Enable RDP to specific IP through PIX 501

plq

Author

Asked:
Hi There,

I want to allow home based employees to VPN into my network which has a cisco 501 firewall (2003).

I got some advice on this thread: http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24994630.html but the commands stated don't work; the access-list statement isn't valid.

This is what I want to do:

1. Allow multiple internet based computers (e.g.) 74.1.1.1 and 74.2.2.2  RDP access inside my network - each will have their own machine inside the network to RDP to
2. Use a port different from 3389 outside the network, and translate back to 3389 inside our network
3. The RDP computer inside the LAN is 10.5.0.67 for 74.1.1.1
4. The RDP computer inside the LAN is 10.5.0.69 for 74.2.2.2

I don't want to expose the network to other IP Addresses

I've tried adding it through PDM, and I've tried access-list and static commands in line with what was recommended in that other thread, but it just won't work.

If you can give me the static and access-list commands I would be very grateful.

thanks

"I want to allow home based employees to VPN into my network which has a cisco 501 firewall" --> Statics and ACLs have nothing to do with a VPN.

Do you want your employees to connect via vpn out the outside address and a port? My recommendation would be VPN, as you will have port issues doing outside to inside PAT.

Regards,

3nerds
typo:

Do you want your employees to connect via vpn or through the outside address and a port.

3nerds
plq

Author

Commented:
Well VPN sounds like more work, so I would just like to let them into the network via RDP.

But vpn would also be ok

The problem with Static/Port for RDP is twofold.

One. It is open to the outside world, and anyone, once they find the open port, can attempt to use it to gain access to your network.
Two. If you have only 1 outside IP then it is all one for one, meaning if you want Joe to RDP into computer one and Janie to RDP into Computer 2 then you will have to assign each of them either a separate IP address or a separate port number.

There is a third possibility if you have a Windows SMB server?

The VPN bypasses both of the above problems, but is slightly more complicated to setup.

Regards,

3nerds
plq

Author

Commented:
Separate port number would be fine.

I don't have ISA server or similar.

thanks
Taking some assumptions here, but this is basically what you need. Don't forget to enable RDP on the PC itself. Normally, for this to work, I would have you change the port the PC is currently using (3389) to the port you are going to use (XXXX).

static (inside,outside) tcp interface XXXX Y.Y.Y.Y XXXX netmask 255.255.255.255  ---> XXXX will be whatever port you decide to use; Y.Y.Y.Y is the IP address of the computer.
access-list acl_out extended permit tcp any host Z.Z.Z.Z eq XXXX --> Z.Z.Z.Z is your outside address, and XXXX is the port you specified in the statement above.

You will need to do this for each PC you want to allow, and you will have to change the port for each one.

Good Luck,

3nerds
plq

Author

Commented:
Thanks, I'll give it a go and report back tomorrow.
plq

Author

Commented:
I just tried this. It didn't like the word extended.

So I took out extended, but it didn't work.

This is what I issued (replaced the web facing ip)

static (inside,outside) tcp interface 60733 10.5.0.67 60733 netmask 255.255.255.255  
access-list acl_out permit tcp any host 74.1.1.1 eq 60733

74.1.1.1 is the web facing IP of the "employee" who wants to log in. Is that right, or should it be our ISP web facing IP, or the IP of the cisco outside port?

thanks
plq

Author

Commented:
This worked:

access-list outside_access_in permit tcp host 74.1.1.1 interface outside

But I fear this is a bit too generic. Can I cut it back?

nearly there.. thanks
This:

access-list acl_out permit tcp any host 74.1.1.1 eq 60733

should have been:

access-list acl_out permit tcp host 74.1.1.1 interface outside eq 60733

If you want it more specific that is.

ACLs work on the idea of From and then To, so you want to allow from 74.1.1.1 to or through the outside interface on port 60733.

You're getting it though.

Regards,

3nerds



plq

Author

Commented:
Great - thanks

Just one more question. 10.5.0.67 is on DHCP. Can it be replaced with a computer name instead of an IP address?

thanks
plq

Author

Commented:
OK, I think my commands didn't work because I was missing the access-group when I was issuing via command line, but it was creating the access group for me in the PDM interface.

name 74.1.1.1 dys
access-group outside_access_in in interface outside
access-list outside_access_in permit tcp host dys interface outside eq 60733
static (inside,outside) tcp interface 60733 10.5.0.67 60733 netmask 255.255.255.255 0 0
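Pulling the thread together, here is the complete PIX 6.x configuration for both employees named in the original question. This is an added example, not configuration posted by any participant. It assumes: PIX software 6.3 on the 501 (so no `extended` keyword, as plq found); the outside interface carries the single ISP-assigned address, so the `interface` keyword is used instead of a literal outside IP; the second employee's outside port is 60734 (the thread names no port for 74.2.2.2); the inside PCs keep RDP on the default 3389, so the static does the port translation asked for in point 2 instead of re-configuring each PC's RDP listener; and the alias `emp2` is illustrative.

```cisco
! Added example: PIX 6.3 configuration, not from the thread participants.
! 'names' enables the local address aliases used below. A PIX 'name' is a
! local alias only; it is not a DNS lookup and cannot track a DHCP client.
names
name 74.1.1.1 dys
name 74.2.2.2 emp2          ! assumed alias for the second employee

! Port-redirection statics on the outside interface address:
!   outside TCP/60733 -> 10.5.0.67:3389
!   outside TCP/60734 -> 10.5.0.69:3389   (60734 is an assumed port)
! Translating to 3389 inside means each PC keeps its default RDP listener.
! If you map 60733 -> 60733 instead, as in the working post above, you must
! also change the RDP listening port on that PC.
static (inside,outside) tcp interface 60733 10.5.0.67 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 60734 10.5.0.69 3389 netmask 255.255.255.255 0 0

! Inbound ACL: source-restricted, one line per employee/port pair.
! Everything not listed is dropped by the implicit deny at the end, so
! 74.1.1.1 cannot reach 60734 and no other address reaches either port.
access-list outside_access_in permit tcp host dys interface outside eq 60733
access-list outside_access_in permit tcp host emp2 interface outside eq 60734

! Bind the ACL inbound on the outside interface. Without this line the ACL
! exists but is never evaluated (the step missing from the CLI attempt).
access-group outside_access_in in interface outside

! Verification (exec mode, after a connection attempt from each home PC):
!   show access-list outside_access_in   -> hitcnt rises only on the matching line
!   show xlate                           -> shows the PAT entries for 60733 and 60734
! A connection attempt from any other source address must be denied.
```

Because the ACL matches on the employee's source address, the exposure is limited to those two addresses rather than the whole Internet; the trade-off is that the home connections need fixed public IPs, and the inside hosts need fixed addresses (static IPs or DHCP reservations), since the static cannot follow a DHCP lease.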
plq

Author

Commented:
still - please let me know if I can use a DNS name instead of hard coding 10.5.0.67

thanks for helping
I have honestly never tried to use a name. In the PIX you can assign an IP a name, but it has nothing to do with DNS. It would probably be easier to set it static on the PC or to create reservations on your DHCP server.

Regards,

3nerds
plq

Author

Commented:
thank you!
