topic PIX 506 Filtering Terminal Services in Network Security

PIX 506 Filtering Terminal Services

brody — Fri, 21 Feb 2020 05:47:57 GMT

I have a PIX 506 that is blocking MS Terminal Services which uses port 3389 tcp/udp. Whenever I apply the conduit or access-list statements to allow full access using these ports, they are still being filtered by the PIX even after the clear xlate command is issued. I know that the PIX is filtering Terminal Services because when I open the PIX up fully you can then terminal service in through the PIX. Has anyone that's ever used Microsoft Terminal Services before had this problem or does anyone know what port numbers that needs to be opened that I'm unaware of?

Here are my filters that I'm using that don't seem to work.

conduit permit tcp any any eq 3389

conduit permti udp any any eq 3389

access-list incoming tcp any any eq 3389

access-list incoming udp any any eq 3389

access-group incoming in interface outside

Re: PIX 506 Filtering Terminal Services

brody — Wed, 30 May 2001 18:09:09 GMT

Here are my filters that I'm using that don't appear to be working.

conduit permit tcp any any eq 3389

conduit permit udp any any eq 3389

access-list incoming tcp any any eq 3389

access-list incoming udp any any eq 3389

access-group incoming in interface outside

Re: PIX 506 Filtering Terminal Services

timtron — Wed, 30 May 2001 18:56:39 GMT

Do you have a NAT statement to the Terminal Services Box? Use that public address in the conduit/ACL.

The following statement works for us. (Given you add the public IP)

access-list acl_outside permit tcp any host #.#.#.# eq 3389

Re: PIX 506 Filtering Terminal Services

irsanc — Wed, 06 Jun 2001 04:03:13 GMT

The rdp listener will listen on port 3389 , the actual connection takes place over a port above 1024

you have to open a range of tcp ports between 1024 and 3389 that your terminal server will use.

Re: PIX 506 Filtering Terminal Services

rstaaf — Wed, 06 Jun 2001 11:47:20 GMT

What client are you using to connect? The following is from a Microsoft knowledge base article.

http://support.microsoft.com/support/kb/articles/q150/5/43.asp

RDP Client (Microsoft) TCP:3389 (Pre Beta2:1503)

ActiveX Client (TSAC) TCP:80, 3389

ICA Client (Citrix) TCP:1494

Hope this helps.

Bob Staaf

Southern Web Services

Orlando, Fl

Re: PIX 506 Filtering Terminal Services

thomas.waddell — Wed, 06 Jun 2001 16:17:49 GMT

Here's a suggestion that will serve you beyound this problem.

Set up a syslog server (if you don't have one, search the Internet for KIWI Syslog). You can install Kiwi's syslog server on a windows PC and configure your PIX to syslog to it.

Once you have the PIX syslogging. Configure your conduit's and then try to Terminal Server across it. The pix will log every packet blocked including the destination ports that you'll want to open up. This will speed diagnosis along for most any problem you may have in the future. One problem with this is that access-lists don't log the port number. So if you are using access-lists, temporarily configure with conduits watch the logs, then once you have a list of ports that need to be open, change back to access-lists.

Hope this helps,

Thomas

Re: PIX 506 Filtering Terminal Services

jose.calvillo — Wed, 06 Jun 2001 16:52:46 GMT

You have your port statements in the wrong location.

Try:

conduit permit tcp any eq 3389 any

conduit permti udp any eq 3389 any

By typing it in the way you have it in your post you're saying that the connection from the remote location must be initiated on port 3389. As I have it above, the connection must be destined to port 3389.