Cisco Support Community
PIX only for Remote Desktop

I need to use PIX only for my Terminal Server with a public IP so that my external users can access my Terminal Server through Windows XP Remote Desktop. How should I configure the PIX 515E to allow only RDP connections to the Terminal Server and block all other traffic?



Re: PIX only for Remote Desktop

static (inside,outside) tcp interface 3389 terminal.server.ip 3389 netmask

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-group outside_access_in in interface outside

Re: PIX only for Remote Desktop

Adam provided you a config that should be good to go, however if you face any issues check the 'Troubleshoot' section of the following link:




Re: PIX only for Remote Desktop

Adam, I have a PIX 515 and I need to allow an external IP address to access 8 different IP addresses on my internal LAN. The 8 internal IPs are private IPs as well. Some NAT involved too.

During a test I added an access-group (ACL) to the outside interface and in doing so was able to connect from outside to inside using RDP (Remote Desktop, MS Terminal Services), BUT between those same two hosts I was UNable to FTP or HTTP. Strange that I could do RDP from an outside host to an inside host but NOT FTP or HTTP. Does the fact that I have FTP and HTTP fixup statements cause this to not work? Not sure. I ask because I read a solution on the web from someone who was able to get H.323 VoIP inbound connections working through a PIX 515 and one of the steps they suggested was to remove the "fixup protocol h323 1720" statement.


Re: PIX only for Remote Desktop

Microsoft RDP uses port 3389

The PIX needs a permit entry in the "outside" interface ACL. If the source address(es)/subnet is known, better to use that:

access-list OUTside_IN permit tcp any host eq 3389

which in this case allows any source address "in"; best to limit this as much as possible.

A static NAT is also needed:

static (INTernet,outside) netmask

It's possible to do this without NAT - the assumption here is that inside addressing is private. Also, NAT hides the true IP.


The rest of the PIX config should follow established rules.

The Remote Desktop host (inside) should have all Microsoft software updates, have the user account as secure as possible, and preferably have access verified by an AD domain controller.
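The three steps above (static port forward, source-restricted ACL, access-group) put together as an added example; this is not config from the thread or from Cisco documentation. It uses the PIX 7.x `extended` ACL syntax shown in the first reply and constructed sample addresses: 192.168.1.10 for the Terminal Server and 203.0.113.25 for the single remote host that is allowed in.

```cisco
! Added example, not from the thread. Sample addresses are constructed:
!   192.168.1.10  = Terminal Server on the inside interface
!   203.0.113.25  = the one remote host permitted to use RDP
! Step 1: forward only TCP/3389 on the outside interface address to the Terminal Server.
!         No other port on the outside address is translated, so nothing else is reachable.
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
! Step 2: permit RDP from the known source only. Replacing 'host 203.0.113.25' with 'any'
!         gives the weaker rule from the earlier replies, which exposes 3389 to the whole Internet.
access-list outside_access_in extended permit tcp host 203.0.113.25 interface outside eq 3389
! Log what the implicit deny would silently drop, so scans for other ports show up in syslog.
access-list outside_access_in extended deny ip any any log
! Step 3: bind the ACL inbound on the outside interface; traffic not matched above is dropped.
access-group outside_access_in in interface outside
```

After applying it, `show access-list outside_access_in` shows per-line hit counts, which is the quickest way to confirm that only the permitted source is reaching 3389 and that everything else is landing on the deny line.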