Re: PIX ACL/STATIC Advice/help required.

admin_2 · ‎05-25-2004

I am trying to add a 2nd ACL and static on my PIX to allow external access for Remote Desktop Protocol (RDP) on port 3389.

At the moment there is a ACL and static configured for access to one internal server via RDP on port 3389, but when I try to configure a 2nd ACL/static for a external client to access a 2nd server on the inside via RDP, I get a duplicate static error!

Here is the config at the moment:

access-list inbound permit tcp host [external_IP_1] host [outside_intf_IP_of_pix] eq 3389

static (inside,outside) tcp [outside_intf_IP_of_pix] 3389 [inside_srv1_ip] 3389 netmask 255.255.255.255 0 0

the above configuration works perfectly, but if I try adding the following to the above configuration then I get the duplicat error message:

access-list inbound permit tcp host [external_IP_2] host [outside_intf_IP_of_pix] eq 3389

static (inside,outside) tcp [outside_intf_IP_of_pix> 3389 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0

Both of these servers (srv1 and srv2) are on the same inside subnet. Can someone help me out with this or point me to relevant information/document.

Thanks in advance for any assistance.

kagodfrey · ‎05-25-2004

I'm afraid you can't map the same one port from the outside interface IP address to two ports on seperate IP addresses on the inside. You would either have to use an additional address from the range available outside the pix,

access-list inbound permit tcp host [external_IP_2] host [another_outside_ip] eq 3389

static (inside,outside) tcp [another_outside_ip> 3389 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0

or change the number of the second port

access-list inbound permit tcp host [external_IP_2] host [outside_intf_IP_of_pix] eq 12321

static (inside,outside) tcp [outside_intf_IP_of_pix> 12321 [inside_srv2 ip] 3389 netmask 255.255.255.255 0 0

Hth

Kev