Winner in Firewalls & VPN Hardware Category of Readers' Choice Awards: Cisco PIX
August 29, 2007. Cisco PIX was selected as the winner in the Firewalls & VPN Hardware category of the WindowsNetworking Readers' Choice Awards. Checkpoint VPN-1 UTM and SonicWALL PRO 5060 were first runner-up and second runner-up.
| Rank | Product | Votes |
|------|---------|-------|
| 1st | Cisco PIX | 36% |
| 2nd | Checkpoint VPN-1 UTM | 13% |
| 3rd | SonicWALL PRO 5060 | 11% |
| 4th | Juniper Networks Netscreen | 10% |
| 5th | FortiGate Enterprise Series | 4% |
As networking demands keep growing, some administrators have started configuring Windows hosts with two networks on two NICs, each with its own default gateway. How Windows will behave in that setup is one of those things that can never be predicted.
First of all, Windows is not built to make intelligent routing decisions when this is done for failover or load balancing. It is an operating system developed to improve your experience while you work, not a routing device.
The only time you can have two default gateways on a Windows machine is when both NICs are in the same network; otherwise you might see it working if you are lucky, but it is unpredictable what will happen and when.
So take the advice in Microsoft's own words:
http://support.microsoft.com/kb/159168
http://www.microsoft.com/technet/community/columns/cableguy/cg0903.mspx#E3F
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q262397&ID=KB;EN-US;Q262397
Want more supporting info? Just google for 'Windows and 2 default gateways'!
Leave networking to the networking devices that are made for it, and quit complaining that Windows can't do it.
Attaching a modified NetCPS that works at 1 Gbps network speed, for a friend: NewNetCPS.
It is nice to run RDP on a different port for security purposes. If a firewall scanner finds that port 3389 is allowed, it is pretty obvious that an RDP hole has been punched in the firewall.
So how about port 12345?
Two options:
1. Change the port on Windows itself to a custom port.
Let's assume you want it on port 12345. In this case the PIX configuration is:
static (inside,outside) <Public_IP> <Private_IP> netmask 255.255.255.255
access-list 102 permit tcp any host <Public_IP> eq 12345
access-group 102 in interface outside
http://support.microsoft.com/kb/306759
The link above shows you how to change the listening port in Windows.
2. Change the port on the static NAT statement so that you connect to a non-standard port, but the PIX forwards it to the default RDP port.
static (inside,outside) tcp <Public_IP> 12345 <Private_IP> 3389 netmask 255.255.255.255
access-list 102 permit tcp any host <Public_IP> eq 12345
access-group 102 in interface outside
Then launch the Remote Desktop client and enter the address as <Public_IP>:12345. Kewl…
Now I have a bandwidth test on my blog, and you can use it to check how much you are really getting for the money you pay.
The source is www.auditmypc.com, an awesome site for security-related information. I recommend you bookmark it.
So choose the 'Test Your Bandwidth' link from the top menu and see how it goes. Let me know.
Juniper has confirmed that its offer of free training to Cisco certified professionals to become Juniper-certified is available to Cisco network pros worldwide. The program was originally reported as only available to qualified folks in Asia Pacific, but inquiries by Cisco Subnet to Juniper corporate HQ in Sunnyvale, Calif., in addition to interest from Cisco Subnet readers, led Juniper’s media relations team to confirm the offer as a worldwide deal and to post details of the program on its Web site.
By default, if you want to allow RDP access from the internet to a machine inside the PIX, you need a static defined for NAT and an access-list to allow that traffic.
For example, if we want to do this with the IP assigned to the outside interface, we'd do it this way:
static (inside,outside) tcp interface 3389 <PrivateIP_Internal_Desktop> 3389
access-list <Name> permit tcp any interface outside eq 3389
access-group <Name> in interface outside
Where <Name> is replaced by the ACL you already have; in that ACL you can replace 'any' with 'host x.x.x.x' if you want to allow access only from a specific IP on the internet.
If you want to do the same using an available public IP address that is not assigned to the outside interface, you do it this way:
static (inside,outside) tcp <Public_IP> 3389 <Private_IP> 3389
access-list <Name> permit tcp any host <Public_IP> eq 3389
access-group <Name> in interface outside
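As an added example (not the post's own configuration, and not a Cisco tool), this Python check covers both the custom-port static above and the default-port forms in this post: it parses the static, access-list and access-group lines and verifies that the ACL bound to the outside interface permits the static's global port, then reports what is exposed and from which sources. Documentation addresses stand in for the <Public_IP>/<Private_IP> placeholders.

```python
import re

# Constructed sample config (not from the post): option 2 above, outside port 12345
# translated to RDP's 3389 inside, with documentation addresses replacing the
# <Public_IP>/<Private_IP> placeholders.
SAMPLE_PIX = """
static (inside,outside) tcp 203.0.113.10 12345 192.168.1.20 3389 netmask 255.255.255.255
access-list 102 permit tcp any host 203.0.113.10 eq 12345
access-group 102 in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp (any|host \S+) (host \S+|interface outside) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")

def audit_rdp_forward(config):
    """Check that each tcp static has a bound outside ACL permitting its *global* port,
    and report what is exposed to whom. Returns {"exposed": [...], "findings": [...]}."""
    statics, acls, bound = [], [], set()
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))
    exposed, findings = [], []
    for glob_ip, gport, local_ip, lport in statics:
        # "static ... tcp interface 3389" is matched by "interface outside" in the ACL;
        # a fixed public address is matched by "host <Public_IP>".
        target = "interface outside" if glob_ip == "interface" else f"host {glob_ip}"
        hits = [a for a in acls if a[0] in bound and a[2] == target and a[3] == gport]
        if not hits:
            # Classic mistake with option 2: the ACL says "eq 3389" while the static
            # listens on 12345, so nothing gets through.
            findings.append(f"no bound ACL permits tcp/{gport} to {target}")
            continue
        for name, src, _, _ in hits:
            exposed.append((f"{glob_ip}:{gport}", f"{local_ip}:{lport}", src))
            if src == "any":
                # Moving the port does not hide RDP from a scanner; restricting the
                # source with "host x.x.x.x" is what actually limits exposure.
                findings.append(f"ACL {name}: {local_ip}:{lport} reachable from any source")
    return {"exposed": exposed, "findings": findings}

if __name__ == "__main__":
    for key, val in audit_rdp_forward(SAMPLE_PIX).items():
        print(key, val)
```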
There have been so many questions about how to configure split tunneling on the PIX, so right to the point:
Internal network: 10.0.4.0/24
VPN pool: 10.1.4.0/24
Config goes here:
access-list nonat permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list split permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup <GroupName> split-tunnel split
These lines go into the respective NAT and vpngroup configuration sections. The question is: why two access-lists, 'nonat' and 'split'? The 'nonat' list exempts traffic between the internal network and the VPN pool from translation on the PIX, while the 'split' list is pushed to the client to tell it which networks go through the tunnel, so each serves a different purpose even though both match the same addresses.
Cisco recommends it that way, and otherwise you may run into problems at times.
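As an added example (not from the post or from Cisco), this Python check keeps the two lists honest: it parses the nonat and split access-lists, rejects a mask that is not a valid netmask, and reports any split entry with no matching nonat entry or a VPN pool that overlaps the internal network. The vpngroup name "remote-users" is a placeholder.

```python
import ipaddress
import re

# Constructed sample using the networks from the post (internal 10.0.4.0/24,
# VPN pool 10.1.4.0/24); the vpngroup name "remote-users" is a placeholder.
SAMPLE_PIX = """
access-list nonat permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list split permit ip 10.0.4.0 255.255.255.0 10.1.4.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup remote-users split-tunnel split
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_ip_acls(config):
    """Map ACL name -> [(source_net, dest_net)]. ip_network() rejects a mask that is
    not contiguous (e.g. 255.255.0.255), so a mistyped mask fails here, not on the PIX."""
    acls = {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            src = ipaddress.ip_network(f"{s_ip}/{s_mask}")
            dst = ipaddress.ip_network(f"{d_ip}/{d_mask}")
            acls.setdefault(name, []).append((src, dst))
    return acls

def check_split_tunnel(config):
    """Return a list of findings; an empty list means nonat and split agree."""
    acls = parse_ip_acls(config)
    findings = []
    nonat = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    split = re.search(r"^vpngroup \S+ split-tunnel (\S+)", config, re.M)
    if not nonat or not split:
        return ["missing 'nat (inside) 0' or 'vpngroup ... split-tunnel' line"]
    nonat_entries = acls.get(nonat.group(1), [])
    for src, dst in acls.get(split.group(1), []):
        # The split list is pushed to the client and decides what enters the tunnel;
        # the nonat list exempts that same traffic from NAT on the PIX. A network
        # present in one list but not the other breaks reachability for that network.
        if (src, dst) not in nonat_entries:
            findings.append(f"split entry {src} -> {dst} has no matching nonat entry")
        # A pool that overlaps the internal network makes the client's routing ambiguous.
        if src.overlaps(dst):
            findings.append(f"VPN pool {dst} overlaps internal network {src}")
    return findings
```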