Solved

RDP connection going out through PIX 506E

Posted on 2006-11-17
Last Modified: 2013-11-16
Hi,

  I have what I hope is a simple problem I can't seem to find much information about.  I'm trying to connect
through RDP to a customer's public IP address.  When I use a connection going through our PIX 506E firewall I can't
get anything.  When I use a connection not going through a firewall I don't get anything.  I've spoken with the
customer and they do not see me hitting their firewall when going through my PIX.  I thought it might be down to
our access-list.  I have added an Inbound & Outbound rule.  I thought if I allow any any going out and any to
one of our public IPs in that would work, but no joy.  Could the issue possibly be with the connection coming in
and the fact that x.x.x.102, which I'm trying to get it to come in on, is the same as FTP traffic?  Thanks in
advance for any help!

Regards,
Aaron


PIX Version 6.3(3)
access-list InboundAccess permit tcp any host x.x.x.101 eq smtp
access-list InboundAccess permit tcp any host x.x.x.104 eq www
access-list InboundAccess permit tcp any host x.x.x.104 eq https
access-list InboundAccess permit tcp any host x.x.x.101 eq https
access-list InboundAccess permit tcp any host x.x.x.103 eq www
access-list InboundAccess permit tcp any host x.x.x.102 eq ftp
access-list InboundAccess permit tcp any host x.x.x.103 eq https
access-list InboundAccess permit tcp any host x.x.x.102 eq 3389
access-list InboundAccess permit icmp any any
access-list InboundAccess deny ip any any
access-list OutboundAccess permit ip 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list OutboundAccess permit tcp object-group company-Servers any eq www
access-list OutboundAccess permit tcp object-group company-Servers any eq https
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq 3389
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq www
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq 81
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq ftp
access-list OutboundAccess permit tcp host company01 host companyDMZ01 eq smtp
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 172.30.0.0 255.255.0.0
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 host 10.92.0.45
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 host 194.72.246.6 eq https
access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 host 194.72.246.4 eq https
access-list OutboundAccess deny tcp any any eq www
access-list OutboundAccess deny tcp any any eq https
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 any
access-list OutboundAccess permit tcp any any eq 3389
access-list OutboundAccess deny ip any any
Question by:dresch26

10 Comments

Expert Comment

by:JRockSolid
ID: 17971038
In troubleshooting you can hit my RD box that is not behind a firewall to see if it is you or them, but as for examining your ACL ..... It makes my head hurt :)
I will not post it for obvious reasons, but if you like I can email you my address so you can test with it.

Author Comment

by:dresch26
ID: 17975679
Sorry about the access-list.  I wanted to make sure I added everything that applied.  The main ACLs going IN and OUT are

access-list OutboundAccess permit tcp any any eq 3389
access-list InboundAccess permit tcp any host x.x.x.102 eq 3389



Author Comment

by:dresch26
ID: 17975699
JRockSolid, that would be great!  That would definitely narrow things down.  Is there a way to private message here so I can send you my email?


Expert Comment

by:JRockSolid
ID: 17975715
email my junk and i respond

ajhenderson@bellsouth.net

Expert Comment

by:JRockSolid
ID: 17975746
That was supposed to say "Email my junk mailbox and I will respond".

Accepted Solution

by:JRockSolid (earned 100 total points)
ID: 17976233
Does this permit work like it is supposed to?

access-list OutboundAccess permit tcp 192.168.8.0 255.255.254.0 10.0.0.0 255.255.255.0 eq 3389

I cannot see anything wrong with the list, but I don't have a lot of experience yet with ACLs.

Author Comment

by:dresch26
ID: 17976269
that would probably help you to know the IP's :o)

192.168.9.x - Dublin office
192.168.8.x - UK office
172.x.x.x - VPN users
10.0.0.x - DMZ

This ACL was to allow our UK branch access to publish to our DMZ.

JRockSolid, thank you for the email.  I tried it at 23.22 GMT and it worked fine.  Are you able to see what my IP address was that I came in on?  If so, can you please email it?  I'm assuming it's a different public address than our normal traffic.




Expert Comment

by:JRockSolid
ID: 17976482
I was looking at the list some more and noticed that in attempting to troubleshoot you added:

access-list InboundAccess permit tcp any host x.x.x.102 eq 3389

That has in effect allowed users to connect to the RDP service on host x.x.x.102, and I know this is not what you wanted.

I don't believe you need an inbound entry, only an outbound one, unless you are hosting an RDP box in your network.

When you try to make a connection to the RDP box you are allowed out by:

access-list OutboundAccess permit tcp any any eq 3389

And in the packet there is a source port and IP that makes up a socket.  The destination IP and port are another socket, and two sockets make a connection.

In short, if you need to get out then all you need is the outbound access rule.

I am talking through it for me, not you.  So just let me know how it goes tomorrow; since we know you can get out and we know what IP you are coming out on, you should be able to track down the problem tomorrow.

Cheers!
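Added example (not from the thread or either poster): a small first-match evaluator for the PIX 6.x access-list syntax used in the question, run over two constructed subsets of the InboundAccess and OutboundAccess lists above. It assumes the documentation address 192.0.2.102 in place of the elided x.x.x.102, and uses 203.0.113.5 and 198.51.100.7 as stand-in customer and Internet addresses. It shows which OutboundAccess entry actually admits the RDP session from the UK LAN (the "permit ip 192.168.8.0 255.255.254.0 any" entry is hit before "permit tcp any any eq 3389", so the latter only matters for sources outside 192.168.8.0/23, such as the DMZ), and that the InboundAccess 3389 entry opens RDP on x.x.x.102 to any source on the Internet.

```python
import ipaddress

# Service names as the PIX 6.x CLI accepts them in "eq <port>"
SERVICES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23}

# Constructed subsets of the lists in the question. 192.0.2.102 stands in for
# the elided x.x.x.102 (an assumption); the other entries are copied from the page.
INBOUND = """
access-list InboundAccess permit tcp any host 192.0.2.102 eq ftp
access-list InboundAccess permit tcp any host 192.0.2.102 eq 3389
access-list InboundAccess permit icmp any any
access-list InboundAccess deny ip any any
"""

OUTBOUND = """
access-list OutboundAccess deny tcp any any eq www
access-list OutboundAccess deny tcp any any eq https
access-list OutboundAccess permit ip 192.168.8.0 255.255.254.0 any
access-list OutboundAccess permit tcp any any eq 3389
access-list OutboundAccess deny ip any any
"""


def _address(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' starting at tokens[i].
    PIX 6.x writes real subnet masks here, not IOS-style wildcard masks."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return the list's entries in order; order matters because the PIX stops at the first match."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or "object-group" in t:
            continue  # object-group entries need group definitions the page does not show
        try:
            src, i = _address(t, 4)
            dst, i = _address(t, i)
        except ValueError:
            continue  # entries written with host names (e.g. "host company01") cannot be evaluated here
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = SERVICES.get(t[i + 1]) or int(t[i + 1])
        rules.append({"name": t[1], "action": t[2], "proto": t[3],
                      "src": src, "dst": dst, "port": port, "text": line.strip()})
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation of the initial packet of a flow.
    Returns (action, 1-based entry number, entry text); unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(rules, 1):
        if r["proto"] not in ("ip", proto):
            continue
        if src not in r["src"] or dst not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dst_port:
            continue
        return r["action"], n, r["text"]
    return "deny", None, "implicit deny at end of list"


def exposed_tcp_services(rules):
    """TCP permits reachable from 'any' source: the listeners an inbound list opens to the Internet."""
    return [(str(r["dst"].network_address), r["port"])
            for r in rules
            if r["action"] == "permit" and r["proto"] == "tcp" and r["src"].prefixlen == 0]


if __name__ == "__main__":
    out, inb = parse_acl(OUTBOUND), parse_acl(INBOUND)
    # UK LAN host to the customer's RDP service (203.0.113.5 is a stand-in address)
    print(evaluate(out, "tcp", "192.168.8.10", "203.0.113.5", 3389))
    # A DMZ host: only the "permit tcp any any eq 3389" entry admits this one
    print(evaluate(out, "tcp", "10.0.0.5", "203.0.113.5", 3389))
    # Unsolicited connection from the Internet to x.x.x.102 on 3389
    print(evaluate(inb, "tcp", "198.51.100.7", "192.0.2.102", 3389))
    print(exposed_tcp_services(inb))
```

The evaluator models only the first packet of each flow. The PIX keeps per-connection state, so the customer's replies to a session that the OutboundAccess list admitted come back without any InboundAccess entry, which is why the 3389 entry on x.x.x.102 was unnecessary for this problem and only served to expose RDP on that address. Entries that use object-groups or host names are skipped because the page does not include those definitions.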
 

Author Comment

by:dresch26
ID: 17978049
That did it.  We made the changes to their allowed IP addresses because they were different from what it was coming from, and it worked fine.  You're right, the Inbound rule was not needed.  Thanks for all your help!

Aaron

Expert Comment

by:JRockSolid
ID: 17978927
Great!! I am glad it worked out.