RDP to Win2003 server thru PIX

Help.. I've been reading thru these groups, google-ing and reading anything I can.

I cannot get RDP to work thru a PIX.

Can someone help?

Please send strings.. xxx.xxx.xxx.xxx = Outside IP, yyy.yyy.yyy.yyy = Inside IP

Reply to
W Abucewicz

If xxx.xxx.xxx.xxx is the interface IP, then:

static (inside,outside) tcp interface 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
access-list out2in permit tcp any interface outside eq 3389
access-group out2in in interface outside

If xxx.xxx.xxx.xxx is a distinct IP that is not the interface IP, then:

static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 yyy.yyy.yyy.yyy 3389 netmask 255.255.255.255
access-list out2in permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-group out2in in interface outside
Reply to
Walter Roberson

I've seen this string in another post.. When I'm in "configure terminal".. the first line, static (...), comes back with "invalid global IP"; lines 2 and 3 seem OK... What am I missing?

-Walter

Reply to
W Abucewicz

You have not been clear as to which of the two statics you have tried. Also, you have not indicated which PIX version you are using. You have not indicated the model number either.

The outside IP that you give, xxx.xxx.xxx.xxx, must not be in the same subnet as the inside IP, yyy.yyy.yyy.yyy, unless the inside IP yyy.yyy.yyy.yyy is not in the same subnet as the IP address of the inside interface.

Reply to
Walter Roberson

Here's the config..

pixfirewall> enable
Password: ******
pixfirewall# write terminal
Building configuration...
: Saved
:
PIX Version 5.2(6)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password .9NISgLcqbbWP1BP encrypted
passwd Pt3628SS/TRnciSO encrypted
hostname pixfirewall
domain-name metalcraftersinc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
name 10.100.0.248 mcgrobbins
name 10.100.0.252 mcatucker
name 10.100.0.251 mcbtucker
name 10.100.0.250 mcmtucker
name 10.100.0.247 mcsherburne
name 10.100.0.246 mcjmckeon
name 10.100.0.245 mcmcollins
name 10.100.0.244 mcjberglund
name 10.100.0.243 mcbclement
name 10.100.0.242 mcelorenz
name 10.100.0.241 mcrdurand
name 10.100.0.240 mcjgagnon
name 10.100.0.239 aironet1
name 10.100.0.238 aironet2
name 10.100.0.235 xerox8830
name 10.100.0.234 recept
name 10.100.0.233 mcmjones
name 10.100.0.231 mci2
name 10.100.0.237 mci
name 10.100.0.230 mcsciuffetti
name 10.100.0.229 mcjmarshall
name 10.100.0.225 mcmhouston
name 10.100.0.253 mcmcooper
name 10.100.0.249 mcrbecker
name 10.100.0.236 mcplustwerk
name 10.100.0.232 mcwvachon
name 10.100.0.226 mcbsmith
name 10.100.0.224 jortega
access-list acl_out permit tcp host mcmjones any eq pop3
access-list acl_out permit udp host mci host 4.2.49.2 eq ntp
access-list acl_out permit udp host mci host 4.2.49.3 eq ntp
access-list acl_out permit udp host mci host 4.2.49.4 eq ntp
access-list acl_out permit tcp host mcmjones any eq ftp
access-list acl_out permit tcp host mcmjones any eq smtp
access-list acl_out permit tcp host mcmjones any eq domain
access-list acl_out permit udp host mcmjones any eq domain
access-list acl_out permit tcp host mcmjones any eq www
access-list acl_out permit tcp host mcmjones any eq 443
access-list acl_out permit udp host mcmjones any eq 443
access-list acl_out permit tcp host mcmjones any eq 1270
access-list acl_out permit tcp host mcmjones any eq 5190
access-list acl_out permit tcp host mcmjones any eq 9012
access-list acl_out permit tcp host mcmjones any eq 9013
access-list acl_out permit tcp host mcjgagnon any eq ftp
access-list acl_out permit tcp host mcjgagnon any eq pop3
access-list acl_out permit tcp host mcjgagnon any eq smtp
access-list acl_out permit tcp host mcjgagnon any eq domain
access-list acl_out permit udp host mcjgagnon any eq domain
access-list acl_out permit tcp host mcjgagnon any eq www
access-list acl_out permit tcp host mcjgagnon any eq 443
access-list acl_out permit udp host mcjgagnon any eq 443
access-list acl_out permit tcp host mcjgagnon any eq 1270
access-list acl_out permit tcp host mcjgagnon any eq 5190
access-list acl_out permit tcp host mcrdurand any eq ftp
access-list acl_out permit tcp host mcrdurand any eq pop3
access-list acl_out permit tcp host mcrdurand any eq smtp
access-list acl_out permit tcp host mcrdurand any eq domain
access-list acl_out permit udp host mcrdurand any eq domain
access-list acl_out permit tcp host mcrdurand any eq www
access-list acl_out permit tcp host mcrdurand any eq 443
access-list acl_out permit udp host mcrdurand any eq 443
access-list acl_out permit tcp host mcrdurand any eq 1270
access-list acl_out permit tcp host mcrdurand any eq 5190
access-list acl_out permit tcp host mcelorenz any eq ftp
access-list acl_out permit tcp host mcelorenz any eq pop3
access-list acl_out permit tcp host mcelorenz any eq smtp
access-list acl_out permit tcp host mcelorenz any eq domain
access-list acl_out permit udp host mcelorenz any eq domain
access-list acl_out permit tcp host mcelorenz any eq www
access-list acl_out permit tcp host mcelorenz any eq 443
access-list acl_out permit udp host mcelorenz any eq 443
access-list acl_out permit tcp host mcelorenz any eq 1270
access-list acl_out permit tcp host mcelorenz any eq 5190
access-list acl_out permit tcp host mcbclement any eq ftp
access-list acl_out permit tcp host mcbclement any eq pop3
access-list acl_out permit tcp host mcbclement any eq smtp
access-list acl_out permit tcp host mcbclement any eq domain
access-list acl_out permit udp host mcbclement any eq domain
access-list acl_out permit tcp host mcbclement any eq www
access-list acl_out permit tcp host mcbclement any eq 443
access-list acl_out permit udp host mcbclement any eq 443
access-list acl_out permit tcp host mcbclement any eq 1270
access-list acl_out permit tcp host mcbclement any eq 5190
access-list acl_out permit tcp host mcjberglund any eq ftp
access-list acl_out permit tcp host mcjberglund any eq pop3
access-list acl_out permit tcp host mcjberglund any eq smtp
access-list acl_out permit tcp host mcjberglund any eq domain
access-list acl_out permit udp host mcjberglund any eq domain
access-list acl_out permit tcp host mcjberglund any eq www
access-list acl_out permit tcp host mcjberglund any eq 443
access-list acl_out permit udp host mcjberglund any eq 443
access-list acl_out permit tcp host mcjberglund any eq 1270
access-list acl_out permit tcp host mcjberglund any eq 5190
access-list acl_out permit tcp host mcmcollins any eq ftp
access-list acl_out permit tcp host mcmcollins any eq pop3
access-list acl_out permit tcp host mcmcollins any eq smtp
access-list acl_out permit tcp host mcmcollins any eq domain
access-list acl_out permit udp host mcmcollins any eq domain
access-list acl_out permit tcp host mcmcollins any eq www
access-list acl_out permit tcp host mcmcollins any eq 443
access-list acl_out permit udp host mcmcollins any eq 443
access-list acl_out permit tcp host mcmcollins any eq 1270
access-list acl_out permit tcp host mcmcollins any eq 5190
access-list acl_out permit tcp host mcjmckeon any eq ftp
access-list acl_out permit tcp host mcjmckeon any eq pop3
access-list acl_out permit tcp host mcjmckeon any eq smtp
access-list acl_out permit tcp host mcjmckeon any eq domain
access-list acl_out permit udp host mcjmckeon any eq domain
access-list acl_out permit tcp host mcjmckeon any eq www
access-list acl_out permit tcp host mcjmckeon any eq 443
access-list acl_out permit udp host mcjmckeon any eq 443
access-list acl_out permit tcp host mcjmckeon any eq 1270
access-list acl_out permit tcp host mcjmckeon any eq 5190
access-list acl_out permit tcp host mcsherburne any eq ftp
access-list acl_out permit tcp host mcsherburne any eq pop3
access-list acl_out permit tcp host mcsherburne any eq smtp
access-list acl_out permit tcp host mcsherburne any eq domain
access-list acl_out permit udp host mcsherburne any eq domain
access-list acl_out permit tcp host mcsherburne any eq www
access-list acl_out permit tcp host mcsherburne any eq 443
access-list acl_out permit udp host mcsherburne any eq 443
access-list acl_out permit tcp host mcsherburne any eq 1270
access-list acl_out permit tcp host mcsherburne any eq 5190
access-list acl_out permit tcp host mcgrobbins any eq ftp
access-list acl_out permit tcp host mcgrobbins any eq pop3
access-list acl_out permit tcp host mcgrobbins any eq smtp
access-list acl_out permit tcp host mcgrobbins any eq domain
access-list acl_out permit udp host mcgrobbins any eq domain
access-list acl_out permit tcp host mcgrobbins any eq www
access-list acl_out permit tcp host mcgrobbins any eq 443
access-list acl_out permit udp host mcgrobbins any eq 443
access-list acl_out permit tcp host mcgrobbins any eq 1270
access-list acl_out permit tcp host mcgrobbins any eq 5190
access-list acl_out permit tcp host mcrbecker any eq ftp
access-list acl_out permit tcp host mcrbecker any eq pop3
access-list acl_out permit tcp host mcrbecker any eq smtp
access-list acl_out permit tcp host mcrbecker any eq domain
access-list acl_out permit udp host mcrbecker any eq domain
access-list acl_out permit tcp host mcrbecker any eq www
access-list acl_out permit tcp host mcrbecker any eq 443
access-list acl_out permit udp host mcrbecker any eq 443
access-list acl_out permit tcp host mcrbecker any eq 1270
access-list acl_out permit tcp host mcrbecker any eq 5190
access-list acl_out permit tcp host mcrbecker any eq nntp
access-list acl_out permit tcp host mcmtucker any eq ftp
access-list acl_out permit tcp host mcmtucker any eq pop3
access-list acl_out permit tcp host mcmtucker any eq smtp
access-list acl_out permit tcp host mcmtucker any eq domain
access-list acl_out permit udp host mcmtucker any eq domain
access-list acl_out permit tcp host mcmtucker any eq www
access-list acl_out permit tcp host mcmtucker any eq 443
access-list acl_out permit udp host mcmtucker any eq 443
access-list acl_out permit tcp host mcmtucker any eq 1270
access-list acl_out permit tcp host mcmtucker any eq 5190
access-list acl_out permit tcp host mcbtucker any eq ftp
access-list acl_out permit tcp host mcbtucker any eq pop3
access-list acl_out permit tcp host mcbtucker any eq smtp
access-list acl_out permit tcp host mcbtucker any eq domain
access-list acl_out permit udp host mcbtucker any eq domain
access-list acl_out permit tcp host mcbtucker any eq www
access-list acl_out permit tcp host mcbtucker any eq 443
access-list acl_out permit udp host mcbtucker any eq 443
access-list acl_out permit tcp host mcbtucker any eq 1270
access-list acl_out permit tcp host mcbtucker any eq 5190
access-list acl_out permit tcp host mcatucker any eq ftp
access-list acl_out permit tcp host mcatucker any eq pop3
access-list acl_out permit tcp host mcatucker any eq smtp
access-list acl_out permit tcp host mcatucker any eq domain
access-list acl_out permit udp host mcatucker any eq domain
access-list acl_out permit tcp host mcatucker any eq www
access-list acl_out permit tcp host mcatucker any eq 443
access-list acl_out permit udp host mcatucker any eq 443
access-list acl_out permit tcp host mcatucker any eq 1270
access-list acl_out permit tcp host mcatucker any eq 5190
access-list acl_out permit tcp host mcmcooper any eq ftp
access-list acl_out permit tcp host mcmcooper any eq pop3
access-list acl_out permit tcp host mcmcooper any eq smtp
access-list acl_out permit tcp host mcmcooper any eq domain
access-list acl_out permit udp host mcmcooper any eq domain
access-list acl_out permit tcp host mcmcooper any eq www
access-list acl_out permit tcp host mcmcooper any eq 443
access-list acl_out permit udp host mcmcooper any eq 443
access-list acl_out permit tcp host mcmcooper any eq 1270
access-list acl_out permit tcp host mcmcooper any eq 5190
access-list acl_out permit tcp host mci any eq www
access-list acl_out permit tcp host mci any eq domain
access-list acl_out permit udp host mci any eq domain
access-list acl_out permit tcp host mci any eq ftp
access-list acl_out permit tcp host mci any eq 443
access-list acl_out permit udp host mci any eq 443
access-list acl_out permit tcp host mcsciuffetti any eq ftp
access-list acl_out permit tcp host mcsciuffetti any eq pop3
access-list acl_out permit tcp host mcsciuffetti any eq smtp
access-list acl_out permit tcp host mcsciuffetti any eq domain
access-list acl_out permit udp host mcsciuffetti any eq domain
access-list acl_out permit tcp host mcsciuffetti any eq www
access-list acl_out permit tcp host mcsciuffetti any eq 443
access-list acl_out permit tcp host mcsciuffetti any eq 1270
access-list acl_out permit tcp host mcsciuffetti any eq 5190
access-list acl_out permit tcp host mcjmarshall any eq ftp
access-list acl_out permit tcp host mcjmarshall any eq pop3
access-list acl_out permit tcp host mcjmarshall any eq smtp
access-list acl_out permit tcp host mcjmarshall any eq domain
access-list acl_out permit udp host mcjmarshall any eq domain
access-list acl_out permit tcp host mcjmarshall any eq www
access-list acl_out permit tcp host mcjmarshall any eq 443
access-list acl_out permit udp host mcjmarshall any eq 443
access-list acl_out permit tcp host mcjmarshall any eq 1270
access-list acl_out permit tcp host mcjmarshall any eq 5190
access-list acl_out permit udp host mci any eq ntp
access-list acl_out permit tcp host mcmhouston any eq ftp
access-list acl_out permit tcp host mcmhouston any eq pop3
access-list acl_out permit tcp host mcmhouston any eq smtp
access-list acl_out permit tcp host mcmhouston any eq domain
access-list acl_out permit udp host mcmhouston any eq domain
access-list acl_out permit tcp host mcmhouston any eq www
access-list acl_out permit tcp host mcmhouston any eq 443
access-list acl_out permit udp host mcmhouston any eq 443
access-list acl_out permit tcp host mcmhouston any eq 1270
access-list acl_out permit tcp host mcmhouston any eq 5190
access-list acl_out permit tcp host mcplustwerk any eq ftp
access-list acl_out permit tcp host mcplustwerk any eq pop3
access-list acl_out permit tcp host mcplustwerk any eq smtp
access-list acl_out permit tcp host mcplustwerk any eq domain
access-list acl_out permit udp host mcplustwerk any eq domain
access-list acl_out permit tcp host mcplustwerk any eq www
access-list acl_out permit tcp host mcplustwerk any eq 443
access-list acl_out permit udp host mcplustwerk any eq 443
access-list acl_out permit tcp host mcplustwerk any eq 1270
access-list acl_out permit tcp host mcplustwerk any eq 5190
access-list acl_out permit tcp host 10.100.0.8 any eq 9013
access-list acl_out permit tcp host mcwvachon any eq ftp
access-list acl_out permit tcp host mcwvachon any eq pop3
access-list acl_out permit tcp host mcwvachon any eq smtp
access-list acl_out permit tcp host mcwvachon any eq domain
access-list acl_out permit udp host mcwvachon any eq domain
access-list acl_out permit tcp host mcwvachon any eq www
access-list acl_out permit tcp host mcwvachon any eq 443
access-list acl_out permit udp host mcwvachon any eq 443
access-list acl_out permit tcp host mcwvachon any eq 1270
access-list acl_out permit tcp host mcwvachon any eq 5190
access-list acl_out permit tcp host mcwvachon any eq 9012
access-list acl_out permit tcp host mcwvachon any eq 9013
access-list acl_out permit tcp host mcbsmith any eq ftp
access-list acl_out permit tcp host mcbsmith any eq pop3
access-list acl_out permit tcp host mcbsmith any eq smtp
access-list acl_out permit tcp host mcbsmith any eq domain
access-list acl_out permit udp host mcbsmith any eq domain
access-list acl_out permit tcp host mcbsmith any eq www
access-list acl_out permit tcp host mcbsmith any eq 443
access-list acl_out permit udp host mcbsmith any eq 443
access-list acl_out permit tcp host mcbsmith any eq 1270
access-list acl_out permit tcp host mcbsmith any eq 5190
access-list acl_out permit tcp host mcbsmith any eq 9012
access-list acl_out permit tcp host mcbsmith any eq 9013
access-list acl_out permit udp host mcmjones any eq 8100
access-list acl_out permit tcp host mcgrobbins any eq 8100
access-list acl_out permit udp host mcgrobbins any eq 8100
access-list acl_out permit tcp host mcgrobbins any eq 9012
access-list acl_out permit tcp host mcgrobbins any eq 9013
access-list acl_out permit tcp host mcmjones any eq 8100
access-list acl_out permit tcp host jortega any eq ftp
access-list acl_out permit tcp host jortega any eq pop3
access-list acl_out permit tcp host jortega any eq smtp
access-list acl_out permit tcp host jortega any eq domain
access-list acl_out permit udp host jortega any eq domain
access-list acl_out permit tcp host jortega any eq www
access-list acl_out permit tcp host jortega any eq 443
access-list acl_out permit udp host jortega any eq 443
access-list acl_out permit tcp host jortega any eq 1270
access-list acl_out permit tcp host jortega any eq 5190
access-list acl_out permit tcp host jortega any eq 8100
access-list acl_out permit udp host jortega any eq 8100
access-list acl_out permit tcp host jortega any eq 9012
access-list acl_out permit tcp host jortega any eq 9013
access-list acl_out permit tcp host mcgrobbins any eq 5500
access-list acl_out permit udp host mcgrobbins any eq 5500
access-list acl_out permit tcp host mcgrobbins any eq 5900
access-list acl_out permit udp host mcgrobbins any eq 5900
access-list acl_out permit tcp host mcsherburne any eq 5500
access-list acl_out permit udp host mcsherburne any eq 5500
access-list acl_out permit tcp host mcsherburne any eq 5900
access-list acl_out permit udp host mcsherburne any eq 5900
access-list acl_out permit tcp host mcsherburne any eq 8100
access-list acl_out permit udp host mcsherburne any eq 8100
access-list acl_out permit tcp host mcsherburne any eq 9012
access-list acl_out permit tcp host mcsherburne any eq 9013
access-list acl_out permit tcp host mcsciuffetti any eq 3389
access-list acl_in permit udp any host mci eq ntp
access-list acl_in permit tcp host 216.99.233.71 any eq smtp
access-list acl_in permit tcp any host mcsciuffetti eq 3389
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
logging history errors
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 66.106.2.98 255.255.255.248
ip address inside 10.100.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 66.106.2.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet mcgrobbins 255.255.255.255 inside
telnet mci 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
terminal width 90
Cryptochecksum:ab84b59c18f27893f8a41be4722a9dfc
: end
[OK]
pixfirewall# exit


Reply to
W Abucewicz

That's much too old to support PAT (port address translation).

It is also much too old to be asking questions about without stating clearly which version you are using. These days, unless you specify otherwise, people will assume you are using PIX 6.3 or PIX 6.2 (unless something in the syntax or what you say indicates PIX 7.x).

You haven't applied acl_in to the outside interface.

Your addresses 'mci' and 'mcsciuffetti' are on your inside interface. You can't make them accessible to the outside world in PIX 5.2 without using a 'static' and listing the public IP address.

In PIX 5.2, if you want inside hosts to be reachable from the outside, then unless you are using a VPN, you *must* use an additional public address to refer to them. In PIX 5.2, it is impossible to use the outside address of the PIX in order to start connections to inside hosts. That address-saving feature was not added until PIX 6.1.

Reply to
Walter Roberson

Thanks.. I appreciate your input.. these "rules" were set up by my customer..

As you can tell, I have little Cisco experience.. Looks like an upgrade is needed... is that a firmware upgrade or something more involved?

--Walter A


Reply to
W Abucewicz

It would not be a firmware upgrade, but if the device is sufficiently old then it might require two stages. Based upon the configuration (or, more correctly, what the configuration does NOT contain), and based upon my knowledge of which devices existed at which stage of PIX OS, I would hypothesize that the device is a PIX 506 (but not 506E). Is that correct?

Upgrading a PIX 506 is relatively easy, but there would be a non-trivial cost to upgrading one that old. Cisco's price lists are a maze full of red herrings, so the best I can estimate is $US 1000 to get the software upgrade. It might not be worth it from an investment point of view, as the PIX 506 now seems to be quite unlikely to be supported in PIX 7.x.

Your outside IP address has a netmask of 255.255.255.248 indicating that the ISP has assigned a range of 8 IPs to the connection. Two of those are reserved (by the IP protocols), one would be allocated to your end of the connection, one would be allocated to their end of the connection -- and that leaves 4 unaccounted for.

You may thus *already* have additional public IPs that you can use. If so then you do not need any software upgrade: the restrictions I discussed before had to do with using the PIX outside interface IP -itself- as the target of incoming connections; using a different IP in the same subnet is fair game, if you have the IP.

Reply to
Walter Roberson
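To check the /29 arithmetic above and turn one of the spare addresses into the static-plus-ACL form from the first reply, here is an added Python example (not code from the thread): it lists the unreserved addresses in the 66.106.2.96/29 block, rejects a candidate public IP that is the PIX interface address, the ISP gateway, a network/broadcast address or in the inside subnet, and emits a one-to-one static plus an access-list that admits only tcp/3389. It uses the plain one-to-one static rather than the per-port form, since the ACL already limits exposure to 3389; the spare IP 66.106.2.99, the RDP host 10.100.0.230 (mcsciuffetti in the posted config) and the gateway from the route statement are assumptions.

```python
import ipaddress

# Constructed from the posted config: outside 66.106.2.98/29, default route via
# 66.106.2.97, inside 10.100.0.254/24.  Which spare address is free is assumed.
OUTSIDE_IF = ipaddress.ip_interface("66.106.2.98/29")
INSIDE_IF = ipaddress.ip_interface("10.100.0.254/24")
GATEWAY = ipaddress.ip_address("66.106.2.97")


def usable_public_ips(outside_if=OUTSIDE_IF, gateway=GATEWAY):
    """Addresses in the outside block that are not the network or broadcast
    address, the PIX's own interface address, or the ISP's router."""
    net = outside_if.network
    reserved = {net.network_address, net.broadcast_address, outside_if.ip, gateway}
    return [str(a) for a in net if a not in reserved]


def rejection_reason(public_ip, inside_host, outside_if=OUTSIDE_IF,
                     inside_if=INSIDE_IF, gateway=GATEWAY):
    """Why a (public, inside) pair cannot back a PIX 5.2 static; None if it can."""
    pub = ipaddress.ip_address(public_ip)
    host = ipaddress.ip_address(inside_host)
    onet, inet = outside_if.network, inside_if.network
    if pub == outside_if.ip:
        return "PIX 5.2 cannot redirect its own outside interface IP (needs 6.1+)"
    if pub == gateway:
        return "that address belongs to the ISP router"
    if pub in (onet.network_address, onet.broadcast_address):
        return "network and broadcast addresses are not assignable"
    if pub not in onet:
        return "public IP is not in the PIX's outside subnet"
    if host not in inet:
        return "inside host is not on the inside interface's subnet"
    if pub in inet:  # global and local address must not share a subnet
        return "public IP overlaps the inside subnet"
    return None


def pix52_rdp_lines(public_ip, inside_host, acl_name="acl_in", source="any", **kw):
    """One-to-one static plus an ACL that admits only tcp/3389 to it.
    `source` defaults to 'any' as in the thread; 'host a.b.c.d' narrows it."""
    why = rejection_reason(public_ip, inside_host, **kw)
    if why:
        raise ValueError(why)
    return [
        f"static (inside,outside) {public_ip} {inside_host} netmask 255.255.255.255",
        f"access-list {acl_name} permit tcp {source} host {public_ip} eq 3389",
        f"access-group {acl_name} in interface outside",
    ]


if __name__ == "__main__":
    print("spare public IPs:", usable_public_ips())
    for line in pix52_rdp_lines("66.106.2.99", "10.100.0.230"):
        print(line)
```

The last line is the one the posted config is missing: acl_in exists but is never bound to the outside interface.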

You are correct... we have additional public addresses that are not in use.

Can you point me in a direction ...?

How do I assign the inside IP to a different public IP?

Then the rules that you originally sent should work...

--Walter


Reply to
W Abucewicz

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.