

PIX 515E

Posted on 2006-05-11
Medium Priority
Last Modified: 2009-02-24
I have a PIX 515E set up at my company. I need to be able to RDP to a server behind the PIX by the address from my home. The internal address of the server is  I have pasted my config below. If anyone has any suggestions on how, it would be greatly appreciated.

User Access Verification

Type help or '?' for a list of available commands.
cph-pix> enable
Password: ******
cph-pix# show run
: Saved
PIX Version 6.3(3)
interface ethernet0 16baset
interface ethernet1 16baset
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security160
nameif ethernet2 intf2 security16
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password Yn8Esq3NcXIHL35v encrypted
passwd XLcDKg3X8eBKlimL encrypted
hostname cph-pix
fixup protocol dns maximum-length 1536
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit tcp any host eq 5800
access-list acl_out permit tcp any host eq 5900
access-list acl_out permit tcp any host eq 16319
access-list acl_out permit tcp any host eq 9002
access-list acl_out permit tcp any host eq domain
access-list acl_out permit udp any host eq domain
access-list acl_out permit tcp any host eq 3389
access-list acl_out permit udp any host eq 3389
access-list acl_out permit udp host any eq 3389
access-list acl_out permit tcp host any eq 3389
access-list outside_cryptomap_160 permit ip 2
access-list inside_outbound_nat0_acl permit ip 172.172.0.
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside
ip address inside
ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group acl_out in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:16:00 udp 0:02:00 rpc 0:16:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host timeout 20 protocol TCP version 4
filter url http allow
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 160 ipsec-isakmp
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set peer
crypto map outside_map 160 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key address netmask no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 16 authentication pre-share
isakmp policy 16 encryption aes
isakmp policy 16 hash sha
isakmp policy 16 group 2
isakmp policy 16 lifetime 86400
telnet inside
telnet inside
telnet inside
telnet inside
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:JaybirdJets

Accepted Solution

redgun earned 1200 total points
ID: 16661478
You only need to add another access list to allow the outside interface to receive your specific traffic for your server.
Translation is already configured with this line:
static (inside,outside) netmask 0 0

So you will have to add something like this:

access-list acl_out permit tcp any host eq RDP

I put RDP because I did not know this specific port application, so you must know if it is TCP/UDP and the required port. (If this application uses more than one port you must also add another access list for each one.)

If you have a valid and static IP address for the source you can restrict it more by doing it like this:
access-list acl_out permit tcp host x.y.z.w host eq RDP


Assisted Solution

n8ptt earned 800 total points
ID: 16661725
Not to rain on how you connect, but you would probably be better off (security-wise) to VPN into the PIX (using the Cisco VPN client) and THEN do Remote Desktop to the server. Opening port 3389 to the internet I would consider a possible security problem. An idea to consider.

Author Comment

ID: 16661914
Thanks. So I am not going crazy then. I have added the needed access lists already --- access-list acl_out permit tcp any host eq 3389 and access-list acl_out permit udp any host eq 3389 --- and still wasn't able to connect. Maybe RDP does use another port that I didn't know of, or my static IP isn't configured correctly. Either way I definitely agree with you both about the security issues with opening port 3389 to the whole world. Both of your expert opinions have confirmed a suspicion I had: that connecting this way is not secure and should be avoided if possible. I will keep using the VPN client software as suggested.

Thanks graciously.

Expert Comment

ID: 16662260
static (inside,outside) tcp 3389 3389 netmask 0 0
access-list acl_inbound permit tcp any host eq 3389
access-group acl_inbound in interface outside

This will allow RDP to your server.
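An added audit script (not from this thread or from Cisco) that applies redgun's source-restriction point and n8ptt's exposure warning to a config in the PIX 6.3 syntax shown above: it parses access-list and access-group lines, flags remote-access ports permitted from any source on an ACL bound inbound to outside, and also notices the default SNMP community. The sample config (documentation-range addresses) and the port list are constructed assumptions, not the poster's values.

```python
# Constructed sample in PIX 6.3 syntax; addresses are documentation ranges, not the poster's.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 203.0.113.10 eq smtp
access-list acl_out permit tcp any host 203.0.113.10 eq 3389
access-list acl_out permit tcp host 198.51.100.7 host 203.0.113.11 eq 3389
access-list acl_out permit tcp any host 203.0.113.10 eq 5900
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-group acl_out in interface outside
snmp-server community public
"""
# Remote-access services that should not be reachable from "any" on the outside (assumed list).
REMOTE_ACCESS_PORTS = {"3389": "RDP", "5800": "VNC-HTTP", "5900": "VNC", "22": "SSH", "23": "Telnet"}

def _take_addr(tokens):
    # Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (both two tokens).
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) > 1:
        return " ".join(tokens[:2]), tokens[2:]
    return None, tokens

def parse_acl(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict, or None if malformed."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        return None
    src, rest = _take_addr(t[4:])
    dst, rest = _take_addr(rest)
    if src is None or dst is None:
        return None
    port = rest[1] if len(rest) > 1 and rest[0] == "eq" else None
    return {"name": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def audit(config):
    """Return (severity, message) findings; only ACLs applied 'in interface outside' count as exposed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    outside_acls = {t[1] for t in map(str.split, lines)
                    if len(t) >= 5 and t[0] == "access-group" and t[2:5] == ["in", "interface", "outside"]}
    findings = []
    for line in lines:
        if line.startswith("snmp-server community") and line.split()[-1] in ("public", "private"):
            findings.append(("high", "default SNMP community string; change it and restrict polling hosts"))
        e = parse_acl(line)
        if not e or e["action"] != "permit" or e["name"] not in outside_acls or e["port"] not in REMOTE_ACCESS_PORTS:
            continue
        svc = f'{REMOTE_ACCESS_PORTS[e["port"]]} ({e["proto"]}/{e["port"]}) to {e["dst"]}'
        if e["src"] == "any":
            findings.append(("high", f'{e["name"]}: {svc} open to any source; limit to a host or reach it over the VPN'))
        else:
            findings.append(("info", f'{e["name"]}: {svc} limited to {e["src"]}'))
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the two any-source entries and the SNMP community reported as high, with the host-restricted RDP entry reported as info only.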
