Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Remote Desktop through PIX 501

Status
Not open for further replies.
DHamaker

DHamaker

Technical User
Joined
Feb 14, 2003
Messages
4
Location
US
I've got one public IP address and am having an issue trying to use port forwarding on a Cisco PIX 501. I've got 4 PC's behind the PIX that want to be able to RDP to their machines from an external network. Can anyone help with the configuration needed to open up those ports?

If not, I'm willing to allow Remote Desktop to one machine and then have RDP within another RDP.

Thanks!
 
Sort by date Sort by votes
Here's my config:

sh config
: Saved
: Written by enable_15 at 10:32:20.703 UTC Thu May 1 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xgc3YXnUEEHvPoU4 encrypted
passwd xgc3YXnUEEHvPoU4 encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.1.1.20 franklin
name 10.1.1.21 john
name 10.1.1.22 frontdesk
name 10.1.1.23 susan
name 10.1.1.24 hobbyserver
access-list 100 permit icmp any any
access-list termsrv permit tcp any host john eq 3389
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 24.172.60.xxx 255.255.255.xxx
ip address inside 10.1.1.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 john 321 netmask 255.255.255.255 2 0
access-group termsrv in interface outside
route outside 0.0.0.0 0.0.0.0 24.172.60.218 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 24.199.xxx.xxx 255.255.xxx.xxx outside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c2ee344840e72cd5a956bcb4ae020337

pixfirewall(config)#

Thanks Again,

Derek
 
Upvote 0 Downvote
HI.

> ip address outside 24.172.60.xxx 255.255.255.xxx
What subnet mask do you have?

> static (inside,outside) tcp interface 3389 john 321
* If you have more registered ip addresses, use them instead of "interface".
* I think that it should be "john 3389" instead of "john 321"

> access-list termsrv permit tcp any host john eq 3389
In the access-list statement, you should specify the external ip address (whether it is "interface" or another registered ip), and not the internal addresss ("john" in the config you have). For example:
access-list termsrv permit tcp any host 24.172.60.xxx eq 3389
Or:
access-list termsrv permit tcp any interface eq 3389

I suggest that you use VPN for 2 reasons:
> You can protect access to your network with additional level of authentication and encryption.
> A single VPN tunnel can be used between remote client and the pix, and then the user can use that tunnel to open RDP connection to each internal host using their private addresses, so you will not need those "static" and "access-list" commands.



Yizhar Hurwitz
 
Upvote 0 Downvote
> ip address outside 24.172.60.xxx 255.255.255.xxx
>What subnet mask do you have?

The subnet mask is 255.255.255.242

> static (inside,outside) tcp interface 3389 john 321
>* If you have more registered ip addresses, use them >instead of "interface".
>* I think that it should be "john 3389" instead of "john >321"

I manually changed my port number to 321 for this PC. The other PC's were changed to different numbers. This was so that if the off-site client tried to RDP to the IP:port#, it would forward the connection to his/her machine.


I will try using interface instead of the hostname in my access-list

I've looked into using a VPN, but I've never set it up before. My users are completely dependent on exact instructions so I figured the RDP connection would be easiest. What is the ease of use for a VPN using the software Cisco has?

Thanks again for the response! I appreciate the help.

Derek Hamaker
 
Upvote 0 Downvote
HI.

> What is the ease of use for a VPN using the software Cisco has?
It is easy to setup for users, once you provide them the software and the needed details.
However, sometimes troubleshooting can be difficult and time consuming.

If the clients are behind another firewall/nat device (including personal firewall software), these can make things more complicated.
The newer pix OS version 6.3x has some new features for VPN behind NAT (NAT Traversal).

Bye


Yizhar Hurwitz
 
Upvote 0 Downvote
> A single VPN tunnel can be used between remote client and the pix, and then the user can use that tunnel to open RDP connection to each internal host using their private addresses, so you will not need those "static" and "access-list" commands.

I agree. I'm running this scenario right now. I have clients loaded with the Cisco VPN Client 3.6.3 Once they initiate the VPN they can then connect to any XP Pro or (If I give them permission) Terminal server using the RDC that comes installed with XP or is downloadable from
to use on Win 95* (I havn't tested it on 95) 98, or 2000. It allows you to connect to the Computer by name or Ip address and has configuration settings to help control the bandwidth it uses. It also features redirected printing (as long as the printer driver of the remote machine is loaded on the host) and some other nice features. The great thing about doing it this way, is you configure the VPN once and don't have to worry about port mapping or additional access lists. Also by using the PIX 501 you should have five available VPN Client Connections & if you upgrade to the 6.3.1 PIX OS then it is supposed to allow ten Client connections.

For how to use RDC see this link.

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

ChrisFairley
  • Locked
  • Question Question
Downloads failing through ASA 5520
Replies
1
Views
328
iggsterman
iggsterman
xwray
  • Locked
  • Question Question
PIX 501 DHCP Server function
Replies
0
Views
257
xwray
xwray
brownmab53
  • Locked
  • Question Question
PIX 525 ASA not allowing DHCP addresses to pass through to router
Replies
0
Views
310
brownmab53
brownmab53
Russtoleum
  • Locked
  • Question Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
375
Russtoleum
Russtoleum
Tommy_T
  • Locked
  • Question Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
960
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top