10-20-2006 04:55 AM - edited 02-21-2020 01:15 AM
Hi,
I have a Pix 501 with dynamic IP address on the outside interface. I have a host inside which I need to access from the outside using RDP. I have already created an access list to permit tcp 3339 in. I am using DynDNS to know my current IP address.
My inside host IP address is 192.168.150.10. Can someone tell me how to create a static route using the port? Do I need any alias?
Thanks
10-20-2006 05:19 AM
Since your PIX outside interface obtained its IP dynamically, you can try this:
access-list outside permit tcp any interface outside eq 3389
access-list outside deny ip any any
static (inside,outside) tcp interface 3389 192.168.150.10 3389 netmask 255.255.255.255
access-group outside in interface outside
Use the 'show access-list outside' command to verify whether your ACL is working. You should see some hitcount. Also, check the connection status to 192.168.150.10 using 'sh conn | i 3389'.
HTH
AK
10-24-2006 03:27 AM
Thanks for your reply.
I could connect only once, when I configured it.
I did some troubleshooting: the pix is forwarding the request to a different host. Why?
10-24-2006 06:26 PM
How is the server getting an IP address? Is it dynamic? If so, has the IP address of the server changed after you configured port redirection on the Pix 501?
Can you make sure that the server still owns the 192.168.150.10 IP address?
I hope it helps.
Regards,
Arul
10-25-2006 04:43 AM
Hi,
The server has a static IP and it has not been changed. At this moment I am using the pix from the outside (ssh) and I am trying to RDP into my server and I get "TCP request discarded from x.x.x.x to outside x.x.x.x/3389".
It looks like it is doing the request but it is not permitted. The access list has no hits. I reapplied the access-group but no success.
Any ideas?
10-25-2006 08:01 AM
Is your static (inside,outside) configured the way A.Kiprawih had posted in his earlier e-mail?
Based upon the logs, the PIX discards the packet because it thinks it is destined to itself, and the PIX does not listen for packets on TCP/3389; therefore it does not know what to do with that packet that was destined to it and discards it.
If you have Port Redirection configured, then this should not be the case.
I hope it helps.
Regards,
Arul
10-26-2006 09:23 AM
The configuration is exactly as the one posted above.
As I said before, when I have another computer connected to the network the packets are destined for that other host, and I get the exact same error but with a different IP address.
Any suggestions or troubleshooting steps I could do?
Thanks
10-26-2006 11:55 PM
I am not sure, but maybe you have to clear your xlate table when that IP address has been changed. I am not sure if the pix notices that the IP address changed dynamically and times out that entry. It would time out if you changed it manually. You could try by clearing that entry in the xlate table and connecting again...
NorAlarm(config)# sh xlate
43 in use, 851 most used
PAT Global 213.145.xxx.xxx(3389) Local 10.0.2.241(3389)
clear xlate global xx.xx.xx.xx local xx.xx.xx.xx
Jens
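As an added example (not from the thread or from Cisco), here is a small Python check over constructed 'show xlate' output modelled on the lines above: it finds the PAT entry for the outside port and reports whether it still points at the intended inside host, which is the stale-translation case described in this reply, and builds the matching 'clear xlate' command. The sample addresses and the function names are assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of 'show xlate' output (addresses are made up / masked),
# shaped like the lines quoted in the thread.
SAMPLE_XLATE = """\
43 in use, 851 most used
PAT Global 213.145.xxx.xxx(3389) Local 10.0.2.241(3389)
PAT Global 213.145.xxx.xxx(1025) Local 192.168.150.20(1025)
Global 213.145.xxx.xxx Local 192.168.150.30
"""

# Matches one PAT line: global ip(port) -> local ip(port)
PAT_LINE = re.compile(
    r"^PAT Global (?P<gip>\S+)\((?P<gport>\d+)\) Local (?P<lip>\S+)\((?P<lport>\d+)\)$"
)


def parse_pat_entries(text: str) -> Dict[int, Tuple[str, str, int]]:
    """Map each global (outside) port to (global ip, local ip, local port)."""
    entries: Dict[int, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        m = PAT_LINE.match(line.strip())
        if m:
            entries[int(m["gport"])] = (m["gip"], m["lip"], int(m["lport"]))
    return entries


def check_redirect(text: str, outside_port: int,
                   expected_host: str, expected_port: int) -> str:
    """Return 'ok', 'stale' (port translated to another host/port) or 'missing'."""
    entries = parse_pat_entries(text)
    if outside_port not in entries:
        return "missing"
    _gip, lip, lport = entries[outside_port]
    if lip == expected_host and lport == expected_port:
        return "ok"
    return "stale"


def clear_command(text: str, outside_port: int) -> Optional[str]:
    """Build the 'clear xlate global ... local ...' command for a PAT entry, if present."""
    entry = parse_pat_entries(text).get(outside_port)
    if entry is None:
        return None
    gip, lip, _lport = entry
    return f"clear xlate global {gip} local {lip}"
```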
10-27-2006 04:46 AM
Thank you to all of you for your interest in resolving my problem. I deleted all the access lists as well as the static and reconfigured them again, and everything started working.
I can now access my host from the outside.