PIX 501 Remote Desktop Assistance Problem

Hi,

Could anyone help with a sample configuration which will allow a remote desktop assistance session from within a pix 501 firewalled network to an outside client:

Assistance provider --- PIX 501 --- Router --- Internet --- Router --- Client needing assistance

I tried several forums and spent a good deal of time reconfiguring the PIX to allow port 3389, however I could not establish a remote assistance session. Any help is most appreciated.

Thanks, Stuart


By default the PIX allows outgoing TCP connections. If you have configured the PIX -not- to allow that, then we will need to see your (sanitized) configuration in order to advise you on how to adjust it.

A question: does the client happen to be behind NAT? If so then when they issue the invitation to you, the IP address that is going to be in the invitation is going to be the -internal- IP address. You can literally use a text editor to change that in the invitation.

Remote Desktop invitations also include the remote hostname (as known to the remote host), so an alternative to editing the invitation is to set up name resolution for that remote hostname. You could use a common WINS server, or you could set up DNS, or you could edit your LMHOSTS file.

-- Walter Roberson
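The invitation edit described in the reply above, done programmatically instead of in a text editor. This is an added example, not code from the thread or from Microsoft. It assumes the .msrcincident invitation is a small XML file whose RCTICKET attribute begins with two numeric fields and then a ';'-separated list of host:port entries holding the inviting machine's own view of its addresses (a layout modelled on the XP-era format; the sample file below is constructed, not a capture). Behind PIX NAT that list carries the inside address (192.168.1.99 in Stuart's config) and the remote client tries to reach that. The script swaps every RFC 1918 address for the public address the PIX statics the machine to (xx.xx.xx.206 in the thread; 203.0.113.6 is used here as a placeholder) and leaves hostnames alone, since those can be resolved via WINS, DNS or LMHOSTS as the reply suggests.

```python
"""Rewrite the address list inside a Windows Remote Assistance invitation.

Added example, not from the thread. The RCTICKET layout and the sample
invitation below are assumptions/constructed data, not a capture.
"""
import ipaddress
import re

# Constructed sample invitation (XML, as written by the inviting machine).
# The inside address 192.168.1.99 is the one a client on the Internet
# cannot reach; "remoteassist" is the inviting host's own name.
SAMPLE_INVITATION = (
    '<?xml version="1.0" encoding="Unicode" ?>\n'
    '<UPLOADINFO TYPE="Escalated">\n'
    '<UPLOADDATA USERNAME="Stuart" '
    'RCTICKET="65538,1,192.168.1.99:3389;remoteassist:3389,*,ABCDEF==,*,*,*" '
    'RCTICKETENCRYPTED="1" DtStart="1126790000" DtLength="60" '
    'PassStub="xyz" L="0" />\n'
    '</UPLOADINFO>\n'
)

RCTICKET_RE = re.compile(r'RCTICKET="([^"]*)"')


def rewrite_ticket(ticket: str, public_ip: str, public_port: int = 3389) -> str:
    """Replace private (RFC 1918) addresses in the ticket's address list with
    the public address the firewall presents; keep hostnames untouched."""
    fields = ticket.split(",")
    if len(fields) < 3:
        raise ValueError("unexpected ticket layout")
    rewritten = []
    for entry in fields[2].split(";"):
        host, sep, port = entry.rpartition(":")
        if not sep:                      # bare host, no port given
            host, port = entry, str(public_port)
        try:
            private = ipaddress.ip_address(host).is_private
        except ValueError:               # not an IP literal: a hostname, keep it
            private = False
        if private:
            host, port = public_ip, str(public_port)
        new = f"{host}:{port}"
        if new not in rewritten:         # avoid duplicate entries after rewriting
            rewritten.append(new)
    fields[2] = ";".join(rewritten)
    return ",".join(fields)


def rewrite_invitation(xml_text: str, public_ip: str) -> str:
    """Rewrite only the RCTICKET attribute; the rest of the file is left intact
    (the ticket is not signed, so the client accepts the edited copy)."""
    m = RCTICKET_RE.search(xml_text)
    if not m:
        raise ValueError("no RCTICKET attribute found")
    new_ticket = rewrite_ticket(m.group(1), public_ip)
    return xml_text[: m.start(1)] + new_ticket + xml_text[m.end(1):]


def rewrite_invitation_file(data: bytes, public_ip: str) -> bytes:
    """Real invitation files are UTF-16 with a BOM ("encoding=Unicode")."""
    return rewrite_invitation(data.decode("utf-16"), public_ip).encode("utf-16")


if __name__ == "__main__":
    print(rewrite_invitation(SAMPLE_INVITATION, "203.0.113.6"))
```

Run it over the saved .msrcincident file with the real outside address in place of 203.0.113.6 and send the rewritten copy; the PIX still needs the static for that address plus an outside access-list entry for tcp/3389, which Stuart's config already has for remoteassist.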

Sorry for the delay in getting back.

The situation is we have an internal machine we want to use for remote assistance. It connects through a PIX to a router to the internet. The client connection will change each time; it could be any configuration.

We have been sitting in the server room with a direct connection via the router, so it is definitely the PIX which is our issue and not the client end.

The pix config is shown below:

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xx.xx.xx.204 server2
name xx.xx.xx.203 server
name xx.xx.xx.206 remoteassist
access-list 101 permit tcp any host remoteassist eq www
access-list 101 permit tcp any host remoteassist eq 3389
access-list 101 permit tcp any host server2 eq www
access-list 101 permit tcp any host server eq www
access-list 101 permit tcp any host server eq pptp
access-list 101 permit tcp any eq 47 host server eq 47
access-list inside_access_in permit ip any any
access-list acl-out permit tcp any host remoteassist eq www
access-list acl-out permit tcp any host remoteassist eq 3389
access-list acl-out permit tcp any host server2 eq www
access-list acl-out permit gre any host server
access-list acl-out permit tcp any host server eq www
access-list acl-out permit tcp any host server eq pptp
access-list acl-out permit tcp any host server eq 82
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.202 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location server 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 server
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) server2 192.168.1.12 netmask 255.255.255.255 0 0
static (inside,outside) server 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.201 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp enable outside
isakmp key apple address 0.0.0.0 netmask 0.0.0.0
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username xxx password xxx
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns 195.112.4.4 195.112.4.7
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:15ce4bc67b95efdaa78abd9727380d15
: end

Thanks in advance,

Stuart


As an aside: 6.3(3) has known security difficulties, which are fixed in the free update 6.3(4).

There are also a fair number of bug fixes in 6.3(5) but that version requires a support contract to obtain.

You do not appear to use that access-list 101 in your configuration.

You apply that "in" the inside interface. Because you are permitting all IP with it, its use is redundant with the default PIX behaviour when no inside access-group is present. I would suggest removing the access-group statement and the access

That static conflicts with the second global (outside) statement. It is not permitted to static the entire IP of any IP which appears in a global PAT or global pool. It -is- permitted to static individual ports of an IP that appears in a global statement, but I don't think you want to do that in your case. The effect of the second global statement would be to use server as the outside IP for packets at the point where there were no more available ports in the first global PAT (the interface address.) If you are driving a PIX 501 to that many connections, the PIX 501 is probably the wrong device for the situation. I would suggest just deleting the second global statement.

You do not have a vpdn enable statement, and you have no crypto map statements, so the vpdn is not going to have any effect and the isakmp is unneeded (and possibly dangerous to have sitting there without further configuration, though I cannot think of any attacks on it.) The sysopt is not consistent with the use of vpdn, as vpdn is only PPTP or L2TP and not IPsec.

This suggests that either you chopped some statements out of your configuration or else that your configuration used to include some VPN tunnels and has not been completely purged of them. If those tunnels are still there and you chopped them out of the posting, then we are trying to give advice based upon an incomplete description of the situation.

-- Walter Roberson
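The checks in the reply above (an access-list that is defined but never applied, an inside access-group that only permits ip any any, a static whose outside address also appears in a global pool, a second global entry that is only an overflow pool, vpdn statements without vpdn enable, isakmp enable without a crypto map) written as a small linter for PIX 6.x configs. This is an added example, not Walter's or Cisco's code. It parses only the statement types those checks need, resolves symbolic names from the config's own "name" lines, and is run here over a constructed sample that reuses the relevant lines of the config posted above with the pre-shared key and credentials masked.

```python
"""Static checks for a PIX 6.x configuration, modelled on the points made in
the reply above. Added example; the sample input below is a trimmed copy of
the poster's config, with secrets masked."""
from collections import defaultdict

SAMPLE_CONFIG = """\
names
name xx.xx.xx.204 server2
name xx.xx.xx.203 server
name xx.xx.xx.206 remoteassist
access-list 101 permit tcp any host remoteassist eq 3389
access-list inside_access_in permit ip any any
access-list acl-out permit tcp any host remoteassist eq 3389
access-list acl-out permit gre any host server
global (outside) 1 interface
global (outside) 1 server
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) server2 192.168.1.12 netmask 255.255.255.255 0 0
static (inside,outside) server 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group inside_access_in in interface inside
sysopt connection permit-ipsec
isakmp enable outside
isakmp key xxx address 0.0.0.0 netmask 0.0.0.0
vpdn username xxx password xxx
"""


def lint_pix(config: str) -> list:
    """Return human-readable findings for the statements the checks cover."""
    names = {}                    # symbolic name -> address, from 'name' lines
    acls = {}                     # acl name -> list of entries (insertion order kept)
    bound = {}                    # acl name -> interface it is applied to
    pools = defaultdict(list)     # global pool id -> [address | 'interface']
    statics = []                  # (outside address, inside address)
    seen = set()                  # presence flags for vpdn / isakmp / crypto map
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "name" and len(w) >= 3:
            names[w[2]] = w[1]
        elif w[0] == "access-list" and len(w) >= 3:
            acls.setdefault(w[1], []).append(" ".join(w[2:]))
        elif w[0] == "access-group" and len(w) >= 5:
            bound[w[1]] = w[4]            # access-group <acl> in interface <if>
        elif w[0] == "global" and len(w) >= 4:
            pools[w[2]].append(w[3])      # global (outside) <id> <addr|interface>
        elif w[0] == "static" and len(w) >= 4:
            statics.append((w[2], w[3]))  # static (in,out) <outside> <inside>
        elif w[0] == "vpdn" and len(w) >= 2:
            seen.add("vpdn " + w[1])
        elif w[:2] == ["isakmp", "enable"]:
            seen.add("isakmp enable")
        elif w[:2] == ["crypto", "map"]:
            seen.add("crypto map")

    def resolve(tok):
        return names.get(tok, tok)

    findings = []
    for acl in acls:
        if acl not in bound:
            findings.append(f"access-list {acl} is defined but never applied with access-group")
    for acl, iface in bound.items():
        entries = acls.get(acl, [])
        if iface == "inside" and entries and all(e == "permit ip any any" for e in entries):
            findings.append(f"access-group {acl} on inside only permits ip any any, "
                            "which is the PIX default; it can be removed")
    # An address used for PAT/pool in a global statement may not also be
    # the outside address of a whole-host static.
    pool_addrs = {resolve(a) for addrs in pools.values() for a in addrs if a != "interface"}
    for outside, inside in statics:
        if resolve(outside) in pool_addrs:
            findings.append(f"static (inside,outside) {outside} {inside} conflicts with "
                            f"a global (outside) entry for {resolve(outside)}")
    for pool, addrs in pools.items():
        if len(addrs) > 1:
            findings.append(f"global (outside) {pool} has {len(addrs)} entries; the second is "
                            f"only used after the first ({addrs[0]}) runs out of PAT ports")
    if any(s.startswith("vpdn ") for s in seen) and "vpdn enable" not in seen:
        findings.append("vpdn statements present but no 'vpdn enable': they have no effect")
    if "isakmp enable" in seen and "crypto map" not in seen:
        findings.append("isakmp enable present but no crypto map: isakmp is unneeded")
    return findings


if __name__ == "__main__":
    for finding in lint_pix(SAMPLE_CONFIG):
        print("-", finding)
```

The checks are deliberately narrow (they know nothing about port-level statics, object groups or later PIX/ASA syntax); they show the reasoning behind each point in the reply rather than replace a full audit.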

Thanks for your post Walter.

I am a complete novice to the PIX, half the stuff in our config I don't understand and I'm currently on cisco.com trying to learn what the config is doing.

Here is the basic requirement:

Forward requests on xx.xx.xx.203 to server 1 which is hosting a website

Forward requests on xx.xx.xx.204 to server 2 which is hosting a website

Allow VPN connections to be established with server 1 from anywhere on the internet

Latest requirement - connect to clients via remote desktop assistance.

It's very possible as you have already pointed out that there is old and redundant information in the config. I would appreciate, whilst I am trying to understand the config, if you could either guide me or post a stripped down config with an explanation of what each line does.

Thanks again,

Stuart


Walter

I have managed to get a remote desktop session established from my machine inside the firewall to a client machine. When I tried to use remote desktop assistance the client machine returned an error that it couldn't find the host. Is this because the remote assistant is sending my internal IP address to the client and the client is trying to use that to connect? If so how do I change it?

Any ideas?

P.S. I can also remote desktop in from a client to xx.xx.xx.206 so it definitely works both ways, just a problem with remote assistant.

Thanks in advance, Stuart

