Can you explain how to do that? What command is needed?

eg

static (inside,outside) 217.19.1.10 10.15.0.1 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 217.19.1.10 eq 3389

access-group outside_access_in in interface outside

is your PIX Version 6.1(1)?

Ok, that seems to be what I have.

static (inside,outside) tcp 216.153.252.xx 3389 192.168.1.xx 3389 netmask 255.255.255.255 0 0

access-list 101 permit tcp any host 216.153.252.xx eq 3389

access-group 101 in interface outside

Do you see anything in my lines that isn't right? Then I think this should be working. I'll have to see if my outside tech can get in yet.

Thanks for your help, Mike

no worries. give it a go and let us know the outcome.

you can also use the PDM manager to setup your NAT/ACL statement as well. (Easier to use)

Yeah I was thinking that too, but when I connected an older laptop to it in the IP range of the firewall and entered the path in the address bar, it goes to the page, but then just says loading and nothing ever happens. Any thoughts on that?

in the example i provided, i already have an ACL applied to the outcide interface ( outside_access_in) The PIX can only allow a single ACL on the outside interface for inbound connection. so when adding a new ACL, you need to use the exiting ACL already applied to the outside interface. unless you are trying to tell something i do not know.

I'll give it a shot.

By the way after I add this and do a "write mem" is there any other commands I should be entering to make sure it gets loaded to the PIX?

Also, I notice that I have been using 101 but doesn't there need to be a line defining what 101 is? I am really not understanding this too well.

if 101 is not already applied to the outside interface i dont see how your ACL is going to work. you need to use an ACL already applied to your PIX outside interface.

if you post the config we can find out the ACL name.

Please help. I'm having a hard time understanding the terminology here and I am afraid of making changes and locking everyone out or blocking my users access out.

Mike

so on your firewall access-group 101 is used.

The ACL below will work

access-list 101 permit tcp any host 216.153.252.20 eq 3389

Ok, I just had my outside tech try it and it didnt work. She said it might be a problem with the server instead, so from what you see, it looks like this firewall should be allowing incoming connections from everyone on port 3389, right? Is there anything else that could be blocking it on the firewall?

Thanks you for your help, it has been invaluable!

Mike

just noticed the deny

access-list 101 deny ip any any log (This is prevent your RDP from working)

access-list 101 permit tcp any host 216.153.252.20 eq 3389