Cisco Support Community

New Member

PIX Special Port Forwarding

Hi All,

I put this thread in the remote access area as well because of the port I am having trouble forwarding through the PIX.

What I'm trying to do is forward port 3389 (Windows Terminal Services) to a W2k server. I tried using access list settings in the GUI for this to no avail, and I'm not familiar enough with the PIX CLI to accomplish this yet.



New Member

Re: PIX Special Port Forwarding

If I understand you correctly, you are trying to give access to a terminal server that is protected by/behind a PIX Firewall??

I believe that GUIs are fine for simple tasks, but in your case you'll just have to get "knee-deep" and learn the CLI!!

What you want to do, that is if I understood you correctly, is to open up port 3389 to this particular server. This can be done in the following fashion:

a) assign a static outside IP address for the W2K server, which will be translated to its real inside address

static (inside,outside) <outside_ip> <inside_ip> netmask <mask>

b) allow (only) port 3389 to pass on this connection

conduit permit tcp host <outside_ip> eq 3389 any

That should do it, assuming that the W2k box does not require any other open ports. Nevertheless, this, in my (paranoid) opinion, would be to compromise a good firewall, as best practice is *NEVER* to have any port open from the outside to the inside, but that's a whole new thread we would have to open just for that discussion....

Good luck

- Goran
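
As an added illustration (not part of the thread and not Cisco tooling): a small Python check that parses `conduit` lines of the form shown in the reply above and lists those that permit a port from `any` source, which is the exposure the closing remark is about. The sample configuration and its addresses are constructed, and only numeric `eq` port qualifiers are handled.

```python
# Constructed sample config (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
conduit permit tcp host 192.0.2.10 eq 3389 any
conduit permit tcp host 192.0.2.10 eq 3389 host 198.51.100.7
conduit permit tcp host 192.0.2.11 eq 25 any
"""


def take_addr(tokens):
    """Consume one address spec: 'any', 'host IP', or 'IP MASK'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def take_port(tokens):
    """Consume an optional 'eq PORT' qualifier (other operators are ignored)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        return tokens[1], tokens[2:]
    return None, tokens


def parse_conduit(line):
    """Parse 'conduit ACTION PROTO GLOBAL [eq PORT] FOREIGN'; None for other lines."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit":
        return None
    action, proto, rest = tokens[1], tokens[2], tokens[3:]
    global_addr, rest = take_addr(rest)
    port, rest = take_port(rest)
    foreign_addr, rest = take_addr(rest)
    return {"action": action, "proto": proto, "global": global_addr,
            "port": port, "foreign": foreign_addr}


def world_open(config, ports=("3389",)):
    """Return (global_ip, port) for permit lines on `ports` whose source is any."""
    findings = []
    for line in config.splitlines():
        c = parse_conduit(line)
        if (c and c["action"] == "permit" and c["port"] in ports
                and c["foreign"][1] in ("0.0.0.0", "0")):
            findings.append((c["global"][0], c["port"]))
    return findings


if __name__ == "__main__":
    for ip, port in world_open(SAMPLE_CONFIG):
        print(f"{ip}: tcp/{port} permitted from any source")
```

The second constructed `conduit` line shows the narrower form, where the foreign address is a single `host` instead of `any`.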

New Member

Re: PIX Special Port Forwarding

Thanks a bunch Goran. I think that'll do it. I am somewhat familiar with the CLI. However, conduit commands are still a bit shaky... The funny thing about this one is that I was just told to replace the PIX with a NetScreen 5xp because that is what the client was expecting. Well, I guess I'll go ahead and stick it before our corporate LAN in which our MS guys use the W2k TS anyway.

Best regards,