Solved

Port redirect in a Pix 501

Posted on 2013-01-31
15 comments, 367 views. Last Modified: 2013-03-05
I would like to set up our router so that, depending on the port you use in the Remote Desktop application, it goes to a different machine.

Currently, when you use an RDP client and go to our domain name using the default port, it goes to a server.

I would like to be able to change the port that RDP uses and have the router send me to a different IP address if I use a nonstandard port, i.e. 7389 for computer X and 8389 for computer Y.
Question by:calmoving
15 Comments
 
LVL 15

Expert Comment

by:max_the_king
Hi,
you need to enter the following commands on the PIX:

static (inside,outside) tcp <publicIP> 7389 InternalIP 3389 netmask 255.255.255.255 0 0
access-list outside_interface_acl permit tcp any host <publicIP> eq 7389
access-group outside_interface_acl in interface outside

of course, if you already have an ACL on the outside, just add the access-list line above to your existing access-list

hope this helps
max
0
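An added example in Python, not code from this thread or from Cisco: it generates the static/access-list pair per published port in the form given above (so 7389 and 8389 each land on a different inside host, as the question asks) and then audits a saved "show run" for the three mismatches that produce "the hit count goes up but nothing connects": one public port mapped twice, a static with no matching permit, and a permit with no static. The public address 198.51.100.2, the inside hosts and the sample config are constructed placeholders; the 80-column unwrap is a heuristic for the line wrapping visible in the pasted configs.

```python
"""Generate PIX 6.3 port-redirect lines and audit a 'show run' for the usual mistakes.

Added example; not code from the thread. Addresses are placeholders (RFC 5737 /
RFC 1918) and SAMPLE_CONFIG is constructed, not the poster's configuration.
"""
import re
from collections import defaultdict

# Service names the PIX prints instead of numbers in 'show run' (subset).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "imap4": 143, "pop3": 110}

STATIC = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
PERMIT = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface outside")


def pix_port_forward(public_ip, mappings, acl="out_in"):
    """Emit one static + ACL pair per published port; mappings = {public_port: (inside_ip, inside_port)}."""
    lines = []
    for pub_port, (inside_ip, inside_port) in sorted(mappings.items()):
        lines.append(f"static (inside,outside) tcp {public_ip} {pub_port} "
                     f"{inside_ip} {inside_port} netmask 255.255.255.255 0 0")
        lines.append(f"access-list {acl} permit tcp any host {public_ip} eq {pub_port}")
    lines.append(f"access-group {acl} in interface outside")
    return lines


def _port(token):
    """Numeric port for a token; known service names are translated, unknown names kept as text."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token) if token.isdigit() else token


def unwrap(text, width=80):
    """Re-join lines the PIX wrapped at 'terminal width 80' (a full-width line continues on the next)."""
    lines, pending = [], ""
    for line in text.splitlines():
        pending += line
        if len(line) == width:
            continue
        lines.append(pending)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def audit_port_forwards(config_text):
    """Cross-check statics against the ACL bound inbound on the outside interface.

    Each finding is (kind, (proto, public_ip, public_port), [(inside_ip, inside_port), ...]):
      duplicate-static       one public port translated to more than one inside host
      static-without-permit  translation exists but the outside ACL never lets the port in
      permit-without-static  ACL opens a port that no static translates (services terminated
                             on the firewall itself, e.g. isakmp or ssh, legitimately appear here)
    """
    lines = unwrap(config_text)
    outside_acl = None
    for line in lines:
        m = ACCESS_GROUP.match(line)
        if m:
            outside_acl = m.group(1)
    statics = defaultdict(set)
    permits = set()
    for line in lines:
        m = STATIC.match(line)
        if m:
            proto, pub_ip, pub_port, in_ip, in_port = m.groups()
            statics[(proto, pub_ip, _port(pub_port))].add((in_ip, _port(in_port)))
        m = PERMIT.match(line)
        if m and m.group(1) == outside_acl:
            _, proto, pub_ip, pub_port = m.groups()
            permits.add((proto, pub_ip, _port(pub_port)))
    findings = []
    for key, targets in statics.items():
        if len(targets) > 1:
            findings.append(("duplicate-static", key, sorted(targets)))
        if key not in permits:
            findings.append(("static-without-permit", key, sorted(targets)))
    for key in permits - set(statics):
        findings.append(("permit-without-static", key, []))
    return sorted(findings, key=lambda f: (f[0], f[1][0], f[1][1], str(f[1][2])))


# Constructed sample: the 7389 port owned by two statics, 8389 with no permit, 9900 with no static.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
access-list out_in permit tcp any host 198.51.100.2 eq smtp
access-list out_in permit tcp any host 198.51.100.2 eq 7389
access-list out_in permit tcp any host 198.51.100.2 eq 3389
access-list out_in permit tcp any host 198.51.100.2 eq 9900
static (inside,outside) tcp 198.51.100.2 smtp 192.168.254.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.2 3389 192.168.254.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.2 7389 192.168.254.1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.2 7389 192.168.254.63 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 198.51.100.2 8389 192.168.254.65 3389 netmask 255.255.255.255 0 0
access-group out_in in interface outside
terminal width 80
"""

if __name__ == "__main__":
    for line in pix_port_forward("198.51.100.2", {7389: ("192.168.254.63", 3389),
                                                  8389: ("192.168.254.65", 3389)}):
        print(line)
    for kind, key, targets in audit_port_forwards(SAMPLE_CONFIG):
        print(kind, key, targets)
```

Paste the output of "sh run" into a file and feed it to audit_port_forwards(); a "duplicate-static" on the same public port is the condition the thread ends on, and the fix is the "no static ..." for the mapping you do not want. The audit reads only statics and eq-port permits; it says nothing about the other exposures visible in the pasted configs (ssh 0.0.0.0 0.0.0.0 outside, snmp-server community public), which deserve a look of their own.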
 

Author Comment

by:calmoving
ok, I got the static set up no problem (had already added this before I hit the wall)

My access-list on the outside looks like this

"access-list out_in line 18 permit tcp any host <public IP> eq 7389 (hitcnt=13)"

My access-group looks like this

"access-group out_in in interface outside
access-group in_out in interface inside"

when I set up my RDP client on my phone and attempt to connect, it just states that it is unable to connect. Is there a way I can find out why it is not connecting?

if I set the port to the default I am able to get into the server with no problem, but when I change the port to 7389 to attempt to control my desktop PC, that is when I get "unable to connect".
0
 
LVL 15

Expert Comment

by:max_the_king
Hi,
are you sure that the RDP client on your phone is able to work on a different port? Please note that from the RDP client's point of view it is connecting to port 7389, while the real server is responding on 3389.

access-list out_in line 18 permit tcp any host <public IP> eq 7389 (hitcnt=13)
this means that the firewall is getting the right requests

one more thing you may want to check is that, if you have other NAT statements in your PIX configuration, the order of NAT operations may have some collateral effect.

After checking the above, if the problem still persists, please post a sanitized config of the PIX

max
0
 

Author Comment

by:calmoving
Thanks Max, I have tried this with two different RDP clients on my phone and have set them both to port 7389. The error message I get is that it cannot connect to remote.mydomain.com on port 7389.

I am using "RDesktop" from the iTunes store and the error message I receive is "Connection Failure. The operation couldn't be completed. Connection refused remote.mydomain.com:7389".

How would I get the sanitized config, is that the "sh run" statement?
0
 

Author Comment

by:calmoving
update... I attempted again and the hit count on

access-list out_in line 18 permit tcp any host <public IP> eq 7389 (hitcnt=13)

is still at 13, so I think these counts are from the last time I was attempting to get this to work. I assume they will auto-update if I do a "sh access-list" command?
0
 
LVL 15

Expert Comment

by:max_the_king
if the hit count does not increment, the PIX is not receiving the request on that port.

please try <publicIP>:7389 instead of remote.mydomain.com:7389
it might be a DNS problem

if no joy, please try and do an RDP connection from a PC, to see if the problem is in the RDP client on the phone

if still no joy, please post a sanitized config: put the output of a show run into a text file and remove the parts you want to hide (i.e. the first 2 octets of public IP addresses and any cleartext password).

max
0
 

Author Comment

by:calmoving
I attempted to connect again and the hit count was not going up, so here is a cleansed version of the sh run on the PIX

Ron

CAmoversMainPIX# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname xxxxxxMainPIX
domain-name publicdomainname.com
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out_in permit icmp any any
access-list out_in permit tcp any host <public IP> eq smtp
access-list out_in permit udp any host <public IP>  eq 3270
access-list out_in permit tcp any host <public IP> eq 3270
access-list out_in permit tcp any host <public IP> eq https
access-list out_in permit tcp any host <public IP> eq 4125
access-list out_in permit udp any host <public IP> eq 443
access-list out_in permit tcp any host <public IP> eq 9900
access-list out_in permit udp any host <public IP> eq 9900
access-list out_in permit tcp any host <public IP> eq 193
access-list out_in permit udp any host <public IP> eq 993
access-list out_in permit tcp any host <public IP> eq 993
access-list out_in permit udp any  host <public IP> eq 193
access-list out_in permit tcp any host <public IP> eq 444
access-list out_in permit tcp any host <public IP> eq imap4
access-list out_in permit tcp any host <public IP> eq www
access-list out_in permit tcp any host <public IP> eq 7389

access-list Nat_0 permit ip 192.168.254.0 255.255.255.0 10.254.254.0 255.255.255.0   (this is old, from a previous configuration)
access-list 199 permit ip 192.168.254.0 255.255.255.0 10.254.254.0 255.255.255.0   (this is old, from a previous configuration)

access-list in_out permit tcp host 192.168.254.1 any eq smtp
access-list in_out deny tcp any any eq smtp
access-list in_out permit ip any any
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside <public IP>  255.255.255.248
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pool 10.254.254.10-10.254.254.254   (this is old, from a previous configuration)
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Nat_0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp <public IP> smtp 192.168.254.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp <public IP> 993 192.168.254.1 993 netmask 255.255.255.255 0 0
static (inside,outside) udp <public IP> 443 192.168.254.1 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public IP> https 192.168.254.1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp <public IP> 193 192.168.254.1 193 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public IP> 444 192.168.254.1 444 netmask 255.255.255.255 0 0
static (inside,outside) udp <public IP> 993 192.168.254.1 993 netmask 255.255.255.255 0 0
static (inside,outside) udp <public IP> 193 192.168.254.1 193 netmask 255.255.255.255 0 0
static (inside,outside) udp <public IP> 4125 192.168.254.1 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public IP> imap4 192.168.254.1 imap4 netmask 255.255.255.255 0 0
static (inside,outside) udp <public IP> 444 192.168.254.1 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp <public IP> 4125 192.168.254.1 4125 netmask 255.255.255.255 0 0
access-group out_in in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 <public IP> 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set camoversset esp-3des esp-md5-hmac
crypto dynamic-map dynamap 10 set transform-set camoversset
crypto map xxxxxxmap 10 ipsec-isakmp dynamic dynamap
crypto map xxxxxxmap 20 ipsec-isakmp
crypto map xxxxxxsmap 20 set peer 69.104.44.93
crypto map xxxxxxxmap 20 set transform-set xxxxxxsset
! Incomplete
crypto map camoversmap client authentication LOCAL
crypto map camoversmap interface outside
isakmp enable outside
isakmp key ******** address 69.104.44.93 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup cxxxxxxs address-pool cxxxxxxxxpool
vpngroup cxxxxxxs dns-server 192.168.254.1
vpngroup cxxxxxxs split-tunnel 199
vpngroup cxxxxxxs idle-time 1800
vpngroup cxxxxxxs password ********
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end
0

 
LVL 15

Expert Comment

by:max_the_king
sorry, but in your config I can't see the static I previously asked you to create:
static (inside,outside) tcp <publicIP> 7389 InternalIP 3389 netmask 255.255.255.255 0 0

please configure it and try again (by RDP to the public IP address and not the DNS name)

as a note, when I asked you for a sanitized config, you should hide just the first 2 octets of public IPs, otherwise I can't read how many machines are NATted in the static statements.

max
0
 

Author Comment

by:calmoving
Ok, I got the static done correctly this time.

I attempted again using my RDP client with the IP address instead of the URL, and I still get nothing.

I used one of the port scan tools and it says that the port is closed, but it makes the hit count go up; it also says that port 3389 is closed, and I know that one works.

Do you need a new sanitized readout?
0
 
LVL 15

Expert Comment

by:max_the_king
hi,
first of all, be sure that the server you're trying to reach has its default gateway set to the firewall's private IP!
that server must have Remote Desktop enabled as well.
either of the 2 cases above can lead to a hit count increment on the firewall but no connection to the server.
Please check for Windows Firewall issues on the server itself as well.

if none of the 3 workarounds solve it, then you may want to post a sanitized config of the firewall to see if everything is ok

max
0
 

Author Comment

by:calmoving
CxxxxxxxxxsMainPIX(config)# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxl encrypted
passwd xxxxxxxxxxxxxxxl encrypted
hostname CxxxxxxxsMainPIX
domain-name cxxxxxxxxxxxxxxxg.com
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out_in permit icmp any any
access-list out_in permit tcp any host xxx.xxx.215.226 eq smtp
access-list out_in permit udp any host xxx.xxx.215.226 eq 3270
access-list out_in permit tcp any host xxx.xxx.215.226 eq 3270
access-list out_in permit tcp any host xxx.xxx.215.226 eq https
access-list out_in permit tcp any host xxx.xxx.215.226 eq 4125
access-list out_in permit udp any host xxx.xxx.215.226 eq 443
access-list out_in permit tcp any host xxx.xxx.215.226 eq 9900
access-list out_in permit udp any host xxx.xxx.215.226 eq 9900
access-list out_in permit tcp any host xxx.xxx.215.226 eq 193
access-list out_in permit udp any host xxx.xxx.215.226 eq 993
access-list out_in permit tcp any host xxx.xxx.215.226 eq 993
access-list out_in permit udp any host xxx.xxx.215.226 eq 193
access-list out_in permit tcp any host xxx.xxx.215.226 eq 444
access-list out_in permit tcp any host xxx.xxx.215.226 eq imap4
access-list out_in permit tcp any host xxx.xxx.215.226 eq www
access-list out_in permit tcp any host xxx.xxx.215.226 eq 7389
access-list out_in permit tcp any host xxx.xxx.215.226 eq 3389
access-list Nat_0 permit ip 192.168.254.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list 199 permit ip 192.168.254.0 255.255.255.0 10.254.254.0 255.255.255.0

access-list in_out permit tcp host 192.168.254.1 any eq smtp
access-list in_out deny tcp any any eq smtp
access-list in_out permit ip any any
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.215.226 255.255.255.248
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool cxxxxxxspool xxx.xxx.254.10-xxx.xxx.254.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Nat_0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.215.226 smtp 192.168.254.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 993 192.168.254.1 993 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.215.226 443 192.168.254.1 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 https 192.168.254.1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 193 192.168.254.1 193 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 444 192.168.254.1 444 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.215.226 993 192.168.254.1 993 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.215.226 193 192.168.254.1 193 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.215.226 4125 192.168.254.1 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 imap4 192.168.254.1 imap4 netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.xxx.215.226 444 192.168.254.1 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 4125 192.168.254.1 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 7389 192.168.254.63 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.215.226 3389 192.168.254.1 3389 netmask 255.255.255.255 0 0
access-group out_in in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 209.118.215.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set camoversset esp-3des esp-md5-hmac
crypto dynamic-map dynamap 10 set transform-set cxxxxxxsset
crypto map cxxxxxxsmap 10 ipsec-isakmp dynamic dynamap
crypto map cxxxxxxsmap 20 ipsec-isakmp
crypto map cxxxxxxsmap 20 set peer xxx.xxx.44.93
crypto map cxxxxxxsmap 20 set transform-set camoversset
! Incomplete
crypto map camoversmap client authentication LOCAL
crypto map camoversmap interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.44.93 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 25
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup cxxxxxxs address-pool camoverspool
vpngroup cxxxxxxs dns-server 192.168.254.1
vpngroup cxxxxxxs split-tunnel 199
vpngroup cxxxxxxs idle-time 1800
vpngroup cxxxxxxs password ********
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username camovers password xxxxxxxxxxxxxxxx encrypted privilege 2
username cisco password xxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:9xxxxxxxxxxxxxxxxxxxxxxxxx
0
 
LVL 15

Expert Comment

by:max_the_king
Hi,
the PIX configuration you have posted is ok.

are you sure that the server you're trying to reach hasn't exceeded the maximum number of connections (2 is the default)?

If you have checked the 3 workarounds of my last post, please try and reboot the PIX (after saving the configuration, of course, by issuing write memory).

If it still doesn't work, then I must assume that the problem lies in your RDP client. To check this last issue, you need to try and connect from a PC with Remote Desktop Connection.

max
0
 

Author Comment

by:calmoving
if I set up my computer to use a TS gateway, I am able to bounce from the server to the correct desktop. I used the RDP client in XP and changed the port in the registry, then rebooted. When I attempted to connect it went to the server (even though I used port 7389).

I am at the end of my ideas... I don't know if there is another way to do it?
0
 

Author Comment

by:calmoving
one thing I noticed when I was testing last night was that I was getting a certificate from the server (192.168.254.1). I would think that, since the static should be bypassing directly to the local machine (192.168.254.63), that may have something to do with the problem?
0
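An added example in Python, not part of this thread: a probe that does what the port scanner used above could not, and that turns the certificate observation just made into a repeatable check. It opens the port, sends the X.224 Connection Request every RDP client starts with, and reports whether the reply was a TCP reset ("refused", as the phone client said), a silent drop, something that is not RDP, or a Connection Confirm; when the server negotiates TLS it records the SHA-256 of the certificate presented, so probing 3389 and 7389 on the public address shows whether both ports are answered by the same machine. The 198.51.100.2 address is a placeholder; probe_rdp() needs network access, while the frame builder and the reply classifier run offline on constructed bytes.

```python
"""Speak the first step of RDP to a published port instead of trusting a port scanner.

Added example; not code from the thread. Hosts and ports are placeholders.
Frame layouts follow MS-RDPBCGR (X.224 Connection Request/Confirm with the
RDP Negotiation Request/Response appended).
"""
import hashlib
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2


def build_x224_connection_request(cookie_user="probe", protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request with an mstshash cookie and an RDP Negotiation Request."""
    cookie = f"Cookie: mstshash={cookie_user}\r\n".encode()
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)   # type, flags, length, requestedProtocols
    # CR TPDU: code 0xE0, DST-REF 0, SRC-REF 0, class 0, then the variable part
    x224 = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + 1 + len(x224))        # version 3, reserved, total length
    return tpkt + bytes([len(x224)]) + x224


def classify_response(data):
    """Interpret the bytes that came back after the CR: (outcome, selected_protocol, failure_code)."""
    if not data:
        return ("closed-by-peer", None, None)
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        return ("not-rdp", None, None)          # not a well-formed TPKT frame
    if data[5] != 0xD0:
        return ("not-rdp", None, None)          # X.224 TPDU is not a Connection Confirm
    if len(data) < 19:
        return ("rdp", None, None)              # CC without negotiation response: legacy RDP security
    typ, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        return ("not-rdp", None, None)
    if typ == 0x02:                             # TYPE_RDP_NEG_RSP: server picked a protocol
        return ("rdp", value, None)
    if typ == 0x03:                             # TYPE_RDP_NEG_FAILURE, e.g. 1 = SSL_REQUIRED_BY_SERVER
        return ("rdp", None, value)
    return ("not-rdp", None, None)


def probe_rdp(host, port, timeout=5.0):
    """Connect, send the CR, classify the reply, and fingerprint the TLS certificate when TLS is selected."""
    result = {"host": host, "port": port, "outcome": None, "selected_protocol": None,
              "failure_code": None, "cert_sha256": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["outcome"] = "refused"            # a TCP RST came back: something answered, nothing listens there
        return result
    except socket.timeout:
        result["outcome"] = "timeout"            # SYN silently dropped: ACL, missing static, or host unreachable
        return result
    except OSError as exc:
        result["outcome"] = f"error: {exc.strerror or exc}"
        return result
    with sock:
        sock.sendall(build_x224_connection_request())
        try:
            data = sock.recv(64)                 # a CC fits in one small read; enough for a probe
        except socket.timeout:
            result["outcome"] = "timeout"
            return result
        outcome, selected, failure = classify_response(data)
        result.update(outcome=outcome, selected_protocol=selected, failure_code=failure)
        if outcome == "rdp" and selected in (PROTOCOL_SSL, PROTOCOL_HYBRID):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE      # we want the certificate's identity, not to trust it
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                result["cert_sha256"] = hashlib.sha256(der).hexdigest()
    return result


def same_backend(a, b):
    """True when two probes presented the same certificate, i.e. both ports reached the same host."""
    return a["cert_sha256"] is not None and a["cert_sha256"] == b["cert_sha256"]


if __name__ == "__main__":
    import sys
    public_ip = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.2"   # placeholder address
    default, redirected = probe_rdp(public_ip, 3389), probe_rdp(public_ip, 7389)
    for r in (default, redirected):
        print(r)
    if same_backend(default, redirected):
        print("port 7389 still reaches the host behind 3389: check which static owns 7389")
```

"refused" means a RST came back, so some device answered on that port; "timeout" means the SYN was dropped. The client alone cannot tell which device sent the RST, which is why the comparison against the working 3389 port matters: identical fingerprints on 3389 and 7389 mean the redirect is landing on the same machine as the default port.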
 
LVL 15

Accepted Solution

by:
max_the_king earned 500 total points
calmoving,
the answer is in the very first post of mine.

WRAP UP:

static (inside,outside) tcp xxx.xxx.215.226 7389 192.168.254.1 3389 netmask 255.255.255.255 0 0

this will publish port 7389 on public IP xxx.xxx.215.226 and map it to port 3389 of 192.168.254.1
if this is your server, that's it.
If your server is 192.168.254.63 then you need
static (inside,outside) tcp xxx.xxx.215.226 7389 192.168.254.63 3389 netmask 255.255.255.255 0 0
but you need to delete the static on 7389 for server 192.168.254.1:
no static (inside,outside) tcp xxx.xxx.215.226 7389 192.168.254.1 3389 netmask 255.255.255.255 0 0

the access-list is the one allowing the public IP:
access-list out_in permit tcp any host <public IP> eq 7389

it's easy, but if you post configurations with missing lines I cannot help you.

max
0
