Hi,
Could anyone help with a sample configuration which will allow a remote
desktop assistance session from within a pix 501 firewalled network to an outside client:
Assistance provider --- PIX 501 --- Router --- Internet --- Router --- Client needing assistance
I tried several forums and spent a good deal of time studying and reconfiguring the PIX to allow port 3389, however I could not establish a remote assitance session. Any help is most appreciated.
We have been sitting in the server room with a direct connection to via
the router, so it is definately the pix which is our issue and not the client end.
The pix config is shown below:
PIX Version 6.3(3) interface ethernet0 10baset interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password xxx encrypted passwd xxx encrypted hostname pixfirewall domain-name ciscopix.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name xx.xx.xx.204 server2 name xx.xx.xx.203 server name xx.xx.xx.206 remoteassist access-list 101 permit tcp any host remoteassist eq www access-list 101 permit tcp any host remoteassist eq 3389 access-list 101 permit tcp any host server2 eq www access-list 101 permit tcp any host server eq www access-list 101 permit tcp any host server eq pptp access-list 101 permit tcp any eq 47 host server eq 47 access-list inside_access_in permit ip any any access-list acl-out permit tcp any host remoteassist eq www access-list acl-out permit tcp any host remoteassist eq 3389 access-list acl-out permit tcp any host server2 eq www access-list acl-out permit gre any host server access-list acl-out permit tcp any host server eq www access-list acl-out permit tcp any host server eq pptp access-list acl-out permit tcp any host server eq 82 pager lines 24 logging on mtu outside 1500 mtu inside 1500 ip address outside xx.xx.xx.202 255.255.255.248 ip address inside 192.168.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location 192.168.1.11 255.255.255.255 inside pdm location 192.168.1.12 255.255.255.255 inside pdm location server 255.255.255.255 outside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface global (outside) 1 server nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) server2 192.168.1.12 netmask 255.255.255.255 0
0 static (inside,outside) server 192.168.1.11 netmask 255.255.255.255 0 0static (inside,outside) remoteassist 192.168.1.99 netmask
255.255.255.255 0 0 access-group acl-out in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 xx.xx.xx.201 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 192.168.1.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec isakmp enable outside isakmp key apple address 0.0.0.0 netmask 0.0.0.0 telnet timeout 5 ssh timeout 5 console timeout 0 vpdn username xxx password xxx dhcpd address 192.168.1.100-192.168.1.131 inside dhcpd dns 195.112.4.4 195.112.4.7 dhcpd lease 3600 dhcpd ping_timeout 750 terminal width 80 Cryptochecksum:15ce4bc67b95efdaa78abd9727380d15 : endThanks in advance,
Stuart