topic PIX only for Remote Desktop in Network Security

PIX only for Remote Desktop

cscisco_admin — Mon, 11 Mar 2019 12:58:58 GMT

I need to use PIX only for my Terminal Server with Public IP so that my External Users can access my Terminal Server through windows xp remote desktop. How should i configure PIX 515E to allow only RDP Connection for Terminal Server and block all other traffic?

Thanks!

Re: PIX only for Remote Desktop

acomiskey — Fri, 13 Jun 2008 11:46:57 GMT

static (inside,outside) tcp interface 3389 terminal.server.ip 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-group outside_access_in in interface outside

Re: PIX only for Remote Desktop

Farrukh Haroon — Fri, 13 Jun 2008 12:33:40 GMT

Adam provided you a config that should be good to go, however if you face any issues check the 'Troubleshoot' section of the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807d287e.shtml

Regards

Farrukh

Re: PIX only for Remote Desktop

jwalker0594 — Thu, 26 Jun 2008 21:17:14 GMT

Microsoft RDP uses port 3389

PIX needs a permit entry on "outside" interface acl. If known source(s) address/subnet better

access-list OUTside_IN permit tcp any host 177.176.175.174 eq 3389

which is this case allows any source address "in" best to limit as much as possible

a static nat is also needed:

static (INTernet,outside) 177.176.175.174 192.168.0.1 netmask 255.255.255.255

It's possible to do this without NAT - assumption here is inside addressing is private. Also NAT hides the true IP.

Caveats:

the rest of the PIX config should follow established rules

The remote desktop host (inside) should have all Microsoft software updates and also have the user account as secure as possible and preferably access verified by AD Domain controller.

Re: PIX only for Remote Desktop

a-gould — Thu, 03 Jul 2008 05:08:42 GMT

Adam, I have a pix 515 and i need to allow an external ip address to access 8 different ip addresses on my internal lan. the 8 internal ip's are private ip's as well. ...so some nat involved too.

during a test i added an access-group (acl) to the outside interface and in doing so was able to connect from outside to inside using rdp (remote desktop , ms term svcs) BUT between those some two host, was UNable to ftp or http. strange that i could do rdp from an outside host to an inside host but NOT ftp or http. does the fact that i have ftp and http fixup statements cause this to not work? not sure. i ask because i read a solution on the web from someone who was able to get h323 voip inbound connections working through a pix515 and one of the steps they suggested was to remove the "fixup protocol h323 1720" statement.