12-31-2002 11:08 AM - edited 03-09-2019 01:32 AM
Hello,
I have a need to allow specific clients to my Terminal Services Server. Since TS uses port 3389 would something like
access-li acl_inbound permit tcp host x.x.x.x 192.168.50.75 255.255.255.255 eq 3389
and
static (inside,outside) Brian 192.168.50.75 netmask 255.255.255.255 0 0
be enough for the client to jump through to the TS server? Or do I need more? Whatever it is, that line doesn't seem to be cutting it...
Thanks
Dave
01-01-2003 09:42 AM
Hi,
All you have to do is to add a static translation for the internal TS and create an access-list to allow the incoming traffic.
If the private IP address of the TS is A.B.C.D and the public address is W.X.Y.Z, then add the following lines to your config:
static (inside, outside) W.X.Y.Z A.B.C.D netmask 255.255.255.255
access-list ts_in permit tcp any host W.X.Y.Z eq 3389
access-group ts_in in interface outside
This will allow all TS clients on the internet to connect to the TS Server.
This should do it :-)
I think that your access-list is incorrect. You should use the public address of the TS server and not the private one.
Are you sure that 3389 is the correct port?
Best Wishes and Kind Regards,
Tom
01-02-2003 08:41 AM
That makes sense, but I need to confirm something before I do this...
I have one public IP address, x.x.71.7, and my private TS is 192.168.50.75.
If I add:
static (inside, outside) x.x.71.7 192.168.50.75 netmask 255.255.255.255
won't that affect my outbound traffic? All my users accessing the web need to go out on that IP, and they won't be routing through 50.75 since their gateway is 192.168.50.1, which is the inside interface of the PIX.
Or am I getting confused beyond reason?
Thanks,
Dave
01-02-2003 11:17 AM
Hi,
You could be right. I'll have to test it. But to be absolutely sure, you can use the following static command instead:
static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
This way, only incoming tcp traffic on port 3389 is forwarded to the TS server.
Kind Regards,
Tom
01-03-2003 06:33 AM
Thanks, that did the trick.
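An added example, not part of the original thread and not Cisco code: a small Python check run over the three configurations discussed above (the original attempt, the one-to-one static with `permit tcp any`, and the port-redirect static), with the last one narrowed to a single client since the stated need was "specific clients". The addresses 203.0.113.7 and 198.51.100.20 are constructed placeholders for the masked public address and an allowed client, the `access-group` line in the first sample is assumed, and the finding names are made up for this example.

```python
import re

# Parses only the PIX line forms that appear in this thread.
STATIC = re.compile(r"static \((\w+),\s*(\w+)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+)")
ADDR = r"(any|host \S+|\S+ \S+)"
ACL = re.compile(rf"access-list (\S+) permit tcp {ADDR} {ADDR} eq (\d+)")
GROUP = re.compile(r"access-group (\S+) in interface outside")

def audit(config):
    """Return sorted finding names for one configuration given as a string."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {m.group(1) for l in lines if (m := GROUP.match(l))}
    inside_hosts, findings = set(), set()
    for l in lines:
        if m := STATIC.match(l):
            inside_hosts.add(m.group(6))      # real (inside) address of the static
            if m.group(3) is None:            # no tcp/udp keyword: every port is translated
                findings.add("full-static")
    for l in lines:
        m = ACL.match(l)
        if not m or m.group(1) not in bound:  # only ACLs applied inbound on outside
            continue
        src, dst, port = m.group(2), m.group(3), m.group(4)
        dst_ip = dst.split()[1] if dst.startswith("host ") else dst.split()[0]
        if dst_ip in inside_hosts:            # ACL names the private, not the public, address
            findings.add("acl-dest-is-inside-address")
        if src == "any" and port == "3389":   # Terminal Services reachable from any source
            findings.add("rdp-open-to-any-source")
    return sorted(findings)

# Constructed sample configurations modelled on the three variants in the thread.
ASKED = """static (inside,outside) 203.0.113.7 192.168.50.75 netmask 255.255.255.255 0 0
access-list acl_inbound permit tcp host 198.51.100.20 192.168.50.75 255.255.255.255 eq 3389
access-group acl_inbound in interface outside"""
OPEN = """static (inside, outside) 203.0.113.7 192.168.50.75 netmask 255.255.255.255
access-list ts_in permit tcp any host 203.0.113.7 eq 3389
access-group ts_in in interface outside"""
TIGHT = """static (inside,outside) tcp 203.0.113.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
access-list ts_in permit tcp host 198.51.100.20 host 203.0.113.7 eq 3389
access-group ts_in in interface outside"""

if __name__ == "__main__":
    for name, cfg in (("asked", ASKED), ("open", OPEN), ("tight", TIGHT)):
        print(name, audit(cfg))
```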