
RDP through PIX

koslyr000
Level 1

I have the following network topology:

PC1 <=> Switches L2 <=> Switch L2/L3 <=> PIX <=> Router <=> INTERNET <=> Adsl Modem/Router <=> PC2

I want to make an RDP connection from PC2 to PC1.

PC1 has a private static IP address (10.10.10.10).

TeamViewer is not an option for my implementation.

According to a Cisco document, I found the proposed solution below:

1) Configure an access-list on the PIX

access-list Outside_access_In permit tcp any host 197.197.197.197 eq 3389

2) Apply the access-list

access-group Outside_access_In in interface outside

3) Configure the static NAT

static (inside,outside) 197.197.197.197 10.10.10.10 netmask 255.255.255.255

Is this configuration recommended, as I have (with any) allowed all the Internet space to access the RDP service?

If in the future the need arises to add an additional private IP address for access via RDP, how will it be possible to change my above configuration, as I don't want to waste all my public IP addresses?

2 Replies

rizwanr74
Level 7

Hi Kostas,

Your config looks fine to me and you should not have any problem accessing your internal device @10.10.10.10.

However, you can also translate a specific port, rather than doing an IP-to-IP translation.

static (inside,outside) tcp 197.197.197.197 3389 10.10.10.10 3389 netmask 255.255.255.255

"If in the future the need arises to add an additional private IP address for access via RDP, how will it be possible to change my above configuration, as I don't want to waste all my public IP addresses?"

To address your question above: just as your ACL allows port "3389", you could likewise allow a different port (80, 443, or whatever port) and create a static NAT to a different IP (i.e. private IP) on a different port of interest on the same public address, so you are not wasting public addresses.

I hope this answers your question.

Please rate helpful post.

thanks

Rizwan Rafeek
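
The port-based translation described in this reply, extended to a second inside host and to a restricted source, as an added example that is not part of the original thread. It uses the pre-8.3 PIX syntax shown above; the client address 203.0.113.25 (standing in for PC2's public address, assumed to be fixed) and the second host 10.10.10.11 are assumed values.

```cisco
: Added example. 203.0.113.25 (PC2's public address) and 10.10.10.11
: (a second inside RDP host) are assumed values, not from the thread.

: Remove the one-to-one static, which maps every port of 10.10.10.10
no static (inside,outside) 197.197.197.197 10.10.10.10 netmask 255.255.255.255

: One outside port per inside RDP host, all on the same public address
static (inside,outside) tcp 197.197.197.197 3389 10.10.10.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 197.197.197.197 3390 10.10.10.11 3389 netmask 255.255.255.255

: Replace the "any" source with the known client address.
: The ACL matches the public address and the outside port of each static.
no access-list Outside_access_In permit tcp any host 197.197.197.197 eq 3389
access-list Outside_access_In permit tcp host 203.0.113.25 host 197.197.197.197 eq 3389
access-list Outside_access_In permit tcp host 203.0.113.25 host 197.197.197.197 eq 3390

access-group Outside_access_In in interface outside

: Flush existing translations so the new statics take effect
clear xlate
```

With this in place the RDP client on PC2 reaches 10.10.10.10 at 197.197.197.197:3389 and 10.10.10.11 at 197.197.197.197:3390.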


rizwanr74
Level 7

Please rate helpful post.

thanks