PIX 515E

Posted on 2006-05-11
Last Modified: 2009-02-24
I have a Pix 515e setup at my company.  I need to be able to RDP to a server behind the Pix by the address from my home.  The internal address of the server is  I have pasted my config below.  If anyone has any suggestions on how to do this, it would be greatly appreciated.

User Access Verification

Type help or '?' for a list of available commands.
cph-pix> enable
Password: ******
cph-pix# show run
: Saved
PIX Version 6.3(3)
interface ethernet0 16baset
interface ethernet1 16baset
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security160
nameif ethernet2 intf2 security16
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password Yn8Esq3NcXIHL35v encrypted
passwd XLcDKg3X8eBKlimL encrypted
hostname cph-pix
fixup protocol dns maximum-length 1536
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit tcp any host eq 5800
access-list acl_out permit tcp any host eq 5900
access-list acl_out permit tcp any host eq 16319
access-list acl_out permit tcp any host eq 9002
access-list acl_out permit tcp any host eq domain
access-list acl_out permit udp any host eq domain
access-list acl_out permit tcp any host eq 3389
access-list acl_out permit udp any host eq 3389
access-list acl_out permit udp host any eq 3389
access-list acl_out permit tcp host any eq 3389
access-list outside_cryptomap_160 permit ip 2
access-list inside_outbound_nat0_acl permit ip 172.172.0.
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside
ip address inside
ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group acl_out in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:16:00 udp 0:02:00 rpc 0:16:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host timeout 20 protocol TCP version 4
filter url http allow
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 160 ipsec-isakmp
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set peer
crypto map outside_map 160 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key address netmask no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 16 authentication pre-share
isakmp policy 16 encryption aes
isakmp policy 16 hash sha
isakmp policy 16 group 2
isakmp policy 16 lifetime 86400
telnet inside
telnet inside
telnet inside
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by: JaybirdJets
    LVL 1

    Accepted Solution

    You only need to add another access list to allow the outside interface to receive your specific traffic for your server.
    Translation is already configured with this line:
    static (inside,outside) netmask 0 0

    So you will have to add something like this:

    access-list acl_out permit tcp any host eq RDP

    I put RDP because I did not know this specific port application, so you must know if it is tcp/udp and the required port. (If this application uses more than 1 port you must also add another access-list for each one.)

    If you have a valid and static IP address for the source you can restrict it more by doing it like this:
    access-list acl_out permit tcp host x.y.z.w host eq RDP

    LVL 1

    Assisted Solution

    Not to rain on how you connect, but you would probably be better off (security-wise) to VPN into the PIX (using the Cisco VPN client) and THEN do Remote Desktop to the server. Opening port 3389 to the internet I would consider a possible security problem. An idea to consider.
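    A small audit script for the two points made above (restrict the source of the 3389 rule to one host, or do not expose it at all and use the VPN). This is an added example, not code from the thread; it parses PIX 6.x `access-list` lines in the shape of the posted config, flags remote-admin ports permitted from `any`, and rewrites such a rule to the `host x.y.z.w` form. The regex shape and the sample addresses (203.0.113.x, 198.51.100.x) are assumptions of the example.

```python
import re

# Remote-admin ports to flag when open to "any": 3389 is the RDP port the thread
# is about; 5800/5900 are also permitted from any source in the posted config.
REMOTE_ADMIN_PORTS = {"3389": "RDP", "5800": "VNC-HTTP", "5900": "VNC"}

# PIX 6.x extended ACE shape parsed here (an assumption of this example):
#   access-list NAME permit|deny tcp|udp|ip SRC DST [eq PORT]
#   with SRC and DST each one of: any | host A.B.C.D | A.B.C.D MASK
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|ip)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")

def audit_aces(config_text):
    """Return (kind, acl, ace, note) tuples for risky permit ACEs; other lines are ignored."""
    findings = []
    for raw in config_text.splitlines():
        m = ACE_RE.match(raw)
        if not m or m.group("action") != "permit":
            continue
        ace, acl, proto, port = raw.strip(), m.group("name"), m.group("proto"), m.group("port")
        service = REMOTE_ADMIN_PORTS.get(port or "")
        if service and m.group("src") == "any":
            findings.append(("open_to_any", acl, ace,
                f"{service} on {proto}/{port} reachable from any source: restrict the "
                "source to a known host, or reach the server over the VPN instead"))
        if proto == "udp" and port == "3389":
            findings.append(("udp_rdp", acl, ace,
                "RDP sessions run over TCP 3389; a UDP 3389 rule does not help them connect"))
    return findings

def restrict_source(ace, src_host):
    """Rewrite an any-source ACE to one source host (the answer's 'host x.y.z.w' form)."""
    m = ACE_RE.match(ace)
    if not m or m.group("src") != "any":
        raise ValueError("not an any-source ACE: " + ace)
    start, end = m.span("src")
    return ace[:start] + "host " + src_host + ace[end:]

# Constructed sample in the shape of the posted config; 203.0.113.x and
# 198.51.100.x are documentation addresses standing in for the real ones.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 203.0.113.10 eq smtp
access-list acl_out permit tcp any host 203.0.113.10 eq 5900
access-list acl_out permit tcp any host 203.0.113.11 eq 3389
access-list acl_out permit udp any host 203.0.113.11 eq 3389
access-list acl_out permit tcp host 198.51.100.7 host 203.0.113.11 eq 3389
"""
```

Run `audit_aces(SAMPLE_CONFIG)` to list the three any-source rules plus the UDP note; the last sample line, already restricted to one source host, produces no finding.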

    Author Comment

    Thanks.  So I am not going crazy then.  I have added the needed access list already --- access-list acl_out permit tcp any host eq 3389 and access-list acl_out permit udp any host eq 3389 and still wasn't able to connect.  Maybe RDP does use another port that I didn't know of, or my static IP isn't configured correctly.  Either way I definitely agree with you both about security issues with opening port 3389 to the whole world.  Both of your expert advice has confirmed a suspicion I had, that connecting this way is not secure and should be avoided if possible.  I will keep using the VPN client software as suggested.

    Thanks graciously.
    LVL 5

    Expert Comment

    static (inside,outside) tcp 3389 3389 netmask 0 0
    access-list acl_inbound permit tcp any host eq 3389
    access-group acl_inbound in interface outside

    This will allow RDP to your server.
