04-16-2005 07:44 AM - edited 02-21-2020 12:05 AM
Dear All
I have to open a port for a Microsoft Terminal Server located inside the PIX 515E to give outside users access. Which port should I open?
Please provide the configuration details if you have them.
Thanks in advance
swamy
04-16-2005 08:09 AM
Hi Swamy,
Please try these commands..
static (inside,outside) tcp interface 3389 10.1.1.1 3389 netmask 255.255.255.255
access-list 100 permit tcp any host 200.1.1.1 eq 3389
access-group 100 in interface outside
The static command would use the IP address of the outside interface to make the
translation and then send the information to the 10.1.1.1 host on the inside, which would be the
server on the inside. The access list is permitting 'any' to connect to the IP address 200.1.1.1,
which is an example of the IP address that the ISP is assigning to you.
Here is the document that you can refer to for the explanation of what we are using here.
http://www.cisco.com/warp/public/707/28.html#port
Saju
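An added example (not part of the original thread or of Cisco's documentation): a small Python check that reads PIX-style `static`, `access-list` and `access-group` lines like the ones in the answer above and reports, for each redirected port, whether the ACL bound to the outside interface admits any source, only specific sources, or none. The port 25 and 80 entries and the 198.51.100.0/24 source are constructed sample values, and the parser handles only the command forms shown here.

```python
import re

# Constructed sample: the three commands from the answer above, plus
# hypothetical redirections for ports 25 and 80 added only for contrast.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 3389 10.1.1.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 25 10.1.1.2 25 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.1.1.3 80 netmask 255.255.255.255
access-list 100 permit tcp any host 200.1.1.1 eq 3389
access-list 100 permit tcp 198.51.100.0 255.255.255.0 host 200.1.1.1 eq 25
access-group 100 in interface outside
"""

ADDR = r"(any|host\s+\S+|interface\s+\S+|\S+\s+\S+)"
STATIC_RE = re.compile(r"static\s*\((\w+),(\w+)\)\s*(tcp|udp)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+"
                    + ADDR + r"\s+" + ADDR + r"\s+eq\s+(\S+)")
GROUP_RE = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)")


def audit(config):
    """Classify each static port redirection by who the bound inbound ACL admits.

    Simplified: reads permit lines only and matches on protocol and port; deny
    lines, rule order and the ACL destination address are not evaluated.
    """
    statics, acls, bound = [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            name, proto, src, _dst, port = m.groups()
            acls.setdefault(name, []).append((proto, src, port))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface name -> ACL name
    findings = []
    for _real_if, mapped_if, proto, mapped_port, real_ip, real_port in statics:
        rules = acls.get(bound.get(mapped_if), [])
        sources = [s for p, s, port in rules if p == proto and port == mapped_port]
        if not sources:
            exposure = "blocked"  # PIX drops outside-to-inside traffic with no permit
        elif "any" in sources:
            exposure = "open-to-any"
        else:
            exposure = "restricted"
        findings.append({"service": f"{real_ip}:{real_port}", "exposure": exposure,
                         "sources": sources})
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one dictionary per redirection; the 3389 entry from the answer is the one classified as open to any source.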
04-17-2005 03:04 AM
Thanks, Mr. Saju, for your valid information.
Swamy
04-17-2005 03:13 AM
Saju,
In the customer setup, the ADSL modem at the edge is doing the PAT. The ISP assigned a single static IP for the wan0 interface, and the IP address of that interface is doing the PAT.
The ADSL eth0 and the server are all connected to the inside Ethernet segment.
Now I have to connect the PIX and do the rest of the config. Is it OK not to move the PAT from the ADSL modem to the PIX, and to put only an ACL on the outside interface to allow the outside users to access the terminal server port?
access-list allow permit tcp any host x.x.x.x eq 3389
Please give me your solution.
Thanks in advance
swamy
04-17-2005 06:57 PM
If the IP addresses available are limited, it does no harm to retain the PAT on the ADSL and use the firewall just for protection.
But remember there will be two NAT translations for packets from inside to get to the Internet: one on the PIX and the other on the ADSL.
04-17-2005 04:12 AM
Dear Saju,
In the customer network, only the ADSL router WAN interface is doing the PAT.
In your config,
static (inside,outside) tcp interface 3389 10.1.1.1 3389 netmask 255.255.255.255
Here "interface" denotes the outside interface, but in the actual setup I used an RFC 1918 private IP range address on the PIX outside. How can I do the PAT using the ADSL modem's wan0 IP address in the PIX firewall?
There is no translation rule configured in the internal network so far.
Please could you help me?
swamy
04-17-2005 07:01 PM
I am assuming here that your Inside network is 10.1.1.0 255.255.255.0 w.r.t PIX and outside network w.r.t PIX is 172.16.1.0 255.255.255.0.
In this case...I would use..
nat (inside) 1 0 0
global (outside) 1 interface
I am not sure if this answers your question. If not then please clarify your question.
04-20-2005 07:27 AM
Dear Spaulose,
Let me brief you on my network setup:
Local LAN: 10.0.0.0/24
Mail server: 10.0.0.2/24 (ADSL outside global IP mapped in the ADSL modem to give mail access)
Proxy server inside NIC: 10.0.0.1/24
Proxy server outside NIC: 172.16.1.1/24
PIX inside: 172.16.1.2/24
PIX outside: 192.168.100.1/24
ADSL modem inside eth0: 192.168.100.2/24
ADSL outside: Global Fixed IP (ISP)
In the PIX:
route outside 0.0.0.0 0.0.0.0 192.168.100.2 1
The ADSL atm0 outside global IP is used by outside users to access the internal mail & terminal server 10.0.0.2, to give terminal server access to the outside untrusted network users. But I want to know how I can configure the PIX to map the local IP of the mail server to the global IP of the ADSL modem.
If I leave the ADSL configuration untouched and use the nat (inside) 0 0 0 command in the PIX, will the terminal server be accessible from outside?
I am really confused by things like port address mapping.
Please help me
Regards
swamy