PIX of Server Terminal server acccess thro

Dear all

I need to open a port for microsoft terminal server located inside the pix 515E to give external users access. Should which port I open?

Please give me the details of configuration if you have.

Thanks in advance

Swamy

If the ip addresses available is limited, it does damage to retain the polo on adsl and use the firewall just for protection.

But don't forget there will be 2 NATing for packets from the inside for Internet access. It is one on PIX and the other on ADSL.

Tags: Cisco Security

Similar Questions

  • termination of VPN client 4.0 on pix 515

    I am trying to connect the cisco 4.0 vpn client to a worm of pix 515 6.1 and receive as a result of errors that I guess are the related hashing algorithm but am not sure. Only DES is not enabled 3DES. Config output Cisco post interprets but apparently no error in config.

    Journal of VPN client:

    Cisco Systems VPN Client Version 4.0 (Rel)

    Copyright (C) 1998-2003 Cisco Systems, Inc. All rights reserved.

    Customer type: Windows, Windows NT

    Running: 5.0.2195

    1 10:58:34.890 25/09/03 Sev = Info/4 CM / 0 x 63100002

    Start the login process

    2 10:58:34.906 25/09/03 Sev = Info/4 CVPND/0xE3400001

    Microsoft's IPSec Policy Agent service stopped successfully

    3 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100004

    Establish a connection using Ethernet

    4 10:58:34.906 25/09/03 Sev = Info/4 CM / 0 x 63100024

    Attempt to connect with the server "x.x.x.226".

    5 10:58:35.953 25/09/03 Sev = Info/6 IKE/0x6300003B

    Attempts to establish a connection with x.x.x.226.

    6 10:58:36.000 25/09/03 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Nat - T), VID (Frag), VID (Unity)) at x.x.x.226

    7 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700008

    IPSec driver started successfully

    8 10:58:36.000 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    9 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

    Retransmit the last package!

    10 10:58:41.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

    11 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

    Retransmit the last package!

    12 10:58:46.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

    13 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000021

    Retransmit the last package!

    14 10:58:51.093 25/09/03 Sev = Info/4 IKE / 0 x 63000013

    SEND to > ISAKMP OAK AG (Retransmission) to x.x.x.226

    15 10:58:56.093 25/09/03 Sev = Info/4 IKE / 0 x 63000017

    Marking of IKE SA delete (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    16 10:58:56.593 25/09/03 Sev = Info/4 IKE/0x6300004A

    IKE negotiation to throw HIS (I_Cookie = 20FC277498A5D2DC R_Cookie = 0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    17 10:58:56.593 25/09/03 Sev = Info/4 CM / 0 x 63100014

    Could not establish the Phase 1 SA with the server 'x.x.x.226' due to the 'DEL_REASON_PEER_NOT_RESPONDING '.

    18 10:58:56.593 25/09/03 Sev = Info/5 CM / 0 x 63100025

    Initializing CVPNDrv

    19 10:58:56.593 25/09/03 Sev = Info/4 IKE / 0 x 63000001

    Signal received IKE to complete the VPN connection

    20 10:58:56.625 25/09/03 Sev = critique/1 CVPND/0xE3400001

    Service Microsoft's IPSec Policy Agent started successfully

    21 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    22 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    23 10:58:57.093 25/09/03 Sev = Info/4 IPSEC / 0 x 63700014

    Remove all keys

    24 10:58:57.093 25/09/03 Sev = Info/4 IPSEC/0x6370000A

    IPSec driver successfully stopped

    Journal of Pix:

    crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

    Peer VPN: ISAKMP: approved new addition: ip:x.x.x.194 Total VPN peer: 1

    Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 1 Total VPN EEP

    RS: 1

    Exchange OAK_AG

    ISAKMP (0): treatment ITS payload. Message ID = 0

    ISAKMP (0): audit ISAKMP transform 1 against the policy of priority 1

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform against the policy of priority 1 2

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 3 against the policy of priority 1

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 4 against the policy of priority 1

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 5 against the policy of priority 1

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 6 against the policy of priority 1

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 7 against the policy of priority 1

    ISAKMP: encryption... What? 7?

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 8 against the policy of priority 1

    ISAKMP: encryption... What? 7?

