08-22-2011 01:30 PM - edited 03-11-2019 02:15 PM
Hi, it's been a while since I've done a lot with a PIX config so I'd like some ideas on the best way to allow access for 2 IP addresses that need to RDP into a server here inside our network. They also wanted to have ports redirected, 3391 to 3389 and 3397 to 3389. Could someone give me an example of the best way to config this on the PIX? Thanks.
08-22-2011 01:57 PM
Hi,
Assume the following:
The server translated IP addresses:
10.0.0.2 10.0.0.3
Real IP addresses:
11.0.0.2 11.0.0.3
You want to allow the following IP addresses to access the servers:
192.168.1.1 192.168.2.1
You need to apply an access-list on the outside interface:
access-list outside_access_in permit tcp host 192.168.1.1 host 10.0.0.2 eq 3391
access-list outside_access_in permit tcp host 192.168.2.1 host 10.0.0.3 eq 3397
Do the NAT redirection:
static (dmz,outside) tcp 10.0.0.2 3391 11.0.0.2 3389
static (dmz,outside) tcp 10.0.0.3 3397 11.0.0.3 3389
Cheers
08-22-2011 02:55 PM
Thanks a lot, I'll give it a try tomorrow and let you know how it goes.
08-23-2011 01:18 PM
This is just one server that they want to access from 2 different machines over the Internet on different ports and they don't have a DMZ. Would I just change the static to this then:
static (inside,outside) tcp 10.0.0.3 3391 11.0.0.3 3389
static (inside,outside) tcp 10.0.0.3 3397 11.0.0.3 3389
Or is that wrong?
I already have a static for this server since it's going to be the FTP site shortly also.
Thanks
08-23-2011 01:33 PM
Yup, you can give this a try and see if it works.
Regards.
08-23-2011 01:39 PM
Since I already have a static for this IP address it won't let me post the additional statics for the NAT on the ports. What am I missing?
Thanks
08-23-2011 10:46 PM
Hi,
As Mike said,
if you have a one-to-one translation then all the requests on that IP address will hit that line. You can consider:
1. using another IP address
2. making the line more specific and doing a static PAT instead of mapping the whole IP address.
Cheers.
08-23-2011 03:31 PM
Any chance you're still online for the last question?
Thanks
08-23-2011 04:08 PM
Aaron,
If you already have a 1-to-1 translation, then you may need to delete the entry and create only port forwardings for everyone.
Let's say you had this
static (inside,outside) x.x.x.x y.y.y.y
and you want to add this
static (inside,outside) tcp x.x.x.x 3389 z.z.z.z 3389
That you cannot do; you will need to do this
no static (inside,outside) x.x.x.x y.y.y.y
static (inside,outside) tcp x.x.x.x 3389 z.z.z.z 3389
Then for the services that you had on IP Y... let's say FTP, you will need to create a port forward for that...
static (inside,outside) tcp x.x.x.x 21 y.y.y.y 21
Let me know if you have doubts.
Mike
08-24-2011 06:22 AM
So if I'm understanding this correctly I can't have these 2 statics for the same IP like I have below correct?
static (inside,outside) tcp 12.15.15.183 3391 192.168.100.38 3389
static (inside,outside) tcp 12.15.15.183 3397 192.168.100.38 3389
They want to have 2 different machines access this one server but on different redirected ports, but it sounds like it's not possible, which is fine; I just need to be able to tell them that and know that I'm correct. We don't have any more available public IPs to use at this point, but they may buy another block in the future. Will I also be able to run my FTP on this server and still allow access from the Internet?
Thanks again guys.
08-24-2011 09:34 AM
Hi,
Nope, that will conflict... since port 3389 is already mapped to 3391, you cannot add a new translation for the same port.
You should be able to grab that same static and have something like this
static (inside,outside) tcp 12.15.15.183 3391 192.168.100.38 3389
static (inside,outside) tcp 12.15.15.183 21 192.168.100.38 21
What you cannot do is try to map port 3389 to two different ports.
Hope this helps.
Mike
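As an added example (not code from the thread or from Cisco), here is a small Python model of the pre-8.3 PIX/ASA static rules the replies above describe: it emits the static PAT lines plus the outside access-list and refuses the two conflicts discussed, a port-level static on a mapped IP that already has a 1:1 static, and the same real ip:port translated twice. It assumes the inside/outside interface names and addresses quoted in the thread, and that pre-8.3 ACLs are written against the mapped (public) address.

```python
# Added example (not from the thread): a model of the pre-8.3 PIX/ASA "static" rules
# as the replies describe them. It builds the static PAT lines plus the outside
# access-list and refuses the two conflicts discussed:
#   1. a port-level static on a mapped IP that already has a 1:1 static
#   2. the same real ip:port mapped twice (3389 -> 3391 and 3389 -> 3397)
# Interface names and sample addresses are the ones quoted in the thread.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    mapped_port: Optional[int] = None   # None = 1:1 translation of the whole address
    real_port: Optional[int] = None

    def line(self) -> str:
        if self.mapped_port is None:
            return f"static ({self.real_if},{self.mapped_if}) {self.mapped_ip} {self.real_ip}"
        return (f"static ({self.real_if},{self.mapped_if}) tcp {self.mapped_ip} "
                f"{self.mapped_port} {self.real_ip} {self.real_port}")

def add_static(existing, new):
    """Return existing + [new], or raise ValueError with the reason it conflicts."""
    for s in existing:
        if (s.real_if, s.mapped_if) != (new.real_if, new.mapped_if):
            continue
        if s.mapped_ip == new.mapped_ip and None in (s.mapped_port, new.mapped_port):
            raise ValueError(f"1:1 static already claims every port of {s.mapped_ip}: {s.line()}")
        if (s.real_ip, s.real_port) == (new.real_ip, new.real_port):
            raise ValueError(f"{new.real_ip}:{new.real_port} is already translated by: {s.line()}")
        if (s.mapped_ip, s.mapped_port) == (new.mapped_ip, new.mapped_port):
            raise ValueError(f"{new.mapped_ip}:{new.mapped_port} is already in use by: {s.line()}")
    return existing + [new]

def build_config(statics, allowed):
    """Emit the statics, then an ACL admitting each source host only to the mapped port it needs.
    Pre-8.3 ACLs are written against the mapped (public) address, hence mapped_ip below."""
    lines = [s.line() for s in statics]
    by_port = {s.mapped_port: s for s in statics if s.mapped_port is not None}
    for src, port in allowed.items():
        s = by_port[port]
        lines.append(f"access-list outside_access_in permit tcp host {src} host {s.mapped_ip} eq {port}")
    lines.append("access-group outside_access_in in interface outside")
    return lines
```

Feeding it the 3391 and 3397 statics from the question reproduces the conflict, while 3391 plus FTP on port 21 goes through as Mike describes.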
08-24-2011 10:19 AM
It appears I have everything correct, but I'm still not able to RDP into the server. I don't have an A record or anything else registered, which I don't think is needed, correct? I'm just using it for 2 systems owned by a sister company to access it, and I don't want it to be easily found.
Thanks
Aaron
08-24-2011 11:06 AM
Hi Aaron,
You should just need the static PAT statement along with an access-list to allow the inbound connection on the outside interface. If you have it but it is still not working, I would advise following the steps below:
1. Take logs on the ASA when the connection drops.
2. Take captures on the firewall interfaces.
3. Take a packet-tracer.
For capture you can use this:
https://supportforums.cisco.com/docs/DOC-1222
For packet-tracer:
packet-tracer input outside tcp 1.1.1.1 2345 12.15.15.183 3389 detailed
These outputs should tell where the issue lies. If you need any help with captures, do let me know.
Thanks,
Varun