Solved

access list

Posted on 2006-11-15
Last Modified: 2013-11-21
Hi,
I am asking how to open port 3389 on my PIX 525 to enable Remote Desktop connections from outside my network, and I got these two answers:

static (inside,outside) 172.16.110.2  62.68.65.43
access-list inbound permit tcp any host 62.68.65.43 eq 3389
access-list inbound permit udp any host 62.68.65.43 eq 3389
access-group inbound in interface outside

static (inside,outside) 172.16.110.2 62.68.65.43
access-list outbound permit tcp host 62.68.65.43 any eq 3389
access-list outbound permit udp host 62.68.65.43 any eq 3389
access-group outbound out interface outside

Which commands should I use, and what is the difference between them?

Thanks
Question by: nasemabdullaa

Accepted Solution by: Sorenson
The first:
static (inside,outside) 172.16.110.2  62.68.65.43   netmask 255.255.255.255
access-list inbound permit tcp any host 62.68.65.43 eq 3389
access-list inbound permit udp any host 62.68.65.43 eq 3389
access-group inbound in interface outside

allows any host on the outside to RDP (remote desktop) to the outside address of 62.68.65.43 and it will translate to the inside host of 172.16.110.2

The second:
static (inside,outside) 172.16.110.2 62.68.65.43
access-list outbound permit tcp host 62.68.65.43 any eq 3389
access-list outbound permit udp host 62.68.65.43 any eq 3389
access-group outbound out interface outside

is incorrect and not needed. It would be useful if you wanted to allow RDP out from 172.16.110.2, but even then it is incorrect. The access-list should be:
access-list outbound permit tcp host 172.16.110.2 any eq 3389
to allow 172.16.110.2 to RDP to something on the internet.

The return traffic for outside attempts to reach RDP on the inside server is handled statefully and therefore does not need an outbound ACL to allow it.

RDP does not require UDP 3389, only TCP 3389, so the UDP line can be removed from the config.


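The distinction in the accepted answer is about direction: "access-group ... in interface outside" is consulted for packets entering the PIX from the internet, which is where the first SYN of an inbound RDP session arrives, while "access-group ... out interface outside" is only consulted for packets leaving through the outside interface and never sees that SYN. Below is an added example, not code from the thread, that models this in Python: a toy PIX-6.x-style ACL evaluator that parses the access-list and access-group lines as posted, evaluates only the connection-initiating packet (replies of established connections are handled by the stateful engine and bypass ACLs, as the answer says), and also shows a hardened variant that replaces "any" with a single management source address. The client addresses 203.0.113.5 and 198.51.100.9 are constructed from documentation ranges; the static lines are accepted as posted but not parsed. One caveat worth adding to the posted configs: the PIX static command takes the global (outside) address first and the local address second, so the translation should read "static (inside,outside) 62.68.65.43 172.16.110.2 netmask 255.255.255.255".

```python
# Added example, not from the original thread: a small model of how a PIX
# 6.x-style firewall consults an access-list that access-group has bound to
# an interface, used to show why the first config admits inbound RDP while
# the second never gets a chance to. Only the connection-initiating packet
# is evaluated; replies of established connections bypass ACLs (stateful).
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None = any destination port


def _addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (net, next index)."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    return IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2


class Pix:
    """ACLs plus their bindings. NAT is not modelled beyond the PIX 6.x rule
    that an inbound ACL on 'outside' is written against the global address."""

    def __init__(self) -> None:
        self.acls: Dict[str, List[AclEntry]] = {}
        self.bindings: Dict[Tuple[str, str], str] = {}   # (iface, "in"|"out") -> acl name

    def configure(self, line: str) -> None:
        t = line.split()
        if t[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            self.acls.setdefault(t[1], []).append(AclEntry(t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":
            # access-group NAME in|out interface IFACE
            self.bindings[(t[4], t[2])] = t[1]
        # 'static' lines are accepted as posted but not modelled here

    def admits(self, iface: str, direction: str, proto: str,
               src: str, dst: str, dport: int) -> bool:
        """Would the first packet of a new connection pass this interface/direction?"""
        name = self.bindings.get((iface, direction))
        if name is None:
            # No ACL bound: new connections entering the outside (low-security)
            # interface are denied; everything else passes by default.
            return not (iface == "outside" and direction == "in")
        s, d = ip_address(src), ip_address(dst)
        for e in self.acls.get(name, []):
            if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return e.action == "permit"      # first match wins
        return False                          # implicit deny at end of list


def build(lines: List[str]) -> Pix:
    fw = Pix()
    for line in lines:
        fw.configure(line)
    return fw


def rdp_syn_admitted(config: List[str], client_ip: str, proto: str = "tcp") -> bool:
    """Is a new RDP connection from client_ip to the global address 62.68.65.43
    admitted on the outside interface?"""
    return build(config).admits("outside", "in", proto, client_ip, "62.68.65.43", 3389)


CONFIG_1 = [   # the accepted answer's working config (UDP line dropped, as advised)
    "static (inside,outside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255",
    "access-list inbound permit tcp any host 62.68.65.43 eq 3389",
    "access-group inbound in interface outside",
]
CONFIG_2 = [   # the second config: its ACL only applies to traffic leaving 'outside'
    "static (inside,outside) 172.16.110.2 62.68.65.43",
    "access-list outbound permit tcp host 62.68.65.43 any eq 3389",
    "access-group outbound out interface outside",
]
CONFIG_RESTRICTED = [   # hardened variant (added here): one admin source instead of 'any'
    "static (inside,outside) 172.16.110.2 62.68.65.43 netmask 255.255.255.255",
    "access-list inbound permit tcp host 203.0.113.5 host 62.68.65.43 eq 3389",
    "access-group inbound in interface outside",
]

if __name__ == "__main__":
    for label, cfg in (("config 1", CONFIG_1), ("config 2", CONFIG_2),
                       ("restricted", CONFIG_RESTRICTED)):
        print(label, "admin 203.0.113.5:", rdp_syn_admitted(cfg, "203.0.113.5"),
              "| stranger 198.51.100.9:", rdp_syn_admitted(cfg, "198.51.100.9"))
```

Running it shows config 1 admitting RDP from every address, config 2 admitting nothing inbound (no ACL is bound "in" on outside, so the default deny applies and the outbound list is irrelevant), and the restricted variant admitting only the one management address. Exposing RDP to "any" is the part of the accepted config a practitioner should change before deploying it.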
Author Comment by: nasemabdullaa

Hi, thanks.