    ISAKMP: MD5 hash

    ISAKMP: default group 2

    ISAKMP: preshared auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4 0x9b

    ISAKMP: attribute 3584

    ISAKMP (0): atts are not acceptable. Next payload is 3

    ISAKMP (0): audit ISAKMP transform 9 against the policy of priority 1

    ISAKMP: 3DES-CBC encryption

    ISAKMP: hash SHA

    ISAKMP: default group 2

    ISAKMP: preshared extended auth

    ISAKMP: type of life in seconds

    ISAKMP: lifespan (IPV) 0x0 0 x 20 0xc4

    crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

    Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

    RS: 1

    Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

    RS: 1

    crypto_isakmp_process_block: CBC x.x.x.194, dest x.x.x.226

    Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt is incremented to peers: 2 Total VPN EEP

    RS: 1

    Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 1 Total VPN EEP

    RS: 1

    ISAKMP (0): retransmission of phase 1...

    ISAKMP (0): retransmission of phase 1...

    ISAKMP (0): delete SA: src x.x.x.194 dst x.x.x.226

    ISADB: Reaper checking HIS 0x80db91c8, id_conn = 0 DELETE IT!

    Peer VPN: ISAKMP: ip:x.x.x.194 Ref cnt decremented to peers: 0 Total of VPN EEP

    RS: 1

    Peer VPN: ISAKMP: deleted peer: ip:x.x.x.194 VPN peer Total: 0

    ISAKMP: Remove the peer node for x.x.x.194

    Thanks for any help

    Hello

    Pix isakmp policy should have DES, MD5, and group 2 for the 4.x to connect Cisco VPN client, these are proposals that the client sends to the server...

    http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/rel4_0/admin_gd/vcach6.htm#1157757

    This link will show you IKE proposals be configured on the PIX (VPN server)

    Arthur

  • Two vpnadmin vpngroup dns server addresses

    Has anyone or does anyone know how to put two vpngroup vpnadmin addresses of dns on a PIX 515E Server?  I'm trying to set up a second DNS server and without the command in the PIX my VPN clients cannot authenticate through the PIX on the second DNS server.  I tried several times to put the command but he continues to remove the existing and to replace it with one that I try to put in.  Any help would be appreciated.

    Randy L Brown

    Great to hear and thanks for the update.

    Pls kindly marks the message as answered while others may learn from your post. Thank you.

  • Limits of pix 506 for VPN client connections

    Hello. My company is looking to move away from using Microsoft's RRAS to workers to remote VPN connections. We have a 506th Pix currently serving 2 site VPN connections and client connections. Nobody knows what the limit for concurrent client vpn connections on a 506e and if having 10 to 20 clients connected at the same time (on a user base of 100 +) would cause problems. Any thoughts would be greatly appreciated.

    There is no license for the number of connections limit, this is more a limitation of resources. Check that the data sheet a 506E can handle 16 MB of 3DES VPN. It's marketing plug so the actual throughput will be lower.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps4336/product_data_sheet09186a0080091b13.html

    Hope that helps.

  • ASA at PIX VPN - routing

    Hi all, I built a site 2 site between an ASA 5510 and a PIX IPsec tunnel.  The tunnel is up, and most of the time the traffic flow between source and destination LANs as planned. The problem is that we need the ASA to send syslog messages in the VPN tunnel to a syslog on PIX site server.  If I get a router on the ASA website, I ping the site of PIX syslog server.   The following statement is in the ASA:

    Route out of pix.net.addr sub.net.mask next.hop

    But in the journal of the ASA, I see messages "Routing failed" for the traffic of the SAA on the syslog server.

    April 8, 2010 08:32:01 ASA5510: % ASA-6-110003: routing could not locate the next hop for icmp NP identity Ifc:10.xx.x.xx/0 to inside:172.xx.x.xx/0

    Any thoughts?

    Thank you

    Robert

    Hello

    Public IP address of the ASA must be in interesting for this tunnel traffic (since it's the INVESTIGATION period where newspapers are going to be sent from).

    Also, the IP address of the syslog server must be in the interesting traffic.

    In other words, you should be able to PING from the ASA to syslog (through the tunnel) server.

    Federico.

  • How to see the pix log information

    environment like this:

    PIX 7.0 are configed for logserver.

    PFS install on Windows XP.

    How can I see the information of the newspaper of pfss.did anyone have this experience.

    The log files are stored in the \Program Files\Cisco\PIX Syslog server to default firewall or any other directory you have installed PFS in. Search for files with the .log extension.

  • VPN Tunnel to the TOP but no traffic passing (PIX515)

    I'll put up a remote engineers access to off-site to access my network (using the cisco vpn client). I use PIX 515E software version 7.0 (3) 20 as a vpn server. I can establish a tunnel, but I can't access network resources. I can ping the external interface of the PIX. This is my setup: internet-router-pix-dmz(server farm). Please find attached my setup. Thanks in advance.

