Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Access to RDP through PIX

Status
Not open for further replies.

emso

IS-IT--Management
Oct 10, 2003
22
I have two vendors who needs access to our server through RDP. They do not wish to use VPN. We have a PIX 501 and I have set up the access-list and stuff as seen below. But this does not work. Does anybody have any ideas ???

I have posted the config in two parts:

Accesslist config:

access-list outside_access_in permit tcp host 195.xxx.xxx.xxx host 172.20.30.240 eq 3389
access-list outside_access_in permit tcp host 195.xxx.xxx.xxx host 172.20.30.240 eq 1433
access-list outside_access_in permit tcp host 80.xxx.xxx.xxx host 172.20.30.240 eq 3389
access-list outside_access_in permit tcp host 80.xxx.xxx.xxx host 172.20.30.240 eq 1433
access-list 101 permit ip 172.20.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list 101 permit ip 172.20.30.0 255.255.255.0 172.20.30.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.20.30.240 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 172.20.30.240 1433 netmask 255.255.255.255 0 0


Whole COnfig:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password bSaReVNStzKHNgsT encrypted
passwd bSaReVNStzKHNgsT encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit gre any any
access-list outside_access_in permit tcp host 195.xxx.xxx.xxx host 172.20.30.240 eq 3389
access-list outside_access_in permit tcp host 195.xxx.xxx.xxx host 172.20.30.240 eq 1433
access-list outside_access_in permit tcp host 80.xxx.xxx.xxx host 172.20.30.240 eq 3389
access-list outside_access_in permit tcp host 80.xxx.xxx.xxx host 172.20.30.240 eq 1433
access-list 101 permit ip 172.20.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list 101 permit ip 172.20.30.0 255.255.255.0 172.20.30.0 255.255.255.0
pager lines 24
icmp permit any redirect inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 172.20.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.20.30.250-172.20.30.254
pdm location 172.20.0.0 255.255.0.0 inside
pdm location 172.20.30.0 255.255.255.0 inside
pdm location 172.20.30.0 255.255.255.0 outside
pdm location 172.20.0.0 255.255.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 172.20.30.240 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1433 172.20.30.240 1433 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.188.26.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.20.0.0 255.255.0.0 inside
http 172.20.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
isakmp enable outside
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80

So, why cant they access our server ??
 
Hi Emso

Use the EXTERNAL IP that the services arrive on - I made the same mistake. The PIX allows the 3389 through on the External IP then does tha NAT to the internal.

Also do you know you don't need port 1433 for RDP? That port allows SQL traffic through to the servers which I wouldn't recommend.
 
Hello Peterhurst,

I was/am facing the exact same issue with a vendor whom needs access to my network using RDP (3389).. you mentioned using the external (vendor) address that brings in the 3389 protocol.. I agree but then to NAT it internally.. can you provide a sample access-list and perhaps the sample NAT statement that shows syntax.. I thought what I has used would have solved the problem but I'm missing something.. any help you can provide would be greatly appreciated.

hb101
 
Ahh, so i have to spesify my PIX outside IP, it does not regonice it at "interface" ??

Like this ?
static (inside,outside) tcp xxx.xxx.xxx.xxx 3389 172.20.30.240 3389 netmask 255.255.255.255 0 0

Where xxx.xxx.xxx.xxx is the PIX's outside ip adress ?

SQL is also for them...

And to Colin:
No, they do not wish to use VPN. I have other vendors using VPN, but this one wants to use RDP.

 
I did as you said, but it still does not work. Any ideas anyone ???
 
emso,

Regarding "No, they do not wish to use VPN. I have other vendors using VPN, but this one wants to use RDP" - You're letting them onto your network. Not the other way around. So you should tell them to use whatever is most secure. And RDP tunneled inside an IpSec vpn is more secure than RDP natted through your firewall. So they should use that. They don't want to? Too bad. Your security is more important than their personal preferences.

Additionally I would *never* allow unencrypted SQL traffic through any of my firewalls from an ip address that belongs to a third party out on the internet.

Ranting aside (sorry for the sermon ;), to answer your question, your access list is wrong. The access list should allow traffic to the publicly visible ip address, not the local ip address. The nat happens after the access-list conditions are matched.

In other words, if you have the following static mapping:

static (inside,outside) tcp a.b.c.d 3389 172.20.30.240 3389 netmask 255.255.255.255 0 0

Your access list should look like this:

access-list outside_access_in permit tcp host 195.xxx.xxx.xxx host a.b.c.d eq 3389

That will allow RDP from the remote network address of 195.xxx.xxx.xxx to your server.

But don't do that, tell them they have to create a vpn instead! :)

CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top