PIX 501 with Remote Desktop

I have a PIX 501 Firewall at work directly connected to the internet via a cable modem. It gets its public address from my ISP, and it is also used on the internal side as my DHCP server for internal private addressed clients.

My question may seem rather dumb. Can I use the PIX 501 as a VPN server to grant to outside users addresses that are valid on my internal network, and if so how.

Also, if it cannot be the VPN server, how can I pass port 3389 traffic through it so I can come from home and connect to a Windows 2003 server with remote desktop?

Obviously, because the 2003 server is on the internal side it has a private address, so I would need to reference the PIX's public address from home to ever get inside any machine at work.

Any help would be greatly appreciated.

Thanks.

-- ibingaa

No problem in that!

Yes, but by configuring Client VPN and distributing a VPN client and a PCF file with the connection settings.

You can do this as well, although I recommend the VPN. You port-forward tcp/3389 from the interface to the IP of the inside server, via an ACL and a static command.

HTH Martin

-- Martin Bilgrav

With this you will need the VPN client, and you can get to anything from the outside in.

access-list nonat permit ip 172.16.1.0 255.255.255.0 inside network

nat (inside) 0 access-list nonat

ip local pool pool-name 172.16.1.1-172.16.1.11

sysopt connection permit-ipsec

crypto ipsec transform-set esp-aes-256-sha esp-aes-256 esp-sha-hmac
crypto dynamic-map isvpn 10 set transform-set esp-aes-256-sha
crypto map ocmap 10 ipsec-isakmp dynamic isvpn
crypto map ocmap interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

vpngroup username address-pool pool-name
vpngroup username dns-server dns ip
vpngroup username default-domain domain name
vpngroup username idle-time 1800
vpngroup username password pwd

You should know that with this method anyone can remote desktop to your server from the internet.

access-list outside permit tcp any interface outside eq 3389

static (inside,outside) tcp interface 3389 inside ip 3389 netmask 255.255.255.255

access-group outside in interface outside

-- jspr
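The port-forward above works, and jspr's warning is the important part: with `permit tcp any ... eq 3389` bound inbound on `outside`, the RDP service is reachable from every address on the internet. The following is an added example (not code from this thread or from Cisco) that audits PIX-style config text for exactly that pattern: it finds `access-list ... permit` lines whose source is `any`, confirms the ACL is applied inbound on `outside` with `access-group`, matches the port against a short list of remote-access services, and reports which inside host the `static` line forwards it to. It also carries a constructed hardened variant where the same forward is kept but the ACL admits only one source host. The inside address `10.0.0.5`, the home address `203.0.113.7` (a documentation-range placeholder) and the regular expressions, which cover only the ACL and static syntax shapes seen in this thread, are all assumptions of the example.

```python
import re
from typing import Dict, List

# Constructed sample config (not from the thread): the world-open RDP forward.
# 10.0.0.5 stands in for the "inside ip" placeholder in the post above.
EXPOSED_CONFIG = """\
access-list outside permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255
access-group outside in interface outside
"""

# Constructed hardened variant: identical forward, but the ACL only admits one
# source host. 203.0.113.7 is a documentation-range placeholder for "home".
RESTRICTED_CONFIG = """\
access-list outside permit tcp host 203.0.113.7 interface outside eq 3389
static (inside,outside) tcp interface 3389 10.0.0.5 3389 netmask 255.255.255.255
access-group outside in interface outside
"""

# Remote-access services that should never be open to "any" on the outside.
RISKY_PORTS = {"3389": "RDP", "445": "SMB", "23": "Telnet"}

# Only the extended-ACL shapes used in this thread are recognised (assumption).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|interface\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\S+),(?P<mapped_if>\S+)\)\s+tcp\s+interface\s+"
    r"(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)\s+netmask\s+\S+\s*$"
)


def inbound_acls(config: str) -> Dict[str, str]:
    """Map ACL name -> interface for each 'access-group <name> in interface <if>'."""
    bound = {}
    for raw in config.splitlines():
        m = re.match(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$", raw.strip())
        if m:
            bound[m.group(1)] = m.group(2)
    return bound


def static_forwards(config: str) -> Dict[str, str]:
    """Map outside-interface port -> inside host for each port-forwarding static."""
    forwards = {}
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            forwards[m.group("mapped_port")] = m.group("real_ip")
    return forwards


def find_world_exposed(config: str) -> List[Dict[str, str]]:
    """Report permit rules with source 'any' on an ACL applied inbound on
    'outside' whose destination port is a remote-access service."""
    findings = []
    bound = inbound_acls(config)
    forwards = static_forwards(config)
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, src, port = m.group("name"), m.group("src"), m.group("port")
        if bound.get(name) != "outside":
            continue  # not applied inbound on the internet-facing interface
        if src != "any" or port not in RISKY_PORTS:
            continue  # source already restricted, or not a remote-access port
        findings.append({
            "acl": name,
            "port": port,
            "service": RISKY_PORTS[port],
            "inside_host": forwards.get(port, "unknown"),
            "rule": raw.strip(),
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        hits = find_world_exposed(cfg)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  {h['service']} via ACL {h['acl']} -> {h['inside_host']}: {h['rule']}")
```

Run against `EXPOSED_CONFIG` it reports one finding (RDP forwarded to 10.0.0.5, open to any source); against `RESTRICTED_CONFIG` it reports none, because the source is pinned to a single host. Restricting the source only helps when the home address is static; otherwise the client VPN Martin recommends, which puts the remote user inside the `nonat` pool before any RDP traffic is allowed, is the cleaner fix.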

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.