Solved

access list

Posted on 2006-11-15
269 Views
Last Modified: 2013-11-21
Hi,
I am asking to open port 3389 on my PIX 525 to enable remote desktop connections from outside my network, and I got these two answers:

static (inside,outside) 172.16.110.2  62.68.65.43
access-list inbound permit tcp any host 62.68.65.43 eq 3389
access-list inbound permit udp any host 62.68.65.43 eq 3389
access-group inbound in interface outside

static (inside,outside) 172.16.110.2 62.68.65.43
access-list outbound permit tcp host 62.68.65.43 any eq 3389
access-list outbound permit udp host 62.68.65.43 any eq 3389
access-group outbound out interface outside

Which commands can I use,
and what is the difference between them?

Thanks
Question by:nasemabdullaa
2 Comments
 
LVL 10

Accepted Solution

by:
Sorenson earned 250 total points
ID: 17947846
The first:
static (inside,outside) 172.16.110.2  62.68.65.43   netmask 255.255.255.255
access-list inbound permit tcp any host 62.68.65.43 eq 3389
access-list inbound permit udp any host 62.68.65.43 eq 3389
access-group inbound in interface outside

allows any host on the outside to RDP (remote desktop) to the outside address of 62.68.65.43 and it will translate to the inside host of 172.16.110.2

The second:
static (inside,outside) 172.16.110.2 62.68.65.43
access-list outbound permit tcp host 62.68.65.43 any eq 3389
access-list outbound permit udp host 62.68.65.43 any eq 3389
access-group outbound out interface outside

is incorrect and not needed.  It would be useful if you want to allow RDP out from 172.16.110.2, but even then it is incorrect.  The access-list should be:
access-list outbound permit tcp host 172.16.110.2 any eq 3389
to allow 172.16.110.2 to RDP to something on the internet.

The return traffic for outside attempts to reach RDP on the inside server is handled statefully and therefore does not need an outbound ACL to allow it.


RDP does not require UDP 3389, only TCP 3389, so the UDP line can be removed from the config.


 
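An added example, not from the thread or from Cisco: a small Python evaluator for the access-list lines quoted in the question. It shows that an RDP connection arriving from the internet matches the "inbound" list applied on the outside interface but nothing in the "outbound" list (whose entries describe the server connecting out), and it flags entries that expose 3389 to any source, which is the first thing to tighten to a known admin address. It assumes only the any/host address forms and the "eq PORT" clause used on this page; 203.0.113.5 is a constructed client address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    acl: str
    proto: str
    src: str             # "any" or a single host address
    dst: str
    dport: "int | None"  # None when no 'eq PORT' clause

def parse_ace(line):
    """Parse 'access-list NAME permit PROTO SRC DST [eq PORT]' (host/any forms only)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError(f"unsupported line: {line}")
    i = 4
    def addr():
        nonlocal i
        form = tok[i]
        if form not in ("any", "host"):
            raise ValueError(f"unsupported address form: {form}")
        i += 2 if form == "host" else 1
        return tok[i - 1] if form == "host" else "any"
    src, dst = addr(), addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(tok[1], tok[3], src, dst, dport)

def first_match(acl, proto, src, dst, dport):
    """First-match evaluation of a flow against the list; None means implicit deny."""
    for ace in acl:
        if (ace.proto == proto and ace.src in ("any", src)
                and ace.dst in ("any", dst) and ace.dport in (None, dport)):
            return ace
    return None

def wide_open(acl, port=3389):
    """Audit helper: entries that expose PORT to any source address."""
    return [a for a in acl if a.src == "any" and a.dport == port]

# The two lists from the question (constructed copies of the lines above).
INBOUND = [parse_ace(l) for l in (
    "access-list inbound permit tcp any host 62.68.65.43 eq 3389",
    "access-list inbound permit udp any host 62.68.65.43 eq 3389")]
OUTBOUND = [parse_ace(l) for l in (
    "access-list outbound permit tcp host 62.68.65.43 any eq 3389",
    "access-list outbound permit udp host 62.68.65.43 any eq 3389")]

# An RDP SYN arriving on the outside interface (constructed client 203.0.113.5 -> global address).
RDP_IN = ("tcp", "203.0.113.5", "62.68.65.43", 3389)
```

Packets on the outside interface are evaluated against the global (translated) address, which is why the inbound list must name 62.68.65.43 as the destination while the static statement maps it to 172.16.110.2.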

Author Comment

by:nasemabdullaa
ID: 17947907
Hi,
thanks
