RDP through PIX 515 with Squid proxy into DMZ

e.blok
Level 1

Anyone any idea how to get this functional:

From a LAN one needs to make an RDP connection to a W2K server.

From the outside I can ping a.b.c.d

When I put the following into the PIX it won't work:

access-list outside_access_in permit tcp host a.b.c.d eq 3389 e.f.g.h 255.255.255.0

access-list intf2_access_in permit tcp any host a.b.c.d eq 3389

a.b.c.d is the remote server and e.f.g.h the LAN

intf2 is the DMZ

The connection can be made if I bypass the PIX with a dialup connection.

Is the proxy server in the DMZ a problem? As far as I know it's not usual to install a proxy server in the DMZ. This Squid proxy does allow all ports to pass, so there's no restriction.

Thanks in advance,

Erik Blok.

7 Replies

jmia
Level 7

Hi..

It's a little hard to tell what's going on from your post. If you ever have connection problems through the PIX, the best bet to troubleshoot it is to turn on syslogging; the PIX will tell you exactly what's going wrong then. Do the following:

logging on

logging buffered debugging

show logging

Let me know the outcome - Jay.
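As an added example (not from Jay's post or anyone else in the thread), a small Python script that reads PIX syslog output of the kind `show logging` prints, keeps only the connection built/teardown and deny messages that involve TCP port 3389, and groups them by the access-group that denied them. The log lines and addresses are constructed for the example.

```python
import re

# Constructed sample PIX syslog lines (not from the thread); the addresses are
# documentation ranges standing in for the LAN, the PIX and the W2K server.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/3389 (198.51.100.7/3389) to inside:192.0.2.25/1045 (203.0.113.2/1045)
%PIX-4-106023: Deny tcp src inside:192.0.2.25/1046 dst outside:198.51.100.7/3389 by access-group "inside_access_in"
%PIX-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/3389 to inside:192.0.2.25/1045 duration 0:00:05 bytes 1200 TCP FINs
%PIX-3-106010: Deny inbound tcp src outside:198.51.100.7/3389 dst inside:203.0.113.2/1045
%PIX-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.0.2.30/2001 (203.0.113.2/2001)
"""

MSG_ID = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)")
# interface:address/port pairs; NAT-mapped pairs in parentheses have no
# interface prefix and are deliberately skipped.
ENDPOINT = re.compile(r"(?P<iface>\w+):(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")
ACL = re.compile(r'by access-group "?(?P<acl>[^"\s]+)"?')
# Message ids worth reading first when a connection through the PIX fails.
ACTIONS = {"302013": "built", "302014": "teardown",
           "106023": "deny-by-acl", "106010": "deny-inbound"}

def parse_line(line):
    """Return a dict for one syslog line, or None if it is not a PIX message."""
    m = MSG_ID.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    acl = ACL.search(body)
    return {"id": m.group("id"), "severity": int(m.group("sev")),
            "action": ACTIONS.get(m.group("id"), "other"),
            "endpoints": [e.groupdict() for e in ENDPOINT.finditer(body)],
            "acl": acl.group("acl") if acl else None}

def events_for_port(log_text, port):
    """Keep only messages in which some endpoint uses the given port."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and any(int(e["port"]) == port for e in ev["endpoints"]):
            events.append(ev)
    return events

def summarize(log_text, port=3389):
    """Count built/teardown/deny messages for the port, keyed by denying ACL."""
    counts = {}
    for ev in events_for_port(log_text, port):
        key = ev["action"] + (":" + ev["acl"] if ev["acl"] else "")
        counts[key] = counts.get(key, 0) + 1
    return counts
```

If `summarize` returns no entries at all for port 3389, the PIX never saw the traffic, which points at routing or the proxy rather than at an access-list.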

Jay,

When I look at the various logs I can't see anything mentioning port 3389. This PIX is a gateway for the LAN, and the PC from which I tried had the IP address of the PIX as default gateway.

Am I forgetting something in the configuration?

Erik

mostiguy
Level 6

You should not need an access-list entry for the outside interface. The PIX is a stateful device, so as long as you permit the RDP connection to leave the DMZ interface, the stateful replies should come back in.

On a show access-list, do any of those 2 lines have numbers to indicate that they have been used (hitcnts)?

The proxy server could easily be a problem. Are there any logs for it?

I don't have logs for the Squid proxy server. Unfortunately I'm not at the particular location, so I can't tell you the output of the show access-list.

I'm aware of the stateful filtering, but as I've never seen a proxy server placed in a DMZ (mostly between LAN and PIX) I added it to be sure.

But adding the specified rule should work, or not?

Erik

jackko
Level 7

It is confusing. I'm not too sure what exactly you are trying to achieve here.

Would you please explain more and perhaps simply outline the traffic flow?

Ok,

As said before, I want to make a connection over the internet to a remote W2K server with the RDP protocol (which by default uses TCP port 3389).

At our side a PIX 515 is installed.

What do I have to change to let traffic over port 3389 pass the PIX?

LAN ====> PIX ====> internet ====> W2K server
           ||
    DMZ with proxy server

So you tried to RDP into the W2K server from the LAN. If you don't have an outbound access list configured, then it wouldn't be the PIX blocking the RDP traffic.
