PIX 506e RDP Configuration

Jun 12th, 2007

The question I have is regarding the PIX 506e v6.3 and trying to configure RDP to pass through.


Scenario: External IP address 10.1.0.23, internal 192.168.7.23.

Permit Rule source 10.1.0.23 Dest. 192.168.7.23


It builds a translation rule but wants to put 192.168.7.23 on both internal and external ports.


We can manually configure the translation rule to show correctly but RDP still does not work. We are configuring the firewall using the Cisco PDM. Please help, thanks in advance!


vitripat Tue, 06/12/2007 - 16:04

Hi,


As you are doing the configuration from PDM, the following should be the result of the translation rule-


static (inside,outside) 10.1.0.23 192.168.7.23


You can check this by going to:


Tools -> command line interface -> show static


Next, in order to permit traffic, you need to permit as follows-


source interface : outside

permit source : any

source port : any

destination interface : inside

destination IP : 192.168.7.23

destination port: 3389

protocol : tcp


Result should be-


access-list permit tcp any host 10.1.0.23 eq 3389


Hope this helps.


Regards,

Vibhor.

sbsi_cisco Wed, 06/13/2007 - 08:58

I followed your advice, but it still doesn't want to work. I tried it both in the PDM and reset the pix back to factory defaults and used the CLI with the following commands:


static (inside,outside) 192.168.7.23 10.1.0.23 netmask 255.255.255.255 0 0


access-list acl permit tcp any host 192.168.7.23 eq 3389


I'm able to ping the firewall but not gain RDP access to the requested server. Thanks in advance.

vitripat Wed, 06/13/2007 - 09:05

Ok .. lemme verify things here ..


- What is the original IP address of the RDP server installed on the inside interface of PIX? 192.168.7.23? OR 10.1.0.23?


1) If it is 192.168.7.23, and you need to access this server from outside using 10.1.0.23, the following commands are required-


static (inside,outside) 10.1.0.23 192.168.7.23

access-list outin permit tcp any host 10.1.0.23 eq 3389

access-group outin in interface outside


2) If it is 10.1.0.23, and you need to access this server from outside using 192.168.7.23, the following commands are required-


static (inside,outside) 10.1.0.23

access-list outin permit tcp any host 192.168.7.23 eq 3389

access-group outin in interface outside


Let me know if that works.


Regards,

Vibhor.
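The three mistakes this thread works through (static arguments in the wrong order, the outside access-list written against the inside address instead of the translated one, and an access-list never bound with access-group) are easy to check mechanically before pushing a PIX 6.x config. The script below is an added example, not part of the thread and not Cisco tooling; it parses only the static, access-list and access-group forms used above and assumes you tell it the server's real inside address, since that is the one fact the config text alone cannot reveal. The sample configs are the poster's second attempt and the reply that worked, copied from the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Line patterns for the three PIX 6.x commands used in this thread. Written for
# this example; they cover the forms above, not the full PIX grammar.
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside>\w+),(?P<outside>\w+)\)\s+"
    r"(?P<global>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<local>\d{1,3}(?:\.\d{1,3}){3})"
)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+host\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+eq\s+(?P<port>\S+))?"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\w+)")


def parse(config: str):
    """Collect statics (global -> local), ACL entries and access-group bindings."""
    statics: Dict[str, str] = {}
    acls: List[Tuple[str, str, Optional[str]]] = []
    bound: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics[m["global"]] = m["local"]
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append((m["name"], m["dst"], m["port"]))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m["name"]] = m["iface"]
    return statics, acls, bound


def audit(config: str, server_inside_ip: str) -> List[str]:
    """Return the problems that would stop inbound access to server_inside_ip.

    server_inside_ip is the address the server really has behind the inside
    interface (an input this example assumes the operator knows).
    """
    statics, acls, bound = parse(config)
    findings: List[str] = []

    # 1. A static must map some outside (global) address to the server's real
    #    inside address. PIX 6.x argument order is: static (in,out) GLOBAL LOCAL.
    expected_global: Optional[str] = None
    for glob, loc in statics.items():
        if loc == server_inside_ip:
            expected_global = glob
        elif glob == server_inside_ip:
            findings.append(
                f"static arguments reversed: {server_inside_ip} is the inside address "
                f"but is in the global position; use 'static (inside,outside) {loc} {glob}'"
            )
            expected_global = loc  # the address the author evidently meant as global
    if expected_global is None:
        findings.append(f"no static translation maps an outside address to {server_inside_ip}")

    # 2./3. The outside ACL is evaluated against the translated (global) address,
    #       and it only takes effect once bound to the outside interface.
    for name, dst, port in acls:
        if dst == server_inside_ip:
            hint = f"; use 'host {expected_global}'" if expected_global else ""
            findings.append(
                f"access-list {name}: host {dst} is the inside address, but the outside "
                f"ACL is matched against the global address{hint}"
            )
        iface = bound.get(name)
        if iface is None:
            findings.append(f"access-list {name} is never applied with access-group, so it has no effect")
        elif iface != "outside":
            findings.append(f"access-list {name} is applied to '{iface}', not to the outside interface")
    return findings


# Constructed inputs: the poster's second attempt and the reply that worked.
BROKEN = """\
static (inside,outside) 192.168.7.23 10.1.0.23 netmask 255.255.255.255 0 0
access-list acl permit tcp any host 192.168.7.23 eq 3389
"""
WORKING = """\
static (inside,outside) 10.1.0.23 192.168.7.23
access-list outin permit tcp any host 10.1.0.23 eq 3389
access-group outin in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(f"{label}:")
        for finding in audit(cfg, "192.168.7.23") or ["no problems found"]:
            print("  -", finding)
```

Run against the poster's second attempt with the server's inside address given as 192.168.7.23, the audit reports the reversed static, the ACL written against the inside address, and the missing access-group; against the working reply it reports nothing. The same check applies to any inside host exposed through a static on PIX 6.x, not just RDP on port 3389.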

sbsi_cisco Wed, 06/13/2007 - 09:18

works like a charm . . . thanks for all your help!
