
MS RTP to inside server

bmcollis
Level 1

I am trying to set up a PIX 501 and allow a Terminal Server session to connect to a server on the inside interface. At this point no luck; any help would be appreciated.

Here are the commands that I have on my pix, related to this issue.

In.IP.Add.X = Inside IP Address
Out.IP.Add.X = Outside IP Address

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name In.IP.Add.10 Server
access-list outside_access_in permit tcp any host Out.IP.Add.116 eq 3389
ip address outside Out.IP.Add.117 255.255.255.248
ip address inside In.IP.Add.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Out.IP.Add.116 Server netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 Out.IP.Add.118 1

Can the RDP protocol in fact be passed through the PIX?

Any help in this matter is greatly appreciated.

BCollis

4 Replies

jackko
Level 7

Assuming the basic internet connectivity is fine, as well as the server offering the RDP service, it might be something to do with the translation. Do a "sh xlate" command and verify the translation. BTW, what OS is running on the PIX?

Hi jackko,

Thanks for taking the time to answer my question.

PIX version is 6.3

The server is offering RDP service. The server has an internal and external NIC at present. I can successfully connect (via RDP) to the external NIC, and when I establish a VPN connection to the PIX, I can then connect to the internal NIC of the server.

I tried your "sh xlate" command along with "sh xlate interface outside", "sh xlate global Out.Ip.Add.116" and "sh xlate state static" and could only get "0 in use, 6 most used".

As I used the static command to map the outside to the inside IP address, I did a "sh static" and got

"static (inside,outside) Out.IP.Add.116 Server netmask 255.255.255.255 0 0", which is the same as in the config.

Just to let you know: the PC I am using for the testing is behind a firewall, and hence NATing out to the Internet. Don't know if that makes any difference (hope not, as I would guess that most external connections to this server will be NATed to get to the Internet).

Hope this information helps with diagnosing the problem.

Look forward to more suggestions.

BCollis

More Information:

Redid the sh xlate command while trying to connect using RDP to the server and saw this:

1 in use, 6 most used
Global Out.IP.Add.116 Local Server

So it looks like the PIX is doing something.

The problem is with this:

"The server has an internal and external NIC at present. I can successfully connect (via RDP) to the external NIC, and when I establish a VPN connection to the PIX, I can then connect to the internal NIC of the server."

If you do a "route print" on the Terminal Server, the default route will be out the "External NIC"; therefore the TCP session for the RDP connection will not be successful.

If you add a route to the server that routes the public IP address of the workstation you are testing this from to the inside interface of the PIX, then it will most likely work.

The way that you can test this would be to do the following:

access-list test permit tcp any host Server eq 3389
access-list test permit tcp host Server eq 3389 any
capture TEST access-list test interface inside
show capture TEST

(capture names and access-list names are case sensitive)

This will show you the "syn" go to the internal IP but nothing coming back.
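The asymmetric-routing failure described in the last reply, modelled as an added example (not code from the thread): the server resolves the return path for the SYN/ACK with a longest-prefix lookup, so with only a default route via the external NIC the reply never passes back through the PIX, and a host route for the tester's public IP via the PIX inside address restores a symmetric path. All addresses are constructed RFC 5737 values standing in for the poster's In.IP.Add.X / Out.IP.Add.X placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins (hypothetical) for the thread's placeholder addresses.
PIX_INSIDE = ip_address("192.0.2.1")        # "ip address inside In.IP.Add.1"
EXTERNAL_GW = ip_address("198.51.100.1")    # gateway on the server's external NIC
TESTER_PUBLIC = ip_address("203.0.113.77")  # NATed public IP of the testing PC

# Server routing table as "route print" would show it:
# (destination, next hop or None if directly connected, egress NIC)
SERVER_ROUTES = [
    (ip_network("192.0.2.0/24"), None, "internal"),
    (ip_network("198.51.100.0/24"), None, "external"),
    (ip_network("0.0.0.0/0"), EXTERNAL_GW, "external"),  # default via external NIC
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route that contains dst wins."""
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    return max(candidates, key=lambda r: r[0].prefixlen)


def rdp_return_path(routes, client_ip, ingress_nic="internal"):
    """The SYN arrives from the PIX on ingress_nic (the static maps the public
    address to the internal NIC).  Report which NIC the SYN/ACK leaves on and
    whether the path is symmetric.  An asymmetric path means the PIX capture
    shows the SYN but never the reply, exactly the symptom in the thread."""
    _, _, egress = lookup(routes, client_ip)
    return {"ingress": ingress_nic, "egress": egress, "symmetric": egress == ingress_nic}


def with_host_route(routes, client_ip):
    """The suggested fix: a /32 route for the tester's public IP via the PIX
    inside interface, more specific than the default route."""
    return routes + [(ip_network(f"{client_ip}/32"), PIX_INSIDE, "internal")]


if __name__ == "__main__":
    before = rdp_return_path(SERVER_ROUTES, TESTER_PUBLIC)
    after = rdp_return_path(with_host_route(SERVER_ROUTES, TESTER_PUBLIC), TESTER_PUBLIC)
    print("default route only:", before)   # egress external, not symmetric
    print("with host route:   ", after)    # egress internal, symmetric
```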