Enabling Remote Desktop access in PIX 525

Hi,

I wanted to open my PIX 525 so that I can Remote Desktop to any PC in my DMZ. Currently, I have only one available IP and am using PAT to do this job. I thought I had done the right things but kept on failing. Can anyone tell me where I went wrong...

Here is the code I added to my PIX 525:

name 10.88.88.20 IBMConsole
name 10.88.88.21 PCOne

access-list outside_access_in permit tcp any interface outside eq 3300
access-list outside_access_in permit tcp any interface outside eq 3301

static (dmz,outside) tcp interface 3300 IBMConsole 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3301 PCOne 3389 netmask 255.255.255.255 0 0
daisanAsked:

rsivanandanCommented:
Did you try with one host? And are you opening up the RDP session to connect at port 3300?

name 10.88.88.20 IBMConsole
name 10.88.88.21 PCOne

access-list outside_access_in permit tcp any interface outside eq 3300
access-list outside_access_in permit tcp any interface outside eq 3389

static (dmz,outside) tcp interface 3300 IBMConsole 3389

Just in case: http://www.petri.co.il/use_rdp_client_to_connect_to_a_different_port.htm

Cheers,
Rajesh
daisanAuthor Commented:
Rajesh,

I did try with one host and I still could not connect.

Is there any other possible reason the connection could not be established?

rsivanandanCommented:
You do have the access-list assigned to the interface, right?

access-group outside_access_in in interface outside

Try first with default port 3389 and see if that works.

access-list outside_access_in permit tcp any interface outside eq 3300
access-list outside_access_in permit tcp any interface outside eq 3389

static (dmz,outside) tcp interface 3389 IBMConsole 3389

Cheers,
Rajesh

daisanAuthor Commented:
Rajesh,

I tried with a single host and using the default port but still could not connect...

Anything that I may have forgotten to open? The IBMConsole remote desktop service has also been opened.

What do I do next ?

Thanks,
Darlien
rsivanandanCommented:
Okay, let's see it;

1. Have you applied the access-list to the *correct* interface ?

2. Are you able to open up the RDP to IBMConsole from inside the network ?

3. From outside, try this 'telnet <PIXInterfaceIP> 3389', do you get connected ?

Answer them all please.

Cheers,
Rajesh
daisanAuthor Commented:
Rajesh, here is a portion of our firewall configuration,

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

names
name 10.88.88.16 dns-web
name 10.88.88.15 exchange
name 216.136.173.169 Y2
name 128.121.0.0 Blubster
name 66.163.168.117 Y1
name 216.155.193.0 Y3
name 206.190.50.139 Y5
name 216.155.193.164 Y4
name 10.88.88.20 IBMConsole
name 10.88.88.21 PCONE

access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list dmz_access_in permit ip 10.88.88.0 255.255.255.0 10.88.0.0 255.255.0.0
access-list dmz_access_in permit tcp 10.88.88.0 255.255.255.0 any
access-list dmz_access_in permit ip 10.88.88.0 255.255.255.0 any
access-list nonat permit ip 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list nonat permit ip 10.88.0.0 255.255.0.0 10.88.99.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq domain
access-list outside_access_in permit udp any interface outside eq domain
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any any
access-list outside_access_in permit tcp any interface outside eq 3389

ip address outside 219.94.120.150 255.255.255.240
ip address inside 10.88.1.254 255.255.255.0
ip address dmz 10.88.88.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.88.0.0 255.255.0.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 10.88.88.0 255.255.255.0 0 0
static (dmz,outside) tcp interface smtp exchange smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface domain dns-web domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www dns-web www netmask 255.255.255.255 0 0
static (dmz,outside) udp interface domain dns-web domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3389 IBMConsole 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 219.94.120.149 1
route inside 10.88.0.0 255.255.0.0 10.88.1.1 1
route inside 192.168.0.0 255.255.0.0 10.88.1.1 1

telnet 10.88.99.0 255.255.255.0 inside
telnet 10.88.3.12 255.255.255.255 inside
telnet 10.88.3.27 255.255.255.255 inside



I can remote desktop to the IBMConsole from the inside using 10.88.88.20.

But I cannot remote desktop using 219.94.120.150 port 3300 from the outside.

I tried to telnet from outside, but cannot get in.

What do I do next ?

Thanks,
Darlien Apolonius
rsivanandanCommented:
Darlien,

With the configuration above you should be trying to connect with port 3389 and not with 3300. So try to use RDP with the default port (3389) and see if you get connected.

If not, then try to do 'telnet 219.94.120.150 3389', you should get connected.

Cheers,
Rajesh
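As an added example (not code from the thread), a small Python checker that applies the two questions Rajesh keeps asking to the outside-facing lines of the config posted above: is there a static for the outside port, and does the ACL actually applied with access-group permit it. It also flags the `permit tcp any any` entry in that config, which makes every static reachable whether or not a port-specific permit exists. The function names and the config excerpt are my own.

```python
import re

# Constructed excerpt of the outside-facing lines from the config posted above;
# the host names (exchange, dns-web, IBMConsole) are the thread's own.
PIX_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any any
access-list outside_access_in permit tcp any interface outside eq 3389
static (dmz,outside) tcp interface smtp exchange smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www dns-web www netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3389 IBMConsole 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (?:interface outside eq (\S+)|(any))$")
STATIC_RE = re.compile(r"^static \(\w+,outside\) tcp interface (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def parse(config):
    """Collect outside ACL permits, outside static PAT entries and the applied ACL name."""
    acls, statics, applied = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2) or "any")
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = (m.group(2), m.group(3))  # outside port -> (host, inside port)
        elif m := GROUP_RE.match(line):
            applied = m.group(1)
    return acls, statics, applied

def check_port(config, port):
    """Explain whether a TCP port on the outside interface reaches a DMZ host.

    A port needs both a static (translation) and a permit in the ACL that is
    actually applied with access-group; missing either is the usual cause of
    'cannot connect', as with port 3300 earlier in this thread."""
    acls, statics, applied = parse(config)
    if applied is None:
        return {"reachable": False, "reason": "no access-group on outside"}
    if port not in statics:
        return {"reachable": False, "reason": f"no static for port {port}"}
    rules = acls.get(applied, [])
    if port not in rules and "any" not in rules:
        return {"reachable": False, "reason": f"ACL {applied} has no permit for {port}"}
    host, inside_port = statics[port]
    return {"reachable": True, "reason": f"{port} -> {host}:{inside_port}"}

def wide_open_tcp(config):
    """True if the applied outside ACL contains 'permit tcp any any', which
    exposes every static regardless of the port-specific permits."""
    acls, _, applied = parse(config)
    return "any" in acls.get(applied, [])
```

Running `check_port(PIX_CONFIG, "3300")` reports the missing static, `check_port(PIX_CONFIG, "3389")` reports the translation to IBMConsole, and `wide_open_tcp(PIX_CONFIG)` returns True for this config.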
daisanAuthor Commented:
Rajesh,

Can you telnet or remote desktop for me, and tell me if you can manage to get connected.

I have been trying to do the same thing but keep on failing.

Darlien
rsivanandanCommented:
Yes sure,

I just did and I got connected. To make sure, I opened up an RDP session and it goes straight into an XP box.

So it is working. The box is XP right ?

What you do is just open up an RDP client and put in this ip address 219.94.120.150 (no password, no username and no domain). See if you get to the login prompt.

Cheers,
Rajesh

daisanAuthor Commented:
Thanks Rajesh,

This sounds like good news from you. If you can see the XP box, that means the connection is there.

I will configure my firewall so people can remote desktop to 5 PCs in my DMZ. Would you help me to test the connection later?

Thanks,
Darlien
rsivanandanCommented:
Yeah, not a problem, but I'm leaving for my home town today so when I would be responding is not known. I'm on my free time now as I'll be moving to the US this month end.

You're not able to connect ? Still ?

Use the link above to configure the servers to listen on different ports.

Cheers,
Rajesh
daisanAuthor Commented:
Rajesh,

OK. I have opened the connection.

Try remote desktop to :
1. 219.94.120.150 to connect to IBMConsole
2. 219.94.120.150 port 3300 to connect to PCONE
3. 219.94.120.150 port 3311 to connect to PC Two
4. 219.94.120.150 port 3322 to connect to PC Three

Please let me know if you can see the XP box.

Thanks a million... Rajesh.
rsivanandanCommented:
Yes my friend, tried on all the ports and it works :-)

I'm in a train with a low speed wireless internet :-)

Cheers,
Rajesh

daisanAuthor Commented:
Thank you so much Rajesh....

Happy Valentine ... Hope you have a good time today...
rsivanandanCommented:
Thanks for the points.

Cheers,
Rajesh