Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 736
  • Last Modified:

Opening port 3389 on a pix 501

        This sould be a piece of cake question. How do I open port 3389 (or any other for that matter) on a Pix 501 through the Graphical user interface? I basically need to be able to terminal service to a computer with an ip of behind the pix 501 from the internet cloud.
        Will this work:
                    access-list outside_access_in permit tcp any interface outside eq 3389
                    static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask
                    access-group outside_access_in in interface outside

  • 17
  • 13
1 Solution
Your syntax is exactly right. You can cut/paste this into the multipl line command line utility in the GUI, or straight to the command prompt from telnet or console..

                    access-list outside_access_in permit tcp any interface outside eq 3389
                    static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask
                    access-group outside_access_in in interface outside
MichaelSwitzerAuthor Commented:
Can I copy/paste these 3 lines (changing the the last octect of the ip address to the corresponding computer) as many times as needed or do i just need to add solely the line of:

   static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask

Thank you so much for your help,
MichaelSwitzerAuthor Commented:
I believe i am not quite clear how i will "terminal Service" to from out side the pix. Do i just use the IP address of the PIX (, not changing) in Remote Desktop? If so, how then do I connect specifically to the computer?
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

You can only create one static port xlate to the same port, but you can change the port that RDC listens on for other computers and forward those ports, i.e.
   static (inside,outside) tcp interface 3389 3389 netmask
   static (inside,outside) tcp interface 3390 3390 netmask
   static (inside,outside) tcp interface 3391 3391 netmask

How to change the listening port:;en-us;306759

Yes, in your Remote Desktop client, you just put in the IP address of the outside
If you go the route of changing ports, then just add the port number when you connect, ie.  connects to .100  (default port not required to be specified) connects to .101 connects to .102

Just remember that you also need to include an access-list entry for each port:
   access-list outside_access_in permit tcp any interface outside eq 3389
   access-list outside_access_in permit tcp any interface outside eq 3390
   access-list outside_access_in permit tcp any interface outside eq 3391

MichaelSwitzerAuthor Commented:
You are amazing Irmoore.

I am going to go impliment these lines and I 'll give you an up date... (notice i have to "go" somewhere to access the router because i havent figured out how to admin the Pix remotely :(

Or, you could use different ports on the outside (3389, 3390, etc) and map them to different IP addresses (keeping the same port of 3389) so you don't have to change the listening port on your servers.

MichaelSwitzerAuthor Commented:
That's helpful..

Thank you Eric
Interesting twist, Eric. Thanks.
MichaelSwitzerAuthor Commented:
After i get to "pixfirewall#" do i then enter the lines or do i need to go to another subcommand
MichaelSwitzerAuthor Commented:
On the second line of code  (static (inside,outside) tcp interface 3389 3389 netmask             ... i received:

Error: static overlaps with to

* sounds like a bogus dhcp ip
how can i get rid of the what seems to be exhisting listening dhcp
You have to go to config mode:

pixfirewall#config term
pixfirewall(config)#     <=== now you can paste the config
pixfirewall# clear xlate

MichaelSwitzerAuthor Commented:
I am still receiveing the same error... is there more info i need to give you?
Do you already have a static xlate for that?
  Can you post your whole config? Be sure to remove any passwords and real public IP's...
MichaelSwitzerAuthor Commented:
Building configuration...
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
hostname pixfirewall
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name annon. computer1
name annon. computer2

**the next lines block internet to (in the actual sense) 6 computers **not shown**

object-group network NoInternet
  description Live Update is Allowed
  network-object annon. computer1
object-group service TerminalServices tcp
  description Terminal Service Port for Remote Admin
  port-object eq 3389
access-list inside_access_in deny tcp object-group NoInternet any eq www
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip Residence
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location annon computer1 inside
pdm group NoInternet inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
nat (inside) 1 0 0
access-group inside_access_in in interface inside
rip inside default version 2
route inside BHCameras AdTran 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http CountryClub inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
isakmp enable outside
isakmp keepalive 100 10
isakmp nat-traversal 20
telnet CountryClub inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username **not given** privilege 15
terminal width 80
: end

I removed all real names and ip's. (the dhcp that is enabled is true)...

