RDP access

Unanswered Question
Jan 25th, 2008

I have a PIX 506e at home and I would like to Remote Desktop to one of my laptops at home from work...

How do I open port 3389 to the E1505 laptop on my network at home?

Current config on the PIX:

***********************************

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.9.2.202 E1505
pager lines 500
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.9.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.9.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.9.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.9.2.200-10.9.2.210 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 200
Cryptochecksum:xxx
: end

**************************************

Patrick Iseli Fri, 01/25/2008 - 16:47

Example:

access-list outside_access_in permit tcp any host PublicIP eq 3389

# This will allow any host to RDP into RDPServer

static (inside,outside) tcp PublicIP 3389 LocalIP 3389 netmask 255.255.255.255 0 0

#Port Redirect tcp port 3389 RDP to LocalIP

access-group outside_access_in in interface outside

# Apply access-list to interface

Sincerely,

Patrick

srue Sat, 01/26/2008 - 11:00

You need to use the 'interface' keyword instead of PublicIP.

Danny Guillory Jr Sat, 01/26/2008 - 11:35

So the command I need to run is:

access-list outside_access_in permit tcp any host interface eq 3389

Is this correct?

srue Sat, 01/26/2008 - 11:37

Yes... and change it in your static statement also.

Danny Guillory Jr Sat, 01/26/2008 - 11:51

Here is my config. I don't think there is a static statement in there. My IP address is dynamic from my ISP.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 300
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.9.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.9.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.9.2.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.9.2.200-10.9.2.250 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end

srue Sat, 01/26/2008 - 12:00

access-list outside_acl permit tcp any interface eq 3389

access-group outside_acl in interface outside

static (inside,outside) tcp interface 3389 10.9.2.100 3389

That assumes 10.9.2.100 is your PC on the inside you want to RDP to.

Danny Guillory Jr Sat, 01/26/2008 - 14:15

pixfirewall(config)# access-list outside_acl permit tcp any interface eq 3389
interface does not exist
Usage: [no] access-list compiled
[no] access-list deny-flow-max
[no] access-list alert-interval
[no] access-list compiled
[no] access-list [line ] remark
[no] access-list [line ] deny|permit
|object-group
| interface | object-group
[ [] | object-group ]
| interface | object-group
[ [] | object-group ]
[log [disable|default] | [] [interval ]]
[no] access-list [line ] deny|permit icmp
| interface | object-group
| interface | object-group
[ | object-group ]
[log [disable|default] | [] [interval ]]
Restricted ACLs for route-map use:
[no] access-list deny|permit {any | | host }

srue Sun, 01/27/2008 - 04:59

Whoops, left out part:

access-list outside_acl permit tcp any interface outside eq 3389
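
The corrected three-line answer above forwards 3389 from "any" source on the Internet. The PIX 6.3 config below is an added example, not part of the thread, showing the same access-list / static / access-group pieces with the source narrowed to one address. It assumes 203.0.113.10 is the office's public address (a placeholder from the RFC 5737 documentation range) and that the laptop is 10.9.2.202, the address the first posted config names E1505. Lines beginning with ":" are comments, as in the posted config.

```cisco
: Added example, not from the thread. Same pieces srue gave, but with the source
: restricted instead of "any". Placeholders: 203.0.113.10 = office public address;
: 10.9.2.202 = the E1505 laptop from the first posted config.
:
: 1. Permit RDP only from the office, to the PIX's own outside address.
:    "interface outside" is needed because the outside IP comes from DHCP,
:    so there is no fixed public address to write into the rule.
access-list outside_acl permit tcp host 203.0.113.10 interface outside eq 3389
: Log everyone else probing 3389; the implicit deny would drop it silently.
access-list outside_acl deny tcp any interface outside eq 3389 log
:
: 2. Port-forward outside:3389 to the laptop. The inside address must not move:
:    10.9.2.202 sits inside the posted dhcpd pool (10.9.2.200-10.9.2.210), so give
:    the laptop a static address or move it out of the pool before relying on this.
static (inside,outside) tcp interface 3389 10.9.2.202 3389 netmask 255.255.255.255 0 0
:
: 3. Apply the list inbound on the outside interface.
access-group outside_acl in interface outside
:
: The second posted config also opens management with "ssh 0.0.0.0 0.0.0.0 outside".
: Limit it to the same office address.
no ssh 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.10 255.255.255.255 outside
:
: Verify after an RDP attempt from the office: hit counts on the rule, and the
: translation for the forward.
: show access-list outside_acl
: show xlate
```

The restriction to a single source is the important part: without it, any scanner that finds 3389 open on the home address can start guessing Windows credentials against the laptop. If the office has more than one egress address, list each with its own `permit` line rather than widening to `any`.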

r00KEY73k Thu, 02/14/2008 - 23:16

My customers using RDP cannot access the remote PC through my router since I configured basic ACLs on the router: ACL 10 = deny internal network in; ACL 11 = permit SNMP server; ACL 12 = permit SSH access. Also, when I applied ACL 12 to the egress interface, SNMP polls were blocked. ACL samples follow:

acl 10 deny 10.10.1.0 0.0.0.255 log, acl 10 permit any log; acl 10 applied at ingress port;
acl 11 permit 10.10.2.2 log; snmp-server host 10.10.2.2;
acl 12 permit remarks ssh access; acl 12 permit 10.10.3.1 log; acl 12 deny any log.

Will any of the ACLs deny RDP on the router? Will the config of the above sample ACLs allow RDP traffic? Appreciate your assistance. Thank you, r00KEY73k
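
The lists in the post above (10, 11, 12) are IOS standard ACLs, which match on source address only and cannot permit or deny a port such as TCP 3389; a list that ends in `deny any` and is applied to an interface also drops every other packet in that direction, which is consistent with the SNMP polls stopping. The IOS config below is an added example, not from the thread, of how the same three jobs are usually split: an extended ACL on the outside interface for traffic through the router, `access-class` on the vty lines for SSH, and the SNMP ACL bound to the community string. Placeholders: 10.10.1.50 is the internal PC reached over RDP, FastEthernet0/0 is the outside interface, and MYSTRING is the SNMP community. It assumes the router is not doing NAT; if it is, an inbound ACL on the outside interface sees the pre-translation (public) destination address, and the `permit` line must name that address instead.

```cisco
! Added example, not from the thread. Placeholders: 10.10.1.50 (RDP target),
! FastEthernet0/0 (outside interface), MYSTRING (SNMP community). Assumes no NAT.
!
! Inbound from the outside: RDP to the one host, return traffic for sessions the
! inside started, and log-and-drop everything else. "established" only checks TCP
! flags (ACK/RST); a stateful "ip inspect" policy is the stronger alternative.
ip access-list extended OUTSIDE_IN
 remark RDP to the internal PC only
 permit tcp any host 10.10.1.50 eq 3389
 remark replies to TCP sessions opened from the inside
 permit tcp any any established
 deny ip any any log
interface FastEthernet0/0
 ip access-group OUTSIDE_IN in
!
! ACL 12 (the SSH source) belongs on the vty lines, not on an interface, so its
! "deny any" only limits who may open a management session to the router.
line vty 0 4
 access-class 12 in
 transport input ssh
!
! ACL 11 (the NMS) restricts who may use the community, without touching transit traffic.
snmp-server community MYSTRING RO 11
```

With this layout ACL 10 is the only list left on a transit interface besides OUTSIDE_IN, and it still decides only by source address; whether it blocks the RDP session depends on which direction and interface it is applied to, which the post does not say.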

Posted January 25, 2008 at 3:57 PM