
I have problems allowing a remote desktop connection to my PC at work, which is behind a PIX

Posted on 2007-08-08
Last Modified: 2013-11-05
I can't add a specific address to connect to via remote desktop. Can you please help me out?
Question by:munemgumen
LVL 32

Expert Comment

by:rsivanandan
ID: 19654058
Can you elaborate a little more on what is involved and what it is that you want?

By default, if you want to allow RDP access to a machine inside the PIX from the internet, you need a static defined for NAT and an access-list to allow that traffic.

For example, if we want to do this with the IP assigned to the outside interface, we'd do it this way:

static (inside,outside) tcp interface 3389 <PrivateIP_Internal_Desktop> 3389

access-list <Name> permit tcp any interface outside eq 3389

access-group <Name> in interface outside

Where <Name> is replaced by the name of the ACL you already have; in that ACL you can replace 'any' with 'host x.x.x.x' if you want to allow access only from a specific IP on the internet.

Likewise, if you want to do it using an available public IP address that is not assigned to the outside interface, you do it this way:

static (inside,outside) tcp <Public_IP> 3389 <Private_IP> 3389

access-list <Name> permit tcp any host <Public_IP> eq 3389

access-group <Name> in interface outside



Cheers,
Rajesh

Author Comment

by:munemgumen
ID: 19654464
Well, I want this IP: 217.16.90.116 (outside IP)

to connect behind my PIX to: 10.2.1.29

What do I configure on the PIX?
LVL 32

Expert Comment

by:rsivanandan
ID: 19654560
static (inside,outside) tcp interface 3389 10.2.1.29 3389

access-list <Name> permit tcp any interface outside eq 3389

access-group <Name> in interface outside

Replace <Name> with the ACL name that is applied on the outside interface. If you are still confused, post your PIX config.

Cheers,
Rajesh

Author Comment

by:munemgumen
ID: 19654651
I'm still confused about that <Name>: should it be my outside IP, or what?
LVL 32

Expert Comment

by:rsivanandan
ID: 19654675
No, the name part is the access-list.

Look for the access-list that is applied on the outside interface.

access-group <Name> in interface outside

There should be a line like the above in your configuration, so you can find the <Name> part from it. Just replace it.

If there is still a problem, please post your configuration.

Cheers,
Rajesh

Author Comment

by:munemgumen
ID: 19654817
Great, it works. One other thing: can you tell me whether I can change the Remote Desktop port? I also need basic control so I can allow just a specific outside IP to connect to a specific IP inside, and the reverse (a specific IP from inside connecting to a specific address outside), without that 'any' in my access-lists; I want to restrict it.

thanks a lot.
LVL 32

Expert Comment

by:rsivanandan
ID: 19655247
access-list <Name> permit tcp host <specific_ip> interface outside eq 3389

The above should be the syntax, and yes, of course you can change the port the way you want to.

Cheers,
Rajesh

Author Comment

by:munemgumen
ID: 19662201
I still can't understand it; it doesn't work. I'll paste you my configuration now.


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 62.162.104.10 mail
name 62.162.104.5 db
name 62.162.104.2 ns
name 62.162.104.8 scm
name 62.162.104.6 pp
name 62.162.104.4 swift
access-list 102 permit tcp any interface outside eq 3389
access-list 102 permit tcp host 62.162.221.130 interface outside eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 62.162.100.249 255.255.255.240
ip address inside 62.162.104.1 255.255.255.224
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 62.162.104.17 255.255.255.255 0 0
nat (inside) 0 62.162.104.18 255.255.255.255 0 0
nat (inside) 0 62.162.104.19 255.255.255.255 0 0
nat (inside) 0 62.162.104.20 255.255.255.255 0 0
nat (inside) 0 62.162.104.28 255.255.255.255 0 0
nat (inside) 0 62.162.104.29 255.255.255.255 0 0
nat (inside) 0 62.162.104.241 255.255.255.255 0 0
nat (inside) 0 62.162.104.0 255.255.255.240 0 0
static (inside,outside) tcp interface 3389 62.162.104.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) ns ns netmask 255.255.255.255 0 0
static (inside,outside) db db netmask 255.255.255.255 0 0
static (inside,outside) mail mail netmask 255.255.255.255 0 0
static (inside,outside) pp pp netmask 255.255.255.255 0 0
static (inside,outside) 62.162.104.241 62.162.104.241 netmask 255.255.255.255 0 0
access-group 102 in interface outside
conduit permit tcp host ns 10.1.0.0 255.255.0.0
conduit permit tcp host db 10.1.0.0 255.255.0.0
conduit permit tcp host mail 10.1.0.0 255.255.0.0
conduit permit tcp host scm eq smtp any
conduit permit tcp host mail eq domain any
conduit permit udp host mail eq domain any
conduit permit udp host mail eq www any
conduit permit tcp host pp 10.1.0.0 255.255.0.0
conduit permit icmp any any
conduit permit udp any host 62.162.104.241 eq isakmp
conduit permit esp any host 62.162.104.241
conduit permit udp host 62.162.104.241 eq isakmp any
conduit permit esp host 62.162.104.241 any
conduit permit udp any host swift eq isakmp
conduit permit esp any host swift
conduit permit udp host swift eq isakmp any
conduit permit esp host swift any
route outside 0.0.0.0 0.0.0.0 62.162.100.250 1
route outside 62.162.104.0 255.255.255.0 62.162.100.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set UNI esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 set peer 195.178.53.18
crypto map transam 1 set transform-set UNI
! Incomplete
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 195.178.53.18 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

I need to connect via remote desktop from 62.162.221.130 to 62.162.104.29,
and I still can't connect. Can anyone help out?

Author Comment

by:munemgumen
ID: 19662377
This is what I added
----------------------------------

static (inside,outside) tcp interface 3389 62.162.104.29 3389
access-list 102 permit tcp any interface outside eq 3389
access-group 102 in interface outside
------------------------

LVL 32

Expert Comment

by:rsivanandan
ID: 19662693
No, that is wrong, since your mapping is incorrect.

static (inside,outside) tcp interface 3389 10.2.1.29 3389

access-list 102 permit tcp any interface outside eq 3389
access-group 102 in interface outside

The above is how it should be. First you'll have to remove what you have and then add this, so you could just copy and paste the below:

no static (inside,outside) tcp interface 3389 62.162.104.29 3389
static (inside,outside) tcp interface 3389 10.2.1.29 3389
access-list 102 permit tcp any interface outside eq 3389
access-group 102 in interface outside

Then try to RDP to this ip address 62.162.100.249

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 19662712
But hang on: you mentioned you wanted to connect to the 10.2.1.29 address, but your inside interface has a public IP assigned. So do all your machines inside the PIX firewall have public IPs?

Please clarify your network setup, as this is getting more confusing.

Cheers,
Rajesh

Author Comment

by:munemgumen
ID: 19662759
Well, I have my network behind the PIX with a public range, and I use private as well, so my question is
how I can connect to my public IP behind the PIX, 62.162.104.29,
when I want to connect from my home public IP: 62.162.221.130.

Please hit me up with some answers on how I can resolve this.
LVL 32

Expert Comment

by:rsivanandan
ID: 19662878
I've been asking you to post the configuration from the beginning; the problem is I can't see where you have the 10.x network.

Now, I'm going to assume that you want to connect to 62.162.104.29, which is on the inside of your PIX, so you do this:

static (inside,outside) 62.162.104.29 62.162.104.29 netmask 255.255.255.255

access-list 102 permit tcp host 62.162.221.130 host 62.162.104.29 eq 3389

access-group 102 in interface outside

Cheers,
Rajesh

Author Comment

by:munemgumen
ID: 19662995
OK, let me explain it to you from the beginning.

My office computer is behind my PIX and my address there is: 62.162.104.29

At home I have a dynamic IP, but in this case the IP at my home is: 62.162.221.130
So I want to connect from my HOME IP (62.162.221.130) to my OFFICE IP, 62.162.104.29, which is behind or inside the PIX. I added those lines and I can't connect from my home office. Here is my PIX configuration again.
----------------------------

: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 62.162.104.10 mail
name 62.162.104.5 db
name 62.162.104.2 ns
name 62.162.104.8 scm
name 62.162.104.6 pp
name 62.162.104.4 swift
access-list 102 permit tcp host 62.162.221.130 host 62.162.104.29 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 62.162.100.249 255.255.255.240
ip address inside 62.162.104.1 255.255.255.224
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 62.162.104.17 255.255.255.255 0 0
nat (inside) 0 62.162.104.18 255.255.255.255 0 0
nat (inside) 0 62.162.104.19 255.255.255.255 0 0
nat (inside) 0 62.162.104.20 255.255.255.255 0 0
nat (inside) 0 62.162.104.28 255.255.255.255 0 0
nat (inside) 0 62.162.104.29 255.255.255.255 0 0
nat (inside) 0 62.162.104.241 255.255.255.255 0 0
nat (inside) 0 62.162.104.0 255.255.255.240 0 0
static (inside,outside) ns ns netmask 255.255.255.255 0 0
static (inside,outside) db db netmask 255.255.255.255 0 0
static (inside,outside) mail mail netmask 255.255.255.255 0 0
static (inside,outside) pp pp netmask 255.255.255.255 0 0
static (inside,outside) 62.162.104.241 62.162.104.241 netmask 255.255.255.255 0 0
static (inside,outside) 62.162.104.29 62.162.104.29 netmask 255.255.255.255 0 0
access-group 102 in interface outside
conduit permit tcp host ns 10.1.0.0 255.255.0.0
conduit permit tcp host db 10.1.0.0 255.255.0.0
conduit permit tcp host mail 10.1.0.0 255.255.0.0
conduit permit tcp host scm eq smtp any
conduit permit tcp host mail eq domain any
conduit permit udp host mail eq domain any
conduit permit udp host mail eq www any
conduit permit tcp host pp 10.1.0.0 255.255.0.0
conduit permit icmp any any
conduit permit udp any host 62.162.104.241 eq isakmp
conduit permit esp any host 62.162.104.241
conduit permit udp host 62.162.104.241 eq isakmp any
conduit permit esp host 62.162.104.241 any
conduit permit udp any host swift eq isakmp
conduit permit esp any host swift
conduit permit udp host swift eq isakmp any
conduit permit esp host swift any
route outside 0.0.0.0 0.0.0.0 62.162.100.250 1
route outside 62.162.104.0 255.255.255.0 62.162.100.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set UNI esp-3des esp-sha-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 set peer 195.178.53.18
crypto map transam 1 set transform-set UNI
! Incomplete
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 195.178.53.18 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:2ee32f50526aae61783feadcc47910ae
: end
bad(config)# $

Author Comment

by:munemgumen
ID: 19663036
Job is done; you get 93092390210930921309 million points.

Author Comment

by:munemgumen
ID: 19663065
One other thing, bro: can you tell me how I can change the RDP port 3389? Is there some command to add, or do I just set that new port in the access list?
LVL 32

Expert Comment

by:rsivanandan
ID: 19663501
Change the port where?

Two options:

1. Change the port in Windows itself to a custom port.

  Let's assume you want it on port 12345. In this case you change it to:

static (inside,outside) 62.162.104.29 62.162.104.29 netmask 255.255.255.255

access-list 102 permit tcp host 62.162.221.130 host 62.162.104.29 eq 12345

access-group 102 in interface outside

http://support.microsoft.com/kb/306759

The link above shows you how to change the port in Windows.



2. Change the port on the static NAT statement, so that you connect to a random port but the PIX routes it to the default RDP port.

static (inside,outside) tcp 62.162.104.29 12345 62.162.104.29 3389 netmask 255.255.255.255

access-list 102 permit tcp host 62.162.221.130 host 62.162.104.29 eq 12345

access-group 102 in interface outside

Cheers,
Rajesh
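The following is an added example, not code from this thread or from Cisco. It models what the `static` and `access-list` lines in Rajesh's answers do (the interface PAT from his first reply and the port-redirect variant from option 2 above) and runs the check a practitioner would want after pasting them in: which inside host each permitted destination actually lands on, and whether the ACL still contains an `any` line. The questioner's first posted config kept `access-list 102 permit tcp any interface outside eq 3389` directly above the host-specific line; since a PIX ACL is evaluated top-down with first match winning, that host line changed nothing. `OUTSIDE_IP` is taken from the posted config; `SAMPLE_CONFIG` is a constructed snippet modelled on the posted lines, with the option-2 redirect bound to the outside interface on port 12345 so it can coexist with the 3389 static.

```python
"""PIX 6.3 static + access-list audit for an inbound RDP exposure.

Added example; not code from this thread or from Cisco. OUTSIDE_IP is the
'ip address outside' value in the posted config. SAMPLE_CONFIG is a
constructed snippet modelled on the posted lines: the first attempt
(interface PAT plus an ACL carrying both an 'any' line and a home-IP line)
and the option-2 port redirect, here bound to the outside interface.
"""
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "62.162.100.249"

SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 3389 62.162.104.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 12345 62.162.104.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) 62.162.104.241 62.162.104.241 netmask 255.255.255.255 0 0
access-list 102 permit tcp any interface outside eq 3389
access-list 102 permit tcp host 62.162.221.130 interface outside eq 3389
access-list 102 permit tcp host 62.162.221.130 interface outside eq 12345
access-group 102 in interface outside
"""


@dataclass(frozen=True)
class Static:
    global_ip: str
    global_port: Optional[int]   # None: whole-IP static, every port
    local_ip: str
    local_port: Optional[int]


@dataclass(frozen=True)
class Ace:
    acl: str
    proto: str
    src: str                     # 'any' or an IP
    dst: str
    dst_port: Optional[int]


def _addr(t, i, outside_ip):
    """Consume one address term of an ACE; 'interface outside' is the outside IP."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    if t[i] == "interface":
        return outside_ip, i + 2
    return t[i] + "/" + t[i + 1], i + 2          # network + mask form


def parse_static(line, outside_ip=OUTSIDE_IP):
    t = line.split()
    if t[:2] != ["static", "(inside,outside)"]:
        return None
    if t[2] in ("tcp", "udp"):                    # port static (PAT)
        g_ip = outside_ip if t[3] == "interface" else t[3]
        return Static(g_ip, int(t[4]), t[5], int(t[6]))
    return Static(t[2], None, t[3], None)         # whole-IP static


def parse_ace(line, outside_ip=OUTSIDE_IP):
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
        return None
    src, i = _addr(t, 4, outside_ip)
    dst, i = _addr(t, i, outside_ip)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[1], t[3], src, dst, port)


def load(config_text, outside_ip=OUTSIDE_IP):
    statics, aces = [], []
    for line in config_text.splitlines():
        s = parse_static(line, outside_ip)
        a = None if s else parse_ace(line, outside_ip)
        if s:
            statics.append(s)
        if a:
            aces.append(a)
    return statics, aces


def translate(statics, dst_ip, dst_port):
    """Inside (ip, port) an inbound packet to dst_ip:dst_port lands on, or None
    when no static claims it. Port statics are the more specific match."""
    for s in statics:
        if s.global_port == dst_port and s.global_ip == dst_ip:
            return s.local_ip, s.local_port
    for s in statics:
        if s.global_port is None and s.global_ip == dst_ip:
            return s.local_ip, dst_port
    return None


def exposures(aces, statics, port=3389):
    """Every TCP ACE to `port`, the inside host it reaches, and whether the
    source is unrestricted."""
    return [{"src": a.src, "dst": a.dst,
             "inside": translate(statics, a.dst, port),
             "open_to_any": a.src == "any"}
            for a in aces if a.proto == "tcp" and a.dst_port == port]


def shadowed_by_any(aces):
    """Host-specific ACEs that change nothing because an earlier ACE in the
    same ACL already permits 'any' to the same destination and port."""
    seen_any, shadowed = set(), []
    for a in aces:
        key = (a.acl, a.proto, a.dst, a.dst_port)
        if a.src == "any":
            seen_any.add(key)
        elif key in seen_any:
            shadowed.append(a)
    return shadowed


def audit(config_text=SAMPLE_CONFIG, outside_ip=OUTSIDE_IP):
    statics, aces = load(config_text, outside_ip)
    return exposures(aces, statics), shadowed_by_any(aces)


if __name__ == "__main__":
    exp, shadowed = audit()
    for e in exp:
        flag = "  ** open to any **" if e["open_to_any"] else ""
        print(f"{e['src']:>16} -> {e['dst']}:3389 lands on {e['inside']}{flag}")
    for a in shadowed:
        print(f"redundant: host {a.src} line in ACL {a.acl} is shadowed by 'any'")
```

Run it against the snippet and the first finding is the one that matters: the `any` line reaches 62.162.104.29:3389 from the whole internet, and the home-IP line below it is reported as shadowed. Removing the `any` line (the `no access-list 102 permit tcp any ...` form) is what turns Rajesh's "replace 'any' with 'host x.x.x.x'" advice into an actual restriction; the port redirect on 12345 is shown as a second path to the same host, which is why moving the port is obscurity rather than a substitute for the source restriction.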
LVL 32

Accepted Solution

by:
rsivanandan earned 2000 total points
ID: 19663518
Now, in the Remote Desktop client you would connect as below.

In the IP address field, enter:

62.162.104.29:12345

Cheers,
Rajesh