Problems with RDC after installing a PIX

ruiacrosa
Level 1

I have a remote server (Windows 2000 Server behind a PIX 506E) working OK with a VPN tunnel using IPsec. This server is used by several teleworkers with Remote Desktop Connection (RDC) in Win2000/XP. One of the teleworkers needed more security, so I installed a Cisco PIX 501. Until this installation everything worked fine, but after the installation of the PIX 501 it gives an error when I try to connect with RDC. The error is this: "The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection. Please try your connection again later. If the problem continues to occur, contact your administrator." Can you help me with this?

4 Replies

jmia
Level 7

Rui,

I'm guessing that your 506E hasn't got the appropriate ACLs/static for RDC (port 3389) for your inbound connection from the 501, i.e. you need to allow the public IP (outside interface IP) of your 501 on port 3389 on the 506E.

If I'm wrong on the above then please provide both configurations from the 506E and 501 so that I can check - change any sensitive info if you post the config here.

Hope this helps and let me know.

Jay

Hi, thanks for the reply. Please, can you send me the command line to allow port 3389 on the outside interface? Meanwhile, here is the current configuration of the PIX 501:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname Fener
domain-name qwerty
clock timezone WEST 0
clock summer-time WEDT recurring last Sun Mar 0:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.x.x 255.x.x.x
ip audit name AttackPolicy attack action alarm drop
ip audit interface inside AttackPolicy
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.x.x 255.x.x.x inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.x.x-192.168.x.x inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end

Thanks for the help.

RR

Rui,

access-list outside_in permit tcp host 213.xx.xx.xx host 211.xx.xx.xx eq 3389

static (inside,outside) tcp 213.xx.xx.xx 3389 10.xx.xx.xx 3389 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

The above config is allowing host 213.xx.xx.xx to connect to port 3389 on my public IP 211.xx.xx.xx.

The static is translating host 213.xx.xx.xx port 3389 to my inside server IP 10.xx.xx.xx on port 3389.

The access-group statement is binding the access-list outside_in to the outside interface.

The reason I have a host-to-host setup for RDC on 3389 is so that only that host (213.xx.xx.xx) can connect to my internal server on port 3389. I could have used 'any host', but this would have allowed anyone to connect to my internal server on port 3389 (not a good idea!).

If you don't have any free public IPs available then you can use the keyword 'interface' on your static, i.e.

access-list outside_in permit tcp host 213.xx.xx.xx host eq 3389

static (inside,outside) tcp interface 3389 10.xx.xx.xx 3389 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

The keyword interface corresponds to your PIX's outside interface IP address; therefore, your ACL for the outside interface will need to point to the outside interface IP of your PIX, i.e.

access-list outside_in permit tcp host 213.xx.xx.xx host eq 3389

Make sure to issue clear xlate after the modification of the above and save with write mem.

Hope this explains and helps. Let me know how you get on or if you require further help.

Jay
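As an added illustration (not code from the thread or from Cisco), a small Python evaluator for the PIX 6.3 ACE syntax used above. It assumes constructed addresses (203.0.113.5 as the allowed client, 198.51.100.9 as the 501's outside address) and shows two things the thread turns on: an ACE is inert until an access-group binds it, and the poster's ACE matches only a client whose source port is 3389, which an RDC client never uses.

```python
import re

# Regexes for the only ACE/access-group forms this thread uses (PIX 6.3 style).
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permit|deny) tcp "
    r"(?P<src>any|host \S+)(?: eq (?P<sport>\d+))? "
    r"(?P<dst>any|host \S+|interface outside)(?: eq (?P<dport>\d+))?$"
)
GROUP_RE = re.compile(r"access-group (?P<acl>\S+) in interface outside$")


def _addr_match(spec, ip, outside_ip):
    """Does an address specifier ('any', 'host X', 'interface outside') cover ip?"""
    if spec == "any":
        return True
    if spec == "interface outside":
        return ip == outside_ip
    return ip == spec.split()[1]  # "host a.b.c.d"


def inbound_verdict(config, outside_ip, src_ip, src_port, dst_port):
    """Verdict for a TCP SYN arriving on the outside interface, addressed to the
    PIX's own outside IP. Returns 'permit', 'deny' or 'deny (no ACL bound)'."""
    aces, bound = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := ACE_RE.match(line)):
            aces.append(m.groupdict())
        elif (m := GROUP_RE.match(line)):
            bound = m.group("acl")
    if bound is None:
        return "deny (no ACL bound)"  # outside->inside is blocked by default
    for ace in (a for a in aces if a["acl"] == bound):
        if (_addr_match(ace["src"], src_ip, outside_ip)
                and _addr_match(ace["dst"], outside_ip, outside_ip)
                and (ace["sport"] is None or int(ace["sport"]) == src_port)
                and (ace["dport"] is None or int(ace["dport"]) == dst_port)):
            return ace["action"]
    return "deny"  # implicit deny at the end of every PIX access-list


# Constructed samples: the ACE from the posted 501 config, with and without a
# binding, and a host-to-host ACE in the shape Jay suggests.
ORIGINAL = "access-list outside_access_in permit tcp any eq 3389 interface outside eq 3389\n"
ORIGINAL_BOUND = ORIGINAL + "access-group outside_access_in in interface outside\n"
HOST_TO_HOST = (
    "access-list outside_in permit tcp host 203.0.113.5 interface outside eq 3389\n"
    "access-group outside_in in interface outside\n"
)
```

An RDC client connects from an ephemeral source port (50000 in the checks below), so the posted ACE only ever matches if it is bound and the client happens to use source port 3389.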

First of all let me thank you for the help you are giving me.

I have tried to use the suggestions you gave me but it didn't work. I have several questions/doubts:

1 - access-list outside_in permit tcp host 213.xx.xx.xx host 211.xx.xx.xx eq 3389 - here, where you put 211.xx.xx.xx, that is my public IP. It happens that my public IP is not static. Where 211.xx.xx.xx is, should I put "any"? That's what I have tried: access-list outside_in permit tcp host 213.xx.xx.xx host any eq 3389

2 - static (inside,outside) tcp 213.xx.xx.xx 3389 10.xx.xx.xx 3389 netmask 255.255.255.255 0 0

Where you put 10.xx.xx.xx, is that my inside server, the PIX IP or my machine IP? What happens when I have more than one PC that needs to access outside?

Thanks.

RR
