Terminal Services through my PIX 501

r.giguere
Level 1

I'm trying to get Terminal Services to work through my PIX, port 3389, and cannot for the life of me get this thing to work right. Here's my config of the static command and my access-list which is applied to the outside interface.

static (inside,outside) tcp 24.128.92.26 ftp 192.168.60.101 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 24.128.92.26 www 192.168.60.101 www netmask 255.255.255.255 10 0

static (inside,outside) tcp 24.128.92.26 3389 192.168.60.101 3389 netmask 255.255.255.255 0 0

access-list 101 permit tcp any host 24.128.92.26 eq ftp

access-list 101 permit icmp any any echo-reply

access-list 101 permit tcp any host 24.128.92.26 eq www

access-list 101 permit tcp any eq 3389 host 24.128.92.26 eq 3389

I have tried many different variations of the way the access-list is set and nothing seems to work. I have also tried the conduit command to no avail.

Can anyone tell me what I am missing here? Everything I have read from these forums leads me to believe it works and is easy to configure, but I am missing something.

Thanks in advance

Gary

4 Replies

pgolding
Level 1

after making each config change, use the command "clear xlate" before testing.

add the commands "logging enable" and "logging buffered debugging", test again, capture the log with "show log" and paste the results back here. the config you provided looks good, make sure you have "access-group 101 outside"

Below is the capture

305001: Portmapped translation built for gaddr 24.x.x.x/3389 laddr 192.168.60.101/3389

106023: Deny tcp src outside:64.69.100.93/44599 dst inside:24.x.x.x/3389 by access-group "101"

106023: Deny tcp src outside:64.69.100.93/44599 dst inside:24.x.x.x/3389 by access-group "101"

106023: Deny tcp src outside:64.69.100.93/44599 dst inside:24.x.x.x/3389 by access-group "101"

I'm definitely hitting the access-group, which is reading the access-list, and it also looks like the static translation is working, but why am I getting denied?

Thanks

v.kalingara
Level 1

Shouldn't the last entry read as:

access-list 101 permit tcp any host 24.128.92.26 eq 3389
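The reason the posted list denies the connection is visible in the 106023 log lines: the client's source port is 44599, an ephemeral port, while the entry `permit tcp any eq 3389 host 24.128.92.26 eq 3389` only matches when the source port is also 3389 (an `eq` placed right after the source address is a source-port test on the PIX). So the packet falls through to the implicit deny at the end of the list. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the access-list lines in the first post, run against a packet constructed from the log line (the public address 24.128.92.26 is taken from the poster's `static` commands, since the log masks it). It checks the list as posted, the list with v.kalingara's corrected entry, and a tighter variant that is my own suggestion rather than anything in the thread: publishing RDP to `any` on a firewall invites brute-force attempts, so the source should be limited to known management addresses where possible. The address 198.51.100.7 is a documentation address used only to show the restricted entry rejecting an unknown source.

```python
"""Toy first-match evaluator for the PIX 6.x access-list lines in the thread.

Added example; it handles only the subset of syntax used in the first post
(permit/deny, any/host/net+mask, optional 'eq PORT' on source and destination).
"""
import ipaddress
from typing import List, Optional, Tuple
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "www": 80, "http": 80, "telnet": 23, "smtp": 25}


def port_number(tok: str) -> int:
    """Resolve a port keyword such as 'www' or a numeric port string."""
    return PORT_NAMES.get(tok) or int(tok)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME ACTION PROTO SRC [eq P] DST [eq P] [icmp-type]'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = toks[2], toks[3]

    def take_addr(i: int):
        if toks[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if toks[i] == "host":
            return ipaddress.ip_network(toks[i + 1]), i + 2
        # PIX access-lists take a normal subnet mask here, not a wildcard mask.
        return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2

    def take_port(i: int):
        if i < len(toks) and toks[i] == "eq":
            return port_number(toks[i + 1]), i + 2
        return None, i

    src, i = take_addr(4)
    sport, i = take_port(i)   # 'eq' directly after the source is a SOURCE-port test
    dst, i = take_addr(i)
    dport, i = take_port(i)   # 'eq' after the destination is the usual service port
    # Any trailing token (e.g. 'echo-reply' on the icmp line) is ignored here.
    return Ace(action, proto, src, sport, dst, dport, line)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins; no match means the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", None


# The access-list exactly as posted in the thread; the last line is the suspect one.
POSTED_ACL = [
    "access-list 101 permit tcp any host 24.128.92.26 eq ftp",
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 permit tcp any host 24.128.92.26 eq www",
    "access-list 101 permit tcp any eq 3389 host 24.128.92.26 eq 3389",
]
# Same list with the last entry written as v.kalingara suggests.
CORRECTED_ACL = POSTED_ACL[:3] + [
    "access-list 101 permit tcp any host 24.128.92.26 eq 3389",
]
# Tighter variant (my suggestion, not from the thread): only one known admin
# source address may reach RDP instead of 'any'.
RESTRICTED_ACL = POSTED_ACL[:3] + [
    "access-list 101 permit tcp host 64.69.100.93 host 24.128.92.26 eq 3389",
]

# Constructed from the 106023 log line: ephemeral client port 44599 to 3389.
RDP_SYN = Packet("tcp", "64.69.100.93", 44599, "24.128.92.26", 3389)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("corrected", CORRECTED_ACL),
                      ("restricted", RESTRICTED_ACL)):
        print(f"{name:10s} {evaluate(acl, RDP_SYN)}")
    # The posted entry only matches if the client happens to use source port 3389.
    lucky = Packet("tcp", "64.69.100.93", 3389, "24.128.92.26", 3389)
    print(f"posted, source port 3389: {evaluate(POSTED_ACL, lucky)}")
```

Running it shows the posted list returning the implicit deny for the real packet, the same list permitting only the contrived source-port-3389 case, the corrected list permitting the connection, and the restricted list permitting it from 64.69.100.93 alone. The static translation in the first post is fine; it is the source-port test in the last access-list entry that blocks the session.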
