Firewall - Allow MS RDP

May 24th, 2006

I need to allow access through a Cisco PIX firewall to a Microsoft server using Remote Desktop. What I have done is use the web interface to create an access rule to open 3389 on the firewall. No luck, still cannot access. Any other method or suggestion? BTW, I am going through a DMZ, so I opened from the internal network to the DMZ and from the DMZ to my external RDP server. Or is there any command line I can use? I am very new to managing Cisco firewalls, thanks for your help.

a.kiprawih Wed, 05/24/2006 - 02:36

When you mention accessing the RD server via the DMZ, does it go through some sort of proxy server? More specific info will help.

What does your ACL look like? Did you configure an ACL (for the inside interface) to allow the internal host to use TCP 3389 to connect to the DMZ (or the proxy, if any), and from there access the remote RD server via the same protocol?

In certain scenarios, users can only access external networks, e.g. www, via a proxy in the DMZ, but they are allowed to access other external servers on different service ports directly. This requires a NAT/global/ACL combination.

For the DMZ, I believe it should be straightforward, at least something like "access-list dmz permit tcp eq 3389".



mill.choo Wed, 05/24/2006 - 18:14

My network does use an Apache proxy server. I didn't check the proxy as I am not familiar with Apache. However, the person managing the proxy told me there is no configuration on the proxy that is blocking.

I configured a service group RDP to use TCP 3389, then I configured a rule to allow the internal host to use service group RDP to the proxy, and then from the proxy to the external RDP server. What else do I need to do here?

mill.choo Wed, 05/24/2006 - 18:21

BTW, when I try to connect to the RDP server from my workstation on the inside network, netstat shows my workstation connecting to the external RDP server directly on port 3389 with a SYN_SENT state. Does that mean that I am not going through the proxy server?

a.kiprawih Wed, 05/24/2006 - 19:12

Yes, you're bypassing the proxy.

At the same time, check your session to the RDP server from the PIX using one of the following commands:

'show conn | i '

'show conn | i 3389'

To access the remote RDP server, what is the actual plan: access it via the proxy, or directly from the internal host to the external RDP server? Direct access is controlled by the inside ACL.

Most of the time, you have to access it directly without going through the proxy (a proxy is commonly for controlling http/www only).

There's no difference if you go direct, as outbound traffic is strictly controlled by your ACL, where you can specify a single host or more.



mill.choo Wed, 05/24/2006 - 19:58

I am able to get a reply for 'show conn | i 3389'

TCP out 'external RDP server':3389 in 'internal host':2951 idle 0:00:17 Bytes 0 flags saA

but when I try 'show conn | i <my host IP address>'

nothing was returned.

a.kiprawih Wed, 05/24/2006 - 20:39

I believe your RDP connection was not successful.

What's your config to allow internal hosts to access the outside/internet? You should have at least something like:

nat (inside) 1 --> can also specify host IP

global (outside) 1 <1st_public_IP>-, OR

global (outside) 1 --> served as PAT

Your ACL should be one of these:

access-list inside permit tcp host any eq 3389, or

access-list inside permit tcp host host eq 3389, or

access-list inside permit tcp any any eq 3389

access-group inside in interface inside

route outside
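As an added troubleshooting aid that is not part of this thread: a small Python parser for PIX 6.3 'show conn' lines that separates half-open TCP sessions like the one quoted above (flags 'saA', Bytes 0, matching the workstation's SYN_SENT) from established ones (flag 'U'). The sample lines and addresses are constructed; the flag letter meanings follow Cisco's PIX 'show conn' documentation.

```python
import re
from typing import Dict, List, Optional, Tuple

# PIX 6.3 "show conn" flag letters that describe TCP handshake state
# (per Cisco's PIX "show conn" documentation).
HANDSHAKE_FLAGS = {
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "U": "up (three-way handshake complete)",
}

# One conn-table line, e.g. "TCP out A:3389 in B:2951 idle 0:00:17 Bytes 0 flags saA"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\S+) "
    r"Bytes (?P<bytes>\d+)(?: flags (?P<flags>\S*))?$"
)

def parse_conn_line(line: str) -> Optional[Dict[str, str]]:
    """Split one 'show conn' line into its fields; None if it is not a conn line."""
    m = CONN_RE.match(line.strip())
    return m.groupdict(default="") if m else None

def conn_state(conn: Dict[str, str]) -> str:
    """'U' means up; zero bytes with only SYN/ACK-wait letters (e.g. 'saA') means half-open."""
    flags = conn["flags"]
    if "U" in flags:
        return "established"
    if int(conn["bytes"]) == 0 and any(f in flags for f in "sSaA"):
        return "half-open"
    return "other"

def half_open_rdp(lines: List[str], port: int = 3389) -> List[Tuple[str, str, str]]:
    """(inside host, outside host, why) for RDP sessions whose handshake never finished."""
    stuck = []
    for line in lines:
        c = parse_conn_line(line)
        if c and c["proto"] == "TCP" and int(c["out_port"]) == port and conn_state(c) == "half-open":
            why = ", ".join(HANDSHAKE_FLAGS[f] for f in c["flags"] if f in HANDSHAKE_FLAGS)
            stuck.append((c["in_ip"], c["out_ip"], why))
    return stuck

# Constructed sample "show conn | i 3389"-style lines (RFC 5737 / private addresses).
SAMPLE = [
    "TCP out 203.0.113.10:3389 in 10.1.1.20:2951 idle 0:00:17 Bytes 0 flags saA",
    "TCP out 203.0.113.20:3389 in 10.1.1.21:3072 idle 0:00:02 Bytes 8412 flags UIO",
    "TCP out 198.51.100.5:80 in 10.1.1.20:2960 idle 0:00:01 Bytes 512 flags UIO",
]
```

A session that stays at 'saA' with zero bytes means the PIX forwarded the inside SYN but never saw the outside SYN/ACK, which points at the return path (NAT/global, routing, or the far end) rather than the inside ACL.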



mill.choo Thu, 05/25/2006 - 00:34

My ACL includes

access-list inside_access_in permit tcp host <internal_host_IP> host eq 3389

NAT: nat (inside) 0 0 0

Nothing on global.

BTW, I am using PIX version 6.3(3).

Sorry if I am asking so many questions; I am very new to Cisco PIX configuration.

a.kiprawih Thu, 05/25/2006 - 01:11

Not a problem. What's your internal network IP - private or public?

The 'nat (inside) 0' disables translation (no translation) between the internal and outside/DMZ segments. Is it possible to look at your config, probably limited to the static/nat/global/route statements?

The access-list clearly allows your internal host to access the external RDP server directly. If your internal network runs on public IPs, then it should be working (with a proper ACL). But if your internal network runs on private IPs, then you should have a 'global' statement, which needs to be paired with a 'nat' command. The 'nat' command cannot use zero '0'; change it to any number, e.g. 1.

global (outside) 1

nat (inside) 1 or netmask

*Tag '1' is to bind nat & global

Example using one (1) public IP and allowing one (1) internal host:

global (outside) 1 ---> public IP

nat (inside) 1 -> internal subnet

access-list inside_access_in permit tcp host host eq 3389

access-group inside_access_in in interface inside



mill.choo Fri, 05/26/2006 - 23:07

Thanks AK. I have been away from the office for the past 2 days. Will try next week & post if successful. Thank you.

mill.choo Tue, 05/30/2006 - 18:30

I was trying to add the NAT, but now I have a new problem. When I type the URL of the firewall and enter my username and password, I get a screen saying "loading PIX Device Manager, please wait", and I never get to the configuration screen. I thought it was a Java issue, but after uninstalling and reinstalling Java it is still the same. Any idea what the issue is? Please help. I was able to access the config screen last week on the same machine.
