Solved

Enable port 3389 to outside

Posted on 2006-07-13
7
388 Views
Last Modified: 2013-11-21
Can someone please give me the PIX commands to enable port 3389 (RDP) for connections from inside our network to a particular external IP address.
0
Question by:OmaBatlak
7 Comments
 
LVL 2

Expert Comment

by:Zolghadri
ID: 17106331
access-list inbound permit tcp any any eq 3389
access-group inbound in interface inside

good luck
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17106581
Do you have any access-lists on the inside? By default there is none, and all the traffic from your inside network will go through the PIX and reach the Internet. So you should be able to, unless there is an access-list.

Now if there is an access-list which is blocking, post the configuration (sanitize the public IP and password parts); the reason being we don't want to shut down everything else, and once we see it, we'll be able to append to whatever you already have.

Cheers,
Rajesh
0
 
LVL 3

Expert Comment

by:Newsboy
ID: 17110198
I use Remote Desktop from behind a PIX all the time and rsivanandan is correct, there are no default ACLs that deny it. If you do a show run and just copy the access-list and access-group part we should be able to help. Now if there's a firewall/router on the other side you'll need to create a static route at that location to the machine you're wanting to remote into.
0

Author Comment

by:OmaBatlak
ID: 17116758
First of all, I doubt that there are any routers/firewalls on the other side as I can RDP into their network from my home network. This makes me believe that there is a firewall setting inside our PIX that prevents RDP from inside our network to that private IP. There is one more possibility: our data carrier may have their router/firewall set to block RDP traffic from inside our network, but I doubt it.

Anyway, here is our PIX config:

PIX Version 7.0(1)
*
*
*
*

access-list deny-flow-max 512
access-list inside_outbound_nat0_acl extended permit ip object-group internal-subnet object-group vpn-clients
access-list inside_outbound_nat0_acl extended permit ip host ****** host outside-rtr
access-list inside_outbound_nat0_acl extended permit ip object-group internal-subnet object-group ms-adsl-network
access-list inside_outbound_nat0_acl extended permit ip ******* 255.255.255.0 object-group ms-adsl-network
access-list inside_outbound_nat0_acl extended permit ip object-group ********* DMZ-subnet 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip host ********* host outside-rtr
access-list outside_inbound_nat0_acl extended permit ip object-group ms-adsl-network object-group internal-subnet
access-list outside_inbound_nat0_acl extended permit ip object-group ms-adsl-network corporate 255.255.255.0
access-list outside_cryptomap_dyn_40 remark Allow remote access for vpn clients to corp
access-list outside_cryptomap_dyn_40 extended permit ip object-group internal-subnet object-group vpn-clients
access-list outside_cryptomap_dyn_40 remark Allow remote access for vpn clients to corp
access-list outside_access_in extended deny tcp any object-group blockedports any
access-list outside_access_in extended permit icmp host outside-rtr 203.44.*.* 255.255.255.0 echo-reply log
access-list outside_access_in extended permit udp host outside-rtr host 203.44.*.* eq tftp
access-list outside_access_in extended permit udp object-group ms-adsl-router host 203.44.*.* eq tftp
access-list outside_access_in extended permit udp host outside-rtr host ***** eq syslog
access-list outside_access_in extended permit tcp host outside-rtr host ******object-group tacacs
access-list outside_access_in extended permit tcp host outside-rtr host 10.1.*.* object-group tacacs
access-list outside_access_in extended permit icmp host outside-rtr host 10.1.*.*
access-list outside_access_in extended permit udp host outside-rtr host **** object-group tacacs
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp object-group ms-adsl-router host fps-outside eq tacacs log errors
access-list outside_access_in extended permit tcp object-group ms-adsl-router host 203.49.*.* eq tacacs log errors
access-list outside_access_in extended permit tcp object-group ms-adsl-network object-group *****
access-list outside_access_in extended permit udp object-group ms-adsl-network object-group *****
access-list outside_access_in extended permit icmp object-group ms-adsl-network object-group *****
access-list outside_access_in extended permit icmp object-group vpn-clients corporate 255.255.255.0
access-list outside_access_in extended permit tcp object-group vpn-clients object-group internal-subnet
access-list outside_access_in extended permit udp object-group vpn-clients object-group internal-subnet
access-list outside_access_in extended permit icmp object-group vpn-clients object-group internal-subnet echo
access-list outside_access_in extended permit tcp object-group ddsn-web host 203.44.*.* object-group ddsn-webports log
access-list outside_access_in extended permit tcp any host 203.49.*.* eq https
access-list outside_access_in extended permit tcp object-group ipfx-support host 203.49.*.* object-group vnc
access-list outside_access_in extended permit tcp object-group messagelabs-group host 203.49.*.* eq smtp
access-list outside_access_in extended permit tcp ***** 255.255.255.0 interface outside eq https
access-list outside_access_in extended permit tcp host ****** interface outside eq https
access-list outside_access_in extended permit esp host IM_VPN_RTR_USA host IM_VPN_RTR log
access-list outside_access_in extended permit gre host IM_VPN_RTR_USA host IM_VPN_RTR log
access-list outside_access_in extended permit tcp ***** 255.255.255.0 host 203.49.130.101 eq 3389 log errors
access-list outside_access_in extended permit tcp ****** 255.255.255.0 203.49.130.104 255.255.255.252 eq telnet log errors
access-list outside_access_in extended permit tcp ****** 255.255.255.0 203.49.130.104 255.255.255.252 eq ssh log errors
access-list outside_access_in extended permit tcp ******* 255.255.255.0 host 203.49.*.* eq 3389 log errors
access-list outside_access_in extended permit tcp host IM_VPN_RTR_USA 203.49.*.* 255.255.255.252 eq ssh log errors
access-list outside_access_in extended permit tcp any host 203.49.*.* eq ftp
access-list outside_access_in extended permit tcp any host 203.49.*.* eq ftp-data
access-list outside_cryptomap_58 extended permit ip object-group ****** ms-kth-net 255.255.255.0
access-list outside_cryptomap_58_1 extended permit ip object-group ***** ms-kth-net 255.255.255.0
access-list outside_cryptomap_75 extended permit ip corporate 255.255.255.0 rmaus-hba-data 255.255.255.0
access-list DMZ_inbound_nat0_acl extended permit ip host ******* object-group internal-subnet
access-list outside_cryptomap_54 extended permit ip corporate 255.255.255.0 ******* 255.255.255.0
access-list outside_mpc_in extended permit tcp object-group messagelabs-group host 203.49.130.100 eq smtp
access-list inside_access_in extended deny tcp object-group internal-subnet any object-group blockedports
access-list inside_access_in extended permit ip host ***** object-group ms-adsl-router
access-list inside_access_in extended permit ip host 10.1.*.* object-group ms-adsl-router
access-list inside_access_in extended permit ip object-group internal-subnet object-group ms-adsl-network
access-list inside_access_in extended permit ip host 10.1.*.* host outside-rtr
access-list inside_access_in extended permit ip corporate 255.255.255.0 object-group ms-adsl-network
access-list inside_access_in extended permit tcp object-group internal-subnet object-group vpn-clients
access-list inside_access_in extended permit udp object-group internal-subnet object-group vpn-clients
access-list inside_access_in extended permit ip corporate 255.255.255.0 object-group ms-adsl-router
access-list inside_access_in extended permit tcp object-group sirva-co-network-group DMZ-subnet 255.255.255.0 object-group csg-tcp
access-list inside_access_in extended permit udp object-group sirva-co-network-group DMZ-subnet 255.255.255.0 eq 139
access-list inside_access_in extended permit tcp object-group internal-subnet any object-group internet-ports
access-list inside_access_in extended permit udp object-group internal-subnet any object-group internet-udp
access-list inside_access_in extended permit icmp object-group internal-subnet any
access-list inside_access_in extended permit ip host cmcquie host outside-rtr
access-list inside_access_in extended permit tcp host 10.1.*.* object-group messagelabs-group eq smtp
access-list 21 standard permit corporate 255.255.255.0
access-list 21 standard permit voice-vlan 255.255.255.0
access-list 21 standard permit co-server-vlan 255.255.255.0
access-list 21 standard permit extranet-co 255.255.255.0
access-list 21 standard permit 10.1.136.0 255.255.255.0
access-list 21 standard permit ******* 255.255.255.0
access-list 21 standard permit ******* 255.255.255.0
access-list 21 standard permit ms-bne-network 255.255.255.0
access-list outside_cryptomap_62 extended permit ip corporate 255.255.255.0 rm-fys-network 255.255.255.0
access-list 10 remark Corp
access-list 10 standard permit corporate 255.255.255.0
access-list 10 remark ********
access-list 10 standard permit ******* 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit ***** 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit rm-bruns-network 255.255.255.0
access-list 10 remark ******
access-list 10 standard permit ******** 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit rm-cbt-network 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit ****** 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit rm-firewall-dmz1 255.255.255.0
access-list 10 standard permit co-server-vlan 255.255.255.0
access-list 12 extended permit ip host 1.1.1.1 10.0.11.0 255.255.255.0
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 corporate 255.255.255.0
access-list 16 extended permit tcp any any object-group internet-ports
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 rm-cbt-network 255.255.255.0
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 ******* 255.255.255.0
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 rm-firewall-dmz1 255.255.255.0
access-list 20 extended permit ip 10.0.11.0 255.255.255.0 object-group data3-deviceaccess
access-list 22 extended permit ip object-group data3-deviceaccess any
access-list 22 extended permit ip corporate 255.255.255.0 any
access-list 22 extended permit tcp co-server-vlan 255.255.255.0 any
access-list TEST extended permit tcp any any eq 3389
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging buffered warnings
logging trap informational
logging asdm informational
logging queue 10
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu IM_VPN 1500
mtu intf4 1500
ip verify reverse-path interface outside
ip audit name outside-information info action alarm drop
ip audit name outside-attack attack action alarm drop
ip audit interface outside outside-information
ip audit interface outside outside-attack
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2150 disable
ip local pool vpn-win 10.0.11.65-10.0.11.254
failover
failover lan unit primary
failover polltime unit 5 holdtime 15
failover replication http
failover mac address Ethernet0 0011.926a.3917 0009.b75f.882b
failover mac address Ethernet1 0011.926a.3918 0009.b75f.882c
failover mac address Ethernet2 000d.88ee.b508 00e0.b606.badb
failover link stateful-fo Ethernet5.50
failover interface ip stateful-fo 10.0.254.1 255.255.255.0 standby 10.0.254.2
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
monitor-interface IM_VPN
monitor-interface intf4
icmp permit 10.0.11.0 255.255.255.0 echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any traceroute inside
icmp permit CO-Corp-VLAN 255.255.255.0 inside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 203.44.193.105
global (DMZ) 10 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 10.1.176.* 255.255.255.255
nat (inside) 10 0.0.0.0 0.0.0.0 dns tcp 1000 5000
nat (DMZ) 0 access-list DMZ_inbound_nat0_acl outside
nat (IM_VPN) 0 0.0.0.0 0.0.0.0
static (inside,outside) fps-outside ******* netmask 255.255.255.255
static (inside,outside) 203.44.193.106 ******* netmask 255.255.255.255
static (inside,outside) 203.44.193.109 ******* netmask 255.255.255.255
static (inside,DMZ) ******  netmask 255.255.255.255
static (inside,DMZ) ******  netmask 255.255.255.255
static (DMZ,outside) 203.49.130.98 ******* netmask 255.255.255.255
static (inside,outside) 203.49.130.99 ****** netmask 255.255.255.255
static (inside,outside) 203.49.130.100 10.1.*.* netmask 255.255.255.255
static (inside,outside) 203.49.130.101 10.1.*.* netmask 255.255.255.255
static (IM_VPN,outside) 203.49.130.104 ****** netmask 255.255.255.252
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 125 total points
ID: 17117154
Do this:

access-list inside_access_in permit ip any <Particularipaddresswhereyouwanttordp> eq 3389

Then try.

Cheers,
Rajesh
0
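Whether the new line helps depends on where it lands in inside_access_in. A PIX 7.x ACL is evaluated top to bottom and stops at the first match, a new `access-list` entry is appended to the end unless `line N` is given, and anything that matches no entry hits the implicit deny after the last one. The posted inside_access_in opens with `deny tcp ... object-group blockedports`, so if that group already holds 3389, a permit appended later is never reached. The following is an added example, not code from the thread or from Cisco: a small Python first-match evaluator run over a constructed subset of the posted inside_access_in. The object-group contents (internal-subnet, blockedports, internet-ports), the client 10.1.5.20 and the remote host 203.0.113.10 are assumptions, since the page does not show them, and the permit is written with `tcp` and `host` because a port qualifier only applies to tcp or udp, not to `ip`.

```python
# Added example, not code from the thread. A first-match evaluator for PIX/ASA
# style extended ACLs, showing how the position of a new permit in
# inside_access_in decides the fate of an outbound RDP (tcp/3389) session.
# Object-group contents, the client and the remote host are constructed
# assumptions: the page does not show them.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed object-groups. Two variants of blockedports cover both possibilities.
NETS = {"internal-subnet": ["10.1.0.0/16"]}                       # assumption
GROUPS_3389_NOT_BLOCKED = {"nets": NETS, "ports": {
    "blockedports": {135, 137, 138, 139, 445},
    "internet-ports": {21, 25, 80, 110, 443}}}
GROUPS_3389_BLOCKED = {"nets": NETS, "ports": {
    "blockedports": {135, 137, 138, 139, 445, 3389},
    "internet-ports": {21, 25, 80, 110, 443}}}

# Constructed subset of the posted inside_access_in, kept in the posted order.
BASE_INSIDE_ACL = [
    "access-list inside_access_in extended deny tcp object-group internal-subnet any object-group blockedports",
    "access-list inside_access_in extended permit tcp object-group internal-subnet any object-group internet-ports",
    "access-list inside_access_in extended permit icmp object-group internal-subnet any",
]
# The permit the thread is after; tcp and host because 'eq' only applies to tcp/udp.
RDP_RULE = "access-list inside_access_in extended permit tcp object-group internal-subnet host 203.0.113.10 eq 3389"


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: str              # "any" | "host A" | "A MASK" | "object-group NAME"
    dst: str
    dport: Optional[str]  # None | "eq N" | "object-group NAME"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _take_operand(tokens: list) -> str:
    """Pop one address operand (one token for 'any', otherwise two) off the front."""
    head = tokens.pop(0)
    return head if head == "any" else head + " " + tokens.pop(0)


def parse_ace(line: str):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq N | object-group G] [log ...]'.
    Source-port qualifiers (as in the posted outside_access_in deny) are not handled."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"unsupported ACE syntax: {line}")
    name, action, proto, rest = t[1], t[3], t[4], t[5:]
    src, dst = _take_operand(rest), _take_operand(rest)
    dport = rest[0] + " " + rest[1] if rest and rest[0] in ("eq", "object-group") else None
    return name, Ace(action, proto, src, dst, dport)


def _addr_match(operand: str, addr: str, nets: dict) -> bool:
    ip = ip_address(addr)
    if operand == "any":
        return True
    kind, value = operand.split(" ", 1)
    if kind == "host":
        return ip == ip_address(value)
    if kind == "object-group":
        return any(ip in ip_network(n) for n in nets[value])
    return ip in ip_network(f"{kind}/{value}", strict=False)  # "A.B.C.D M.M.M.M" form


def _port_match(operand: Optional[str], port: int, port_groups: dict) -> bool:
    if operand is None:
        return True
    kind, value = operand.split(" ", 1)
    return port == int(value) if kind == "eq" else port in port_groups[value]


def matches(ace: Ace, pkt: Packet, groups: dict) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_match(ace.src, pkt.src, groups["nets"])
            and _addr_match(ace.dst, pkt.dst, groups["nets"])
            and _port_match(ace.dport, pkt.dport, groups["ports"]))


def evaluate(acl: list, pkt: Packet, groups: dict):
    """First match wins; returns (action, 1-based line). No match is the implicit deny: (deny, None)."""
    for lineno, ace in enumerate(acl, start=1):
        if matches(ace, pkt, groups):
            return ace.action, lineno
    return "deny", None


def add_ace(acl: list, line_text: str, line: Optional[int] = None) -> list:
    """Mimic 'access-list NAME [line N] ...': append unless a 1-based position is given."""
    _, ace = parse_ace(line_text)
    new = list(acl)
    new.insert(len(new) if line is None else line - 1, ace)
    return new


def outcome(groups: dict, add_rule: bool = False, line: Optional[int] = None):
    """Evaluate a constructed inside-to-outside RDP packet against the base ACL,
    optionally with RDP_RULE appended (line=None) or inserted at position `line`."""
    acl = [parse_ace(l)[1] for l in BASE_INSIDE_ACL]
    if add_rule:
        acl = add_ace(acl, RDP_RULE, line)
    rdp = Packet("tcp", "10.1.5.20", "203.0.113.10", 3389)   # constructed client and server
    return evaluate(acl, rdp, groups)


if __name__ == "__main__":
    print("no rule, 3389 not in blockedports :", outcome(GROUPS_3389_NOT_BLOCKED))
    print("appended, 3389 not in blockedports:", outcome(GROUPS_3389_NOT_BLOCKED, add_rule=True))
    print("appended, 3389 in blockedports    :", outcome(GROUPS_3389_BLOCKED, add_rule=True))
    print("line 1, 3389 in blockedports      :", outcome(GROUPS_3389_BLOCKED, add_rule=True, line=1))
```

The four runs show the two outcomes that matter here: with no matching entry the session dies on the implicit deny, and an appended permit works only when the leading `deny ... blockedports` entry does not already cover 3389; otherwise the permit has to be inserted ahead of it with `line 1`. The check on the box before adding anything is `show run object-group` to see what blockedports and internet-ports contain.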
 

Author Comment

by:OmaBatlak
ID: 17118914

You mean

access-list inside_access_in permit ip any host <Particularipaddresswhereyouwanttordp> eq 3389  

?

I did that, but no luck yet. Any other suggestions?
0
 
LVL 6

Expert Comment

by:stevepo
ID: 17141697
Try

access-list outside_access_in permit ip any host <particularip> eq 3389
0
