04-14-2010 06:09 AM - edited 03-11-2019 10:32 AM
Hi
We have a Pix 515e running v7 and one of our external contractors wants to access multiple servers on our internal network. They currently do this for one internal server by a static mapping from one of our external IP addresses to the internal IP of the server, then RDP onto it. The problem is that there is now a requirement for them to manage a number of other internal servers, but I don't have any more public IPs to do one-to-one mappings. Is there any way I can RDP (port 3389) onto multiple internal servers using one public IP address using something like port forwarding (e.g. public_ip:3389 forwards to private_ip1:3389, public_ip:3390 forwards to public_ip2:3389, if that makes sense)?
Thanks, Rex
04-14-2010 10:41 AM
Hello Rex,
Should be no problem to accomplish your requirements, and yes it can be done. You may either use the PIX outside interface as your public IP entity for port forwarding, or use a single spare public IP; either way, the implementation is similar. Be aware that this implementation does not entail encryption and you probably should consider implementing IPsec, remote access VPN or L2L VPN using VPN filters so traffic is encrypted as opposed to wide open unencrypted RDP sessions, unless your hosts are in a DMZ environment segregated from the inside network.
As for port forwarding you can do as follows:
Example using outside interface:
Assume you have 3 servers on your inside subnet:
Inside Hosts: 192.168.1.10, 192.168.1.11, 192.168.1.12
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.12 3389 netmask 255.255.255.255
access-list 101 extended permit tcp any interface outside eq 3389
access-list 101 extended permit tcp any interface outside eq 3390
access-list 101 extended permit tcp any interface outside eq 3391
access-group 101 in interface outside
Or, using a spare public IP, replace the keyword interface above with the actual public IP.
static (inside,outside) tcp
static (inside,outside) tcp
static (inside,outside) tcp
access-list 101 extended permit tcp any host
access-list 101 extended permit tcp any host
access-list 101 extended permit tcp any host
access-group 101 in interface outside
Here is additional information on port forwarding:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
Lastly, once again you may consider RA VPN or L2L VPN in conjunction with VPN filters to control port access, using per-user VPN filters etc., which is more secure.
Regards
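The static PAT lines and the ACL in the answer above only forward traffic when all three pieces line up: a static for the public port, an access-list permit for that same port on the same public entity, and an access-group that actually applies the list inbound on outside. The checker below is an added example (not from this thread or from Cisco) that parses PIX 7.x-style static, access-list and access-group lines, reports what each public port exposes on the inside, and flags the mismatches an operator usually hunts for by hand: a static with no applied permit (traffic silently dropped), a permit with no matching static (stale rule), two statics fighting over one public port, and a permit whose source is any (the contractor's address should be used instead). The sample configuration is constructed from the answer's three servers plus two deliberately broken lines (192.168.1.13 on port 3392 with no permit, and a permit on 3393 with no static) so every finding type appears.

```python
"""Audit PIX 7.x static port-forwarding lines against their outside ACL.

Added example, not the original poster's or Cisco's code. Assumes the
syntax shown in the forum answer:
  static (inside,outside) tcp {interface|PUBLIC_IP} PUB_PORT INSIDE_IP INSIDE_PORT netmask MASK
  access-list NAME extended permit tcp SRC {interface outside|host PUBLIC_IP} eq PORT
  access-group NAME in interface outside
"""
import re
from dataclasses import dataclass

STATIC_RE = re.compile(
    r"^static \(inside,outside\) tcp (?P<pub>interface|\S+) (?P<pport>\d+) "
    r"(?P<in_ip>\S+) (?P<iport>\d+) netmask \S+$")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp (?P<src>.+?) "
    r"(?:interface outside|host (?P<pub>\S+)) eq (?P<port>\d+)$")
AG_RE = re.compile(r"^access-group (?P<name>\S+) in interface outside$")


@dataclass(frozen=True)
class Forward:
    public: str        # "interface" or the spare public IP named in the static
    public_port: int
    inside_ip: str
    inside_port: int


def parse_config(lines):
    """Return (statics, permits, applied_acl_names) from raw config lines."""
    statics, permits, applied = [], [], set()
    for raw in lines:
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Forward(m["pub"], int(m["pport"]), m["in_ip"], int(m["iport"])))
        elif m := ACL_RE.match(line):
            # A permit whose destination is "interface outside" has no pub group.
            permits.append((m["name"], m["src"], m["pub"] or "interface", int(m["port"])))
        elif m := AG_RE.match(line):
            applied.add(m["name"])
    return statics, permits, applied


def audit(lines):
    """Map (public entity, public port) -> (inside ip, inside port) and list findings."""
    statics, permits, applied = parse_config(lines)
    exposure, findings = {}, []
    for s in statics:
        key = (s.public, s.public_port)
        if key in exposure:   # second static on the same public port never wins
            findings.append(f"duplicate public port {key}: {s.inside_ip} shadowed by {exposure[key][0]}")
        else:
            exposure[key] = (s.inside_ip, s.inside_port)
    # Only permits in an ACL that is actually applied inbound on outside count.
    active = {}
    for name, src, pub, port in permits:
        if name in applied:
            active.setdefault((pub, port), set()).add(src)
    for key, (ip, port) in exposure.items():
        sources = active.get(key)
        if not sources:
            findings.append(f"{key[0]}:{key[1]} -> {ip}:{port} has no permit in an applied outside ACL")
        elif "any" in sources:
            findings.append(f"{key[0]}:{key[1]} -> {ip}:{port} is reachable from any source; restrict to the contractor's address")
    for key in active:
        if key not in exposure:
            findings.append(f"permit on {key[0]}:{key[1]} has no static behind it (stale rule)")
    return exposure, findings


# Constructed sample: the answer's three servers plus two deliberately broken lines.
SAMPLE_CONFIG = [
    "static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3390 192.168.1.11 3389 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3391 192.168.1.12 3389 netmask 255.255.255.255",
    "static (inside,outside) tcp interface 3392 192.168.1.13 3389 netmask 255.255.255.255",  # no permit
    "access-list 101 extended permit tcp any interface outside eq 3389",
    "access-list 101 extended permit tcp any interface outside eq 3390",
    "access-list 101 extended permit tcp any interface outside eq 3391",
    "access-list 101 extended permit tcp any interface outside eq 3393",  # no static
    "access-group 101 in interface outside",
]

if __name__ == "__main__":
    exposure, findings = audit(SAMPLE_CONFIG)
    for (pub, pport), (ip, iport) in exposure.items():
        print(f"{pub}:{pport} -> {ip}:{iport}")
    for f in findings:
        print("FINDING:", f)
```

Feed it `show running-config` output and the exposure table doubles as the list of inside hosts that are reachable from the Internet on RDP, which is the inventory you want before deciding whether the VPN-plus-filter approach the answer recommends is worth the move.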
04-15-2010 06:17 AM
Thanks for the very comprehensive answer. Looks like it will suit us just fine. Thanks again.