Solved

Enable port 3389 to outside

Posted on 2006-07-13
Last Modified: 2013-11-21
Can someone please give me the PIX commands to enable port 3389 (RDP) for connections from inside our network to a particular external IP address.
Question by:OmaBatlak
7 Comments
LVL 2

Expert Comment

by:Zolghadri
ID: 17106331
access-list inbound permit tcp any any eq 3389
access-group inbound in interface inside

good luck
LVL 32

Expert Comment

by:rsivanandan
ID: 17106581
Do you have any access-lists on the inside? By default there is none and all the traffic from your inside network will go through the PIX and reach the Internet. So you should be able to, unless there is an access-list.

Now if there is an access-list which is blocking, post the configuration (sanitize the public IP and password part), the reason being we don't want to shut down everything else, and once we see it, we'll be able to append to whatever you already have.

Cheers,
Rajesh
LVL 3

Expert Comment

by:Newsboy
ID: 17110198
I use Remote Desktop from behind a PIX all the time and rsivanandan is correct, there are no default ACLs that deny it. If you do a show run and just copy the access-list and access-group part we should be able to help. Now if there's a firewall/router on the other side you'll need to create a static route at that location to the machine you're wanting to remote into.
Author Comment

by:OmaBatlak
ID: 17116758
First of all, I doubt that there are any routers/firewalls on the other side as I can RDP into their network from my home network. This makes me believe that there is a firewall setting inside our PIX that prevents RDP from inside our network to that private IP. There is one more possibility: our data carrier may have their router/firewall set to block RDP traffic from inside our network, but I doubt it.

Anyway, here is our PIX config:

PIX Version 7.0(1)
*
*
*
*

access-list deny-flow-max 512
access-list inside_outbound_nat0_acl extended permit ip object-group internal-subnet object-group vpn-clients
access-list inside_outbound_nat0_acl extended permit ip host ****** host outside-rtr
access-list inside_outbound_nat0_acl extended permit ip object-group internal-subnet object-group ms-adsl-network
access-list inside_outbound_nat0_acl extended permit ip ******* 255.255.255.0 object-group ms-adsl-network
access-list inside_outbound_nat0_acl extended permit ip object-group ********* DMZ-subnet 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip host ********* host outside-rtr
access-list outside_inbound_nat0_acl extended permit ip object-group ms-adsl-network object-group internal-subnet
access-list outside_inbound_nat0_acl extended permit ip object-group ms-adsl-network corporate 255.255.255.0
access-list outside_cryptomap_dyn_40 remark Allow remote access for vpn clients to corp
access-list outside_cryptomap_dyn_40 extended permit ip object-group internal-subnet object-group vpn-clients
access-list outside_cryptomap_dyn_40 remark Allow remote access for vpn clients to corp
access-list outside_access_in extended deny tcp any object-group blockedports any
access-list outside_access_in extended permit icmp host outside-rtr 203.44.*.* 255.255.255.0 echo-reply log
access-list outside_access_in extended permit udp host outside-rtr host 203.44.*.* eq tftp
access-list outside_access_in extended permit udp object-group ms-adsl-router host 203.44.*.* eq tftp
access-list outside_access_in extended permit udp host outside-rtr host ***** eq syslog
access-list outside_access_in extended permit tcp host outside-rtr host ****** object-group tacacs
access-list outside_access_in extended permit tcp host outside-rtr host 10.1.*.* object-group tacacs
access-list outside_access_in extended permit icmp host outside-rtr host 10.1.*.*
access-list outside_access_in extended permit udp host outside-rtr host **** object-group tacacs
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp object-group ms-adsl-router host fps-outside eq tacacs log errors
access-list outside_access_in extended permit tcp object-group ms-adsl-router host 203.49.*.* eq tacacs log errors
access-list outside_access_in extended permit tcp object-group ms-adsl-network object-group *****
access-list outside_access_in extended permit udp object-group ms-adsl-network object-group *****
access-list outside_access_in extended permit icmp object-group ms-adsl-network object-group *****
access-list outside_access_in extended permit icmp object-group vpn-clients corporate 255.255.255.0
access-list outside_access_in extended permit tcp object-group vpn-clients object-group internal-subnet
access-list outside_access_in extended permit udp object-group vpn-clients object-group internal-subnet
access-list outside_access_in extended permit icmp object-group vpn-clients object-group internal-subnet echo
access-list outside_access_in extended permit tcp object-group ddsn-web host 203.44.*.* object-group ddsn-webports log
access-list outside_access_in extended permit tcp any host 203.49.*.* eq https
access-list outside_access_in extended permit tcp object-group ipfx-support host 203.49.*.* object-group vnc
access-list outside_access_in extended permit tcp object-group messagelabs-group host 203.49.*.* eq smtp
access-list outside_access_in extended permit tcp ***** 255.255.255.0 interface outside eq https
access-list outside_access_in extended permit tcp host ****** interface outside eq https
access-list outside_access_in extended permit esp host IM_VPN_RTR_USA host IM_VPN_RTR log
access-list outside_access_in extended permit gre host IM_VPN_RTR_USA host IM_VPN_RTR log
access-list outside_access_in extended permit tcp ***** 255.255.255.0 host 203.49.130.101 eq 3389 log errors
access-list outside_access_in extended permit tcp ****** 255.255.255.0 203.49.130.104 255.255.255.252 eq telnet log errors
access-list outside_access_in extended permit tcp ****** 255.255.255.0 203.49.130.104 255.255.255.252 eq ssh log errors
access-list outside_access_in extended permit tcp ******* 255.255.255.0 host 203.49.*.* eq 3389 log errors
access-list outside_access_in extended permit tcp host IM_VPN_RTR_USA 203.49.*.* 255.255.255.252 eq ssh log errors
access-list outside_access_in extended permit tcp any host 203.49.*.* eq ftp
access-list outside_access_in extended permit tcp any host 203.49.*.* eq ftp-data
access-list outside_cryptomap_58 extended permit ip object-group ****** ms-kth-net 255.255.255.0
access-list outside_cryptomap_58_1 extended permit ip object-group ***** ms-kth-net 255.255.255.0
access-list outside_cryptomap_75 extended permit ip corporate 255.255.255.0 rmaus-hba-data 255.255.255.0
access-list DMZ_inbound_nat0_acl extended permit ip host ******* object-group internal-subnet
access-list outside_cryptomap_54 extended permit ip corporate 255.255.255.0 ******* 255.255.255.0
access-list outside_mpc_in extended permit tcp object-group messagelabs-group host 203.49.130.100 eq smtp
access-list inside_access_in extended deny tcp object-group internal-subnet any object-group blockedports
access-list inside_access_in extended permit ip host ***** object-group ms-adsl-router
access-list inside_access_in extended permit ip host 10.1.*.* object-group ms-adsl-router
access-list inside_access_in extended permit ip object-group internal-subnet object-group ms-adsl-network
access-list inside_access_in extended permit ip host 10.1.*.* host outside-rtr
access-list inside_access_in extended permit ip corporate 255.255.255.0 object-group ms-adsl-network
access-list inside_access_in extended permit tcp object-group internal-subnet object-group vpn-clients
access-list inside_access_in extended permit udp object-group internal-subnet object-group vpn-clients
access-list inside_access_in extended permit ip corporate 255.255.255.0 object-group ms-adsl-router
access-list inside_access_in extended permit tcp object-group sirva-co-network-group DMZ-subnet 255.255.255.0 object-group csg-tcp
access-list inside_access_in extended permit udp object-group sirva-co-network-group DMZ-subnet 255.255.255.0 eq 139
access-list inside_access_in extended permit tcp object-group internal-subnet any object-group internet-ports
access-list inside_access_in extended permit udp object-group internal-subnet any object-group internet-udp
access-list inside_access_in extended permit icmp object-group internal-subnet any
access-list inside_access_in extended permit ip host cmcquie host outside-rtr
access-list inside_access_in extended permit tcp host 10.1.*.* object-group messagelabs-group eq smtp
access-list 21 standard permit corporate 255.255.255.0
access-list 21 standard permit voice-vlan 255.255.255.0
access-list 21 standard permit co-server-vlan 255.255.255.0
access-list 21 standard permit extranet-co 255.255.255.0
access-list 21 standard permit 10.1.136.0 255.255.255.0
access-list 21 standard permit ******* 255.255.255.0
access-list 21 standard permit ******* 255.255.255.0
access-list 21 standard permit ms-bne-network 255.255.255.0
access-list outside_cryptomap_62 extended permit ip corporate 255.255.255.0 rm-fys-network 255.255.255.0
access-list 10 remark Corp
access-list 10 standard permit corporate 255.255.255.0
access-list 10 remark ********
access-list 10 standard permit ******* 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit ***** 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit rm-bruns-network 255.255.255.0
access-list 10 remark ******
access-list 10 standard permit ******** 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit rm-cbt-network 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit ****** 255.255.255.0
access-list 10 remark *******
access-list 10 standard permit rm-firewall-dmz1 255.255.255.0
access-list 10 standard permit co-server-vlan 255.255.255.0
access-list 12 extended permit ip host 1.1.1.1 10.0.11.0 255.255.255.0
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 corporate 255.255.255.0
access-list 16 extended permit tcp any any object-group internet-ports
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 rm-cbt-network 255.255.255.0
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 ******* 255.255.255.0
access-list 16 extended permit ip 10.0.11.0 255.255.255.0 rm-firewall-dmz1 255.255.255.0
access-list 20 extended permit ip 10.0.11.0 255.255.255.0 object-group data3-deviceaccess
access-list 22 extended permit ip object-group data3-deviceaccess any
access-list 22 extended permit ip corporate 255.255.255.0 any
access-list 22 extended permit tcp co-server-vlan 255.255.255.0 any
access-list TEST extended permit tcp any any eq 3389
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging buffered warnings
logging trap informational
logging asdm informational
logging queue 10
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu IM_VPN 1500
mtu intf4 1500
ip verify reverse-path interface outside
ip audit name outside-information info action alarm drop
ip audit name outside-attack attack action alarm drop
ip audit interface outside outside-information
ip audit interface outside outside-attack
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2150 disable
ip local pool vpn-win 10.0.11.65-10.0.11.254
failover
failover lan unit primary
failover polltime unit 5 holdtime 15
failover replication http
failover mac address Ethernet0 0011.926a.3917 0009.b75f.882b
failover mac address Ethernet1 0011.926a.3918 0009.b75f.882c
failover mac address Ethernet2 000d.88ee.b508 00e0.b606.badb
failover link stateful-fo Ethernet5.50
failover interface ip stateful-fo 10.0.254.1 255.255.255.0 standby 10.0.254.2
monitor-interface outside
monitor-interface inside
monitor-interface DMZ
monitor-interface IM_VPN
monitor-interface intf4
icmp permit 10.0.11.0 255.255.255.0 echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any traceroute inside
icmp permit CO-Corp-VLAN 255.255.255.0 inside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 203.44.193.105
global (DMZ) 10 interface
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 10.1.176.* 255.255.255.255
nat (inside) 10 0.0.0.0 0.0.0.0 dns tcp 1000 5000
nat (DMZ) 0 access-list DMZ_inbound_nat0_acl outside
nat (IM_VPN) 0 0.0.0.0 0.0.0.0
static (inside,outside) fps-outside ******* netmask 255.255.255.255
static (inside,outside) 203.44.193.106 ******* netmask 255.255.255.255
static (inside,outside) 203.44.193.109 ******* netmask 255.255.255.255
static (inside,DMZ) ******  netmask 255.255.255.255
static (inside,DMZ) ******  netmask 255.255.255.255
static (DMZ,outside) 203.49.130.98 ******* netmask 255.255.255.255
static (inside,outside) 203.49.130.99 ****** netmask 255.255.255.255
static (inside,outside) 203.49.130.100 10.1.*.* netmask 255.255.255.255
static (inside,outside) 203.49.130.101 10.1.*.* netmask 255.255.255.255
static (IM_VPN,outside) 203.49.130.104 ****** netmask 255.255.255.252
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
LVL 32

Accepted Solution

by:
rsivanandan earned 375 total points
ID: 17117154
Do this:

access-list inside_access_in extended permit tcp any host <Particularipaddresswhereyouwanttordp> eq 3389

Then try:

Cheers,
Rajesh
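Added example (not from the thread or any of its posters): a minimal first-match evaluator for PIX-style extended ACL lines. It shows why, once inside_access_in is bound to the inside interface, outbound RDP falls to the implicit deny unless an entry matches, and how the accepted fix (written as tcp, since the PIX rejects a port operator on protocol ip) changes the verdict. The object-group contents and the 203.0.113.10 target are constructed, and NAT/static processing is ignored.

```python
import ipaddress

# Constructed object-groups (the thread redacts the real ones); assumption: 3389 is
# not in internet-ports, which is what would make RDP fall to the implicit deny.
GROUPS = {
    "internal-subnet": ["10.1.0.0/16"],
    "internet-ports": [80, 443, 25, 53],
}
# Constructed subset of the thread's inside_access_in, plus the accepted fix as tcp.
INSIDE_ACL = [
    "access-list inside_access_in extended permit tcp object-group internal-subnet any object-group internet-ports",
    "access-list inside_access_in extended permit icmp object-group internal-subnet any",
]
FIX = "access-list inside_access_in extended permit tcp any host 203.0.113.10 eq 3389"

def _net(tok, rest):
    """Parse one address term: any | host A | object-group G | A MASK."""
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], rest
    if tok == "host":
        return [ipaddress.ip_network(rest[0] + "/32")], rest[1:]
    if tok == "object-group":
        return [ipaddress.ip_network(n) for n in GROUPS[rest[0]]], rest[1:]
    return [ipaddress.ip_network(tok + "/" + rest[0])], rest[1:]

def parse_ace(line):
    """Return (action, proto, src_nets, dst_nets, ports); reject ip+port as the PIX does."""
    toks = line.split()[2:]          # drop "access-list <name>"
    if toks[0] == "extended":
        toks = toks[1:]
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, toks = _net(toks[0], toks[1:])
    dst, toks = _net(toks[0], toks[1:])
    ports = None
    if toks:
        if proto not in ("tcp", "udp"):
            raise ValueError("port operator only valid for tcp/udp: " + line)
        ports = [int(toks[1])] if toks[0] == "eq" else GROUPS[toks[1]]
    return action, proto, src, dst, ports

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """First match wins; an ACL bound to an interface ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, p, src, dst, ports = parse_ace(line)
        if p not in ("ip", proto) or (ports is not None and dport not in ports):
            continue
        if any(s in n for n in src) and any(d in n for n in dst):
            return action
    return "deny (implicit)"
```

Run evaluate() against the posted inside_access_in with the real object-group contents to see which entry, if any, the RDP flow hits; the same check shows that stevepo's outside_access_in entry never sees an inside-originated connection.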

Author Comment

by:OmaBatlak
ID: 17118914

You mean

access-list inside_access_in extended permit tcp any host <Particularipaddresswhereyouwanttordp> eq 3389

?

I did that, but no luck yet. Any other suggestions?
LVL 6

Expert Comment

by:stevepo
ID: 17141697
Try

access-list outside_access_in extended permit tcp any host <particularip> eq 3389