topic PIX config for RDP access to an internal server in Network Security

PIX config for RDP access to an internal server

aaron.grussner — Mon, 11 Mar 2019 21:15:26 GMT

Hi, it's been a while since I've done a lot with a PIX config so I'd like some ideas on the best way to allow access for 2 IP addresses that need to RDP into a server here inside our network. They also wanted to have ports redirected, 3391 to 3389 and 3397 to 3389. Could someone give me an example of the best way to config this on the PIX? Thanks.

PIX config for RDP access to an internal server

Mohammad Alhyari — Mon, 22 Aug 2011 20:57:09 GMT

hi ,

Assume the following :

the server translated ip addresses :

10.0.0.2 10.0.0.3

Real ip addresses :

11.0.0.2 11.0.0.3

you want to allow the following ip addresses to access the servers :

192.168.1.1 192.168.2.1

you need to apply an access-list on the outside interface :

access-list outside_in_access permit tcp host 192.168.1.1 host 10.0.0.2 eq 3391

access-list outside_access_in permit tcp host 192.168.2.1 host 10.0.0.3 eq 3397

do the NAT redirection :

static (dmz,outside) TCP 10.0.0.2 3391 11.0.0.2 3389

static (dmz,outside) TCP 10.0.0.3 3397 11.0.0.3 3389

cheeers

PIX config for RDP access to an internal server

aaron.grussner — Mon, 22 Aug 2011 21:55:09 GMT

Thanks a lot, I'll give it a try tomorrow and let you know how it goes.

PIX config for RDP access to an internal server

aaron.grussner — Tue, 23 Aug 2011 20:18:14 GMT

This is just one server that they want to access from 2 different machines over the Internet on different ports and they don't have a DMZ. Would I just change the static to this then:

static (inside,outside) TCP 10.0.0.3 3391 11.0.0.3 3389

static (inside,outside) TCP 10.0.0.3 3397 11.0.0.3 3389

Or is that wrong?

I already have a static for this server since it's going to be the FTP site shortly also.

Thanks

PIX config for RDP access to an internal server

Mohammad Alhyari — Tue, 23 Aug 2011 20:33:28 GMT

yup , you can give this a try and see if it works .

regards.

PIX config for RDP access to an internal server

aaron.grussner — Tue, 23 Aug 2011 20:39:53 GMT

Since I already have a static for this IP address it won't let me post the additional statics for the NAT on the ports. What am I missing?

Thanks

PIX config for RDP access to an internal server

aaron.grussner — Tue, 23 Aug 2011 22:31:48 GMT

Any chance you're still online for the last question?

Thanks

PIX config for RDP access to an internal server

Maykol Rojas — Tue, 23 Aug 2011 23:08:45 GMT

Aaron,

If you already have a 1 to 1 translation, then you may need delete the entry and create only port forwardings for everyone.

Lets say you had this

static (inside,outside) x.x.x.x y.y.y.y

and you want to add this

static (inside,outside) tcp x.x.x.x 3389 z.z.z.z 3389

That you cannot do, you will need to do this

static (inside,outside) x.x.x.x y.y.y.y

static (inside,outside) tcp x.x.x.x 3389 z.z.z.z 3389

Then for the services that you had on IP Y... lets say FTP, you will need to create a port forward for that...

static (inside,outside) tcp x.x.x.x 21 y.y.y.y. 21

Let me know if you have doubts.

Mike

PIX config for RDP access to an internal server

Mohammad Alhyari — Wed, 24 Aug 2011 05:46:20 GMT

Hi ,

as Mike Said ,

if you have one for one translation then all the requests on that ip address will hit that line , you can consider :

1- using another ip address

2-making the line more specific and do a static PAT instead of mapping the whole ip address.

cheers.

PIX config for RDP access to an internal server

aaron.grussner — Wed, 24 Aug 2011 13:22:40 GMT

So if I'm understanding this correctly I can't have these 2 statics for the same IP like I have below correct?

static (inside,outside) TCP 12.15.15.183 3391 192.168.100.38 3389

static (inside,outside) TCP 12.15.15.183 3397 192.168.100.38 3389

They want to have 2 different machines access this one server but on different redirected ports but it sounds like it's not possible which is fine I just need to be able to tell them that and know that I'm correct. We don't have anymore available public IP's to use at this point but they may buy another block in the future. Will I also be able to run my FTP on this server and still allow access from the Internet?

Thanks again guys.

PIX config for RDP access to an internal server

Maykol Rojas — Wed, 24 Aug 2011 16:34:45 GMT

Hi,

Nope, that will conflict.... since the port 3389 is already mapped to 3391.... you cannot add a new translation for the same port.

You should be able to grab that same static and have something like this

static (inside,outside) TCP 12.15.15.183 3391 192.168.100.38 3389

static (inside,outside) TCP 12.15.15.183 21 192.168.100.38 21

What you cannot do is try to map port 3389 to two different ports.

Hope this helps.

Mike

PIX config for RDP access to an internal server

aaron.grussner — Wed, 24 Aug 2011 17:19:14 GMT

It appears I have everything correct but I'm still not able to RDP into the server. I don't have an A record or anything else registered which I don't think is needed correct? Since I'm just using it for 2 systems owned by a sister company to access it and I don't want it to be easily found.

Thanks

Aaron

PIX config for RDP access to an internal server

varrao — Wed, 24 Aug 2011 18:06:28 GMT

Hi Aaron,

You should just need the static pat statement along with an access-list to allow inbound connection on the outside interaface, if you ahve it but still not working, I would advise, to follow the below stes:

1. Take logs on the ASA, when the connection drops.

2. Take captures on the firewall interfaces.

3. Take packet-tracer.

For capture yolu can use this:

https://supportforums.cisco.com/docs/DOC-1222

For packet-tracer:

packet-tracer input outside tcp 1.1.1.1 2345 12.15.15.183 3389 detailed.

These outputs shoudl tell where the issue lies. If you need any help with captures, do let me know.

Thanks,

Varun