Solved

RDP connection going out through PIX 506E

Posted on 2006-11-17
225 Views
Last Modified: 2013-11-16
Hi,

I have what I hope is a simple problem I can't seem to find much information about. I'm trying to connect through RDP to a customer's public IP address. When I use a connection going through our PIX 506E firewall I can't get anything. When I use a connection not going through a firewall I don't get anything. I've spoken with the customer and they do not see me hitting their firewall when going through my PIX. I thought it might be down to our access-list. I have added an Inbound & Outbound rule. I thought if I allow any any going out and any to one of our public IPs in that would work, but no joy. Could the issue possibly be with the connection coming in and the fact that x.x.x.102, which I'm trying to get it to come in on, is the same as ftp traffic? Thanks in advance for any help!

Regards,
Aaron


PIX Version 6.3(3)
access-list InboundAccess permit tcp any host x.x.x.101 eq smtp
access-list InboundAccess permit tcp any host x.x.x.104 eq www
access-list InboundAccess permit tcp any host x.x.x.104 eq https
access-list InboundAccess permit tcp any host x.x.x.101 eq https
access-list InboundAccess permit tcp any host x.x.x.103 eq www
access-list InboundAccess permit tcp any host x.x.x.102 eq ftp
access-list InboundAccess permit tcp any host x.x.x.103 eq https
access-list InboundAccess permit tcp any host x.x.x.102 eq 3389
access-list InboundAccess permit icmp any any
access-list InboundAccess deny ip any any
access-list OutboundAccess permit ip 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list OutboundAccess permit tcp object-group company-Servers any eq www
access-list OutboundAccess permit tcp object-group company-Servers any eq https
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq 3389
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq www
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq 81
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq ftp
access-list OutboundAccess permit tcp host company01 host companyDMZ01 eq smtp
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 172.30.0.0 255.255.0.0
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 host 10.92.0.45
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 host 194.72.246.6 eq https
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 host 194.72.246.4 eq https
access-list OutboundAccess deny tcp any any eq www
access-list OutboundAccess deny tcp any any eq https
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 any
access-list OutboundAccess permit tcp any any eq 3389
access-list OutboundAccess deny ip any any
0
Comment
Question by:dresch26
10 Comments
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17971038
In troubleshooting you can hit my RD box that is not behind a firewall to see if it is you or them, but as for examining your ACL ..... It makes my head hurt :)
I will not post it for obvious reasons but if you like I can email you my address so you can test with it.
0
 

Author Comment

by:dresch26
ID: 17975679
Sorry about the access-list.  I wanted to make sure I added everything that applied.  The main ACL going IN and OUT are

access-list OutboundAccess permit tcp any any eq 3389
access-list InboundAccess permit tcp any host x.x.x.102 eq 3389


0
 

Author Comment

by:dresch26
ID: 17975699
JRockSolid,  That would be great!  That would def. narrow things down.  Is there a way to private msg here so I can send you my email?

0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17975715
email my junk and i respond

ajhenderson@bellsouth.net
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17975746
That was supposed to say "Email my junk mailbox and I will respond"
0
 
LVL 3

Accepted Solution

by:
JRockSolid earned 100 total points
ID: 17976233
Does this permit work like it is supposed to?

access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq 3389

I cannot see anything wrong with the list, but I don't have a lot of experience yet with ACLs.
0
 

Author Comment

by:dresch26
ID: 17976269
That would probably help you to know the IPs :o)

192.168.9.x - Dublin office
192.168.8.x - UK office
172.x.x.x - VPN users
10.0.0.x - DMZ

This ACL was to allow our UK branch access to publish to our DMZ.

JRockSolid,  Thank you for the email.  I tried it at 23.22 GMT  and it worked fine.  Are you able to see what my IP address was that I came in on?  If so can you please email it.  I'm assuming it's a different public address than our normal traffic.



0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17976482
I was looking at the list some more and noticed that in attempting to troubleshoot you added :

access-list InboundAccess permit tcp any host x.x.x.102 eq 3389

That has in effect allowed users to connect to the RDP service on host x.x.x.102, and I know this is not what you wanted.

I don't believe you need an inbound entry, only an outbound one, unless you are hosting an RDP box in your network.

When you try to make a connection to the RDP box you are allowed out by :

access-list OutboundAccess permit tcp any any eq 3389

And in the packet there is a source port and IP that make up a socket. The destination IP and port are another socket, and two sockets make a connection.

In short if you need to get out then all you need is the outbound access rule.

I am talking through it for me, not you. So just let me know how it goes tomorrow; since we know you can get out and we know what IP you are coming out on, you should be able to track down the prob tomorrow.

Cheers!
0
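To make the two points in the comment above concrete (the PIX evaluates an access-list top down and stops at the first match, and the reply packets of a connection that was permitted outbound are admitted by the firewall's connection table, not by the outside ACL), here is an added Python model. It is not the poster's configuration, nor Cisco code. It takes the address-based lines from the posted InboundAccess and OutboundAccess lists (the object-group and hostname entries are left out because the page does not give their addresses), substitutes the documentation prefix 203.0.113.x for the redacted x.x.x.x public addresses, uses constructed packets, and ignores NAT so that connections are keyed on inside addresses.

```python
"""Model of PIX 6.3 first-match ACL evaluation plus the stateful connection table.
Added example, not the poster's tooling. 203.0.113.x stands in for the page's
redacted x.x.x.x addresses; 198.51.100.7 and 192.0.2.9 are constructed hosts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords that appear in the posted ACLs
PORT_NAMES = {"smtp": 25, "ftp": 21, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str                    # original line, for reporting


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX ACLs take a real subnet mask (not an IOS wildcard mask)
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list NAME ACTION PROTO SRC DST [eq PORT]"""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, proto, src, dst, dport, line)


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def evaluate(acl, pkt):
    """First matching entry wins; an implicit deny applies if nothing matches.
    Returns (action, index of the matching entry or None)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx
    return "deny", None


class StatefulPix:
    """Inside ACL filters traffic leaving; outside ACL filters unsolicited arrivals."""

    def __init__(self, inbound_acl, outbound_acl):
        self.inbound, self.outbound = inbound_acl, outbound_acl
        self.conns = set()   # (src, sport, dst, dport) of flows permitted outbound

    def inside_to_outside(self, pkt):
        action, idx = evaluate(self.outbound, pkt)
        if action == "permit":
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action, idx

    def outside_to_inside(self, pkt):
        # Replies to an established connection are matched by the conn table
        # and are never checked against the outside ACL.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "permit", "conn-table"
        return evaluate(self.inbound, pkt)


# Address-based lines from the posted config; x.x.x.N rewritten as 203.0.113.N
INBOUND_TEXT = """\
access-list InboundAccess permit tcp any host 203.0.113.101 eq smtp
access-list InboundAccess permit tcp any host 203.0.113.102 eq ftp
access-list InboundAccess permit tcp any host 203.0.113.102 eq 3389
access-list InboundAccess permit icmp any any
access-list InboundAccess deny ip any any
"""
OUTBOUND_TEXT = """\
access-list OutboundAccess permit ip 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq 3389
access-list OutboundAccess deny tcp any any eq www
access-list OutboundAccess deny tcp any any eq https
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 any
access-list OutboundAccess permit tcp any any eq 3389
access-list OutboundAccess deny ip any any
"""


def demo():
    pix = StatefulPix(parse_acl(INBOUND_TEXT), parse_acl(OUTBOUND_TEXT))
    # 1. RDP SYN from a UK-office PC to the customer's (constructed) public address
    syn = Packet("tcp", "192.168.8.25", 50123, "198.51.100.7", 3389)
    outbound = pix.inside_to_outside(syn)
    # 2. The SYN-ACK comes back: admitted from the conn table, no inbound ACE needed
    synack = Packet("tcp", "198.51.100.7", 3389, "192.168.8.25", 50123)
    return_traffic = pix.outside_to_inside(synack)
    # 3. An unsolicited SYN from any internet host to x.x.x.102:3389
    stray = Packet("tcp", "192.0.2.9", 40000, "203.0.113.102", 3389)
    unsolicited = pix.outside_to_inside(stray)
    # 4. The same packet once the troubleshooting line is removed
    trimmed = [a for a in pix.inbound if a.dport != 3389]
    after_removal = evaluate(trimmed, stray)[0]
    return {"outbound": outbound, "return_traffic": return_traffic,
            "unsolicited_rdp": unsolicited, "after_removal": after_removal}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the outbound SYN matched by `permit ip 192.168.8.0 255.255.254.0 any` (index 4 in the trimmed list), so for an inside source the later `permit tcp any any eq 3389` line is never reached; the SYN-ACK is admitted by the connection table with no InboundAccess entry at all; and an unsolicited SYN from an arbitrary internet address to x.x.x.102:3389 is permitted by the troubleshooting line and denied by the final `deny ip any any` once that line is removed, which is the exposure the comment above describes.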
 

Author Comment

by:dresch26
ID: 17978049
That did it.  We made the changes to their allowed IP addresses because they were different than what it was coming from and it worked fine.  You're right, the Inbound rule was not needed.  Thanks for all your help!

Aaron
0
 
LVL 3

Expert Comment

by:JRockSolid
ID: 17978927
Great!! I am glad it worked out.
0
