
I am looking for some configuration help with a Cisco PIX 501 version 6.3(3). It is currently set up with IP 192.168.1.1 and a subnet mask of 255.255.255.0, and all clients have IP addresses in the 192.168.1.xxx range. All clients are connecting via an unmanaged switch to the PIX, which in turn connects to the internet.

I am trying to accomplish two things. FIRST, I am trying to add an internal client with an IP address of 192.168.10.10, and allow that client to access everything (both internal and external). I also want to be able to RDP to this client from the internet. SECOND, once I accomplish this, I would like to prohibit the new client from accessing the server at 192.168.1.10 (and vice versa).

I have made an attempt to do this, but so far, no luck. So far, I have done the following:

- added (via the PDM) an inside host/network of 192.168.10.0 255.255.255.0

- added (via the PDM) an Access Rule allowing port 3389 to make it through to the client at 192.168.10.10

- changed (via the PDM) the inside interface to a subnet of 255.255.0.0 (was 255.255.255.0)

- added (via telnet) route inside 192.168.10.0 255.255.255.0 192.168.1.1 1.

Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1. (I didn't start to try to limit access for this client to the server at 192.168.1.10, as I still haven't accomplished my first goal.) The current PIX config is detailed below.

I cannot RDP to this client, nor can I ping this client from any other computer on the 192.168.1.xxx subnet. I must have configured something wrong, just not sure what it is. Thanks for your help.

void# wr t

Building configuration...

: Saved

:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password [omitted] encrypted

passwd [omitted] encrypted

hostname void

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 192.168.1.11 Server2010

access-list outside-in permit tcp any interface outside eq 3389

access-list outside-in permit tcp any interface outside eq 5900

access-list outside-in permit tcp any interface outside eq smtp

access-list outside-in permit tcp any interface outside eq www

access-list outside-in permit tcp any interface outside eq https

access-list outside-in permit tcp any interface outside eq pop3

access-list outside-in permit tcp any interface outside eq ftp

access-list outside-in permit icmp any any echo

access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.240

access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.240

access-list splittunnel permit ip 192.168.1.0 255.255.255.0 any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.162 255.255.255.0

ip address inside 192.168.1.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 192.168.1.50-192.168.1.60

pdm location 192.168.1.100 255.255.255.255 inside

pdm location 192.168.1.200 255.255.255.255 inside

pdm location 192.168.0.0 255.255.0.0 inside

pdm location 192.168.1.111 255.255.255.255 inside

pdm location 192.168.1.10 255.255.255.255 inside

pdm location 192.168.10.0 255.255.255.0 inside

pdm location 192.168.10.10 255.255.255.255 inside

pdm location 192.168.1.0 255.255.255.0 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 5900 192.168.1.200 5900 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 3389 192.168.10.10 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0

access-group outside-in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.2.253 1

route outside xxx.xxx.0.0 255.255.0.0 66.166.39.221 1

route inside 192.168.10.0 255.255.255.0 192.168.1.1 1

route outside xxx.xxx.104.0 255.255.254.0 66.166.39.221 1

route outside xxx.xxx.176.0 255.255.248.0 66.166.39.221 1

route outside xxx.xxx.246.0 255.255.255.0 66.166.39.221 1

route outside xxx.xxx.161.0 255.255.255.0 66.166.39.221 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup vpngroup idle-time 1800

vpngroup aravpn address-pool vpnpool

vpngroup aravpn dns-server 192.168.1.10 206.141.192.60

vpngroup aravpn wins-server 192.168.1.10

vpngroup aravpn default-domain mydomain.local

vpngroup aravpn split-tunnel splittunnel

vpngroup aravpn idle-time 1800

vpngroup aravpn password ********

telnet 192.168.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.101-192.168.1.109 inside

dhcpd dns 192.168.1.10 64.105.189.26

dhcpd wins 192.168.1.10

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain mydomain.local

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:

: end

[OK]

void#

Off the top, I don't believe the 501 supports vlans -- I do believe vlan support was added on the pix line with 6.3, so your IOS is ok -- but I don't believe you can actually do vlans on the 501??

It's been a while since I have played with a 501, but I don't think it can do what you want.. I don't believe you can even route with it like that with a 501.

I would think an easier solution with the hardware you have on hand would be to just put this new client on the same network as everything else -- you stated you wanted it to be able to access everything on the network except the server at .10 -- so on the .10 firewall just prevent this client.

On the pix just set up a rule to allow the RDP access to this client.

1st don't use the pdm, you can mess up your config pretty good with that.

2nd you will have to create vlans (please do not use the pdm for this), I am not sure that the 501 is capable, but this is what is needed.

interface ethernet2 auto

nameif ethernet2 secure_vlan security100

ip address secure_vlan 192.168.10.1

---------------------

With this security level on the ethernet2 port being at the same security level as ethernet1 this should deny access between the two.

Your gateway is going to be 192.168.10.1 for the pc, not 192.168.1.1

You mentioned the subnets you have applied to the PIX, but what about the client?

If you changed the ip to "Finally, I changed the IP on this client to 192.168.10.10, but left the gateway as 192.168.1.1" but the subnet is 255.255.255.0 then it probably cannot see the PIX at 192.168.1.1

It is usually something I forget to overlook; change the subnet to 255.255.0.0 and it will spring to life.

This could cause you problems with preventing it from performing the other things you want to do.

I would say best thing to do would be to set a secondary ip on the internal interface (if you can) to give you a gateway of something like 192.168.10.1

But I really don't know much about a cisco PIX and am probably completely going down the wrong path with this advice

**Edit** ohh look beaten by sc302 while posting :D lol, said my advice was probably wrong :D

Thanks for the replies. Looks like I need to track down whether the 501 supports vlans.

One other thing: I mis-stated one fact in my summary above (although if the 501 doesn't support vlans, it probably won't matter). The outside port on the PIX does not connect directly to the internet, it connects to another internal router over which I have no control. The PIX has an outside IP of 192.168.2.162. No machines on the 192.168.1.xxx network (or 192.168.10.xxx) need to access any resources on the 192.168.2.xxx network. When data leaves the outbound port on the PIX, it is destined for the internet. Don't know if that changes anyone's thoughts.

Well, you are going to have to see the 2.x network. They can limit you if they want on their end. Being that you are double natting (192.168.2.x----->192.168.1.x & 10.x) I highly doubt that you are going to be able to give rdp access from the internet to your pc's, unless they have it configured that their equipment passes all port traffic to you and the 2.x network is nothing but a pass through.

That changes things quite a bit from doable, to impossible.

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

  On 22/04/2010 at 16:24, gurs said:

According to this site, the 501 does not support any logical interfaces. So I'm down to one option now.

If I put the new client back on the 192.168.1.xxx domain (with an IP of 192.168.1.11 and a subnet mask of 255.255.255.0), what do I need to do in order to allow that client access to only the outside port, but nothing on the inside network?

Nothing. Your config should be set that no one from the outside will access the inside, but the inside will access the outside.

If you edited your config with a console cable or through telnet just put a no in front of the lines I put here to remove them.

example

no ip address secure_vlan 192.168.10.1 255.255.255.0

You can't with your current hardware.. For starters you're connected to some dumb switch are you not? It has no support for ACLs - so the only way of preventing access would be with firewalls on the other machines on the same segment to prevent the access.. Or a firewall on the pc in question preventing access to everything but the pix.. I thought you said you wanted to allow access to everything other than some server on .10?

Also if you're behind a double nat like you say, with no access to that 1st router -- unless they have put your PIX's wan IP into a dmz or something where all traffic is forwarded to it.. which I doubt - then it would be impossible for you to set up RDP to anything behind the double nat.

You would have to use something like teamviewer or something where an outside source is the go between for the connection.. Where the pc makes an outbound connection, etc.
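The addressing cases discussed in this thread, worked through as an added example (not code from any poster): for each client IP and mask tried above, it shows whether traffic to the server at 192.168.1.10 goes directly over the switch, is handed to the PIX at 192.168.1.1, or has no usable next hop. The function name and the 203.0.113.5 "internet" address are assumptions chosen for illustration.

```python
import ipaddress

PIX_INSIDE = "192.168.1.1"   # gateway configured on the client (from the thread)
SERVER = "192.168.1.10"      # server the client should be kept away from
INTERNET = "203.0.113.5"     # constructed documentation address, stands in for any internet host

def next_hop(src_ip, src_mask, gateway, dst_ip):
    """Return how a host with this IP config delivers a packet to dst_ip.

    'direct'      : dst is on-link, so the host ARPs for it and the frame
                    crosses only the switch; the firewall never sees it.
    'gateway'     : dst is off-link and the gateway is on-link, so the
                    packet is handed to the gateway (the PIX inside interface).
    'unreachable' : dst and gateway are both off-link; no usable next hop.
    """
    net = ipaddress.ip_interface(f"{src_ip}/{src_mask}").network
    if ipaddress.ip_address(dst_ip) in net:
        return "direct"
    if ipaddress.ip_address(gateway) in net:
        return "gateway"
    return "unreachable"

# Client configurations tried or proposed in the thread.
CLIENTS = [
    ("192.168.10.10", "255.255.255.0"),  # original attempt
    ("192.168.10.10", "255.255.0.0"),    # suggested mask change
    ("192.168.1.11", "255.255.255.0"),   # client moved back to 192.168.1.x
]

def report():
    """Map each client config to its delivery path for the three destinations."""
    out = {}
    for ip, mask in CLIENTS:
        out[(ip, mask)] = {
            name: next_hop(ip, mask, PIX_INSIDE, dst)
            for name, dst in (("pix", PIX_INSIDE), ("server", SERVER), ("internet", INTERNET))
        }
    return out

if __name__ == "__main__":
    for cfg, paths in report().items():
        print(cfg, paths)
```

Every configuration that can reach the PIX at all reaches the server with "direct", which is why no rule on the PIX can block that traffic while both hosts share the unmanaged switch.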
