Map Specific IP to port 3389

Hello All,

I am trying to allow only 2 IP addresses in via 3389 to our server. Here are the lines I have:

access-list letmein permit udp any host x.x.x.251 eq 3389
access-list letmein permit tcp any host x.x.x.251 eq 3389

and

static (inside,outside) udp interface 3389 serv01 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 serv01 3389 netmask 255.255.255.255 0 0

This works fine for anyone connecting to 3389, but I need to limit it to two IP addresses on the same remote outside net.

I tried using the specific IPs in place of interface, but that didn't seem to work. The command took with no error, but no connection with RDP.

Thanks in advance,
Cepolly
cepollyAsked:

nodiscoCommented:
hi Cepolly

You don't need to change the static translations for this to work. If you want to allow only specific IP addresses in, you change the access-lists above, e.g.:

conf t
no access-list letmein permit udp any host x.x.x.251 eq 3389
no access-list letmein permit tcp any host x.x.x.251 eq 3389
access-list letmein permit udp host y.y.y.y host x.x.x.251 eq 3389
access-list letmein permit tcp host y.y.y.y host x.x.x.251 eq 3389
#Where y.y.y.y is the outside ip address of the client you wish to allow in

#Or in the case of allowing a specific range of ip addresses in :
access-list letmein permit udp y.y.y.y 255.255.255.0 host x.x.x.251 eq 3389
access-list letmein permit tcp y.y.y.y 255.255.255.0 host x.x.x.251 eq 3389
#This will allow ip range y.y.y.0-y.y.y.255 access to RDP

Hope this helps
harbor235Commented:
I agree with nodisco, you just need to manipulate your netmask for the source address, nodisco's entries are good for /24s only.
What size network block are the remote systems on? Also, if you are performing term serv to these devices you do not need udp port 3389; only tcp is needed, see below:

access-list letmein permit tcp y.y.y.y 255.255.255.0 host x.x.x.251 eq 3389       <this is all you need for term serv>

harbor235

Tim HolmanCommented:
Use the NAT commands to set up NAT, and access lists to set up restrictions.
Also, you don't need udp 3389 for RDP, just tcp 3389.

lrmooreCommented:
Let's put this all together....
Given your existing configuration:

>access-list letmein permit udp any host x.x.x.251 eq 3389
>access-list letmein permit tcp any host x.x.x.251 eq 3389
>static (inside,outside) udp interface 3389 serv01 3389 netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 3389 serv01 3389 netmask 255.255.255.255 0 0

And your desire:
>but i need to limit it to to ip addresses on the same remote outside net

Let's call the outside net Y.Y.Y.0/24 for demo purposes.

Tim is correct, you only need TCP, not UDP for RDP.

Let's get rid of your existing access-list
  no access-list letmein

Let's create a new one that does what you want, using keyword "interface" just like the static
 access-list letmein permit tcp Y.Y.Y.0 255.255.255.0 interface outside eq 3389

Now, re-apply the acl to the interface any time there is a change
  access-group letmein in interface outside

Keep your static just the way it is, no change
>static (inside,outside) tcp interface 3389 serv01 3389 netmask 255.255.255.255 0 0

Remove the unnecessary UDP port static
  no static (inside,outside) udp interface 3389 serv01 3389 netmask 255.255.255.255

Then, clear xlates because you made a change to the statics:
  clear xlate

! done !
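As an added illustration (not code from this thread or from Cisco), here is a small Python model of how the PIX walks the entries discussed above: first match wins, anything unmatched falls to the implicit deny at the end, and the value after a source address is a subnet mask (255.255.255.0), not an IOS-style wildcard mask. The addresses are constructed RFC 5737 documentation values standing in for x.x.x.251 and Y.Y.Y.0/24, and the keyword `interface outside` is resolved through an assumed lookup table.

```python
import ipaddress

# Assumed: the outside interface address the thread writes as x.x.x.251.
OUTSIDE_IF = {"outside": ipaddress.ip_address("203.0.113.251")}

def _parse_addr(tok, i):
    """Read one PIX address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "interface":                      # e.g. "interface outside"
        return ipaddress.ip_network(f"{OUTSIDE_IF[tok[i + 1]]}/32"), i + 2
    # "y.y.y.y 255.255.255.0": a real subnet mask; strict=False tolerates host bits set
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto = tok[1], tok[2], tok[3]
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in (parse_ace(l) for l in acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if s in ace["src"] and d in ace["dst"] and ace["port"] in (None, dst_port):
            return ace["action"] == "permit"
    return False

# Constructed samples: the original open entry versus the /24-restricted one.
ORIGINAL_ACL = ["access-list letmein permit tcp any host 203.0.113.251 eq 3389"]
RESTRICTED_ACL = ["access-list letmein permit tcp 198.51.100.0 255.255.255.0 "
                  "interface outside eq 3389"]

if __name__ == "__main__":
    for src in ("192.0.2.7", "198.51.100.20"):
        print(src, "->", evaluate(RESTRICTED_ACL, "tcp", src, "203.0.113.251", 3389))
```

Swapping the mask for 255.255.255.128 in `RESTRICTED_ACL` shows harbor235's point: only the lower half of the /24 would then match.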

cepollyAuthor Commented:
Thanks all for the replies. I'm going to try it out and see what I was doing wrong.

One question lrmoore:

I will be configuring the PIX remotely. When I run 'no access-list letmein' or 'clear xlate', will that bump me out?

lrmooreCommented:
Not if you're using ssh or the web interface, it should not because you are connecting directly to the outside interface irrespective of acls or xlates...
cepollyAuthor Commented:
Sorry guys not sure how to do an assisted answer. If you know please tell me so that I can adjust.

Thanks go to Nodisco and Lrmoore.

Thanks again,
Cepolly

cepollyAuthor Commented:
Sorry guys just found out how to do it.

Moderator can you split the points between lrmoore and nodisco?
cepollyAuthor Commented:
Thanks again.
lrmooreCommented:
No problem. We're here to help!