[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1030
  • Last Modified:

Route RDC port 3389 to Terminal Server through Cisco PIX 501

I didn't get any response in the networking forum, thought I would try to post here as well.

Having difficulties routing Remote Desktop connections to internal Terminal Server through a Cisco PIX 501. Can anyone tell me where I went wrong? Our Terminal Server is 192.168.1.55. This all runs extremely well using our Linksys router (but it's way easier to configure porting). Here is the config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside 69.69.69.69 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.55 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 69.69.69.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:dd94xxxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]
0
jefferybush
Asked:
jefferybush
  • 5
  • 2
2 Solutions
 
Cyclops3590Commented:
do this
no access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
access-list outside_access_in permit tcp any host interface outside eq 3389
access-group outside_access_in in interface outside
when that acl is evaluated, the dest ip is still the outside IP, it hasn't been translated yet
0
 
lrmooreCommented:
>access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
You can't reference the private IP address in the acl, you need to address the public IP that you have mapped with a static..
Cyclops3590 almost had it, but don't use "host" in the acl:

no access-list outside_access_in permit tcp any host 192.168.1.55 eq 3389
access-list outside_access_in permit tcp any interface outside eq 3389

Be sure to re-apply it to the interface
0
 
Cyclops3590Commented:
oops, thanks for spotting that, copy-and-paste got me again :)

you'll definitely need to reapply the acl to the interface.  reason is that when you run the no command to get rid of that one ace (which is the only one in the acl), it essentially deletes the entire acl and autodeletes the application of that acl to the interface.  After you can't apply an acl to an interface that doesn't exist.  
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
jefferybushAuthor Commented:
I appologize for the slow delay, I just got back from vaca. Thanks for the input,lrmoore and cyclops. I will adjust the firewall accordingly and try the configuration this weekend, then let you know how it went.

Jeff
0
 
jefferybushAuthor Commented:
Thanks for the information, I applied the changes but still cannot access our internal Terminal Server from outside the network. Here is what the security settings look like now. I see traffic hit the external interface but not our Terminal Server which can only mean that it's not getting over the firewall. Anything in quotes I have deliberatly changed for security purposes. First thing on my list for classes is Cisco firewall administration....Really! What am I missing here?

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password "xxxxxxxxxxxxxxxxxxx" encrypted
passwd "xxxxxxxxxxxxxxxxxxxxx" encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any interface outside eq 3389
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside "66.66.66.66" 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.55 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 "66.66.66.66" 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
: end
[OK]

0
 
jefferybushAuthor Commented:
Disregard last statement! You guys were on the money. I connected (from a domain controller inside our network) to a terminal server on another domain/network to test, then tried to remote desktop back over from it to our terminal server here.

That all seemed well and fine in principal...The operation was a success but the patient died. I got to my home network and was able to connect to our internal Terminal Server from both my regular desktop and through the other company's term server session.

My subscription to Experts Exchange was money well spent. Your team has provided me with a number of solutions that have made the job of an intermediate network admin alot easier.

My thanks to lmoore, and cylops. If it let's me do it, I'll award 100 to cyclops for the answer and 50 to lmoore for the assist.

Thanks again EE.

Jeff

0
 
jefferybushAuthor Commented:
ADMIN- Please assist. Unable to split points myself it seems, lmoore needs 50 points from the 150. Thanks!
0
 
jefferybushAuthor Commented:
Done. Thanks, LRMoore
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now