Solved

configuring Cisco PIX 506 for RDC

Posted on 2004-08-13
Last Modified: 2010-03-18
We recently purchased and installed a Cisco 506e PIX firewall, but I am having problems configuring the firewall to allow RDC for Windows XP users who want to work from home. I have set up rules so many times now I am utterly confused! :)~ moo? If someone could point me to a source that can walk me through setting this bad boy up I would sure appreciate it!
Question by:digitalslavery
7 Comments
LVL 15

Expert Comment

by:adamdrayer
ID: 11800113
First, open up port 3389

Author Comment

by:digitalslavery
ID: 11800403
Right, I think I've done that! On the configuration menu I set up an access rule for the computer on my network I want access to.

The rule is set up to allow any outside connection 0.0.0.0 with a mask of 0.0.0.0 port 3389 to inside IP address 192.168.0.23 mask of 255.255.255.255 port = any.

I also added the Translation Rule for inside 192.168.0.23 to one of the ip addresses our ISP provides.(we have a block of addresses).

Nothing is configured under the VPN tab.

The Hosts/Networks tab has the IP address of the computer I want to connect to, with the Basic Info tab set up for that computer:
IP Address : 192.168.0.23
Mask : 255.255.255.255
Interface : inside

The Routing tab is set up as:
Define Static Route : checked
Gateway IP Address : 192.168.0.1
Metric : 1

The NAT tab is set up as:
Outside : Static
IP Address : 66.236.157.218

But still not working.
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 11802934
Can you post your complete config?
File, Show running config in new window. Cut/paste, then edit out your password hashes and any other private info.

Author Comment

by:digitalslavery
ID: 11803138
This config may have some strange entries since I have been trying to set up access for RDC:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************** encrypted
passwd *************** encrypted
hostname LGMortgagePix
domain-name alff.net
clock timezone MST -7
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.20 Mail
name 192.168.0.253 Web
name 66.236.157.216 DaveValdez
name 192.168.1.0 SanSalvidor
name 192.168.0.0 Corporate
name 192.168.0.23 RDC_jason
name 66.236.157.218 jason
name 66.236.157.212 ExcServer
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host ExcServer eq smtp
access-list outside_access_in permit tcp any host 66.236.157.215 eq www
access-list outside_access_in remark Remote Desktop Connection for Jason Lasby
access-list outside_access_in permit tcp any eq 3389 host jason
access-list inside_outbound_nat0_acl permit ip any 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host RDC_jason 192.168.3.0 255.255.255.0
pager lines 24
logging on
logging console alerts
logging monitor alerts
logging buffered alerts
logging trap informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 66.236.157.210 255.255.255.240
ip address inside 192.168.0.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool CorporateRDC 192.168.0.2-Web
pdm location 192.168.0.200 255.255.255.255 inside
pdm location Mail 255.255.255.255 inside
pdm location Web 255.255.255.255 inside
pdm location 207.114.195.34 255.255.255.255 outside
pdm location SanSalvidor 255.255.255.0 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 66.236.157.0 255.255.255.0 outside
pdm location ExcServer 255.255.255.255 outside
pdm location DaveValdez 255.255.255.255 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.0.1 255.255.255.255 outside
pdm location RDC_jason 255.255.255.255 inside
pdm location jason 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 66.236.157.211
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) ExcServer Mail netmask 255.255.255.255 0 0
static (inside,outside) 66.236.157.215 Web netmask 255.255.255.255 0 0
static (inside,outside) jason RDC_jason netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.236.157.209 1
route outside 192.168.0.1 255.255.255.255 66.236.157.209 1
route inside Mail 255.255.255.255 192.168.0.1 1
route inside RDC_jason 255.255.255.255 192.168.0.1 1
route inside Web 255.255.255.255 192.168.0.1 1
route inside SanSalvidor 255.255.255.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http ExcServer 255.255.255.255 outside
http DaveValdez 255.255.255.255 outside
http Corporate 255.255.255.0 inside
http SanSalvidor 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
snmp-server location Corporate
snmp-server contact Jason Lasby
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 20
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn username dvaldez password *********
vpdn username jlasby password *********
vpdn enable outside
terminal width 80
Cryptochecksum:***********************
: end
LVL 79

Expert Comment

by:lrmoore
ID: 11803146
>access-list outside_access_in permit tcp any eq 3389 host jason
Change that to:
access-list outside_access_in permit tcp any host jason eq 3389
LVL 104

Accepted Solution

by:Sembee
Sembee earned 250 total points
ID: 11809690
If you only have one IP address then only one machine can be configured to use port 3389. Never mind the security risks of having 3389 exposed to the Internet.
If you want more than one user to have access to Remote Desktop at any one time then your best option would be to use a VPN. The users would connect on the VPN, then connect to their own machine using its internal IP address. Secure, and allows multiple users to connect.

Simon.
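As an added check, not code from this thread or from Cisco, the following Python parses PIX 6.3-style access-list lines and flags the two points raised above: a port operator attached to the source address (which matches the client's source port, not the service, as in the original rule), and an RDP permit open to any source, the exposure Sembee warns about. The sample lines are constructed from the posted config; the parser assumes the PIX 6.3 form `access-list NAME permit|deny PROTO SRC [op] DST [op]` with `any`, `host X` or `X MASK` address specs.

```python
# Constructed sample lines modelled on the posted PIX 6.3 config: the
# misplaced-port rule, its corrected form, and two unrelated rules.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any eq 3389 host jason
access-list outside_access_in permit tcp any host jason eq 3389
access-list outside_access_in permit tcp any host ExcServer eq smtp
access-list outside_access_in permit icmp any any
"""

PORT_OPS = ("eq", "lt", "gt", "neq", "range")  # PIX port operators

def _take_addr(tokens):
    """Consume one address spec (any | host X | X MASK); return (spec, rest)."""
    if not tokens:
        return None, tokens
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def _take_port(tokens):
    """Consume an optional port operator; 'range' takes two operands."""
    if tokens and tokens[0] in PORT_OPS:
        n = 3 if tokens[0] == "range" else 2
        return " ".join(tokens[:n]), tokens[n:]
    return None, tokens

def parse_ace(line):
    """Split one access-list entry into its fields; None for remarks/other lines."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    name, action, proto, rest = t[1], t[2], t[3], t[4:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)   # operator right after SRC binds to the source port
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)   # operator after DST is the service port
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def review(config_text):
    """Return (line, finding) pairs for permit entries worth a second look."""
    findings = []
    for line in config_text.splitlines():
        ace = parse_ace(line)
        if not ace or ace["action"] != "permit":
            continue
        if ace["sport"] and not ace["dport"]:
            findings.append((line, "port operator on SOURCE; matches the client port, not the service"))
        if ace["dport"] == "eq 3389" and ace["src"] == "any":
            findings.append((line, "RDP (3389) reachable from any Internet address"))
    return findings
```

Running `review(SAMPLE_CONFIG)` reports the first line as a misplaced port operator and the corrected second line as RDP open to the whole Internet, which is the case for putting it behind the VPN instead.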

Author Comment

by:digitalslavery
ID: 11812361
We have about 5-8 users who need to have access, and since we have a block of addresses I usually set the users up with one of the addresses from the block so they can connect directly to their desktops from home or wherever. When I tried to set up a VPN, all these options that I have never dealt with before were being presented, so I bypassed trying to figure it out for right now. So I am spending the day reading the docs on Cisco's site before posting any more questions.