Windows Terminal Services

Hell-o,

Want to assign an external IP to DNS for our WAN link to access a local server via Terminal Services. What do I enter in a PIX 515 to allow Terminal Services access?

TIA

Gary Hornbeck

Net Admin

2 REPLIES
Re: Windows Terminal Services

global (outside) 3 outsideIPaddress netmask 255.255.255.255

conduit permit tcp host outsideIPaddress eq 3389 any

conduit permit tcp host outsideIPaddress eq www any

For outsideIPaddress put in the actual outside IP address. The first is to allow a global address recognizable by the outside world, the second is to allow TS traffic, the third is in case you are using TSWEB. The only other note is this: if you decide to change the default TS port for security, change it here as well from 3389 to the new port.

We have another entry for the internal IP address of the TS server, but I think it is surplus to requirements.

Glyn

Re: Windows Terminal Services

Gary,

MS Terminal Services runs over TCP port 3389. Obviously this is well known, so any security-conscious individual would not want to open that port on their firewall. Luckily you can adjust the port the client (regular RDP5 and the Web client) uses.

But as for the PIX itself... assuming you have an outside IP that is not being used for anything else right now, all you have to do (works on my two PIX 506s and 520) is add:

access-list (name of inbound access-list) permit tcp any (unless you need to specify a specific host or hosts) host 10.10.10.10 (outside IP) eq 3389 (or another port like 56566 or some such in the high unused area)

access-list inbound permit tcp any host 10.10.10.10 eq 56566

and then you need to add a static... assuming you want to access just one specific machine....

static (inside,outside) tcp 10.10.10.10 56566 192.168.1.2 3389 netmask 255.255.255.255

If you just want to do it without changing ports, just leave that 56566 as 3389 and you're set.

Mike Vassallo

PC/LAN Analyst III

DS&D

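The two replies above show the same thing two ways: Glyn's conduit form and Mike's access-list plus static form, with an optional port change on the outside. An added example, not code from the thread or from Cisco, that makes the security-relevant point concrete: the script below parses those three PIX 6.x commands (static, access-list with access-group, conduit), follows each permitted outside IP:port through its static translation to the inside host:port it actually reaches, and reports RDP as RDP whether the outside port is 3389 or a "hidden" 56566. It also shows what happens to Glyn's conduit-only form, where no static exists: the firewall permits the packet but has no translation to deliver it to an inside host. The addresses (10.10.10.10, 192.168.1.2), the ACL name "inbound" and the port-name table are assumptions taken from or added to the posts; the `access-group` line that binds an ACL to the outside interface is added here because neither reply shows it.

```python
"""Audit a PIX 6.x config fragment for inbound TCP exposure.

Added example; not code from the original thread. It resolves each permitted
outside ip:port through the static translation so that a non-default RDP port
is still reported as RDP.
"""
from typing import Dict, List, Optional, Tuple

# Port keywords the PIX CLI accepts in place of numbers (subset; assumption).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "smtp": 25}
RDP_PORT = 3389

# Constructed sample: Mike's form, completed with the interface pair the
# static command needs and the access-group that applies the ACL inbound.
MIKE_CONFIG = """\
static (inside,outside) tcp 10.10.10.10 56566 192.168.1.2 3389 netmask 255.255.255.255
access-list inbound permit tcp any host 10.10.10.10 eq 56566
access-group inbound in interface outside
"""

# Constructed sample: Glyn's conduit form as posted, i.e. without a static.
GLYN_CONFIG = """\
global (outside) 3 10.10.10.10 netmask 255.255.255.255
conduit permit tcp host 10.10.10.10 eq 3389 any
conduit permit tcp host 10.10.10.10 eq www any
"""


def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any', 'host X' or 'X MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def take_port(tokens: List[str], i: int) -> Optional[int]:
    """Consume an optional 'eq PORT' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return port_num(tokens[i + 1])
    return None


def parse(config: str):
    statics, acls, bound, conduits = [], {}, {}, []
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static":
            # static (in,out) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] netmask ...
            if t[2] in ("tcp", "udp"):
                statics.append((t[2], t[3], port_num(t[4]), t[5], port_num(t[6])))
            else:
                statics.append(("ip", t[2], None, t[3], None))
        elif t[0] == "access-list" and t[2] == "permit":
            # access-list NAME permit PROTO SRC DST [eq PORT]
            src, i = take_addr(t, 4)
            dst, i = take_addr(t, i)
            acls.setdefault(t[1], []).append((t[3], src, dst, take_port(t, i)))
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            bound[t[4]] = t[1]
        elif t[0] == "conduit" and t[1] == "permit":
            # conduit permit PROTO DST [eq PORT] SRC
            dst, i = take_addr(t, 3)
            port = take_port(t, i)
            if port is not None:
                i += 2
            src, _ = take_addr(t, i)
            conduits.append((t[2], src, dst, port))
    return statics, acls, bound, conduits


def resolve(statics, proto: str, g_ip: str, g_port: int):
    """Follow the static translation for an outside ip:port, if one exists."""
    for s_proto, s_g_ip, s_g_port, l_ip, l_port in statics:
        if s_g_ip != g_ip:
            continue
        if s_proto == proto and s_g_port == g_port:
            return l_ip, l_port          # port static: outside port rewritten
        if s_proto == "ip":
            return l_ip, g_port          # one-to-one static: port unchanged
    return None


def audit_exposures(config: str) -> List[Dict]:
    statics, acls, bound, conduits = parse(config)
    rules = list(conduits)               # conduits are inbound by definition
    rules += acls.get(bound.get("outside", ""), [])
    rows = []
    for proto, src, dst, port in rules:
        if proto != "tcp" or dst == "any" or "/" in dst or port is None:
            continue                     # keep to host/port rules, as in the thread
        inside = resolve(statics, proto, dst, port)
        rows.append({
            "src": src,
            "outside": f"{dst}:{port}",
            "inside": f"{inside[0]}:{inside[1]}" if inside else None,
            "rdp": (inside[1] if inside else port) == RDP_PORT,
        })
    return rows


if __name__ == "__main__":
    for label, cfg in (("Mike", MIKE_CONFIG), ("Glyn", GLYN_CONFIG)):
        for r in audit_exposures(cfg):
            target = r["inside"] or "no static: permitted but not delivered"
            flag = "  [RDP]" if r["rdp"] else ""
            print(f"{label}: {r['src']} -> {r['outside']} -> {target}{flag}")
```

Run it as a script and Mike's form prints `any -> 10.10.10.10:56566 -> 192.168.1.2:3389 [RDP]`: the port change hides nothing from anyone who reads the firewall's own translation table or scans the high ports, so restricting the source (`host` or a network instead of `any`) is the control that actually reduces exposure. Glyn's form prints no inside target for either conduit, because a conduit only permits; the static is what carries the connection to the server.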