. I think the line "access-list outside_in permit tcp any host aegis_ext eq 3389" allows people to RDP in without VPN, and that is not what I want. If I remove that and then connect via Microsoft VPN to my VPN server, which is 10.0.0.4, and then access RDP, will just removing that above line work, or if I remove that line won't people be able to RDP even if they use VPN? Also, you are right about the command line making more sense after I spent a day looking at it. Thanks for your help. One more question on a PIX 501. If the MS VPN server has two NICs and one has an internal IP address and the other has an external one but connects to the PIX directly via the extra LAN ports that come on the side, is it protected from the Internet?

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.5 mail
name 10.0.0.4 aegis
name 24.242.139.114 mail_ext
name 24.242.139.115 aegis_ext
object-group icmp-type icmp-grp
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object source-quench
  icmp-object time-exceeded
access-list outside_in permit tcp any host aegis_ext eq www
access-list outside_in permit tcp any host aegis_ext eq pptp
access-list outside_in permit gre any host aegis_ext
access-list outside_in permit tcp any host mail_ext eq smtp
access-list outside_in permit tcp any host mail_ext eq 4422
access-list outside_in permit tcp any host mail_ext eq imap4
access-list outside_in permit tcp any host mail_ext eq https
access-list outside_in permit icmp any interface outside object-group icmp-grp
access-list outside_in permit tcp any host aegis_ext eq 3389
access-list outside_in permit tcp host 65.182.34.85 any eq 5000
access-list outside_in permit udp host 65.182.34.85 any eq 5000
pager lines 24
logging on
logging buffered debugging
no logging message 710005
no logging message 302014
no logging message 302016
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 24.242.139.118 255.255.255.248
ip address inside 10.0.0.252 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location aegis 255.255.255.255 inside
pdm location mail 255.255.255.255 inside
pdm location 12.14.141.96 255.255.255.252 outside
pdm location 65.182.34.85 255.255.255.255 outside
pdm location 168.215.168.150 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp mail_ext smtp mail smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp mail_ext imap4 mail imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp mail_ext https mail https netmask 255.255.255.255 0 0
static (inside,outside) tcp mail_ext 4422 mail 4422 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 aegis 3389 netmask 255.255.255.255 0 0
static (inside,outside) aegis_ext aegis netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.242.139.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 12.14.141.96 255.255.255.252 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 168.215.168.150 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0


Reply to
cptkirkh

You are correct, that line is allowing everyone to access tcp 3389 which is used for Remote Desktop Protocol.

When people are using a VPN to your VPN server, then the traffic that passes through the PIX is the encapsulated and encrypted VPN traffic. The PIX does NOT peer "inside" the encapsulating packets and analyze the encrypted payload: it just passes the packets on to the VPN server.

Yes, the four LAN ports on the PIX 501 are all "inside" ports and are connected together by a switch. They are all equally protected (or not!) from the outside. Also, the four ports can all talk directly to each other without going through the PIX -- there is no way to protect one of the inside ports from another of the inside ports on the 501.

There are some known security issues with that version; it is better to upgrade to the 6.3(5) rebuild. That can be done for free even if you do not have a support contract.

*I* would not include source-quench there. source-quench packets can come from anywhere (by design), and have no authentication mechanism. If you allow source-quench then anyone can forge a quench, and thereby act as a Denial of Service until the timer expires.

You should be permitting those icmp to aegis_ext and mail_ext as well.

It would be better to remove that line at the same time that you remove the 3389 entry from the ACL.

0.0.0.0 0.0.0.0 is a superset of 168.215.168.150, so the second of those lines renders the first redundant ;-)
Reply to
Walter Roberson

OK Walter, the $64,000 question: how do you do the following?

How do I remove this command?

What commands solve this issue?

Isn't SSH a way for an outside user to connect to the PIX? So my assumption is that this gives the user at this IP address the ability to connect to the device? How can I change that to a different IP address or remove it completely?

One more thing Walter, and I think I owe you a Starbucks for all of this, but how do I change the password?

As always, thanks for your help.

Reply to
cptkirkh

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.