New Member

PIX 506 Filtering Terminal Services

I have a PIX 506 that is blocking MS Terminal Services, which uses port 3389 tcp/udp. Whenever I apply the conduit or access-list statements to allow full access using these ports, they are still being filtered by the PIX even after the clear xlate command is issued. I know that the PIX is filtering Terminal Services because when I open the PIX up fully you can then terminal service in through the PIX. Has anyone that's ever used Microsoft Terminal Services before had this problem, or does anyone know what port numbers need to be opened that I'm unaware of?

Here are my filters that I'm using that don't seem to work.

conduit permit tcp any any eq 3389

conduit permit udp any any eq 3389

or

access-list incoming permit tcp any any eq 3389

access-list incoming permit udp any any eq 3389

access-group incoming in interface outside

6 REPLIES
New Member

Re: PIX 506 Filtering Terminal Services

I have a PIX 506 that is blocking MS Terminal Services, which uses port 3389 tcp/udp. Whenever I apply the conduit or access-list statements to allow full access using these ports, they are still being filtered by the PIX even after the clear xlate command is issued. I know that the PIX is filtering Terminal Services because when I open the PIX up fully you can then terminal service in through the PIX. Has anyone that's ever used Microsoft Terminal Services before had this problem, or does anyone know what port numbers need to be opened that I'm unaware of? I've looked on IANA and just about every port listing site and they all reflect 3389 tcp/udp.

Here are my filters that I'm using that don't appear to be working.

conduit permit tcp any any eq 3389

conduit permit udp any any eq 3389

or

access-list incoming permit tcp any any eq 3389

access-list incoming permit udp any any eq 3389

access-group incoming in interface outside

New Member

Re: PIX 506 Filtering Terminal Services

Do you have a NAT statement to the Terminal Services Box? Use that public address in the conduit/ACL.

The following statement works for us. (Given you add the public IP)

access-list acl_outside permit tcp any host #.#.#.# eq 3389

New Member

Re: PIX 506 Filtering Terminal Services

The RDP listener will listen on port 3389; the actual connection takes place over a port above 1024.

You have to open a range of TCP ports between 1024 and 3389 that your terminal server will use.

New Member

Re: PIX 506 Filtering Terminal Services

What client are you using to connect? The following is from a Microsoft knowledge base article.

http://support.microsoft.com/support/kb/articles/q150/5/43.asp

RDP Client (Microsoft) TCP:3389 (Pre Beta2:1503)

ActiveX Client (TSAC) TCP:80, 3389

ICA Client (Citrix) TCP:1494

Hope this helps.

Bob Staaf

Southern Web Services

Orlando, Fl

New Member

Re: PIX 506 Filtering Terminal Services

Here's a suggestion that will serve you beyond this problem.

Set up a syslog server (if you don't have one, search the Internet for Kiwi Syslog). You can install Kiwi's syslog server on a Windows PC and configure your PIX to syslog to it.

Once you have the PIX syslogging, configure your conduits and then try to Terminal Server across it. The PIX will log every packet blocked, including the destination ports that you'll want to open up. This will speed diagnosis along for most any problem you may have in the future. One problem with this is that access-lists don't log the port number. So if you are using access-lists, temporarily configure with conduits, watch the logs, then once you have a list of ports that need to be open, change back to access-lists.

Hope this helps,

Thomas
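As an added example (not Thomas's code, and not anything shipped by Cisco or Kiwi), here is a small Python script that does the log-reading step above mechanically: it parses PIX-style inbound-deny syslog lines and tallies the denied destination ports per inside host, so you get the list of ports to review instead of eyeballing the log. The message shapes (106001 for TCP, 106006 for UDP) are assumed to follow the PIX 6.x syslog message format; the log lines themselves are constructed for this example and the addresses in them are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not real traffic). Lines follow the shape of
# PIX 6.x %PIX-2-106001 (TCP deny) and %PIX-2-106006 (UDP deny) messages; the
# last line is an unrelated "connection built" message that must be ignored.
SAMPLE_LOG = """\
Jan 01 12:00:01 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/1047 to 192.0.2.5/3389 flags SYN on interface outside
Jan 01 12:00:02 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.10/1048 to 192.0.2.5/3389 flags SYN on interface outside
Jan 01 12:00:03 pix %PIX-2-106006: Deny inbound UDP from 203.0.113.10/1049 to 192.0.2.5/3389 on interface outside
Jan 01 12:00:04 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.22/2001 to 192.0.2.5/445 flags SYN on interface outside
Jan 01 12:00:05 pix %PIX-6-302001: Built inbound TCP connection 12 for faddr 203.0.113.10/1050 gaddr 192.0.2.5/3389 laddr 10.0.0.5/3389
"""

# One pattern per deny message type; both expose src/sport/dst/dport groups.
TCP_DENY = re.compile(
    r"%PIX-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)
UDP_DENY = re.compile(
    r"%PIX-\d-106006: Deny inbound UDP from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Yield (proto, src, sport, dst, dport) for every inbound-deny line."""
    for line in log_text.splitlines():
        for proto, pattern in (("tcp", TCP_DENY), ("udp", UDP_DENY)):
            m = pattern.search(line)
            if m:
                yield (proto, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
                break  # a line can only be one message type


def denied_destination_ports(log_text):
    """Count denied inbound connections per (proto, destination host, port)."""
    counts = Counter()
    for proto, _src, _sport, dst, dport in parse_denies(log_text):
        counts[(proto, dst, dport)] += 1
    return counts


def ports_for_host(log_text, host):
    """Sorted, de-duplicated (proto, port) pairs that were denied towards one host.

    This is the review list: each pair is a candidate for a conduit or
    access-list entry, to be checked against what the host is meant to serve.
    """
    pairs = {(proto, dport)
             for (proto, dst, dport) in denied_destination_ports(log_text)
             if dst == host}
    return sorted(pairs)


if __name__ == "__main__":
    for key, n in sorted(denied_destination_ports(SAMPLE_LOG).items()):
        print(key, n)
    print("review for 192.0.2.5:", ports_for_host(SAMPLE_LOG, "192.0.2.5"))
```

Run against a real Kiwi log file instead of SAMPLE_LOG and the tally separates the Terminal Services attempts (3389) from unrelated noise such as the single 445 probe in the sample, which is exactly the distinction you need before adding a permit entry.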

New Member

Re: PIX 506 Filtering Terminal Services

You have your port statements in the wrong location.

Try:

conduit permit tcp any eq 3389 any

conduit permit udp any eq 3389 any

By typing it in the way you have it in your post you're saying that the connection from the remote location must be initiated on port 3389. As I have it above, the connection must be destined to port 3389.
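To make the "wrong location" point checkable rather than a matter of reading the syntax carefully, here is an added Python example (not from any poster in this thread, and not Cisco code) that parses a conduit or access-list line into a normalized source/destination rule and asks whether it would permit an inbound RDP connection, i.e. a TCP packet from an ephemeral source port to destination port 3389. It assumes the PIX 5.x/6.x syntax in which a conduit lists the global (inside host as seen from outside) address and its port first and the foreign (remote) address and its port second, whereas an access-list lists source first and destination second; address matching is deliberately simplified (the sample rules all use any or a single host), so only the port placement decides the result.

```python
import re

# Assumed PIX 5.x/6.x syntax:
#   conduit permit|deny PROTO GLOBAL [eq PORT] FOREIGN [eq PORT]
#   access-list NAME permit|deny PROTO SOURCE [eq PORT] DEST [eq PORT]
# For an inbound packet the conduit's GLOBAL side is the destination and the
# FOREIGN side is the source, so the two forms put the port test in opposite
# positions. Address matching is left out on purpose; ports decide here.
ADDR = r"(any|host\s+[\d.]+|[\d.]+\s+[\d.]+)"
PORT = r"(?:\s+eq\s+(\d+))?"

CONDUIT_RE = re.compile(
    rf"^conduit\s+(permit|deny)\s+(tcp|udp)\s+{ADDR}{PORT}\s+{ADDR}{PORT}\s*$")
ACL_RE = re.compile(
    rf"^access-list\s+(\S+)\s+(permit|deny)\s+(tcp|udp)\s+{ADDR}{PORT}\s+{ADDR}{PORT}\s*$")


def _port(text):
    return None if text is None else int(text)


def parse_rule(line):
    """Normalize one rule to action/proto/src/sport/dst/dport (None = any port)."""
    line = line.strip()
    m = CONDUIT_RE.match(line)
    if m:
        action, proto, glob, gport, foreign, fport = m.groups()
        return {"action": action, "proto": proto,
                "src": foreign, "sport": _port(fport),   # foreign side = source
                "dst": glob, "dport": _port(gport)}      # global side = destination
    m = ACL_RE.match(line)
    if m:
        _name, action, proto, src, sport, dst, dport = m.groups()
        return {"action": action, "proto": proto,
                "src": src, "sport": _port(sport),
                "dst": dst, "dport": _port(dport)}
    raise ValueError(f"unrecognised rule: {line!r}")


def matches(rule, proto, sport, dport):
    """True when the rule's protocol and port tests all fit the packet."""
    if rule["proto"] != proto:
        return False
    if rule["sport"] is not None and rule["sport"] != sport:
        return False
    if rule["dport"] is not None and rule["dport"] != dport:
        return False
    return True


def permits_inbound_rdp(line, ephemeral_port=1047):
    """Would this rule permit an inbound RDP connection to port 3389?

    The constructed packet uses an ephemeral source port (1047 by default),
    which is what a real client picks; a rule keyed on source port 3389
    therefore never matches it.
    """
    rule = parse_rule(line)
    return rule["action"] == "permit" and matches(rule, "tcp", ephemeral_port, 3389)


if __name__ == "__main__":
    for candidate in ("conduit permit tcp any any eq 3389",
                      "conduit permit tcp any eq 3389 any",
                      "access-list incoming permit tcp any any eq 3389",
                      "access-list acl_outside permit tcp any host 192.0.2.5 eq 3389"):
        print(f"{candidate!r:65} -> {permits_inbound_rdp(candidate)}")
```

The first candidate in the usage block is the form from the original post and comes back False because its port test lands on the source side; the second is the corrected conduit, and the two access-list forms (including the host-specific one from the earlier reply) come back True because an access-list already names the destination last. The same check is a cheap sanity test to run over any rule before it goes onto the firewall.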
