Solved

Route RDC port 3389 to Terminal Server through Cisco PIX 501

Posted on 2006-06-21
9
1,017 Views
Last Modified: 2013-11-16
I didn't get any response in the networking forum, thought I would try to post here as well.

Having difficulties routing Remote Desktop connections to internal Terminal Server through a Cisco PIX 501. Can anyone tell me where I went wrong? Our Terminal Server is 192.168.1.55. This all runs extremely well using our Linksys router (but it's way easier to configure porting). Here is the config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 69.69.69.69 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.55 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 69.69.69.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:dd94xxxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
0
Comment
Question by:jefferybush
  • 5
  • 2
9 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 100 total points
Comment Utility
do this
no access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
access-list outside_access_in permit tcp any host interface outside eq 3389
access-group outside_access_in in interface outside
when that acl is evaluated, the dest ip is still the outside IP, it hasn't been translated yet
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 50 total points
Comment Utility
>access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
You can't reference the private IP address in the acl, you need to address the public IP that you have mapped with a static..
Cyclops3590 almost had it, but don't use "host" in the acl:

no access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
access-list outside_access_in permit tcp any interface outside eq 3389

Be sure to re-apply it to the interface
0
 
LVL 25

Expert Comment

by:Cyclops3590
Comment Utility
oops, thanks for spotting that, copy-and-paste got me again :)

you'll definitely need to reapply the acl to the interface.  reason is that when you run the no command to get rid of that one ace (which is the only one in the acl), it essentially deletes the entire acl and autodeletes the application of that acl to the interface.  After you can't apply an acl to an interface that doesn't exist.  
0
 
LVL 1

Author Comment

by:jefferybush
Comment Utility
I appologize for the slow delay, I just got back from vaca. Thanks for the input,lrmoore and cyclops. I will adjust the firewall accordingly and try the configuration this weekend, then let you know how it went.

Jeff
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 1

Author Comment

by:jefferybush
Comment Utility
Thanks for the information, I applied the changes but still cannot access our internal Terminal Server from outside the network. Here is what the security settings look like now. I see traffic hit the external interface but not our Terminal Server which can only mean that it's not getting over the firewall. Anything in quotes I have deliberatly changed for security purposes. First thing on my list for classes is Cisco firewall administration....Really! What am I missing here?

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password "xxxxxxxxxxxxxxxxxxx" encrypted
passwd "xxxxxxxxxxxxxxxxxxxxx" encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any interface outside eq 3389
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside "66.66.66.66" 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.55 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 "66.66.66.66" 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
: end
[OK]

0
 
LVL 1

Author Comment

by:jefferybush
Comment Utility
Disregard last statement! You guys were on the money. I connected (from a domain controller inside our network) to a terminal server on another domain/network to test, then tried to remote desktop back over from it to our terminal server here.

That all seemed well and fine in principal...The operation was a success but the patient died. I got to my home network and was able to connect to our internal Terminal Server from both my regular desktop and through the other company's term server session.

My subscription to Experts Exchange was money well spent. Your team has provided me with a number of solutions that have made the job of an intermediate network admin alot easier.

My thanks to lmoore, and cylops. If it let's me do it, I'll award 100 to cyclops for the answer and 50 to lmoore for the assist.

Thanks again EE.

Jeff

0
 
LVL 1

Author Comment

by:jefferybush
Comment Utility
ADMIN- Please assist. Unable to split points myself it seems, lmoore needs 50 points from the 150. Thanks!
0
 
LVL 1

Author Comment

by:jefferybush
Comment Utility
Done. Thanks, LRMoore
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now