Cisco Support Community

New Member

Allow Port 3389 on PIX501 Firewall

I am new to firewalling and have a PIX501 that has been set up and running for a while now without any problems. But I now need to get the PIX to allow a new port number through. How do I do this?

I tried adding:

access-list 101 permit tcp any host xxx.xxx.xxx.xx eq 3389

and

static (inside,outside) tcp interface 3389 xxx.xxx.xxx.xx netmask 255.255.255.255 0 0

But according to the tech guys who need it, it is still not open. Any help would be great. I really need to get this working.

20 REPLIES

Re: Allow Port 3389 on PIX501 Firewall

Mike,

Yes, by default traffic from outside to inside is blocked, so you need to apply NAT and permit the traffic.

static NAT (NAT FROM OUTSIDE TO INSIDE)

static (inside,outside) [Public IP Address] [Private IP] netmask 255.255.255.255

ACL

access-list [use the existing ACL name applied to your outside interface] permit tcp any host [PUBLIC IP] eq 3389

francisco.

New Member

Re: Allow Port 3389 on PIX501 Firewall

Can you explain how to do that? What command is needed?

Re: Allow Port 3389 on PIX501 Firewall

e.g.

static (inside,outside) 217.19.1.10 10.15.0.1 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 217.19.1.10 eq 3389

access-group outside_access_in in interface outside

Is your PIX version 6.1(1)?

New Member

Re: Allow Port 3389 on PIX501 Firewall

Ok, that seems to be what I have.

static (inside,outside) tcp 216.153.252.xx 3389 192.168.1.xx 3389 netmask 255.255.255.255 0 0

access-list 101 permit tcp any host 216.153.252.xx eq 3389

access-group 101 in interface outside

Do you see anything in my lines that isn't right? Then I think this should be working. I'll have to see if my outside tech can get in yet.

Thanks for your help, Mike

Re: Allow Port 3389 on PIX501 Firewall

No worries. Give it a go and let us know the outcome.

You can also use the PDM manager to set up your NAT/ACL statements as well (easier to use).

New Member

Re: Allow Port 3389 on PIX501 Firewall

Yeah I was thinking that too, but when I connected an older laptop to it in the IP range of the firewall and entered the path in the address bar, it goes to the page, but then just says loading and nothing ever happens. Any thoughts on that?

Cisco Employee

Re: Allow Port 3389 on PIX501 Firewall

Dude,

Try this ( a small modification in your commands ) :

access-list 101 permit tcp any interface outside eq 3389

and

static (inside,outside) tcp interface 3389 xxx.xxx.xxx.xx netmask 255.255.255.255 0 0

As you can see, in the access list I specified the "interface outside" keyword rather than the outside interface IP address.

Try this, it should work. Please rate if it helps :)

Regards,

Sushil

Re: Allow Port 3389 on PIX501 Firewall

In the example I provided, I already have an ACL applied to the outside interface (outside_access_in). The PIX can only allow a single ACL on the outside interface for inbound connections, so when adding a new ACL entry you need to use the existing ACL already applied to the outside interface, unless you are trying to tell me something I do not know.

New Member

Re: Allow Port 3389 on PIX501 Firewall

I'll give it a shot.

By the way after I add this and do a "write mem" is there any other commands I should be entering to make sure it gets loaded to the PIX?

Also, I notice that I have been using 101 but doesn't there need to be a line defining what 101 is? I am really not understanding this too well.

Re: Allow Port 3389 on PIX501 Firewall

If 101 is not already applied to the outside interface I don't see how your ACL is going to work. You need to use an ACL already applied to your PIX outside interface.

If you post the config we can find out the ACL name.

New Member

Re: Allow Port 3389 on PIX501 Firewall

Please help. I'm having a hard time understanding the terminology here and I am afraid of making changes and locking everyone out or blocking my users access out.

Mike

Re: Allow Port 3389 on PIX501 Firewall

So on your firewall access-group 101 is used.

The ACL below will work

access-list 101 permit tcp any host 216.153.252.20 eq 3389

New Member

Re: Allow Port 3389 on PIX501 Firewall

Ok, I just had my outside tech try it and it didn't work. She said it might be a problem with the server instead, so from what you see, it looks like this firewall should be allowing incoming connections from everyone on port 3389, right? Is there anything else that could be blocking it on the firewall?

Thank you for your help, it has been invaluable!

Mike

Re: Allow Port 3389 on PIX501 Firewall

Just noticed the deny:

access-list 101 deny ip any any log (this is preventing your RDP from working)

access-list 101 permit tcp any host 216.153.252.20 eq 3389

New Member

Re: Allow Port 3389 on PIX501 Firewall

So if I enter:

"no access-list 101 deny ip any any log"

that will work? Will doing this affect anything else?

Thank you

Re: Allow Port 3389 on PIX501 Firewall (Accepted Solution)

I have just tried it on my lab PIX 525.

Removed:

no access-list 101 extended deny ip any any log

and added it again:

access-list 101 extended deny ip any any log

Now:

access-list 101 extended permit tcp any host 216.153.252.20 eq 3389

access-list 101 extended deny ip any any log

Before making changes on a production FW, I recommend you back up the config and do it out of working hours.
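The reason removing and re-adding the deny line works is that the PIX evaluates an access-list top-down and stops at the first matching entry, so a `deny ip any any` that sits above the `permit ... eq 3389` entry shadows it. The following is an added illustration, not code from the thread or from Cisco: a small first-match evaluator for the two ACE shapes that appear above (`permit`/`deny`, `ip`/`tcp`/`udp`, `any` or `host X`, optional `eq PORT`, optional `log`, with or without the `extended` keyword). The client address 203.0.113.7 and the list contents are constructed; it deliberately ignores subnet masks, port ranges and object groups, which the real PIX supports.

```python
"""First-match evaluation of PIX-style access-list entries.

Constructed example, not from the thread or from Cisco.  Models why entry
order matters: the PIX walks an ACL top-down and applies the first entry
that matches, with an implicit deny if nothing matches.  Also flags
entries that an earlier, broader entry makes unreachable.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepts lines such as:
#   access-list 101 [extended] permit tcp any host 216.153.252.20 eq 3389
#   access-list 101 [extended] deny ip any any [log]
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?(?:\s+log)?\s*$"
)


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: Optional[str]    # None means "any"
    dst: Optional[str]    # None means "any"
    port: Optional[int]   # None means any destination port
    text: str

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        """Does this entry match a single packet (proto, src, dst, dport)?"""
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src is not None and self.src != src:
            return False
        if self.dst is not None and self.dst != dst:
            return False
        if self.port is not None and self.port != port:
            return False
        return True

    def covers(self, other: "Ace") -> bool:
        """True if every packet `other` could match is already matched by self."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        src_ok = self.src is None or self.src == other.src
        dst_ok = self.dst is None or self.dst == other.dst
        port_ok = self.port is None or self.port == other.port
        return proto_ok and src_ok and dst_ok and port_ok


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")

    def host(field: str) -> Optional[str]:
        return None if field == "any" else field.split()[1]

    return Ace(
        name=m["name"], action=m["action"], proto=m["proto"],
        src=host(m["src"]), dst=host(m["dst"]),
        port=int(m["port"]) if m["port"] else None,
        text=line.strip(),
    )


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, port: int) -> str:
    """First match wins; implicit deny when no entry matches."""
    for ace in acl:
        if ace.matches(proto, src, dst, port):
            return ace.action
    return "deny"


def shadowed(acl: List[Ace]) -> List[str]:
    """Text of entries that can never be reached because an earlier entry covers them."""
    return [ace.text for i, ace in enumerate(acl)
            if any(earlier.covers(ace) for earlier in acl[:i])]


# Constructed lists mirroring the before/after ordering discussed above.
BROKEN = [parse_ace(l) for l in [
    "access-list 101 deny ip any any log",
    "access-list 101 permit tcp any host 216.153.252.20 eq 3389",
]]
FIXED = [parse_ace(l) for l in [
    "access-list 101 extended permit tcp any host 216.153.252.20 eq 3389",
    "access-list 101 extended deny ip any any log",
]]

# Constructed RDP connection attempt from an outside client (documentation address).
RDP = ("tcp", "203.0.113.7", "216.153.252.20", 3389)

if __name__ == "__main__":
    print("broken order:", evaluate(BROKEN, *RDP))   # deny
    print("fixed order: ", evaluate(FIXED, *RDP))    # permit
    print("shadowed in broken order:", shadowed(BROKEN))
```

`shadowed()` is the check worth running after any edit like this one: if the permit you just added shows up as unreachable, the order is wrong regardless of what `show access-list` prints. The same idea explains the PDM advice later in the thread, which lets you place the new entry above the deny rather than relying on remove-and-re-add.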

New Member

Re: Allow Port 3389 on PIX501 Firewall

Oh, so you're saying it can be there but the line for port 3389 needs to be above the deny line? And by removing it and then re-adding it, it should place the deny line at the bottom?

Re: Allow Port 3389 on PIX501 Firewall

Yes. The test I did worked on my lab PIX. I always use the PDM manager to make ACL changes; it's easier to use. With the PDM, you can add a new ACL entry and paste it above your deny rule.

New Member

Re: Allow Port 3389 on PIX501 Firewall

Yep that worked. My outside tech was able to connect through port 3389.

Thanks, you're a life saver.

Mike

Re: Allow Port 3389 on PIX501 Firewall

No problem.

Can you please rate.

Thanks.

Francisco

568 Views, 0 Helpful, 20 Replies