Re: PIX Special Port Forwarding

j.way · ‎05-13-2002

Hi All,

I put this thread in the remote access area as well because of the port I am having trouble forwarding through the PIX.

What I'm trying to do is forward port 3389 (windows terminal services) to a W2k server. I tried using access list settings in the GUI for this to no avail and I'm not familiar enough with PIX CLI to accomplish this yet.

Thanks,

Josh

gradosavljevic · ‎05-14-2002

If I understand you correct you are trying to give access to a terminal Server that is protected by/behind a PIX Firewall ??

I believe that GUI's are fine for simple tasks buit in you case you'll just have to get "knee-deep" and learn the CLI !!

What you want to do, that is if I understood you correct is to open up for port 3389 to this particular server. This can be done in the following fashion

a) assign a static outside IP address for the W2K server which will be used to translate to it's real inside address

static (inside,outside) 193.76.88.15 10.1.1.1 netmask 255.255.255.255

b) allow (only) port 3389 to pass on this connnection

conduit permit tcp host 193.76.88.15 eq 3389 any

That should do it, assuming that the W2k box does not require any other open ports. Nevertheless, this, in my (paranoid) opinion, would be to compromise a good firewall as best practice is to *NEVER* to have any port open from the outside to the inside, but that a whole new thred we would have to open just for that discussion....

Good luck

- Goran

j.way · ‎05-15-2002

Thanks a bunch Goran. I think that'll do it. I am somewhat familiar with the CLI. However, conduit commands are still a bit shaky... The funny thing about this one is that I was just told to replace the PIX with a NetScreen 5xp because that is what the client was expecting. Well, I guess I'll go ahead and stick it before our corporate LAN in which our MS guys use the W2k TS anyway.

Best regards,

Josh