    After a glance at your policy, it seems that the Pool of IP, that is assigned to the clients behind the outside interface, runs behind the DMZ. I don't think it will work.

    In addition, defined distribution policy seems to be backward. Im sure that you intend to send traffic FROM the IP pool to 196.26.12.64/26. Your acl split is the opposite.

    In addition, your routing table does not contain a route for the 196 network, so the firewall will use the default route to the outside. If this is intentional, the clients and dst are on the outside, which is considered to be crossed. This is allowed on the SAA only with the same security setting configured.

  • Tunnel from site to site VPN that overlap within the network

    Hi all

    I need to connect 2 networks via a tunnel VPN site to site. On the one hand, there is a 506th PIX by the termination of the VPN. The other side, I'm not too sure yet.

    However, what I know, is that both sides of the tunnel using the exact same IP subnet 192.168.1.0/24.

    This creates a problem when I need to define the Routing and the others when it comes to VPN and what traffic should be secure etc.

    However, read a lot for the review of CERT. Adv. Cisco PIX and noticed that outside NAT can solve my 'small' problem.

    That's all it is said, but I'd really like to see an example of configuration of this or hear from someone who has implemented it.

    Anyone?

    Steffen

    How is it then?

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

  • Enable syslog server behind the PIX

    Could someone tell me a config that allows a server syslog (Kiwi syslog) to get behind the PIX syslogs. I have a 2K with the KIWI syslog server behind a PIX 501.

    I have the static command, the access group and the access-list:

    public static 192.104.109.92 (Interior, exterior) 192.168.15.200 netmask 255.255.255.255 0 0

    Access-group local_server in external interface

    local_server list access permit udp any host 192.104.109.92 eq syslog

    Man, I can't understand it.

    Thanks for any help

    You could:

    1. make a capture of port syslog traffic directed to the syslog server.

    2 Terminal monitor - deny traffic showed clearly when I had not set up the firewall to forward the traffic. (Note: attention on busy firewall)

    3 netstat - a on the syslog server

    4. If you allow, you should be able to portscan the server on port of syslog by your firewall.

    5. is your syslog capture created file? It is not created if the service never started.

    6 - is the service running in the system context or perhaps another account that doesn't have the correct rights?

    The answers seem to indicate a service not started that seemed likely. What you describe happened to me when I had the demon also version; I went to service version and the problem has been resolved (once I opened the port.)

    I love the kiwi syslog. I use with Snare and BacklogIIS and receive alerts within 60 seconds to my mailbox when something bad happens. It always fools of my end users out when I call them with the problem solved when they seek always my number report the problem.

  • Need help setting up a mail server on a pix 501.

    User access audit

    Password:

    Type help or '?' for a list of available commands.

    See the pixfirewall config #.

    : Saved

    :

    PIX Version 6.1 (4)

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    fixup protocol ftp 21

    fixup protocol http 80

    fixup protocol h323 1720

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol sip 5060

    fixup protocol 2000 skinny

    names of

    inside_access_in list of ip 10.0.0.0 access allow 255.255.255.0 any

    list of access allowed smtp tcp any host xx.xx.xx.xx eq smtp

    pager lines 24

    interface ethernet0 10baset

    interface ethernet1 10full

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside xx.xx.xx.xx 255.255.255.248

    IP address inside 10.0.0.1 255.255.255.0

    IP verify reverse path to the outside interface

    alarm action IP verification of information

    alarm action attack IP audit

    location of PDM 0.0.0.0 255.255.255.255 outside

    location of PDM 0.0.0.0 255.255.255.0 outside

    PDM logging 100 information

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    public static tcp (indoor, outdoor) interface smtp 10.0.0.2 netmask 255.255.255.255 www

    0 0

    inside_access_in access to the interface inside group

    Route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx1

    Timeout xlate 0:05:00

    Timeout conn 0 half-closed 01:00:10: 00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 TR

    p 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    URL-cache dst 1 KB

    Enable http server

    http 10.0.0.0 255.255.255.0 inside

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    No sysopt route dnat

    Telnet 10.0.0.0 255.255.255.0 inside

    Telnet timeout 5

    SSH timeout 5

    Terminal width 80

    Cryptochecksum:3ae6d538123b8ad8ec4fc5bbd0df3ab0

    > outdoor access smtp in interface list

  • Firefox crashes when starting on Win2k3 Terminal Server

    Firefox 3.x works, however after upgrading to 10.0.2 it will crash whenever the commissioning.

