RDP thru a Cisco PIX 515

noah.liles
Level 1

I have an internet user that is trying to connect to a server using RDP in Windows XP. The server that is trying to be reached is on the internal network, but has a static mapping from the external network (internet). I have opened up TCP port 3389 on the firewall going to that server. The internet user is still unable to make the RDP connection.

I have tested the RDP connection internally.

Is there something that I am missing?

The static map is as follows:

*** access-list outside_access_in permit tcp any host xxx.xxx.xxx.114 eq 3389 ***

* IP addresses have been changed to protect the innocent :) *

TIA,

Noah

5 Replies

dhouser
Level 1

There are several things to try ...

1st do a 'clear arp' and 'clear xlate'

-check your access-group

-check the access-list counters to see if the counters are increasing when the user tries to connect

-you showed the access-list entry but you did not send the static entry, can you post that also.

jmia
Level 7

Noah,

The other post from 'dhouser' suggests some good points to look at. Also, where have you placed the above ACL: is it applied on the inside interface with access-group inside, or on the outside interface with access-group outside? If your user on the internet needs to come back in to your inside network then you'll require a static command and an ACL to accomplish your task. Can you post your PIX config (remember to change passwords/inside IPs)? Thanks.

Jay

OOOps, sorry bout that. Here is the config on the firewall that pertains to this particular connection:

*********************************************

name 10.xxx.xxx.1 SWGSA

--

access-list outside_access_in permit tcp any host 68.xxx.xxx.114

--

pdm location SWGSA 255.255.255.255 inside

--

static (inside,outside) 68.xxx.xxx.114 SWGSA netmask 255.255.255.255 0 0

--

access-group outside_access_in in interface outside

*********************************************

BTW, thanks for the responses that I have received so far...

Noah
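The replies above ask for three things to line up: a static translation, an ACL entry for the mapped outside address, and an access-group binding that ACL inbound on the outside interface. The Python script below is an added example, not part of any post in the thread and not Cisco tooling, that checks those three pieces in a config excerpt. `check_inbound` is a hypothetical helper, the addresses are constructed documentation values standing in for the redacted ones, and it only understands the `permit tcp any host <ip> [eq <port>]` form shown in the thread.

```python
import re

# Constructed sample: the fragments posted in the thread, with documentation
# addresses (203.0.113.114 / 10.0.0.1) substituted for the redacted values.
SAMPLE = """\
name 10.0.0.1 SWGSA
access-list outside_access_in permit tcp any host 203.0.113.114
static (inside,outside) 203.0.113.114 SWGSA netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

def check_inbound(config, port=3389, iface="outside"):
    """Return a list of findings for inbound TCP `port` arriving on `iface`."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # static (real_if,mapped_if) mapped_ip real_ip ...
    mapped = [m.group(1) for l in lines
              if (m := re.match(rf"static \(\w+,{iface}\) (\S+) \S+", l))]
    if not mapped:
        return [f"no static translation onto {iface}"]
    findings = []
    # access-group <acl> in interface <iface>
    bound = [m.group(1) for l in lines
             if (m := re.match(rf"access-group (\S+) in interface {iface}$", l))]
    if not bound:
        findings.append(f"no access-group applied inbound on {iface}")
    for ip in mapped:
        # Collect the port (or None when no 'eq' clause) of each matching
        # permit entry that belongs to an ACL actually bound to the interface.
        pat = rf"access-list (\S+) permit tcp any host {re.escape(ip)}(?: eq (\S+))?$"
        ports = [m.group(2) for l in lines
                 if (m := re.match(pat, l)) and m.group(1) in bound]
        if not ports:
            findings.append(f"{ip}: no bound ACL entry permits tcp to this address")
        elif None in ports:
            # Least privilege: an entry without 'eq' exposes every TCP port.
            findings.append(f"{ip}: ACL permits all TCP ports, not only tcp/{port}")
        elif str(port) not in ports:
            findings.append(f"{ip}: bound ACL does not permit tcp/{port}")
    return findings

if __name__ == "__main__":
    for finding in check_inbound(SAMPLE) or ["static, ACL and access-group line up"]:
        print(finding)
```

On the posted excerpt the only finding is that the ACL entry has no `eq 3389`, so it is broader than the entry quoted in the original question.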

Hi,

I would start by looking in your log files. If it's the firewall dropping the request you would see a DENY entry with source/destination addresses.

Secondly, is your Windows machine configured with a route to the firewall?

Hope this helps.

Regards

Steven

***********************************************

I would start by looking in your log files. If it's the firewall dropping the request you would see a DENY entry with source/destination addresses.

***********************************************

Log files, great idea... pretend I'm a n00b and have no experience with a PIX 515 and give me a hint as to where to look for the log files.. :)

***********************************************

Secondly, is your Windows machine configured with a route to the firewall?

***********************************************

Are you referring to a permanent route to the external address of the firewall or the IP address of the external IP address of the server they are trying to connect to?

Thanks for the advice and comments. I really appreciate the help I am getting here.

Noah
