
Inbound Terminal Services Clients

dsingleterry
Level 1

Hello,

I have a need to allow specific clients to my Terminal Services Server. Since TS uses port 3389, would something like

access-li acl_inbound permit tcp host x.x.x.x 192.168.50.75 255.255.255.255 eq 3389

and

static (inside,outside) Brian 192.168.50.75 netmask 255.255.255.255 0 0

be enough for the client to jump through to the TS server? Or do I need more? Whatever it is, that line doesn't seem to be cutting it...

Thanks

Dave

4 Replies

tvanginneken
Level 4

Hi,

All you have to do is add a static translation for the internal TS and create an access-list to allow the incoming traffic.

If the private IP address of the TS is A.B.C.D and the public address is W.X.Y.Z, then add the following lines to your config:

static (inside, outside) W.X.Y.Z A.B.C.D netmask 255.255.255.255

access-list ts_in permit tcp any host W.X.Y.Z eq 3389

access-group ts_in in interface outside

This will allow all TS clients on the internet to connect to the TS Server.

This should do it :-)

I think that your access-list is incorrect. You should use the public address of the TS server and not the private one.

Are you sure that 3389 is the correct port?

Best Wishes and Kind Regards,

Tom

That makes sense, but I need to confirm something before I do this...

I have one public IP address, x.x.71.7; my private TS is 192.168.50.75.

If i add:

static (inside, outside) x.x.71.7 192.168.50.75 netmask 255.255.255.255

won't that affect my outbound traffic? All my users accessing the web need to go out on that IP, and they won't be routing through 50.75, since their gateway is 192.168.50.1, which is the inside interface of the PIX.

Or am I getting confused beyond reason?

Thanks,

Dave

Hi,

You could be right. I'll have to test it. But to be absolutely sure you can use the following static command instead:

static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

This way, only incoming tcp traffic on port 3389 is forwarded to the TS server.

Kind Regards,

Tom

Thanks, that did the trick.
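Putting Tom's two replies together, here is what the finished PIX configuration looks like when the single public address x.x.71.7 is shared between outbound PAT and the inbound TS forward, and the inbound rule is narrowed to the specific clients Dave asked about in his first post rather than `any`. This is an added example, not configuration posted in the thread: PIX 6.x syntax is assumed, the two client addresses 203.0.113.10 and 203.0.113.11 are constructed placeholders from the documentation range, and the `global`/`nat` lines are an assumed stand-in for whatever outbound PAT the box already has.

```text
! --- outbound: all inside users share the one public address via PAT ---
! (assumed to already exist; shown so the address collision is visible)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! --- inbound: port-level static for the Terminal Server ---
! Only tcp/3389 arriving on x.x.71.7 is translated to 192.168.50.75.
! A plain one-to-one static, "static (inside,outside) x.x.71.7 192.168.50.75 ...",
! would claim the whole public address and conflict with the PAT above.
static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0

! --- inbound ACL, applied on the outside interface ---
! The destination is the public (translated) address, not the private one.
! Sources are limited to the specific client hosts (placeholder addresses).
access-list ts_in permit tcp host 203.0.113.10 host x.x.71.7 eq 3389
access-list ts_in permit tcp host 203.0.113.11 host x.x.71.7 eq 3389
access-list ts_in deny ip any any
access-group ts_in in interface outside
```

After changing a `static`, run `clear xlate` so existing translation entries are rebuilt, then check with `show xlate` (the tcp/3389 static should appear) and `show access-list ts_in` (hit counts on the permit lines as clients connect). If the goal is really only a handful of known clients, keep the `host` entries rather than Tom's `permit tcp any`, since the latter exposes RDP on the public address to the whole internet.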