PIX 506 Filtering Terminal Services

brody (Level 1)

I have a PIX 506 that is blocking MS Terminal Services, which uses port 3389 tcp/udp. Whenever I apply the conduit or access-list statements to allow full access using these ports, they are still being filtered by the PIX, even after the clear xlate command is issued. I know that the PIX is filtering Terminal Services because when I open the PIX up fully you can then terminal service in through the PIX. Has anyone that's ever used Microsoft Terminal Services before had this problem, or does anyone know what port numbers need to be opened that I'm unaware of?

Here are my filters that I'm using that don't seem to work.

conduit permit tcp any any eq 3389

conduit permit udp any any eq 3389

or

access-list incoming tcp any any eq 3389

access-list incoming udp any any eq 3389

access-group incoming in interface outside

6 Replies

brody (Level 1)

I have a PIX 506 that is blocking MS Terminal Services, which uses port 3389 tcp/udp. Whenever I apply the conduit or access-list statements to allow full access using these ports, they are still being filtered by the PIX, even after the clear xlate command is issued. I know that the PIX is filtering Terminal Services because when I open the PIX up fully you can then terminal service in through the PIX. Has anyone that's ever used Microsoft Terminal Services before had this problem, or does anyone know what port numbers need to be opened that I'm unaware of? I've looked on IANA and just about every port listing site, and they all reflect 3389 tcp/udp.

Here are my filters that I'm using that don't appear to be working.

conduit permit tcp any any eq 3389

conduit permit udp any any eq 3389

or

access-list incoming tcp any any eq 3389

access-list incoming udp any any eq 3389

access-group incoming in interface outside

Do you have a NAT statement to the Terminal Services Box? Use that public address in the conduit/ACL.

The following statement works for us (given that you add the public IP):

access-list acl_outside permit tcp any host #.#.#.# eq 3389

irsanc (Level 1)

The RDP listener will listen on port 3389; the actual connection takes place over a port above 1024.

You have to open a range of TCP ports between 1024 and 3389 that your terminal server will use.

rstaaf (Level 1)

What client are you using to connect? The following is from a Microsoft knowledge base article.

http://support.microsoft.com/support/kb/articles/q150/5/43.asp

RDP Client (Microsoft): TCP 3389 (pre-Beta2: 1503)

ActiveX Client (TSAC): TCP 80, 3389

ICA Client (Citrix): TCP 1494

Hope this helps.

Bob Staaf

Southern Web Services

Orlando, Fl

thomas.waddell (Level 1)

Here's a suggestion that will serve you beyond this problem.

Set up a syslog server (if you don't have one, search the Internet for Kiwi Syslog). You can install Kiwi's syslog server on a Windows PC and configure your PIX to syslog to it.

Once you have the PIX syslogging, configure your conduits and then try to Terminal Server across it. The PIX will log every packet blocked, including the destination ports that you'll want to open up. This will speed diagnosis along for most any problem you may have in the future. One problem with this is that access-lists don't log the port number. So if you are using access-lists, temporarily configure with conduits, watch the logs, and then, once you have a list of ports that need to be open, change back to access-lists.

Hope this helps,

Thomas

jose.calvillo (Level 1)

You have your port statements in the wrong location.

Try:

conduit permit tcp any eq 3389 any

conduit permit udp any eq 3389 any

By typing it in the way you have it in your post you're saying that the connection from the remote location must be initiated on port 3389. As I have it above, the connection must be destined to port 3389.
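The operand-position point above is easy to get wrong because conduit and access-list statements read in opposite directions: a conduit lists the global (inside) address first and the foreign address second, while an access-list lists source first and destination second. The checker below is an added example written for this thread, not code from the PIX or from any poster; it parses either statement form into source/destination terms and reports whether a rule actually permits traffic destined to a given port (all addresses in it are constructed samples).

```python
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
ACTIONS = {"permit", "deny"}

def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host IP | IP MASK."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2

def _take_port(tokens, i):
    """Consume an optional port operator (eq/neq/lt/gt/range) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 3 if tokens[i] == "range" else 2
        return " ".join(tokens[i:i + n]), i + n
    return None, i

def parse_rule(line):
    """Normalise a conduit or access-list line to source/destination terms."""
    t = line.split()
    if t[0] == "conduit":
        # conduit: global (inside) address first -> that is the destination
        action, proto, i, first_is_dst = t[1], t[2], 3, True
    elif t[0] == "access-list":
        # access-list: source first, then destination
        action, proto, i, first_is_dst = t[2], t[3], 4, False
    else:
        raise ValueError("not a conduit or access-list statement: " + line)
    if action not in ACTIONS:
        raise ValueError("missing permit/deny keyword: " + line)
    a1, i = _take_addr(t, i)
    p1, i = _take_port(t, i)
    a2, i = _take_addr(t, i)
    p2, i = _take_port(t, i)
    src, src_port, dst, dst_port = (a2, p2, a1, p1) if first_is_dst else (a1, p1, a2, p2)
    return {"action": action, "proto": proto, "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port}

def opens_dest_port(line, port):
    """True if the rule permits traffic whose destination port equals `port`."""
    r = parse_rule(line)
    return r["action"] == "permit" and r["dst_port"] == "eq " + str(port)

if __name__ == "__main__":
    for rule in ["conduit permit tcp any any eq 3389",   # as posted: matches the source port
                 "conduit permit tcp any eq 3389 any",   # corrected: matches the destination port
                 "access-list incoming permit tcp any any eq 3389"]:
        print(opens_dest_port(rule, 3389), "<-", rule)
```

Note that the access-list lines as posted omit the permit/deny keyword; the parser rejects those rather than guessing an action.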
