04-13-2004 12:59 PM - edited 03-09-2019 07:03 AM
I am trying to set up a PIX 501 and allow a Terminal Server session to connect to a server on the inside interface. At this point no luck, any help would be appreciated.
Here are the commands that I have on my pix, related to this issue.
In.IP.Add.X = Inside IP Address
Out.IP.Add.X = Outside IP Address
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name In.IP.Add.10 Server
access-list outside_access_in permit tcp any host Out.IP.Add.116 eq 3389
ip address outside Out.IP.Add.117 255.255.255.248
ip address inside In.IP.Add.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Out.IP.Add.116 Server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 Out.IP.Add.118 1
Can infact the RDP protocol be passed through the PIX?
Any help in this matter is greatly appreciated.
BCollis
04-13-2004 07:25 PM
Assuming the basic internet connectivity is fine, as well as the server offering the RDP service, it might be something to do with the translation. Do a "sh xlate" command and verify the translation. BTW, what OS is running on the PIX?
04-14-2004 07:48 AM
Hi jackko,
Thanks for taking the time to answer my question.
PIX version is 6.3
The server is offering the RDP service. The server has an Internal and External NIC at present. I can successfully connect (via RDP) to the external NIC, and when I establish a VPN connection to the PIX, I can then connect to the internal NIC of the server.
I tried your "sh xlate" command along with
"sh xlate interface outside", "sh xlate global Out.Ip.Add.116" and "sh xlate state static" and could only get "0 in use, 6 most used"
As I used the static command to map outside to inside ip address I did a "sh static" and got
"static (inside,outside) Out.IP.Add.116 Server netmask 255.255.255.255 0 0" Which is the same as in the config.
Just to let you know: the PC I am using for the testing is behind a firewall, and hence NATing out to the Internet. Don't know if that makes any difference (hope not, as I would guess that most external connections to this server will be NATed to get to the Internet).
Hope this information helps with diagnosing the problem.
Look forward to more suggestions.
BCollis
04-14-2004 09:56 AM
More Information:
Redid the sh xlate command while trying to connect using RDP to the server - saw this:
1 in use, 6 most used
Global Out.IP.Add.116 Local Server
So it looks like the PIX is doing something.
04-14-2004 12:25 PM
The problem is with this:
"The server has an Internal and External NIC at present. I can successfully connect (via RDP) to the external NIC, and when I establish a VPN connection to the PIX, I can then connect to the internal NIC of the server."
If you do a "route print" on the Terminal Server, the default route will be out the "External NIC"; therefore the TCP session for the RDP connection will not be successful.
If you add a route to the server that routes the public IP address of the workstation you are testing this from to the inside interface of the PIX, then it will most likely work.
The way that you can test this would be to do the following:
access-list test permit tcp any host Server eq 3389
access-list test permit tcp host Server eq 3389 any
capture TEST access-list test interface inside
show capture TEST
(capture names and access-list names are case sensitive)
This will show you the "SYN" go to the internal IP but nothing coming back.
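The two checks in the reply above, as an added example that is not part of the original thread: a longest-prefix-match walk of the Terminal Server's routing table (what "route print" would tell you) showing that the SYN/ACK leaves via the external NIC until a host route for the tester's public address is added toward the PIX inside interface, and a small parser for "show capture" output that flags clients whose SYNs to port 3389 never got a SYN/ACK back through the inside interface. All addresses, the routing table and the capture lines are constructed; the PIX 6.3 capture line layout ("<n>: <time> <src>.<port> > <dst>.<port>: <flags> ...") is an assumption, so adjust the regex if your output differs.

```python
"""Asymmetric-routing diagnosis for the one-way RDP session in the thread.

Added example, not original post content. 10.0.0.0/24 stands in for
In.IP.Add.X, 192.0.2.0/29 for the outside /29 and 203.0.113.7 for the
tester's NATed public address; all are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed Terminal Server routing table in "route print" order:
# (destination, gateway, interface address). The default route is via
# the external NIC, exactly the situation described in the thread.
SERVER_ROUTES = [
    ("0.0.0.0/0",    "192.0.2.1", "192.0.2.10"),  # default via external NIC
    ("10.0.0.0/24",  "0.0.0.0",   "10.0.0.10"),   # internal NIC, directly connected
    ("192.0.2.0/29", "0.0.0.0",   "192.0.2.10"),  # external NIC, directly connected
]

PIX_INSIDE = "10.0.0.1"             # ip address inside In.IP.Add.1
SERVER_INTERNAL = "10.0.0.10"       # the "Server" name in the PIX config
WORKSTATION_PUBLIC = "203.0.113.7"  # constructed tester's public address


def egress_interface(routes, dst):
    """Longest-prefix match: the interface address a reply to dst leaves from."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, _gw, iface in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None


def add_host_route(routes, host, gateway, iface):
    """The fix suggested in the thread: a /32 for the tester's public address
    pointing at the PIX inside interface (route add <host> mask 255.255.255.255 <gw>)."""
    return routes + [(f"{host}/32", gateway, iface)]


# Assumed "show capture" line shape; tune if your PIX prints it differently.
CAP_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)"
)

# Constructed "show capture TEST" output: three retransmitted SYNs from the
# outside tester with no SYN/ACK, plus one inside client whose handshake works.
SAMPLE_CAPTURE = """\
1: 12:01:03.112233 203.0.113.7.51022 > 10.0.0.10.3389: S 1001:1001(0) win 65535
2: 12:01:06.118844 203.0.113.7.51022 > 10.0.0.10.3389: S 1001:1001(0) win 65535
3: 12:01:12.120001 203.0.113.7.51022 > 10.0.0.10.3389: S 1001:1001(0) win 65535
4: 12:01:15.500000 10.0.0.25.40010 > 10.0.0.10.3389: S 2002:2002(0) win 8192
5: 12:01:15.500300 10.0.0.10.3389 > 10.0.0.25.40010: S 3003:3003(0) ack 2003 win 8192
"""


def half_open_flows(capture_text, server, port):
    """Map (client_ip, client_port) -> SYN count for clients whose SYN to
    server:port never got a SYN/ACK back on this interface."""
    syn_seen = defaultdict(int)
    synack_seen = set()
    for line in capture_text.splitlines():
        m = CAP_RE.match(line)
        if not m:
            continue
        is_syn = "S" in m["flags"]
        has_ack = " ack " in line  # tcpdump-style SYN/ACK carries an ack field
        if is_syn and not has_ack and m["dst"] == server and m["dport"] == str(port):
            syn_seen[(m["src"], m["sport"])] += 1
        elif is_syn and has_ack and m["src"] == server and m["sport"] == str(port):
            synack_seen.add((m["dst"], m["dport"]))
    return {ep: n for ep, n in syn_seen.items() if ep not in synack_seen}


if __name__ == "__main__":
    print("reply leaves via:", egress_interface(SERVER_ROUTES, WORKSTATION_PUBLIC))
    fixed = add_host_route(SERVER_ROUTES, WORKSTATION_PUBLIC, PIX_INSIDE, SERVER_INTERNAL)
    print("after host route :", egress_interface(fixed, WORKSTATION_PUBLIC))
    for (ip, port), n in half_open_flows(SAMPLE_CAPTURE, SERVER_INTERNAL, 3389).items():
        print(f"{ip}:{port} sent {n} SYN(s), no SYN/ACK back through inside")
```

A host route per tester does not scale to "most external connections"; the durable fix is to give the server one default gateway (the PIX inside interface) and drop or re-address the external NIC, so that every reply to a NATed outside client returns through the static translation on the PIX.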