Pix Remote Assistance Problem

Hi,

Could anyone help with a sample configuration which will allow a remote desktop assistance session from within a PIX 501 firewalled network to an outside client:

Assistance provider --- PIX 501 --- Router --- Internet --- Router --- Client needing assistance

I tried several forums and spent a good deal of time studying and reconfiguring the PIX to allow port 3389, however I could not establish a remote assistance session. Any help is most appreciated.

We have been sitting in the server room with a direct connection via the router, so it is definitely the PIX which is our issue and not the client end.

The pix config is shown below:

PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xx.xx.xx.204 server2
name xx.xx.xx.203 server
name xx.xx.xx.206 remoteassist
access-list 101 permit tcp any host remoteassist eq www
access-list 101 permit tcp any host remoteassist eq 3389
access-list 101 permit tcp any host server2 eq www
access-list 101 permit tcp any host server eq www
access-list 101 permit tcp any host server eq pptp
access-list 101 permit tcp any eq 47 host server eq 47
access-list inside_access_in permit ip any any
access-list acl-out permit tcp any host remoteassist eq www
access-list acl-out permit tcp any host remoteassist eq 3389
access-list acl-out permit tcp any host server2 eq www
access-list acl-out permit gre any host server
access-list acl-out permit tcp any host server eq www
access-list acl-out permit tcp any host server eq pptp
access-list acl-out permit tcp any host server eq 82
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.202 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.12 255.255.255.255 inside
pdm location server 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 server
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) server2 192.168.1.12 netmask 255.255.255.255 0 0
static (inside,outside) server 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.201 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp enable outside
isakmp key apple address 0.0.0.0 netmask 0.0.0.0
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username xxx password xxx
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd dns 195.112.4.4 195.112.4.7
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:15ce4bc67b95efdaa78abd9727380d15
: end

Thanks in advance,

Stuart


Stuart,

The config which you have on the PIX is absolutely fine. Any host from the outside world can establish an RDP session to the remoteassist IP address.

Just try to go to a site that shows your public IP from the host 192.168.1.99 and see what the public IP is.

Probably you might wanna do clear xlate and clear local.

rave

No way, Rave! Check the cfg again ...

Stuart: From what I understand, there is a mix-up between what you have on your drawing and the cfg.

Given this scenario:

- The client-in-need is behind a router and connects to the Net
- The I-can-helpout is behind the PIX and connects to the Net
- The I-can-helpout wants to use RDP on the client-in-need

This is done via the normal inside outbound config, i.e. inside ACL, NAT and global and/or static. But what you miss is that the remote router needs to forward tcp/3389 into the client-in-need.

Also I am puzzled over:

global (outside) 1 server

as you already have a:

global (outside) 1 interface

The NAT says:

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

which would then go to both globals, as the number "1" is in both globals. Try deleting global (outside) 1 server and clear xlate.

If the I-can-helpout is the:

static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0

the remote end must accept the connection from the name remoteassist, i.e. from x.x.x.206.

HTH Martin


Thanks Martin,

I am a complete novice when it comes to PIX; if I'm honest I don't know what half the stuff in the config means, which is the root of my problem. My illustration is correct, I will explain it again. We are trying to provide remote desktop assistance from our site to clients in need. We have a network of PCs and ideally want any one of them to be able to establish the connection to control the client's PC. Our internal network is connected to a PIX which in turn is connected to the internet. How the client connects to the internet we cannot control, and if their config stops this being possible that is out of our control; all we can offer is to try to help.

The PIX config needs to support VPN clients connecting to server 1 from the internet, access to websites on server 1 and 2 from inside and outside.

I assume we can currently establish remote desktop connections from outside in and vice versa because they are passed through the VPN tunnel?

Thanks for your help guys, I am going to the Cisco site to learn about PIX configuring now!

Look forward to your replies.

Stuart


Ok, so the scenario is normal inside outbound access from your end towards the client on the Net, and port 3389 needs to be forwarded at the remote end if they are behind NAT/router/firewall etc.

fair enough ...

VPN you say ... The determining point is WHERE the VPN terminates. Your present config implies that no VPN clients terminate on the PIX. If you need help, you need to clarify this a lot more. From what I can read of your config you have "SERVER" = 192.168.1.11 (xx.xx.xx.203) where GRE and PPTP are forwarded. But what the tunnels are used for I cannot tell.

Outside access to websites is done via the outside inbound ACL and statics. Inside access to websites is done locally, I guess. You may have DNS problems or you may not. But the PIX can remedy that if you have.

I normally say: assume nothing.

8)

Does not quite make sense to me ... Your config has port 3389 forwarded into a server, hence no VPN needed (this could be wrong). Still you need to clarify your VPN scenario. For example, a scenario could be that the clients-in-need make a VPN connection to you and you then RDP the remote clients. In your given scenario the server holds the tunnels and all access then needs to pass this server into the PPTP tunnel and on to the remote clients.

But I am still unsure of what you want to do ...

regards Martin

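Martin's two replies above make checks that can be done by script rather than by eye: a NAT id that is attached to more than one global (outside) pool, and, since outside access is governed by the outside inbound ACL plus statics, whether a static's public address actually has an inbound permit for the port in question (tcp/3389 here). The script below is an added example, not code from this thread or from Cisco. It parses only the subset of PIX 6.3 syntax it needs (name, global, nat, static, access-list permit/deny lines, access-group); SAMPLE_CONFIG is constructed from the statements Stuart posted, the xx.xx.xx.N addresses are the thread's own placeholders, and the function names and the small PORT_NAMES table are the example's own.

```python
"""Audit NAT/global and outside-inbound ACL statements of a PIX 6.x config.

Added example (not from the thread). Parses a subset of PIX 6.3 syntax:
name, global, nat, static, access-list (permit/deny ACEs), access-group.
"""
from collections import defaultdict

# PIX accepts service keywords in place of port numbers; this table only
# covers the keywords used in the sample (constructed for this example).
PORT_NAMES = {"www": 80, "pptp": 1723}

# Constructed from the statements in the thread's posted config.
SAMPLE_CONFIG = """\
name xx.xx.xx.204 server2
name xx.xx.xx.203 server
name xx.xx.xx.206 remoteassist
access-list acl-out permit tcp any host remoteassist eq www
access-list acl-out permit tcp any host remoteassist eq 3389
access-list acl-out permit tcp any host server2 eq www
access-list acl-out permit gre any host server
access-list acl-out permit tcp any host server eq www
access-list acl-out permit tcp any host server eq pptp
access-list acl-out permit tcp any host server eq 82
global (outside) 1 interface
global (outside) 1 server
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) server2 192.168.1.12 netmask 255.255.255.255 0 0
static (inside,outside) server 192.168.1.11 netmask 255.255.255.255 0 0
static (inside,outside) remoteassist 192.168.1.99 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
"""


def _port(token):
    """Normalise a port token such as '3389' or 'www' to an int when possible."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token, token)


def parse_ace(tokens):
    """Parse '<permit|deny> <proto> <src> [eq P] <dst> [eq P]' into a dict.
    Address forms handled: 'any', 'host X' and 'NET MASK'."""
    def take_addr(i):
        if tokens[i] == "any":
            return "any", i + 1
        if tokens[i] == "host":
            return tokens[i + 1], i + 2
        return tokens[i] + "/" + tokens[i + 1], i + 2      # network + mask

    def take_port(i):
        if i < len(tokens) and tokens[i] == "eq":
            return _port(tokens[i + 1]), i + 2
        return None, i                                      # no port qualifier

    src, i = take_addr(2)
    sport, i = take_port(i)
    dst, i = take_addr(i)
    dport, _ = take_port(i)
    return {"action": tokens[0], "proto": tokens[1], "src": src,
            "sport": sport, "dst": dst, "dport": dport}


def parse_config(text):
    """Collect the statements the audit needs, keyed for lookup."""
    cfg = {"names": {}, "globals": defaultdict(list), "nat_ids": [],
           "statics": {}, "acls": defaultdict(list), "access_groups": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                         # name <ip> <alias>
            cfg["names"][tok[2]] = tok[1]
        elif tok[0] == "global":                     # global (<if>) <id> <pool>
            cfg["globals"][tok[2]].append(tok[3])
        elif tok[0] == "nat":                        # nat (<if>) <id> ...
            cfg["nat_ids"].append(tok[2])
        elif tok[0] == "static":                     # static (in,out) <global> <local> ...
            cfg["statics"][tok[2]] = tok[3]
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            cfg["acls"][tok[1]].append(parse_ace(tok[2:]))
        elif tok[0] == "access-group":               # access-group <acl> in interface <if>
            cfg["access_groups"][tok[4]] = tok[1]
    return cfg


def duplicate_global_pools(cfg):
    """NAT ids that map to more than one global pool (Martin's first point)."""
    return {nid: pools for nid, pools in cfg["globals"].items() if len(pools) > 1}


def inbound_permitted(cfg, global_host, proto, port=None):
    """First-match evaluation of the ACL bound inbound on 'outside'.
    True only if an ACE permits proto[/port] to global_host; a matching deny
    or no match at all (implicit deny) gives False."""
    for ace in cfg["acls"].get(cfg["access_groups"].get("outside"), []):
        if ace["proto"] not in (proto, "ip"):
            continue
        if ace["dst"] not in (global_host, "any"):
            continue
        if ace["dport"] is not None and ace["dport"] != port:
            continue
        return ace["action"] == "permit"
    return False


def statics_without_inbound_port(cfg, proto, port):
    """Statics whose global address has no inbound permit for proto/port."""
    return sorted(g for g in cfg["statics"] if not inbound_permitted(cfg, g, proto, port))


def audit(cfg, proto="tcp", port=3389):
    """Human-readable findings for both checks."""
    findings = [f"nat id {nid} maps to several global pools: {pools}"
                for nid, pools in duplicate_global_pools(cfg).items()]
    for g in statics_without_inbound_port(cfg, proto, port):
        findings.append(f"static {g} ({cfg['names'].get(g, g)}) has no inbound permit for {proto}/{port}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the audit reports the doubled nat id 1 pool and that only remoteassist has an inbound permit for tcp/3389, which matches what Martin read out of the config. The ACL evaluation is first-match with an implicit deny at the end, so a deny placed before a permit is honoured; the parser deliberately ignores everything outside the statements it names.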

OK, the VPN terminates at Server 1, so I think you are right and we are forwarding all traffic for VPN to server 1.

I set up remoteassist so that I could configure a specific internal machine with the 192.168.1.99 internal IP to static to xx.xx.xx.206 and test to see if I could remote desktop to it.

I don't want to give the client VPN access. I simply want a method of passing a remote assistance session through the firewall so we don't freeze to death in the server room bypassing the PIX!

I hope this makes sense.

Thanks again, bear with me guys!

Stuart


OK, I can establish a remote desktop connection to a client machine, but when I try to do remote assistance the client machine says it can't find the host. Is this because my machine is behind the firewall and it is publishing its internal IP address for the remote session, and the client is trying to connect using my internal IP address? If so, how do I force it to use the external IP address?

Thanks,

Stuart
