PIX only for Remote Desktop

cscisco_admin
Level 1

I need to use the PIX only for my Terminal Server with a public IP so that my external users can access my Terminal Server through Windows XP Remote Desktop. How should I configure the PIX 515E to allow only RDP connections to the Terminal Server and block all other traffic?

Thanks!

4 Replies

acomiskey
Level 10

static (inside,outside) tcp interface 3389 terminal.server.ip 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-group outside_access_in in interface outside

Adam provided you a config that should be good to go, however if you face any issues check the 'Troubleshoot' section of the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

Regards

Farrukh

Adam, I have a PIX 515 and I need to allow an external IP address to access 8 different IP addresses on my internal LAN. The 8 internal IPs are private IPs as well, so some NAT is involved too.

During a test I added an access-group (ACL) to the outside interface and in doing so was able to connect from outside to inside using RDP (Remote Desktop, MS Terminal Services), BUT between those same two hosts I was UNable to FTP or HTTP. Strange that I could do RDP from an outside host to an inside host but NOT FTP or HTTP. Does the fact that I have FTP and HTTP fixup statements cause this to not work? Not sure. I ask because I read a solution on the web from someone who was able to get H.323 VoIP inbound connections working through a PIX 515 and one of the steps they suggested was to remove the "fixup protocol h323 1720" statement.

jwalker0594
Level 1

Microsoft RDP uses TCP port 3389.

The PIX needs a permit entry in the "outside" interface ACL. If the source address(es)/subnet are known, so much the better:

access-list OUTside_IN permit tcp any host 177.176.175.174 eq 3389

which in this case allows any source address "in"; best to limit it as much as possible.

A static NAT is also needed:

static (INTernet,outside) 177.176.175.174 192.168.0.1 netmask 255.255.255.255

It's possible to do this without NAT - assumption here is inside addressing is private. Also NAT hides the true IP.

Caveats:

the rest of the PIX config should follow established rules

The remote desktop host (inside) should have all Microsoft software updates and also have the user account as secure as possible and preferably access verified by AD Domain controller.
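Both replies above describe the same three pieces: a static translation for the Terminal Server, an inbound ACL on the outside interface, and the access-group that applies it. The following is an added example that puts them together for PIX 7.x (the syntax the 515E runs), not a configuration posted in the thread. It tightens the earlier answers in two ways: it publishes only port 3389 with a port static rather than a full 1:1 static, and it permits RDP only from a known client network instead of "any". The addresses and names are assumptions: outside interface, Terminal Server at 192.168.0.1, remote clients on 198.51.100.0/24, ACL named outside_access_in.

```cisco
! Added example (not from the thread). Assumed addresses:
!   Terminal Server (inside)   192.168.0.1
!   Permitted RDP clients      198.51.100.0/24
!   Published address          the outside interface address ("interface")

! 1. Port static (PAT): publish only TCP/3389 of the server on the outside
!    interface address. A plain 1:1 static would map every port, leaving the
!    ACL as the only thing between the Internet and the server's other services.
static (inside,outside) tcp interface 3389 192.168.0.1 3389 netmask 255.255.255.255

! 2. Inbound ACL on the outside interface. Only the known client network may
!    reach the published RDP port. The implicit deny at the end of the ACL
!    already drops everything else; the explicit "deny ip any any log" line is
!    there so the drops show up in the log and in the hit counters.
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq 3389
access-list outside_access_in extended deny ip any any log

! 3. Apply the ACL inbound on the outside interface.
access-group outside_access_in in interface outside

! 4. Make the deny log line actually produce output (message 106100 is
!    informational by default).
logging enable
logging buffered informational

! 5. Verify: after an RDP test from 198.51.100.0/24 the hitcnt on the permit
!    line should increase; a scan of any other port from outside should only
!    increment the deny line and appear in "show logging".
show access-list outside_access_in
show xlate
show logging
```

If the external users do not come from a fixed network, replace the 198.51.100.0 255.255.255.0 source with "any", as in the replies above, but then the server's own patch level and account policy (see the caveats above) are the only remaining controls, since the PIX will pass any RDP client on the Internet to it.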
