Port forwarding on Pix 515e

Apr 14th, 2010

Hi

We have a Pix 515e running v7 and one of our external contractors wants to access multiple servers on our internal network. They currently do this for one internal server by a static mapping from one of our external IP addresses to the internal IP of the server, then RDP onto it. The problem is that there is now a requirement for them to manage a number of other internal servers, but I don't have any more public IPs to do one-to-one mappings. Is there any way I can RDP (port 3389) onto multiple internal servers using one public IP address using something like port forwarding (e.g. public_ip:3389 forwards to private_ip1:3389, public_ip:3390 forwards to private_ip2:3389, if that makes sense)?

Thanks, Rex

Correct Answer by JORGE RODRIGUEZ, Wed, 04/14/2010 - 10:41

Hello Rex,

Should be no problem to accomplish your requirements, and yes, it can be done. You may either use the PIX outside interface as your public IP entity for port forwarding, or use a single spare public IP; either way, the implementation is similar. Be aware that this implementation does not entail encryption, and you probably should consider implementing IPsec, remote access VPN or L2L VPN using VPN filters so traffic is encrypted, as opposed to wide-open unencrypted RDP sessions, unless your hosts are on a DMZ environment segregated from the inside network.

As for port forwarding, you can do as follows:


Example using outside interface:

Assume you have 3 servers on your inside subnet:

Inside Hosts:  192.168.1.10, 192.168.1.11, 192.168.1.12


static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.12 3389 netmask 255.255.255.255

access-list 101 extended permit tcp any interface outside eq 3389
access-list 101 extended permit tcp any interface outside eq 3390
access-list 101 extended permit tcp any interface outside eq 3391
access-group 101 in interface outside


Or, using a spare public IP, replace the keyword interface above with the actual public IP (shown here as the placeholder PUBLIC_IP):

static (inside,outside) tcp PUBLIC_IP 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp PUBLIC_IP 3390 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp PUBLIC_IP 3391 192.168.1.12 3389 netmask 255.255.255.255

access-list 101 extended permit tcp any host PUBLIC_IP eq 3389
access-list 101 extended permit tcp any host PUBLIC_IP eq 3390
access-list 101 extended permit tcp any host PUBLIC_IP eq 3391
access-group 101 in interface outside



Here is additional information on port forwarding:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Lastly, once again you may consider RA VPN or L2L VPN in conjunction with VPN filters to control port access (per-user VPN filters, etc.), which is more secure.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Regards
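As an added example (not part of the original post), the same three static PAT entries with the outside access list tightened from `any` to the contractor's source address, followed by the show commands used to confirm the translations and rule hits. The contractor address 203.0.113.10 and the access-list name RDP-IN are assumed placeholders, not values from the thread.

```cisco
! Added example, not Jorge's configuration. Assumes the contractor connects
! from 203.0.113.10 (placeholder) and uses the outside interface address.
!
! Static PAT: one outside port per inside host, each landing on RDP (tcp/3389)
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.12 3389 netmask 255.255.255.255
!
! Permit only the contractor's source, not "any", so the forwarded RDP ports
! are not reachable from the whole Internet; log anything else that probes them
access-list RDP-IN extended permit tcp host 203.0.113.10 interface outside range 3389 3391
access-list RDP-IN extended deny tcp any interface outside range 3389 3391 log
access-group RDP-IN in interface outside
!
! Verify: the three static PAT entries should appear in the translation table
show xlate
! Verify: the permit line's hit count increments when the contractor connects,
! and the deny line's count shows unexpected probes of the forwarded ports
show access-list RDP-IN
```

If the access group is applied with a different name than the existing access list, make sure any other rules already bound to the outside interface are carried over, since only one access group can be applied inbound per interface.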

Rex Biesty Thu, 04/15/2010 - 06:17

Thanks for the very comprehensive answer. Looks like it will suit us just fine. Thanks again.