    Platform: Windows 2003 Terminal Server with Citrix.

    We excluded the firefox.exe to the ctxhook and it does not help (we know this fixes the crash at startup on Xendesktop deployments).

    How to disable you DgApi.dll? Thank you.

  • Cannot display emoticon with Terminal Server 2008R2

    I installed Skype in 6 different Windows Terminal Server (2008R2 std edition) and in the latest versions, I can see emoticons in the menu but they disappear if I move the mouse.
    If I send an emoticon in the chat I don't see empty space.

    I tried all the solutions, but I can't see the emoticons.
    Can you help me?

    OK based... It was a Setup host remote desktop in 16-bit depth color limit.

    Chenged to 32 and the issue went away

  • Portege M400: He can't sleep because of the Terminal Server keyboard driver

    I can't put my M400 to sleep.
    Error: "because of Terminal Server keyboard driver"
    It provides the error message as above.

    I can't find direct response on the other forum that the roll back.
    My problem is that this situation has been the same from day 1, so I can't really push.

    Any ideas?
    concerning
    R

    This sounds like something wrong with the software or running services.
    However, the Toshiba power saver is responsible for the hibernation and the day before. I would recommend reinstallation of this application.

  • HP Terminal Server M602 list offline

    Since Windows applied defender update KB915597 Friday June 6, model HP printer to the main office 600 does not print.

    There are three same printers at the office here and none of them have been working for this patch was released.

    The driver used is - HP LaserJet 600 M601 M602 M603 PCL6 - both the 32 and 64-bit drivers are installed.

    Have you tried the latest version downloaded from HP and the version of Windows, internal and downloaded from Windows update.

    The driver is installed on a Windows Server 2008 R2 64-bit running as a server terminal server and each HP M600 is affected.

    The VPN network tunnel is managed by routers to SonicWALL.

    Web consoles are available to connect to and manage.

    Have deleted and recreated the queues of the printer, but they show as offline.

    If I disable the SNMP printer shows online, but, when you print to the printer, the job goes to the queue and it is sitting there.

    Printers work when it is used as a local installed IP printer using the driver provided by Microsoft, but only on the local subnet. The copy redirected to this printer on the Terminal Server session fails and that the documents sent there so not go anywhere, they do not appear in the print queue.

    It looks like a firewall/network issue and I hope that you have an idea of what must be the subject of an investigation, the port must be opened in order to get this corrected.

    Applied the printer driver updated to Microsoft as part of the regular correction.

    Restarted the SonicWall router and the system has been able to see the queues printing and printing for devices with standard drivers.

    The solution was a restart of SonicWALL-

  • X 220-problem of server terminal server / 3 G / VPN

    Hi all

    I have two X 220 with identical problems. The procedure to connect to our server terminal server (Windows 7, server = v2008) is:

    -connect to the internet

    -connect to the VPN (using the Version of Cisco VPN Client 5.0.07.0290)

    -connect to the server terminal server

    Everything works well when it connects via WIFI - and everything works well when it connects via the modem to broadband integrated into the X 220 until trying to connect to the terminal server. Then he said: Remote Desktop cannot find the computer XX.

    That is, everything works fine up to this point. This includes plenty of internet work in 3G and VPN connection succesfull.

    Since I have two identical machines - this should exclude material errors. It must be software.

    Ideas? Anyone?

    My colleague has managed to find a solution. Install this update did the trick:

    FTP://files.Citrix.com/dneupdate64.msi

    Best,

    Finn

Maybe you are looking for

  • E-mail address of HP eprint

    I already have an HP eprint e-mail address.  I just replaced my printer and want to use my HP eprint current e-mail address.  Is it possible to do it with the HP Envy 110F?

  • That day did install?

    Hello. 2 or 3 days ago, a new update of the system became available on my razr I device, via the standard update button in the settings. Now, I installed it is but looks like nothing has changed at all. The android version is still 4.0.4 somehow befo

  • Question about the free space left on my C: in my computer

    original title: what it means? what it means? local disc (c :)) 1.56 GBfree 37.2 GB? does this mean I don't have a lot of space left? If so, please tell me how to solve this problem? I am running windows vista, I hope you can help me thank you

  • I have a HP Deskjet D2680 how to align cartridges

    try to maintain my printer won't let me align cartridges

  • Combining several FWSMs on simple C6509 for higher flow

    Hello I know that the FWSM has a flow rate of 5 GB max. I want to increase the flow rate beyond 5 GB by adding another module FWSM. How to combine the FWSMs to increase flow? Specifically, how to configure the feature? Thanks in advance!