10-31-2004 06:13 PM - edited 03-09-2019 09:17 AM
Hello there.
Here I have a PIX 506e. I'm unable to remote desktop to the server behind the firewall. If I take out the firewall, yes, it can. It seems that the firewall doesn't allow any outside user to access inside.
Fixed IP: xxx.xxx.xxx.161
server 192.168.1.9 [ Unable to remote this server ]
Router IP: 10.1.1.1
Outside IP: 10.1.1.2
Inside IP: 192.168.1.1
I've allowed any icmp. How am I going to allow outside to go inside...
I've attached my configuration; please look through it.
Thanks
Tonny
11-01-2004 02:17 AM
Where are you trying to do the RDC connection from? (to the server 192.168.1.9) If it is from outside, we need to open appropriate ports and do statics. Do let us know where you want the RDC access from.
11-01-2004 05:04 AM
access-list outside_access_in line 1 permit tcp any host 10.1.1.2 eq 3389
# This will allow any host to RDP into RDPServer
static (inside,outside) tcp 10.1.1.2 3389 192.168.1.9 3389 netmask 255.255.255.255 0 0
#Port Redirect tcp port 3389 RDP to 192.168.1.9
access-group outside_access_in in interface outside
# Apply access-list to interface
sincerely
Patrick
11-01-2004 11:28 PM
As per your configuration posted before, 10.1.1.2 is your PIX outside IP address. You should not do a PAT here as shown above. You need to do a static NAT and then allow port 3389 on that IP.
I am taking 10.1.1.3 (hope it is a free IP) in my configuration.
access-list outside_access_in permit tcp any host 10.1.1.3 eq 3389
access-list outside_access_in permit icmp any host 10.1.1.3
access-group outside_access_in in interface outside
static (inside,outside) 10.1.1.3 192.168.1.9 netmask 255.255.255.255 0 0
After doing this, you can telnet on port 3389 to the IP address 10.1.1.3 from the router and ping the server as well.
All the best !!
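As an added check that is not from this thread or from Cisco, the following Python audit parses a PIX 6.x style configuration and reports the two problems discussed above: an outside-in access-list entry whose destination has no static (the PIX drops such traffic), and a static that reuses the outside interface address instead of a free one. It also flags any RDP permit that is open to any source. The configuration text, addresses and function name are constructed for the sample.

```python
import re

# Constructed sample config modelled on this thread: the first attempt
# redirected TCP 3389 on the outside interface address (10.1.1.2), the
# accepted fix uses a one-to-one static to a free address (10.1.1.3), and
# 10.1.1.4 is an extra entry with no static at all.
PIX_CONFIG = """
ip address outside 10.1.1.2 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 10.1.1.2 3389 192.168.1.9 3389 netmask 255.255.255.255 0 0
static (inside,outside) 10.1.1.3 192.168.1.9 netmask 255.255.255.255 0 0
access-list outside_access_in line 1 permit tcp any host 10.1.1.2 eq 3389
access-list outside_access_in permit tcp any host 10.1.1.3 eq 3389
access-list outside_access_in permit tcp any host 10.1.1.4 eq 3389
access-list outside_access_in permit icmp any host 10.1.1.3
access-group outside_access_in in interface outside
"""

OUTSIDE_RE = re.compile(r"^ip address outside (\S+)")
# global address, optional port, local address (plain and port-redirect statics)
STATIC_RE = re.compile(r"^static \(inside,outside\) (?:tcp |udp )?(\S+)(?: \d+)? (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?permit (\S+) (\S+) host (\S+)(?: eq (\S+))?")

def audit(config):
    """Cross-check outside-in ACL entries against statics; return (severity, message) pairs."""
    outside_ip, statics, findings = None, {}, []
    for line in config.splitlines():
        m = OUTSIDE_RE.match(line)
        if m:
            outside_ip = m.group(1)
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)   # global address -> inside host
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        name, proto, src, dst, port = m.groups()
        if dst not in statics:
            findings.append(("error", f"{name}: permit to {dst} has no matching static, so the PIX drops it"))
        elif dst == outside_ip:
            findings.append(("error", f"{name}: static for {dst} reuses the outside interface address; use a free address"))
        if src == "any" and proto == "tcp" and port == "3389":
            findings.append(("warn", f"{name}: RDP on {dst} is reachable from any source; restrict the source"))
    return findings
```

Run `audit(PIX_CONFIG)` on the sample to get two errors (10.1.1.2 and 10.1.1.4) and three any-source RDP warnings; the 10.1.1.3 static from the accepted answer passes.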
11-03-2004 07:01 PM
Your config:
ip address outside 10.1.1.2 255.0.0.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 10 218.xxx.xxx.162-218.xxx.xxx.172
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
What is that global? I do not understand why you have configured this IP range 218.xxx.xxx.162 - 218.xxx.xxx.172. I mean, this looks like a public range that is usually on an outside interface, right?
I would expect something like this:
global (outside) 10 10.1.1.3
or
global (outside) 10 interface
Could you please explain that to me?
Your access-list and static are OK. But you cannot route a private range (10.1.1.0) on the Internet. So I suppose that this is an internal network, or you NAT or PAT somewhere else.
You should be able to connect from the 10.1.1.0 network to IP 10.1.1.9 on RDP.
sincerely
Patrick
11-01-2004 06:53 PM
Hi,
I want to make the Remote Desktop Connection from outside. I've tried your config, but still I can't remote the server from outside and also can't ping it. For your information, in the router I've enabled DMZ with DMZ host IP 192.168.1.9 (the server that I want to remote), and then from outside I remote the server with Remote Desktop Connection and fill in the fixed IP address xxx.xxx.xxx.161. Without the firewall, yes, it can, but with the firewall it's blocked. Please help.
Thanks
Tonny
11-01-2004 08:01 PM
Below are the further details of my config:
show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 permit tcp any host 10.1.1.2 eq 3389 (hitcnt=0)
access-list outside_access_in line 2 permit icmp any any (hitcnt=4)
show xlate
1 in use, 31 most used
PAT Global 10.1.1.2(1537) Local 192.168.1.9(2855)
show route
outside 0.0.0.0 0.0.0.0 10.1.1.1 1 OTHER static
outside 10.0.0.0 255.0.0.0 10.1.1.2 1 CONNECT static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
show nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
I'm not using NAT. Please check what's wrong with my config. Thanks a million for helping.
Tonny
11-03-2004 07:21 PM
Thanks for replying. I'm going to erase my config and start a new one again. I'm trying now; hope there's no problem.
Thanks a million
Tonny
11-03-2004 08:24 PM
Hello Patrick & Sachinraja,
Thanks for helping me; now I can remote the RDP server from outside. Thanks for your configuration example. How do I save my configuration to floppy?
Thanks for helping the beginner
Tonny
11-04-2004 12:51 AM
Hi Tonny,
You can use the write net command on the PIX to export the configuration to a TFTP server. You can run the Cisco or 3CDaemon TFTP server on a PC and give this command on the PIX. It will transfer all your configuration to that PC. You can copy it to the floppy from that PC.
Thanks
11-04-2004 03:48 AM
Connect to the console, VT100 9600/8/N/1 using Hyper Terminal or other Terminal emulation.
Type:
enable
write term
# This will show your configuration. DRAG AND DROP into WordPad or Notepad.
sincerely
Patrick