08-12-2002 11:29 AM - edited 02-20-2020 10:12 PM
I'm trying to get Terminal Services to work through my PIX, port 3389, and cannot for the life of me get this thing to work right. Here's my config of the static command and my access-list which is applied to the outside interface.
static (inside,outside) tcp 24.128.92.26 ftp 192.168.60.101 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.128.92.26 www 192.168.60.101 www netmask 255.255.255.255 10 0
static (inside,outside) tcp 24.128.92.26 3389 192.168.60.101 3389 netmask 255.255.255.255 0 0
access-list 101 permit tcp any host 24.128.92.26 eq ftp
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 24.128.92.26 eq www
access-list 101 permit tcp any eq 3389 host 24.128.92.26 eq 3389
I have tried many different variations of the way the access-list is set and nothing seems to work. I have also tried the conduit command to no avail.
Can anyone tell me what I am missing here? Everything I have read from these forums leads me to believe it works and is easy to configure, but I am missing something.
Thanks in advance
Gary
08-12-2002 07:09 PM
After making each config change, use the command "clear xlate" before testing.
Add the commands "logging enable" and "logging buffered debugging", test again, capture the log with "show log" and paste the results back here. The config you provided looks good; make sure you have "access-group 101 outside".
08-14-2002 11:33 AM
Below is the capture
305001: Portmapped translation built for gaddr 24.x.x.x/3389 laddr 192.168.60.101/3389
106023: Deny tcp src outside:64.69.100.93/44599 dst inside:24.x.x.x/3389 by access-group "101"
106023: Deny tcp src outside:64.69.100.93/44599 dst inside:24.x.x.x/3389 by access-group "101"
106023: Deny tcp src outside:64.69.100.93/44599 dst inside:24.x.x.x/3389 by access-group "101"
I'm definitely hitting the access-group, which is reading the access-list and also looks like the static translation is working, but why am I getting denied?
Thanks
08-14-2002 01:38 PM
Shouldn't the last entry read as :-
access-list 101 permit tcp any host 24.128.92.26 eq 3389
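To show why the original last entry never matches while the corrected one does, here is an added example (not from the thread or from Cisco) that evaluates the posted access-list entries against the logged 106023 deny the way a first-match access-group would. It assumes the redacted "24.x.x.x" in the log is the 24.128.92.26 global address from the static, and the log line below is constructed on that assumption.

```python
import re

# Constructed sample data: the ACL entries from the post, a corrected copy,
# and one of the logged denies with the global address filled in (assumed).
ACL = [
    "access-list 101 permit tcp any host 24.128.92.26 eq ftp",
    "access-list 101 permit tcp any host 24.128.92.26 eq www",
    "access-list 101 permit tcp any eq 3389 host 24.128.92.26 eq 3389",
]
FIXED_ACL = ACL[:2] + ["access-list 101 permit tcp any host 24.128.92.26 eq 3389"]
LOG = ('106023: Deny tcp src outside:64.69.100.93/44599 '
       'dst inside:24.128.92.26/3389 by access-group "101"')
PORTS = {"ftp": 21, "www": 80}  # PIX keyword-to-port names used on the page
LOG_RE = re.compile(r"Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)")

def _addr(toks, i):
    """Parse 'any' or 'host X'; None means any address."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError("unsupported address spec: %s" % toks[i])

def _port(toks, i):
    """Parse an optional 'eq PORT'; None means any port."""
    if i < len(toks) and toks[i] == "eq":
        return PORTS.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Turn 'access-list N permit tcp SRC [eq P] DST [eq P]' into a dict."""
    toks = line.split()
    src, i = _addr(toks, 4)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return dict(action=toks[2], proto=toks[3], src=src, sport=sport, dst=dst, dport=dport)

def parse_log(line):
    """Extract the 5-tuple from a PIX 106023 deny message."""
    proto, sip, sport, dip, dport = LOG_RE.search(line).groups()
    return dict(proto=proto, src=sip, sport=int(sport), dst=dip, dport=int(dport))

def evaluate(acl, pkt):
    """First-match evaluation with implicit deny at the end, like an access-group."""
    for line in acl:
        ace = parse_ace(line)
        fields = ("src", "sport", "dst", "dport")
        if ace["proto"] == pkt["proto"] and all(ace[k] is None or ace[k] == pkt[k] for k in fields):
            return ace["action"], line
    return "deny", "implicit deny"

if __name__ == "__main__":
    pkt = parse_log(LOG)
    print("original ACL:", evaluate(ACL, pkt))    # client source port 44599 != 3389
    print("fixed ACL:   ", evaluate(FIXED_ACL, pkt))
```

The client's source port is an ephemeral port (44599 in the log), so an entry that requires the source port to equal 3389 falls through to the implicit deny; only the destination port should be constrained.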