• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 872
  • Last Modified:

Enabling port 3389 on a Cisco PIX 506E for RDC

I have scanned through experts exchange but I still have not quite found the solution.  

I am trying to enable RDC for a server on our local network.  We are using a PIX 506E v.6.3.

When I logged into the pix I tried the following:
Pix# Enable
Pix# Config t
Pix# access-list outside_access_in permit tcp any interface outside eq 3389
Pix# static (inside,outside) tcp interface 3389 10.0.6.5 3389 netmask 255.255.255.255   <--I recieved the error when I entered this line
Pix# access-group outside_access_in in interface outside

This is the error I recieved:

Pix(config)# static (inside,outside) tcp interface 3389 10.0.6.5 3389 netm$
ERROR: static overlaps with 209.172.84.69 to 10.0.6.5
Usage:  [no] static [(internal_if_name, external_if_name)]
            {<global_ip>|interface} <local_ip> [dns] [netmask <mask>]
            [<max_conns> [<emb_limit> [<norandomseq>]]]
            [no] static [(internal_if_name, external_if_name)] {tcp|udp}
            {<global_ip>|interface} <global_port>
            <local_ip> <local_port> [dns] [netmask <mask>]
            [<max_conns> [<emb_limit> [<norandomseq>]]]
Pix(config)#

So taking that error into account, it seems that the commands I tried to enter above would have overwritten a static route.

What is the best way to enable port 3389 on that already existing route?
0
CBIA
Asked:
CBIA
  • 2
  • 2
1 Solution
 
nprignanoCommented:
you should be able to forward multiple ports to a single IP, you cannot however forward a single port to multiple IPs - so you should be able to do this even though there is port forwarding.  From reading the error, it seems like 3389 is already forwarded to your server for 209.172.84.69.  If this is the case, you have to remove that rule before adding the rule to allow any IP to forward to your server on port 3389.

try using the syntax in this solution, its a little different from what you have:
http://www.experts-exchange.com/Security/Firewalls/Q_21707594.html

but if the route exists already, you have to clear it before you can set up the new one.


nprignano
0
 
calvinetterCommented:
>you should be able to forward multiple ports to a single IP, you cannot however forward a single port to multiple IPs
  Agree with nprignano on that.

Just to clarify: the "static (inside,outside)..." config line isn't a static route entry, it's simply defining a static NAT entry: ie, telling the PIX to always translate the server's internal IP to a specific external IP, so it's accessible from the outside (assuming an ACL is also configured to allow this, such as yours is doing).
   And yes it's obvious you already have an existing static NAT entry to the internal server at 10.0.6.5.   If you need to change the static NAT entry for the server:

A) Assuming the current entry is something like:  static (inside,outside) tcp <IP> 3389 10.0.6.5 3389
  Then to make your change, do the following:
clear xlate
no static (inside,outside) tcp <IP> 3389 10.0.6.5 3389
static (inside,outside) tcp interface 3389 10.0.6.5 3389

B) Otherwise, if your current entry is like this: static (inside,outside) <IP> 10.0.6.5
  Then to make your change, do the following:
clear xlate
no static (inside,outside) <IP> 10.0.6.5
static (inside,outside) tcp interface 3389 10.0.6.5 3389

  Just be aware, if scenario B is your situation, then your server at this point is *only* accessible via port 3389, at least until you were to add another line to your 'outside_access_in' ACL & create another static NAT entry for a *different* port to the same server.

NOTE: 'clear xlate' _must_ be run anytime you want to change your NAT configuration, but it will interrupt any traffic through your PIX (in-progress downloads, etc), so it's best to do this after hours or perhaps during the lunch hour.
  If still having problems, please post your entire "sanitized" config (passwords removed, public IPs masked like so: x.x.x.69) & clarify what you need.

cheers
0
 
CBIAAuthor Commented:
Thanks for the great response.  I am not sure why I meant static route but yes, I was talking about a static NAT entry.

So to clarify my question, the server I am trying to open this RDC port up to is a webserver.  I simply want the ability to access that server.  I would prefer to login to the server by visiting the webservers public IP address.

Here is my santized running configuration.

pix# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ZLph4MsINJxa320n encrypted
passwd ZLph4MsINJxa320n encrypted
hostname pix
domain-name domain.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in permit tcp any host 209.122.12.68 eq www
access-list outside_in permit tcp any host 209.122.12.69 eq www
access-list outside_in permit tcp any host 209.122.12.67 eq www
access-list outside_in permit tcp any host 209.122.12.68 eq smtp
access-list outside_in permit tcp any host 209.122.12.67 eq smtp
access-list outside_in permit tcp any host 209.122.12.69 eq https
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any host 209.122.12.69 eq ftp
access-list outside_in permit tcp any host 209.122.12.68 eq https
access-list outside_in permit tcp any host 209.122.12.70 eq ftp
access-list outside_in permit tcp any host 209.122.12.70 eq https
access-list outside_in permit tcp any host 209.122.12.70 eq www
access-list outside_in permit tcp any any eq 3101
access-list outside_in permit tcp any host 209.122.12.71 eq www
access-list domainGroup_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list acl_outside permit tcp any any eq 3101
pager lines 24
logging on
logging buffered errors
mtu outside 1500
mtu inside 1500
ip address outside 209.122.12.66 255.255.255.192
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool domainPool 192.168.1.1-192.168.1.254
pdm location 192.168.1.3 255.255.255.255 inside
pdm location 192.168.1.4 255.255.255.255 inside
pdm location 192.168.1.5 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 192.168.1.77 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.22 255.255.255.255 inside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 209.122.12.69 192.168.1.5 netmask 255.255.255.255 0 0
static (inside,outside) 209.122.12.68 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 209.122.12.70 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,outside) 209.122.12.67 192.168.1.22 netmask 255.255.255.255 0 0
static (inside,outside) 209.122.12.71 192.168.1.4 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.122.12.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 192.168.1.77
no snmp-server location
snmp-server contact domain
snmp-server community domainpass
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set caset esp-des esp-md5-hmac
crypto dynamic-map camap 30 set transform-set caset
crypto map newmap 20 ipsec-isakmp dynamic camap
crypto map newmap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup domainGroup address-pool domainPool
vpngroup domainGroup dns-server 192.168.1.6 192.168.1.9
vpngroup domainGroup wins-server 192.168.1.6
vpngroup domainGroup default-domain domain.Local
vpngroup domainGroup split-tunnel domainGroup_splitTunnelAcl
vpngroup domainGroup idle-time 1800
vpngroup domainGroup password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:9be2dc9959aee8aa66d3df98d0111265
: end
pix#


So how exactly should I approach this?  Can I simply just add the port forward to the pix just like how www is forwarded?

Again thank you both for your time.
0
 
calvinetterCommented:
Unless you need to change the public IP that points to this webserver, you don't need to change your static NAT entries.  So, all you need to do is add an entry in your ACL, then re-apply the ACL to the interface to ensure changes take effect:
  access-list outside_in permit tcp any host <IP> eq 3389
  access-group outside_in in interface outside

cheers
0
 
CBIAAuthor Commented:
That did the trick.  Thank you very much.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now