:)    Irmoore: here is my problem and what i need:
       -The Ip address that was assigned to me by my ISP "is" It is static. The gate way they assigned 'is'

       -Strangly enough, the internet only work when DHCP is waiting for an assigned IP address; however, like i said earlier, the returning ip address is bogus. I dont want the ip address to be determined by dhcp but when i "think" i have statically assigned the Pix's ip address to the, i get no internet.

        -as soon as the ip address can be established correctly, our Point of sale tech support is waiting to RDC (hopefully through the PIX).
         I am extremely greatful for all your help. Ask, and i will give you whatever you need.
MichaelSwitzerAuthor Commented:
I have taken 3 semesters of cisco but it did jack for me.   I have, up to this point, been using the GUI for most of my config........  grrrrr.......
If you do have a static IP, then this should be your config (you must have both lines):
   ip address outside 255.255.255.???
   route outside

They take the place of this single line:
  >ip address outside dhcp setroute retry 4

You have no other static xlate's so a "clear xlate" should allow you to put the new statics in...
  just cut/paste this. We'll try just one to start with:

  static (inside,outside) tcp 3389 3389 netmask
  access-list outside_access_in permit tcp any eq 3389


MichaelSwitzerAuthor Commented:
>>ip address outside
     route outside

                 ^------------Severed my internet connection

im doing something incorrectly with the assigning of the static ip. ;.(....
MichaelSwitzerAuthor Commented:
are you familiar with the gui for the pix 501?
>ip address outside
You cannot use a host mask on the interface! You'll have to ask your ISP what your mask is supposed to be.
For now, try it with:
    ip address outside

Yes, I am familiar with the GUI...

MichaelSwitzerAuthor Commented:
i had actually tried that different subnet (Not to mention every other possibility that comes to mind) and the connection is still severing. is there a possibility that some of the information that i am giving you is incorrect? would the ISP have any role in this?  
**i feel like im blindfolded and my hands are tied behind my back***

again, thank you for all your help
If it works using dhcp client, then let it get an IP address, and use "show interface" to see what IP /mask you get...
MichaelSwitzerAuthor Commented:
This is the most puzzling part to me.... even though the internet works, even thought the ipadddress is what i expect (when i go to '') the pix says it ip is, obviously a mistake.
MichaelSwitzerAuthor Commented:
what on earth am i doing incorrectly/??!?

What do you see with "show interface"
 169.254.x.x is APIPA address that WINDOWS XP/2000 machines default to if no dhcp server can be found....
MichaelSwitzerAuthor Commented:
i got something....:)
APIPA addresses are not routeable on the Internet just like Private IP's...
I can't see how the PIX would function with this on the interface, unless the DSL modem is in "gateway" mode instead of bridge mode and IT is giving you an IP addres, and IT has the 12.x.x. ip address on it's WAN side...???
MichaelSwitzerAuthor Commented:
you hit the nail on the head... we have a T3 connection and the transreceiving radio has what i call a psuedo router that i didnot know about. I just thought it bridged the connection. So i called the ISP and he was like " ya... the radio has NAT enabled..." shoot me now..... after that, everything worked very well. all the code you gave me worked like a charm.

Again, thank you a million times for all your help and support

Great news!

Glad to help any time!
MichaelSwitzerAuthor Commented:
one more quickie....

to open port 80, i just need :

access-list outside_access_in permit tcp any interface outside eq 80   ?
You got it, but you need the static to go along with it...
  static (inside,outside) tcp interface http <inside IP> http netmask

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 17
  • 13
Tackle projects and never again get stuck behind a technical roadblock.
Join Now