1174 Views, 5 Helpful, 8 Replies

Pix 501 Port Redirection with outside Dyn IP

rafaelgarcia
Level 1

Hi,

I have a Pix 501 with a dynamic IP address on the outside interface. I have a host inside which I need to access from the outside using RDP. I have already created an access list to permit tcp 3339 in. I am using DynDNS to know my current IP address.

My inside host IP address is 192.168.150.10. Can someone tell me how to create a static route using the port? Do I need any alias?

Thanks

8 Replies

a.kiprawih
Level 7

Since your PIX outside interface obtained its IP dynamically, you can try this:

access-list outside permit tcp any interface outside eq 3389

access-list outside deny ip any any

static (inside,outside) tcp interface 3389 192.168.150.10 3389 netmask 255.255.255.255

access-group outside in interface outside

Use the 'show access-list outside' command to verify whether your ACL is working. You should see some hit count. Also, check the connection status to 192.168.150.10 using 'sh conn | i 3389'.

HTH

AK

Thanks for your reply.

I could connect only once, when I configured it.

I did some troubleshooting; the PIX is forwarding the request to a different host. Why?

How is the server getting an IP address? Is it dynamic? If so, has the IP address of the server changed after you configured port redirection on the Pix 501?

Can you make sure that the server still owns the 192.168.150.10 IP address?

I hope it helps.

Regards,

Arul

Hi,

The server has a static IP and it has not been changed. At this moment I am using the PIX from the outside (SSH) and I am trying to RDP into my server, and I get "TCP request discarded from x.x.x.x to outside x.x.x.x/3389".

It looks like it is making the request but it is not permitted. The access list has no hits. I reapplied the access-group but with no success.

Any ideas?

Is your static (inside,outside) configured the way A.Kiprawih posted in his earlier email?

Based upon the logs, the PIX discards the packet because it thinks it is destined to itself, and the PIX does not listen for packets on TCP/3389; therefore it does not know what to do with that packet that was destined to it and discards it.

If you have Port Redirection configured, then this should not be the case.

I hope it helps.

Regards,

Arul

The configuration is exactly as the one posted above.

As I said before, when I have another computer connected to the network, the packets are destined for that other host, giving the exact same error but with a different IP address.

Any suggestions or troubleshooting steps I could do?

Thanks

I am not sure, but you may have to clear your xlate table when that IP address has changed. I am not sure whether the PIX notices that the IP address has changed dynamically and times out that entry. It would time out if you changed it manually. You could try clearing that entry in the xlate table and connecting again...

NorAlarm(config)# sh xlate

43 in use, 851 most used

PAT Global 213.145.xxx.xxx(3389) Local 10.0.2.241(3389)

clear xlate global xx.xx.xx.xx local xx.xx.xx.xx

Jens
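The stale-xlate idea in Jens's reply can be checked mechanically: parse the 'show xlate' output, compare each translation's global address with the outside interface's current (DynDNS) address, and print the 'clear xlate' commands for the entries that still reference an old address. The script below is an added example, not code from the thread or from Cisco; the sample output is constructed in the same line format Jens posted, with made-up addresses, and the current outside address is assumed to be supplied by the operator.

```python
import re

# Constructed sample of 'show xlate' output, modelled on the line format shown
# in the thread ("PAT Global <ip>(<port>) Local <ip>(<port>)"); all addresses
# are made up for the example.
SAMPLE_XLATE = """\
43 in use, 851 most used
PAT Global 203.0.113.10(3389) Local 192.168.150.10(3389)
PAT Global 203.0.113.10(1025) Local 192.168.150.22(1025)
Global 203.0.113.11 Local 192.168.150.5
"""

# Matches both PAT lines (with ports) and plain one-to-one static lines.
XLATE_RE = re.compile(
    r"^(?P<kind>PAT\s+)?Global\s+(?P<gip>\d+\.\d+\.\d+\.\d+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>\d+\.\d+\.\d+\.\d+)(?:\((?P<lport>\d+)\))?"
)


def parse_xlate(text):
    """Return a list of translation entries parsed from 'show xlate' text.

    Header lines ("43 in use, ...") and anything else that does not look like
    a translation are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "pat": m.group("kind") is not None,
            "global_ip": m.group("gip"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "local_ip": m.group("lip"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
        })
    return entries


def stale_entries(entries, current_outside_ip):
    """Entries whose global address differs from the outside interface's
    current address. After a dynamic-address change these are the
    translations still tied to the old address."""
    return [e for e in entries if e["global_ip"] != current_outside_ip]


def clear_commands(entries):
    """Build the 'clear xlate global X local Y' commands (the form Jens
    posted) for the given entries."""
    return [
        f"clear xlate global {e['global_ip']} local {e['local_ip']}"
        for e in entries
    ]


if __name__ == "__main__":
    # Assumed current outside address; in practice take it from DynDNS or
    # 'show ip address'.
    current_ip = "203.0.113.10"
    for cmd in clear_commands(stale_entries(parse_xlate(SAMPLE_XLATE), current_ip)):
        print(cmd)
```

Paste the real 'show xlate' output in place of the sample and pass the address DynDNS currently reports; any command the script prints refers to a translation that cannot be matched by the 'static ... interface ...' redirection any more.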

Thank you to all of you for your interest in resolving my problem. I deleted all the access lists as well as the static and reconfigured them again, and everything started working.

I can now access my host from the outside.
