RDP through PIX

Unanswered Question
May 22nd, 2012

I have the following network topology:


PC1 <=> Switches L2 <=> Switch L2/L3 <=> PIX <=> Router <=> INTERNET <=> Adsl Modem/Router <=> PC2


I want to make an RDP connection from PC2 to PC1.

PC1 has a private static IP address (10.10.10.10).

TeamViewer is not an option for my implementation.


According to a Cisco document I found, the proposed solution is the following:

1) Configure an access-list on the PIX

access-list Outside_access_In permit tcp any host 197.197.197.197 eq 3389

2) Apply the access-list

access-group Outside_access_In in interface outside

3) Configure the static NAT

static (inside,outside) 197.197.197.197 10.10.10.10 netmask 255.255.255.255


Is this configuration recommended, given that I have (with "any") allowed the whole Internet address space to access the RDP service?

If in the future there is a need to add an additional private IP address for access via RDP, how will it be possible to change my above configuration, as I don't want to waste all my public IP addresses?

rizwanr74 Tue, 05/22/2012 - 08:56

Hi Kostas,


Your config looks fine to me and you should not have any problem accessing your internal device @10.10.10.10.


However, you can also translate to a specific port, rather than doing an IP-to-IP translation:


static (inside,outside) tcp 197.197.197.197 3389 10.10.10.10 3389 netmask 255.255.255.255



"If in the future there is a need to add an additional private IP address for access via RDP, how will it be possible to change my above configuration, as I don't want to waste all my public IP addresses?"


To address your question above: just as your ACL allows port 3389, you could likewise allow a different port (80, 443, or whatever port you want) and create a static NAT from a different private IP and the port of interest to that port on the same public address, so you are not wasting public addresses.


I hope this answers your question.


Please rate helpful post.


thanks

Rizwan Rafeek
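As an added example (not part of either post), the following Python script generates the three-step configuration from the question in the per-port `static` form Rizwan suggests, so several internal hosts can share one public IP on different ports, and it audits the resulting ACL for rules whose source is `any`, which is the exposure the question asks about. The `Forward` record, the function names, and the 203.0.113.0/24 and 198.51.100.7 source networks are assumptions chosen for illustration; the 197.197.197.197 and 10.10.10.x addresses are the ones from the thread.

```python
"""Generate and audit PIX port-forwarding (static PAT) rules for RDP.

Added example; not Cisco documentation and not the poster's own config.
PIX 6.x-style syntax is assumed, matching the lines in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Ports that should normally not be reachable from arbitrary Internet sources.
ADMIN_PORTS = {3389, 22, 23}


@dataclass(frozen=True)
class Forward:
    """One public socket mapped to one private socket (assumed structure)."""
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int
    # Source networks allowed to reach this service: "any" or CIDR strings.
    allowed_sources: Tuple[str, ...] = ("any",)


def _source_clause(src: str) -> str:
    """Render a source as PIX ACL syntax: 'any', 'host X', or 'NET MASK'."""
    if src == "any":
        return "any"
    net = ipaddress.ip_network(src, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def build_pix_config(forwards: List[Forward],
                     acl_name: str = "Outside_access_In") -> List[str]:
    """Return ACL lines, the access-group line, then one static PAT per forward.

    Raises ValueError if two forwards claim the same public IP:port, since the
    PIX cannot map one public socket to two private hosts.
    """
    acl, nat, seen = [], [], set()
    for f in forwards:
        ipaddress.ip_address(f.public_ip)   # fail early on a mistyped address
        ipaddress.ip_address(f.private_ip)
        key = (f.public_ip, f.public_port)
        if key in seen:
            raise ValueError(f"duplicate public socket {f.public_ip}:{f.public_port}")
        seen.add(key)
        for src in f.allowed_sources:
            acl.append(f"access-list {acl_name} permit tcp {_source_clause(src)} "
                       f"host {f.public_ip} eq {f.public_port}")
        nat.append(f"static (inside,outside) tcp {f.public_ip} {f.public_port} "
                   f"{f.private_ip} {f.private_port} netmask 255.255.255.255")
    return acl + [f"access-group {acl_name} in interface outside"] + nat


def audit_acl(lines: List[str]) -> List[str]:
    """Return the ACL lines that permit an admin port from source 'any'."""
    findings = []
    for line in lines:
        tok = line.split()
        # Expected shape: access-list NAME permit tcp SRC... host DST eq PORT
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        if tok[4] == "any" and tok[-2] == "eq" and int(tok[-1]) in ADMIN_PORTS:
            findings.append(line)
    return findings


if __name__ == "__main__":
    # Constructed sample: PC1 exposed as in the thread, plus a second host on
    # port 3390 of the same public IP, restricted to one management network.
    forwards = [
        Forward("197.197.197.197", 3389, "10.10.10.10", 3389),
        Forward("197.197.197.197", 3390, "10.10.10.11", 3389,
                ("203.0.113.0/24", "198.51.100.7/32")),
    ]
    config = build_pix_config(forwards)
    print("\n".join(config))
    for bad in audit_acl(config):
        print(f"WARNING: world-reachable admin port -> {bad}")
```

Running the script prints the generated PIX lines and flags the first rule, because its source is `any`; the second host is reachable only from the two listed source networks while still sharing the single public address, which is the point of Rizwan's answer.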


rizwanr74 Tue, 05/22/2012 - 19:35

Please rate helpful post.


thanks
