Pix 501 terminal server cannot access internet - please help!


  • Pix 501 terminal server cannot access internet - please help!

    I am having trouble accessing the internet from the terminal server on my client's network.

    Here are the lines pertaining to the server from the config.

    access-list 110 permit tcp any host xx.xx.xx4.218 eq 3389
    access-list 110 permit tcp any host xx.xx.xx4.218 eq pptp
    access-list 110 permit tcp any host xx.xx.xx4.218 eq https
    static (inside,outside) xx.xx.xx4.218 192.168.8.4 netmask 255.255.255.255 0 0

    The problem is, when I've got the static entry in the config, I can't get out to the internet from that machine (192.168.8.4). Also, I cannot get to the machine from the internet. If I take it out, internet access works fine, but I still cannot access the server by its external IP.

    The other entries in the access list and the other static work correctly. They are directed towards the SBS server, and they work fine.

    The complete config is below; can somebody tell me why this isn't working?

    xx = public ip address
    : Written by enable_15 at 20:32:43.957 UTC Mon Feb 1 2010
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname cimpix
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 110 permit icmp any any echo-reply
    access-list 110 permit icmp any any time-exceeded
    access-list 110 permit icmp any any unreachable
    access-list 110 permit tcp any host xx.xx.xx4.217 eq smtp
    access-list 110 permit tcp any host xx.xx.xx4.217 eq pptp
    access-list 110 permit tcp any host xx.xx.xx4.217 eq 3389
    access-list 110 permit tcp any host xx.xx.xx4.217 eq https
    access-list 110 permit tcp any host xx.xx.xx4.218 eq 3389
    access-list 110 permit tcp any host xx.xx.xx4.218 eq pptp
    access-list 110 permit tcp any host xx.xx.xx4.218 eq https
    access-list 110 permit tcp any host xx.xx.xx4.217 eq 8002
    access-list 110 permit tcp any host xx.xx.xx.217 eq ftp
    access-list 110 permit tcp any host xx.xx.xx4.217 eq imap4
    access-list 110 permit tcp any host xx.xx.xx4.217 eq 52397
    access-list 120 permit ip 192.168.8.0 255.255.255.0 172.28.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xx.xx.xx4.216 255.255.255.240
    ip address inside 192.168.8.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn-pool 172.28.1.100-172.28.1.155
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 120
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) xx.xx.xx4.217 192.168.8.3 netmask 255.255.255.255 0 0
    static (inside,outside) xx.xx.xx4.218 192.168.8.4 netmask 255.255.255.255 0 0
    access-group 110 in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx4.209 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
    crypto dynamic-map map2 10 set transform-set trmset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 client configuration address initiate
    crypto map map1 interface outside
    crypto map map1 interface inside
    isakmp enable outside
    isakmp enable inside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup cimtronics address-pool vpn-pool
    vpngroup cimtronics dns-server 192.168.8.3
    vpngroup cimtronics default-domain cimtronics.local
    vpngroup cimtronics split-tunnel 120
    vpngroup cimtronics idle-time 1800
    vpngroup cimtronics password ********
    vpngroup split-tunnel idle-time 1800
    telnet 192.168.8.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn group 1 accept dialin pptp
    vpdn group 1 ppp authentication chap
    vpdn group 1 ppp authentication mschap
    vpdn group 1 ppp encryption mppe auto required
    vpdn group 1 client configuration address local vpn-pool
    vpdn group 1 client configuration dns 192.168.8.3
    vpdn group 1 pptp echo 60
    vpdn group 1 client authentication local
    vpdn username cimtronics password ********
    vpdn enable outside
    vpdn enable inside
    terminal width 80
    Cryptochecksum:a8b728d9e85bb683de89f696a78127e8
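
The posted config pairs a one-to-one static with per-host outside ACL entries, which is the kind of thing that can be checked mechanically. Below is an added example, not code from this thread or from Cisco: a small Python auditor that parses the `ip address`, `static`, `access-list` and `access-group` lines of a PIX 6.3-style config and reports, for each static, whether the mapped address falls inside the outside interface's subnet, whether the real address falls inside the inside subnet, and which outside ACL entries permit traffic to it, plus the exposure findings a reviewer would raise (RDP and PPTP open to `any`, the default SNMP community, cleartext telnet management). The embedded config is a constructed subset of the one posted, with the masked public block replaced by the documentation range 203.0.113.208/28 and one extra static (203.0.113.230, outside that /28) added so the off-subnet check has something to catch; on the posted values the .218 static is inside the outside /28, so that particular check passes.

```python
"""Static audit of a PIX 6.3-style configuration (added example, not from the thread)."""
import ipaddress
import re

# Constructed subset of the posted config; public block replaced by 203.0.113.208/28
# and a deliberately off-subnet static (203.0.113.230) appended.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.216 255.255.255.240
ip address inside 192.168.8.1 255.255.255.0
access-list 110 permit icmp any any echo-reply
access-list 110 permit tcp any host 203.0.113.217 eq smtp
access-list 110 permit tcp any host 203.0.113.217 eq 3389
access-list 110 permit tcp any host 203.0.113.218 eq 3389
access-list 110 permit tcp any host 203.0.113.218 eq pptp
access-list 110 permit tcp any host 203.0.113.218 eq https
static (inside,outside) 203.0.113.217 192.168.8.3 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.218 192.168.8.4 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.230 192.168.8.5 netmask 255.255.255.255 0 0
access-group 110 in interface outside
snmp-server community public
telnet 192.168.8.0 255.255.255.0 inside
"""

IPADDR_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

# Ports whose exposure to 'any' on the outside ACL is worth a finding.
REMOTE_ACCESS_PORTS = {"3389", "pptp", "1723", "telnet", "23", "ssh", "22"}


def parse_addr(tokens):
    """Consume one PIX ACL address spec (any / host X / network mask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Extract interfaces, statics, ACL entries, ACL bindings and a few flagged settings."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "access_groups": {}, "flags": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IPADDR_RE.match(line):
            # ip_interface accepts a dotted-decimal netmask after the slash.
            cfg["interfaces"][m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"mapped": m[3], "real": m[4]})
        elif m := ACL_RE.match(line):
            tokens = m[4].split()
            src, tokens = parse_addr(tokens)
            dst, tokens = parse_addr(tokens)
            port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else None
            cfg["acls"].setdefault(m[1], []).append(
                {"action": m[2], "proto": m[3], "src": src, "dst": dst, "port": port})
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["access_groups"][m[2]] = m[1]
        elif line == "snmp-server community public":
            cfg["flags"].append("SNMP answers to the default community string 'public'")
        elif line.startswith("telnet ") and line.endswith(" inside"):
            cfg["flags"].append("cleartext telnet management is enabled on the inside interface")
    return cfg


def audit(cfg):
    """Return (per-static report keyed by mapped address, list of findings)."""
    findings = list(cfg["flags"])
    outside_net = cfg["interfaces"]["outside"].network
    inside_net = cfg["interfaces"]["inside"].network
    outside_acl = cfg["acls"].get(cfg["access_groups"].get("outside"), [])
    report = {}
    for st in cfg["statics"]:
        mapped = ipaddress.ip_address(st["mapped"])
        real = ipaddress.ip_address(st["real"])
        # Every permit on the outside ACL whose destination covers this mapped address.
        permits = [(e["proto"], e["port"]) for e in outside_acl
                   if e["action"] == "permit" and mapped in e["dst"]]
        report[st["mapped"]] = {
            "real": st["real"],
            "mapped_on_outside_subnet": mapped in outside_net,
            "real_on_inside_subnet": real in inside_net,
            "permitted_inbound": permits,
        }
        if mapped not in outside_net:
            findings.append(f"static {st['mapped']} is not in the outside subnet "
                            f"{outside_net}; the upstream router needs a route for it")
    for e in outside_acl:
        if (e["action"] == "permit" and e["src"].prefixlen == 0
                and e["port"] in REMOTE_ACCESS_PORTS):
            findings.append(f"{e['proto']}/{e['port']} to {e['dst']} is open to any source")
    return report, findings


def run_audit(text=SAMPLE_CONFIG):
    return audit(parse_config(text))


if __name__ == "__main__":
    report, findings = run_audit()
    for mapped, info in report.items():
        print(mapped, "->", info["real"], info)
    for f in findings:
        print("FINDING:", f)
```

Run it against a full `show running-config` dump by passing the text to `run_audit`; lines the parser does not recognise (fixups, timeouts, VPN settings) are skipped. The static-subnet check is what you want when a static's outbound or inbound traffic silently fails, and the "open to any source" findings are the ones to tighten first, since the PPTP and RDP entries in the posted config accept connections from the whole internet.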

  • #2
    Re: Pix 501 terminal server cannot access internet - please help!

    moved to the correct forum.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Pix 501 terminal server cannot access internet - please help!

      I am not exceptionally strong on the pix config but at first glance it looks right.

      What is the gateway address of the server that is having trouble?
