Port forwarding on Pix 515e

Rex Biesty
Level 1

Hi

We have a Pix 515e running v7 and one of our external contractors wants to access multiple servers on our internal network. They currently do this for one internal server by a static mapping from one of our external IP addresses to the internal IP of the server then RDP onto it. The problem is that there is now a requirement for them to manage a number of other internal servers but I don't have any more public IPs to do one-to-one mappings. Is there any way I can RDP (port 3389) onto multiple internal servers using one public IP address using something like port forwarding (e.g. public_ip:3389 forwards to private_ip1:3389, public_ip:3390 forwards to public_ip2:3389 if that makes sense)?

Thanks, Rex

Accepted Solution

JORGE RODRIGUEZ
Level 10

Hello Rex,

Should be no problem to accomplish your requirements, and yes, it can be done. You may either use the PIX outside interface as your public IP entity for port forwarding, or use a single spare public IP; either way, the implementation is similar. Be aware that this implementation does not entail encryption and you probably should consider implementing IPsec, remote access VPN or L2L VPN using VPN filters so traffic is encrypted, as opposed to wide open unencrypted RDP sessions, unless your hosts are on a DMZ environment segregated from the inside network.


As for port forwarding you can do as follows:

Example using outside interface:

Assume you have 3 servers on your inside subnet:

Inside Hosts:  192.168.1.10, 192.168.1.11, 192.168.1.12


static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.12 3389 netmask 255.255.255.255

access-list 101 extended permit tcp any interface outside eq 3389
access-list 101 extended permit tcp any interface outside eq 3390
access-list 101 extended permit tcp any interface outside eq 3391
access-group 101 in interface outside

Or, using a spare public IP, replace the keyword interface above with the actual public IP (<public_ip> below is a placeholder for it):

static (inside,outside) tcp <public_ip> 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp <public_ip> 3390 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp <public_ip> 3391 192.168.1.12 3389 netmask 255.255.255.255

access-list 101 extended permit tcp any host <public_ip> eq 3389
access-list 101 extended permit tcp any host <public_ip> eq 3390
access-list 101 extended permit tcp any host <public_ip> eq 3391
access-group 101 in interface outside

Here is additional information on port forwarding:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Lastly, once again you may consider RA VPN or L2L VPN in conjunction with VPN filters to control port access, using per-user VPN filters etc., which is more secure.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml


Regards

Jorge Rodriguez

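The pattern in the accepted answer (one public address, one distinct mapped TCP port per inside host, all landing on 3389, plus an outside ACL written against the mapped address) generalises to any number of hosts. The following is an added example, not code from the original post: it generates the PIX 7.x (pre-8.3) static PAT and ACL lines for a list of (inside host, mapped port) pairs, supports both the interface keyword and a spare public IP, rejects reused mapped ports, and lets the ACL source be narrowed from any to the contractor's address. The inside hosts, the public IP 198.51.100.7 and the contractor address 203.0.113.5 are constructed sample values.

```python
# Added example (not from the original post): build PIX 7.x pre-8.3
# port-forwarding config for several inside RDP hosts behind one public IP.
from ipaddress import ip_address

RDP_PORT = 3389


def build_port_forwards(forwards, public="interface", acl_name="101", allowed_src="any"):
    """Return (static_lines, acl_lines).

    forwards:    list of (inside_ip, mapped_port); every inside host is
                 reached on RDP_PORT, each via its own mapped public port.
    public:      the literal keyword "interface" (outside interface address)
                 or a spare public IP as a string.
    allowed_src: ACL source, "any" as in the post or e.g. "host 203.0.113.5"
                 (constructed) to restrict access to one contractor address.
    """
    if public == "interface":
        dest = "interface outside"          # mapped address is the interface
    else:
        dest = f"host {ip_address(public)}" # ACL uses the mapped (public) IP
    statics, acl, used_ports = [], [], set()
    for inside_ip, mapped_port in forwards:
        ip_address(inside_ip)               # raises on a malformed address
        if not 1 <= mapped_port <= 65535 or mapped_port in used_ports:
            raise ValueError(f"mapped port {mapped_port} invalid or already used")
        used_ports.add(mapped_port)
        statics.append(
            f"static (inside,outside) tcp {public} {mapped_port} "
            f"{inside_ip} {RDP_PORT} netmask 255.255.255.255")
        acl.append(
            f"access-list {acl_name} extended permit tcp {allowed_src} "
            f"{dest} eq {mapped_port}")
    acl.append(f"access-group {acl_name} in interface outside")
    return statics, acl


if __name__ == "__main__":
    # Constructed sample: three inside hosts, ACL limited to one contractor IP.
    sample = [("192.168.1.10", 3389), ("192.168.1.11", 3390), ("192.168.1.12", 3391)]
    statics, acl = build_port_forwards(sample, allowed_src="host 203.0.113.5")
    print("\n".join(statics + acl))
```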

2 Replies

Thanks for the very comprehensive answer. Looks like it will suit us just fine. Thanks again.
