05-24-2006 12:13 AM - edited 03-09-2019 03:00 PM
Hi,
I need to allow access through a Cisco PIX Firewall to a Microsoft server using Remote Desktop. What I have done is use the web interface to create an access rule to open 3389 on the firewall. No luck, still cannot access. Any other method or suggestion? BTW, I am going through a DMZ, so I opened from the internal network to the DMZ and from the DMZ to my external RDP server. Or is there any command line I can use? I am very new to managing Cisco firewalls, thanks for your help.
05-24-2006 02:36 AM
Hi,
When you mention accessing the RD server via the DMZ, does it go through some sort of proxy server? More specific info will help.
What does your ACL look like? Did you configure an ACL (for the inside interface) to allow the internal host to use TCP 3389 to connect to the DMZ (or the proxy, if any), and from there access the remote RD server via the same protocol?
In certain scenarios, users can only access the external network, e.g. www, via a proxy in the DMZ, but they are allowed to access other external servers on different service ports directly. This requires a NAT/global/ACL combination.
For the DMZ, I believe it should be straightforward, at least something like "access-list dmz permit tcp
Rgds,
AK
05-24-2006 06:14 PM
My network does use an Apache proxy server. I didn't check the proxy as I am not familiar with Apache. However, the person managing the proxy told me there is no configuration on the proxy that is blocking.
I configured a service group RDP to use TCP 3389, then I configured a rule to allow internal hosts to use service group RDP to the proxy, and then from the proxy to the external RDP server. What else do I need to do here?
05-24-2006 06:21 PM
BTW, when I try to connect to the RDP server from my workstation on the inside network, netstat shows my workstation connecting to the external RDP server directly on port 3389 with a SYN_SENT state. Does that mean that I am not going through the proxy server?
05-24-2006 07:12 PM
Yes, you're bypassing the proxy.
At the same time, check your session to the RDP server from the PIX using one of the following commands:
'show conn | i
'show conn | i 3389'
To access the remote RDP server, what is the actual plan: access it via the proxy, or directly from the internal host to the external RDP server? Direct access is controlled by the inside ACL.
Most of the time you have to access it directly without going through the proxy (a proxy is commonly for controlling http/www only).
There's no difference if you go direct, as outbound traffic is strictly controlled by your ACL, where you can specify a single host or more.
Rgds,
AK
05-24-2006 07:58 PM
I am able to get a reply for 'show conn | i 3389':
TCP out 'external RDP server':3389 in 'internal host':2951 idle 0:00:17 Bytes 0 flags saA
but when I try 'show conn | i <my host IP address>'
nothing is returned.
05-24-2006 08:39 PM
I believe your RDP connection was not successful.
What's your config to allow the internal host to access the outside/Internet? You should have at least something like:
nat (inside) 1
global (outside) 1 <1st_public_IP>-
global (outside) 1
Your ACL should be one of these:
access-list inside permit tcp host
access-list inside permit tcp host
access-list inside permit tcp any any eq 3389
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0
Rgds,
AK
05-25-2006 12:34 AM
My ACL includes:
access-list inside_access_in permit tcp host <internal_host_IP> host
NAT: nat (inside) 0 0.0.0.0 0.0.0.0 0 0
Nothing on global.
BTW, I am using PIX version 6.3(3).
Sorry if I am asking so many questions, I am very new to Cisco PIX configuration.
05-25-2006 01:11 AM
Not a problem. What is your internal network IP range, private or public?
The 'nat (inside) 0 0.0.0.0 0.0.0.0' is to disable translation (no translation) between the internal and outside/DMZ segments. Is it possible to look at your config, limited to the static/nat/global/route statements?
The access-list clearly allows your internal host to access the external RDP server directly. If your internal network runs on public IPs, then it should be working (with a proper ACL). But if your internal network runs on private IPs, then you need a 'global' statement, which must be paired with a 'nat' command. The 'nat' command cannot use ID zero '0'; change it to another number, e.g. 1.
global (outside) 1
nat (inside) 1
*Tag '1' binds nat and global together.
Example using one (1) public IP and allowing one (1) internal host:
global (outside) 1 100.100.100.100 ---> public IP
nat (inside) 1 10.1.1.10 255.255.255.255 -> internal subnet
access-list inside_access_in permit tcp host 10.1.1.10 host
access-group inside_access_in in interface inside
Rgds,
AK
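Putting AK's nat/global/ACL/route advice together as one complete PIX 6.3 configuration, plus the checks that tell a working session apart from the "Bytes 0 flags saA" half-open one seen earlier in the thread. This is an added example, not configuration from the thread or from Cisco; the inside host 10.1.1.10, PAT address 203.0.113.10, remote RDP server 198.51.100.20, upstream gateway 203.0.113.1 and the ACL name inside_access_in are placeholders. Because the workstation's netstat showed a direct connection to the RDP server, the DMZ interface and the Apache proxy are not on this path, so only the inside-to-outside rules matter.

```text
! Added example, not from the original thread: PIX 6.3 config letting ONE
! inside host reach ONE external RDP server on TCP 3389, with PAT on the
! outside interface. All addresses and the ACL name are placeholders.

! The identity rule from the thread, "nat (inside) 0 0.0.0.0 0.0.0.0", sends
! inside packets out untranslated. That only works if the inside network uses
! routable addresses; for an RFC 1918 inside network, remove it and use a
! nat/global pair that share an ID (tag 1 below).
no nat (inside) 0 0.0.0.0 0.0.0.0

! nat/global pair bound by tag 1: only 10.1.1.10 is translated, to 203.0.113.10
global (outside) 1 203.0.113.10
nat (inside) 1 10.1.1.10 255.255.255.255

! Default route so the PIX knows where to forward the translated packets
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Least-privilege outbound ACL: one source host, one destination host, one
! port. The trailing deny is already implied by the PIX; writing it out lets
! "show access-list" hit counts show what is being dropped.
access-list inside_access_in permit tcp host 10.1.1.10 host 198.51.100.20 eq 3389
access-list inside_access_in deny ip any any
access-group inside_access_in in interface inside

! After changing nat/global, flush stale translations so new ones are built
clear xlate

! Verification from enable mode while the RDP client is connecting:
!   show xlate
!       expect a PAT entry mapping Local 10.1.1.10 to Global 203.0.113.10;
!       no entry means the nat/global pair did not match the source host
!   show conn | include 3389
!       a conn whose flags include U (up) completed the three-way handshake;
!       "Bytes 0 flags saA" means the inside SYN left but no SYN/ACK returned
!       (no return route, upstream filtering, or the server not listening)
!   show access-list inside_access_in
!       hitcnt on the permit line confirms the ACL matched, not the deny
```

Note that this deliberately does not open 3389 from any to any: the `permit tcp any any eq 3389` variant mentioned earlier in the thread lets every inside host reach every RDP server on the Internet, which is far more exposure than the one host and one server the question actually needs.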
05-26-2006 11:07 PM
Thanks AK. I am away from the office for the past 2 days. Will try next week & post if successful. Thank you.
05-30-2006 06:30 PM
I was trying to add the NAT, but now I have a new problem. When I type the URL of the firewall, after entering my username and password I get a screen "Loading PIX Device Manager, please wait" and never get to the configuration screen. I thought it was a Java issue, but after uninstalling and reinstalling Java it is still the same. Any idea what the issue is? Please help. I was able to access the config screen last week on the same machine.