Cisco Support Community
New Member

Terminal services and pix 515

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I have a PIX 515 and I want to allow terminal services to work on two different servers. I already have one working just fine. I created a static route from the outside interface to the inside interface (ex. my outside interface IP is and my internal server is 192.168.1.x). I want to be able to terminal services into a different server. My ISP has assigned me 14 other IP addresses. How would I go about assigning one of those public IPs to my outside interface? I am stumped and new to the PIX. Any help would be greatly appreciated. Also attached is my current config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list vpnacl permit ip
access-list smtp permit tcp any host eq smtp
access-list outsideif permit tcp any any eq www
access-list outsideif permit udp any any eq 80
access-list outsideif permit tcp any any eq 3389
access-list outsideif permit udp any any eq 3389
access-list outsideif permit tcp any any eq ftp
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside
ip address inside
ip address DMZ
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn3000-pool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpnacl
nat (inside) 1 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface 3389 3389 netmask 0 0
static (DMZ,outside) xxx.xxy.3.5 netmask 0 0
static (inside,DMZ) netmask 0 0
access-group outsideif in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool vpn3000-pool
vpngroup vpn3000 dns-server xxx.xzz.193.250 xxx.xzz.203.12
vpngroup vpn3000 default-domain
vpngroup vpn3000 split-tunnel vpnacl
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
dhcpd address inside
dhcpd dns xxx.xzz.203.12 xxx.xzz.193.250
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:--moderator edit--
: end


Re: Terminal services and pix 515

You are currently using PAT.

static (inside,outside) tcp interface 12345 3389 netmask 0 0

If your server is , the above line would allow TS to work, but you would need to connect to port 12345 to do so, so in the TS client you would need to specify the outside interface of the PIX's IP:12345.

You can statically NAT one IP address to the IP of the server:

static (inside, outside) netmask

You then could connect to TS via just , without having to specify the port number.

Have you secured your terminal servers? Do you have a pop-up login banner and a password policy with account lockouts to protect against brute forcing?


New Member

Re: Terminal services and pix 515

Yes, I do have them secured. I tried typing in the following that you specified and it gave me the following error.

"static (inside,outside) 209.124.236.x

unrecognized option:

Type help or '?' for a list of available commands."

Any suggestions? I would rather not have to worry about port numbers.


New Member

Re: Terminal services and pix 515

I tried it both ways and neither of them work. Any suggestions?


Re: Terminal services and pix 515

Did you type in "netmask" before ?

New Member

Re: Terminal services and pix 515

Yes, I thought about it after my post and went back and did it. It took the command, but it will not let me connect to the terminal server?


Re: Terminal services and pix 515

You probably need to do a clear xlate to clear out all translation slots. This will clear the connection table, breaking all active connections, so you might want to do that at the end of the day.

New Member

Re: Terminal services and pix 515

Alright, let's see if you guys can explain this. I put in the static route yesterday. I did not do the clear xlate command. A user tells me today they cannot access the internet. I took out the static route and did a clear xlate command; they can access the internet fine now. Back to square one. I would like to get to this box via terminal services, but I need it to be able to access the web also. Any suggestions?
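As an added example (not Cisco's tooling and not code from anyone in this thread): a small Python linter for the three things the PAT-versus-static reply and the final "internet stopped working" post turn on. It flags a one-to-one static whose mapped address is the same outside address that global (outside) 1 interface already uses for PAT (a common way a static for a second server ends up fighting outbound translation; the thread does not confirm that this is what happened here, so treat it as a check, not a diagnosis), an access-list entry that opens 3389 to any source, and access-list entries that no static on that interface can deliver, such as the udp 80 and udp 3389 lines in the posted config. The config text inside it is constructed with documentation addresses (203.0.113.0/28 from the ISP, 198.51.100.7 as the admin's source host, 192.168.1.0/24 inside), and the finding codes are this example's own names.

```python
import re
from collections import namedtuple

# Constructed PIX 6.x config lines are used below; addresses are documentation ranges.
Static = namedtuple("Static", "real_if mapped_if proto mapped mapped_port real real_port")
Ace = namedtuple("Ace", "name proto src dst port")   # only "eq <port>" is handled
PORT_NAMES = {"www": "80", "http": "80", "ftp": "21", "smtp": "25", "ssh": "22"}
ADMIN_PORTS = {"3389", "22", "23"}   # remote-admin services that should never face "any"

def _port(p):
    return PORT_NAMES.get(p, p) if p else None

def _addr(toks):
    """Consume one ACL address spec: any | host A | A MASK."""
    if not toks or toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return toks[0] + "/" + toks[1], toks[2:]

def parse(config):
    """Collect interface addresses, PAT globals, statics, ACEs and access-groups."""
    ifaddr, pat, statics, aces, groups = {}, {}, [], [], {}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            ifaddr[t[2]] = t[3]
        elif t[0] == "global":
            m = re.match(r"global\s*\((\w+)\)\s+\d+\s+(\S+)", raw.strip())
            if m:
                pat.setdefault(m.group(1), []).append(m.group(2))
        elif t[0] == "static":
            m = re.match(r"static\s*\((\w+)\s*,\s*(\w+)\)\s*(.*)", raw.strip())
            r = m.group(3).split() if m else []
            r = r[: r.index("netmask")] if "netmask" in r else r
            if r and r[0] in ("tcp", "udp") and len(r) >= 5:      # port static
                statics.append(Static(m.group(1), m.group(2), r[0], r[1], _port(r[2]), r[3], _port(r[4])))
            elif len(r) >= 2:                                    # one-to-one static
                statics.append(Static(m.group(1), m.group(2), None, r[0], None, r[1], None))
        elif t[0] == "access-list" and len(t) >= 5 and t[2] == "permit":
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            port = _port(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            aces.append(Ace(t[1], t[3], src, dst, port))
        elif t[0] == "access-group" and len(t) >= 5:
            groups[t[4]] = t[1]          # access-group NAME in interface IFACE
    return ifaddr, pat, statics, aces, groups

def lint(config):
    """Return (code, message) findings; codes are names chosen for this example."""
    ifaddr, pat, statics, aces, groups = parse(config)
    resolve = lambda a, iface: ifaddr.get(iface, a) if a == "interface" else a
    out = []
    # 1. a one-to-one static that reuses the PAT address of its mapped interface
    for s in statics:
        if s.proto is None and resolve(s.mapped, s.mapped_if) in [resolve(g, s.mapped_if) for g in pat.get(s.mapped_if, [])]:
            out.append(("static-overlaps-pat", f"1:1 static {s.real}->{resolve(s.mapped, s.mapped_if)} reuses the PAT address on {s.mapped_if}; map the server to a spare public address"))
    # 2. a remote-admin port reachable from any source
    for a in aces:
        if a.port in ADMIN_PORTS and a.src == "any":
            out.append(("admin-port-any-source", f"acl {a.name}: {a.proto}/{a.port} to {a.dst} open to any source; restrict src to known hosts or the VPN"))
    # 3. an inbound ACE that no static on that interface can deliver (dead, or wider than intended)
    for iface, name in groups.items():
        for a in (x for x in aces if x.name == name):
            live = any(s.mapped_if == iface and a.dst in ("any", resolve(s.mapped, iface))
                       and (s.proto is None or (s.proto == a.proto and s.mapped_port == a.port))
                       for s in statics)
            if not live:
                out.append(("dead-rule", f"acl {name}: {a.proto} {a.src} {a.dst} eq {a.port} matches no static on {iface}"))
    return out

HEADER = """ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
"""
# Starting point, modelled on the posted config: port statics plus any/any ACEs.
ORIGINAL = HEADER + """access-list outsideif permit tcp any any eq www
access-list outsideif permit udp any any eq 80
access-list outsideif permit tcp any any eq 3389
access-list outsideif permit udp any any eq 3389
access-group outsideif in interface outside
"""
# Second server mapped 1:1 onto the outside interface address that PAT already uses.
BROKEN = ORIGINAL + "static (inside,outside) 203.0.113.2 192.168.1.20 netmask 255.255.255.255\n"
# Second server on a spare ISP address, RDP limited to one admin source host.
FIXED = HEADER + """static (inside,outside) 203.0.113.3 192.168.1.20 netmask 255.255.255.255
access-list outsideif permit tcp any host 203.0.113.2 eq www
access-list outsideif permit tcp host 198.51.100.7 host 203.0.113.2 eq 3389
access-list outsideif permit tcp host 198.51.100.7 host 203.0.113.3 eq 3389
access-group outsideif in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or "clean")
```

The FIXED block is the shape the earlier reply describes: the second server gets its own spare public address in a one-to-one static, so no port number is needed in the TS client, while the outside interface address stays reserved for the PAT global and the existing port statics. After changing statics on a PIX 6.x, clear xlate is still needed for existing translation slots to pick up the new mapping, as the reply above notes.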
