PIX only for Remote Desktop

Unanswered Question
Jun 13th, 2008

I need to use the PIX only for my Terminal Server with a public IP so that my external users can access my Terminal Server through Windows XP Remote Desktop. How should I configure the PIX 515E to allow only RDP connections for the Terminal Server and block all other traffic?


Thanks!

acomiskey Fri, 06/13/2008 - 04:46

static (inside,outside) tcp interface 3389 terminal.server.ip 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-group outside_access_in in interface outside

a-gould Wed, 07/02/2008 - 22:08

Adam, I have a PIX 515 and I need to allow an external IP address to access 8 different IP addresses on my internal LAN. The 8 internal IPs are private IPs as well, ...so some NAT is involved too.

During a test I added an access-group (ACL) to the outside interface and in doing so was able to connect from outside to inside using RDP (Remote Desktop, MS Terminal Services), BUT between those same two hosts I was UNable to FTP or HTTP. Strange that I could do RDP from an outside host to an inside host but NOT FTP or HTTP. Does the fact that I have ftp and http fixup statements cause this to not work? Not sure. I ask because I read a solution on the web from someone who was able to get H.323 VoIP inbound connections working through a PIX 515 and one of the steps they suggested was to remove the "fixup protocol h323 1720" statement.


jwalker0594 Thu, 06/26/2008 - 14:17

Microsoft RDP uses port 3389.


The PIX needs a permit entry on the "outside" interface ACL. If the source address(es) or subnet are known, so much the better.


access-list OUTside_IN permit tcp any host 177.176.175.174 eq 3389


which in this case allows any source address "in"; best to limit it as much as possible.


A static NAT is also needed:


static (INTernet,outside) 177.176.175.174 192.168.0.1 netmask 255.255.255.255


It's possible to do this without NAT; the assumption here is that the inside addressing is private. Also, NAT hides the true IP.


Caveats:


The rest of the PIX config should follow established rules.


The Remote Desktop host (inside) should have all Microsoft software updates, have the user account as secure as possible, and preferably have access verified by an AD domain controller.
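A fuller version of what the two answers above describe, as an added example that is not from either poster. It assumes PIX 7.x syntax (the `extended` keyword in acomiskey's ACL line), interfaces named `inside` and `outside`, a terminal server at 10.0.0.25, and constructed admin source addresses; it keeps the port-forward but limits the permit to known sources and logs what the implicit deny would otherwise drop silently:

```cisco
! Added example: PIX 7.x configuration allowing inbound RDP only.
! All addresses are constructed placeholders; 10.0.0.25 is the assumed terminal server.
!
! Known external sources allowed to reach the terminal server (constructed).
object-group network RDP_ALLOWED_SOURCES
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0
!
! Static PAT: TCP 3389 on the outside interface address maps to the terminal server.
static (inside,outside) tcp interface 3389 10.0.0.25 3389 netmask 255.255.255.255
!
! Inbound ACL on outside: permit RDP only from the known sources, and log
! everything else ahead of the implicit deny so probes show up in syslog.
access-list outside_access_in extended permit tcp object-group RDP_ALLOWED_SOURCES interface outside eq 3389
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! Ship the denied-connection log lines to an internal syslog collector (constructed address).
logging enable
logging trap informational
logging host inside 10.0.0.50
```

Replacing `object-group RDP_ALLOWED_SOURCES` with `any` gives the open-to-the-world permit the answer above warns about; the explicit `deny ... log` line is what makes the difference visible in the logs.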
