
Configure PIX 506E for Terminal Services

Status
Not open for further replies.

Designware

Technical User
Sep 24, 2002
202
Hi,

I have configured a PIX 501 for terminal services previously, but I cannot get the 506E to pass through the Terminal Services signal (port 3389) correctly. When I try to connect to the external IP address, it will NOT connect to the internal PC. However, internally I CAN connect using Remote Desktop connection and the internal IP address.

I want the signal to go to a particular PC (192.168.211.156 ... static IP). Here is the configuration. Thank you for your help!!

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2Yj7RytiRXU24 encrypted
passwd om/4RaxQhgiM7XQw encrypted
hostname fw
domain-name local.domain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.211.156 Terminal-Server
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host Terminal-Server eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.211.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.211.0 255.255.255.0 192.168.203.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 16
ip address inside 192.168.211.1 255.255.255.0
multicast interface outside
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.203.0 255.255.255.0 outside
pdm location Terminal-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Terminal-Server 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.203.0 255.255.255.0 outside
http 192.168.211.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XX.XX.XX.XXX
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.18XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh 192.168.203.0 255.255.255.0 outside
ssh 192.168.211.0 255.255.255.0 inside
ssh timeout 5
console timeout 20
dhcpd address 192.168.211.100-192.168.211.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username menot password otkwV4U3rXIyQAdk encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:9191fb51558135ef8b1d716e09737bc1
: end
[OK]
 
The ACL needs to reflect the outside IP, or the interface if it is DHCP, and your static needs to be adjusted.

access-list outside_in permit tcp any host Terminal-Server eq 3389
should be

access-list outside_in permit tcp any host interface outside eq 3389

You will need to connect to the outside IP when using the RDP client. Do you have a way of keeping track of this?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover,

Thank you very much for your reply!! I just got a chance to go out and make the changes on the PIX. However, it did not like the syntax of the command. ( XX.XXX.XX.XX below is my external IP address. I tried hard coding it even though it's a dynamic IP address.) Also, NO, I do not have anything to monitor the activity on Terminal Services. Any suggestions?? I'd be happy to find something to monitor it.

First I took out the line: access-list outside_in permit tcp any host Terminal-Server eq 3389

Next I tried to add in: access-list outside_in permit tcp any host interface outside eq 3389

I also tried: access-list outside_in permit tcp any host interface XX.XXX.XX.XX eq 3389

and tried: access-list outside_in permit tcp any host XX.XXX.XX.XX eq 3389

The response I get to my attempts is pasted below:
fw(config)# access-list outside_in permit tcp any host interface outside eq 33$
ERROR: invalid IP address interface
Usage: [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
<protocol>|object-group <protocol_obj_grp_id>
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<operator> <port> [<port>] | object-group <service_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
<sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
<dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
[<icmp_type> | object-group <icmp_type_obj_grp_id>]
[log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}

Thank you for your assistance!!
 
Sorry, typed too fast.

access-list outside_in permit tcp any interface outside eq 3389

The monitoring was for the external IP. You have to connect to that to get to the Term Serv.


Brent
Systems Engineer / Consultant
CCNP, CCSP
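The rule behind Brent's correction is that on PIX 6.x an access-list applied inbound on the outside interface is matched against the global (pre-translation) address, so a static that forwards the outside interface's own address must be permitted as `interface outside`, not as `host Terminal-Server`. The following audit script is an added example, not code from the thread; it understands only the `static`, `access-list` and `access-group` forms that appear in the configs above, and the two config fragments it checks are taken from this thread.

```python
"""Audit PIX 6.x port-forwarding statics against the inbound ACL.

Added example, not code from the thread. It encodes the rule Brent gives
above: an access-list applied inbound on the outside interface is matched
against the global (pre-translation) address, so a static that forwards the
outside interface's own address must be permitted as ``interface outside``,
never as ``host <inside-host>``. The parser only understands the command
forms shown in this thread.
"""
import re
from dataclasses import dataclass

# static (inside,outside) tcp <global> <gport> <local> <lport> netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<global>\S+) (?P<gport>\d+) (?P<local>\S+) (?P<lport>\d+)"
)
# access-list <name> permit tcp any {host <addr> | interface <if>} eq <port>
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit tcp any "
    r"(?P<dst>interface \w+|host \S+) eq (?P<port>\d+)"
)
# access-group <name> in interface <if>
ACCESS_GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<if>\w+)")


@dataclass(frozen=True)
class Finding:
    static: str        # the offending static line
    expected_dst: str  # what the ACL destination must read
    problem: str


def audit_port_forwards(config: str) -> list[Finding]:
    """Return one Finding per static whose inbound ACL entry is missing or mismatched."""
    lines = [ln.strip() for ln in config.splitlines()]
    applied = {m["name"]: m["if"] for ln in lines if (m := ACCESS_GROUP_RE.match(ln))}
    acl_entries = [m for ln in lines if (m := ACL_RE.match(ln))]
    findings: list[Finding] = []
    for ln in lines:
        st = STATIC_RE.match(ln)
        if not st:
            continue
        mapped_if = st["mapped_if"]
        # The outside world sees the global address, so that is what the ACL must name.
        expected = (f"interface {mapped_if}" if st["global"] == "interface"
                    else f"host {st['global']}")
        # Only entries in an ACL applied inbound on the mapped interface are relevant.
        inbound = [a for a in acl_entries if applied.get(a["name"]) == mapped_if]
        same_port = [a for a in inbound if a["port"] == st["gport"]]
        if not same_port:
            findings.append(Finding(ln, expected,
                                    f"no inbound ACL entry on {mapped_if} permits tcp/{st['gport']}"))
        elif not any(a["dst"] == expected for a in same_port):
            seen = ", ".join(a["dst"] for a in same_port)
            findings.append(Finding(ln, expected,
                                    f"ACL destination is '{seen}' (the inside host); must be '{expected}'"))
    return findings


# Fragments from the thread: the original posting and Brent's corrected line.
ORIGINAL_CONFIG = """
name 192.168.211.156 Terminal-Server
access-list outside_in permit icmp any any
access-list outside_in permit tcp any host Terminal-Server eq 3389
global (outside) 1 interface
static (inside,outside) tcp interface 3389 Terminal-Server 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""
CORRECTED_CONFIG = ORIGINAL_CONFIG.replace(
    "permit tcp any host Terminal-Server eq 3389",
    "permit tcp any interface outside eq 3389",
)

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        found = audit_port_forwards(cfg)
        print(f"{label}: {'OK' if not found else ''}")
        for f in found:
            print(f"  {f.static}\n    -> {f.problem}")
```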
 
Supergrrover,

Thank you again for your response. I had an opportunity to go out and make the change to the PIX. The syntax was accepted, but it still does not redirect through to the PC. I am certain of the INTERNAL PC IP address, since I am using RDP to connect just fine internally. Here is the current configuration. I greatly appreciate your help.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd om/4RaxhgQiM7XQw encrypted
hostname fw
domain-name local.clatax.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.211.156 Terminal-Server
access-list outside_in permit icmp any any
access-list outside_in permit tcp any interface outside eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.211.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.211.0 255.255.255.0 192.168.203.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 16
ip address inside 192.168.211.1 255.255.255.0
multicast interface outside
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.203.0 255.255.255.0 outside
pdm location Terminal-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Terminal-Server 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.203.0 255.255.255.0 outside
http 192.168.211.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XX.XX.XX.XX
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh 192.168.203.0 255.255.255.0 outside
ssh 192.168.211.0 255.255.255.0 inside
ssh timeout 5
console timeout 20
dhcpd address 192.168.211.100-192.168.211.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username jimefaw password otkwU4V3rXIyQAdk encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:9191fb51558135ef8b1d716e09737bc1
: end
[OK]
 
Everything looks ok.

See what appears in the logs
Try adding
logging timestamp
logging buffered debugging
logging trap debugging
logging enable

then try the connection and on the pix do
show logging


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

When you do "show logging" it doesn't clear the log ... does it? I hope not. Because I put in the commands you stated, had someone try to connect to the outside ip address, then did a "show logging", but wasn't ready to capture the output. I did another "show logging" and that is shown below. I am just hoping that the log file wasn't cleared out after I did the initial show logging.

Also, the syntax on one command was slightly different, but I don't think that will make a difference. The syntax was "logging on" instead of "logging enable".

FYI, the outside IP address I'm trying to get in through is 69.XXX.21.194. Here is the captured log:

fw# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 729 messages logged
Trap logging: level debugging, 729 messages logged
History logging: disabled
Device ID: disabled
essed URL 216.XX.86.152:/activity;src=1277306;met=1;v=1;pid=18662350;aid=128334883;ko=0;cid=22208481;rid=22226371;rv=1;&timestamp=1188340758906;eid1=2;ecn1=0;etm1=30;
305011: Built dynamic TCP translation from inside:192.168.211.106/1240 to outside:69.XXX.21.194/26595
302013: Built outbound TCP connection 34118 for outside:216.XX.86.152/80 (216.XX.86.152/80) to inside:192.168.211.106/1240 (69.XXX.21.194/26595)
302014: Teardown TCP connection 34117 for outside:216.XX.86.152/80 to inside:192.168.211.106/1239 duration 0:00:01 bytes 871 TCP FINs
304001: 192.168.211.106 Accessed URL 216.XX.86.152:/activity;src=1277306;met=1;v=1;pid=18662350;aid=128334883;ko=0;cid=22208481;rid=22226371;rv=1;&timestamp=1188340758906;eid1=2;ecn1=0;etm1=30;&_dc_ck=try
302014: Teardown TCP connection 34118 for outside:216.XX.86.152/80 to inside:192.168.211.106/1240 duration 0:00:01 bytes 581 TCP FINs
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1237 to outside:69.XXX.21.194/26592 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1238 to outside:69.XXX.21.194/26593 duration 0:00:31
710005: UDP request discarded from 192.168.211.20/138 to inside:255.255.255.255/netbios-dgm
710005: UDP request discarded from 192.168.211.20/138 to inside:255.255.255.255/netbios-dgm
710005: UDP request discarded from 192.168.211.20/138 to inside:255.255.255.255/netbios-dgm
302014: Teardown TCP connection 34086 for outside:209.62.188.19/80 to inside:192.168.211.106/1216 duration 0:00:53 bytes 533 TCP Reset-I
302014: Teardown TCP connection 34087 for outside:209.62.188.19/80 to inside:192.168.211.106/1217 duration 0:00:53 bytes 490 TCP Reset-I
302014: Teardown TCP connection 34088 for outside:209.62.188.19/80 to inside:192.168.211.106/1218 duration 0:00:53 bytes 558 TCP Reset-I
34/26575 duration 0:01:41
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1228 to outside:69.XXX.21.194/26583 duration 0:01:40
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1230 to outside:69.XXX.21.194/26585 duration 0:01:40
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1231 to outside:69.XXX.21.194/26586 duration 0:01:39
302014: Teardown TCP connection 34094 for outside:64.125.138.155/80 to inside:192.168.211.106/1223 duration 0:01:48 bytes 20696 TCP Reset-I
302014: Teardown TCP connection 34095 for outside:64.125.138.155/80 to inside:192.168.211.106/1224 duration 0:01:48 bytes 20931 TCP Reset-I
302014: Teardown TCP connection 34114 for outside:64.125.138.181/80 to inside:192.168.211.106/1236 duration 0:01:31 bytes 2899 TCP Reset-I
302014: Teardown TCP connection 34076 for outside:64.125.138.181/80 to inside:192.168.211.106/1210 duration 0:01:50 bytes 19802 TCP Reset-I
302014: Teardown TCP connection 34077 for outside:64.125.138.181/80 to inside:192.168.211.106/1211 duration 0:01:50 bytes 30382 TCP Reset-I
302014: Teardown TCP connection 34072 for outside:64.125.138.181/80 to inside:192.168.211.106/1207 duration 0:01:51 bytes 40875 TCP Reset-I
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1236 to outside:69.XXX.21.194/26591 duration 0:01:35
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1207 to outside:69.XXX.21.194/26562 duration 0:01:55
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1210 to outside:69.XXX.21.194/26565 duration 0:01:54
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1211 to outside:69.XXX.21.194/26566 duration 0:01:54
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1223 to outside:69.XXX.21.194/26578 duration 0:01:51
305012: Teardown dynamic TCP translation from inside:192.168.211.106/1224 to outside:69.XXX.21.194/26579 duration 0:01:54
302014: Teardown TCP connection 27607 for outside:66.225.205.50/80 to inside:192.168.211.105/2789 duration 8:00:35 bytes 201952066 TCP FINs
outside:72.XX.223.19/80 (72.XX.223.19/80) to inside:192.168.211.106/1241 (69.XXX.21.194/26596)
304001: 192.168.211.106 Accessed URL 72.XX.223.19:/mail/im/offline_orange1.gif



 
It won't clear the log. Just displays it.

There aren't any connection attempts to 3389.

You can also view this directly through the PDM real time.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover,

Thanks again for the replies! Still no luck.

I performed the clear xlate command (accepted the command, so I assume it worked).

I had someone attempt to connect to the external 69.XXX.21.194 (I verified the external address by going to whatismyip.com) address again, and grabbed another log.

By the way, you mentioned the PDM. I took over for someone else on this PIX, and I do not know the password to the PDM. How can I change that using commands? Thanks.

Here is the log:

fw# show log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 109518 messages logged
Trap logging: level debugging, 109518 messages logged
History logging: disabled
Device ID: disabled
nside:192.168.211.105/2488 to outside:69.XXX.21.194/41508 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2490 to outside:69.XXX.21.194/41510 duration 0:00:32
305012: Teardown dynamic TCP translation from inside:192.168.211.103/4330 to outside:69.XXX.21.194/41477 duration 0:01:41
302014: Teardown TCP connection 54830 for outside:64.86.95.42/80 to inside:192.168.211.105/2482 duration 0:01:05 bytes 10450 TCP Reset-I
302014: Teardown TCP connection 54827 for outside:64.12.187.25/80 to inside:192.168.211.105/2480 duration 0:01:08 bytes 8350 TCP Reset-I
305012: Teardown dynamic TCP translation from inside:192.168.211.156/1552 to outside:69.XXX.21.194/41490 duration 0:01:35
710005: TCP request discarded from 64.12.26.88/443 to outside:69.XXX.21.194/28497
710005: UDP request discarded from 192.168.211.20/138 to inside:255.255.255.255/netbios-dgm
710005: UDP request discarded from 192.168.211.20/138 to inside:255.255.255.255/netbios-dgm
710005: UDP request discarded from 192.168.211.20/138 to inside:255.255.255.255/netbios-dgm
302014: Teardown TCP connection 54844 for outside:64.86.95.59/80 to inside:192.168.211.105/2489 duration 0:01:00 bytes 8015 TCP Reset-I
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2491 to outside:69.XXX.21.194/41511 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2492 to outside:69.XXX.21.194/41512 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2493 to outside:69.XXX.21.194/41513 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2494 to outside:69.XXX.21.194/41514 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2495 to outside:69.XXX.21.194/41515 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2496 to outside:69.XXX.21.194/41516 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2497 to outside:69.XXX.21.194/41517 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2498 to outside:69.XXX.21.194/41518 duration 0:00:31
305012: Teardown dynamic UDP translation from inside:192.168.211.105/1027 to outside:69.XXX.21.194/4703 duration 0:01:31
305012: Teardown dynamic UDP translation from inside:192.168.211.105/1602 to outside:69.XXX.21.194/4702 duration 0:01:34
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2489 to outside:69.XXX.21.194/41509 duration 0:01:02
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2482 to outside:69.XXX.21.194/41502 duration 0:01:35
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2480 to outside:69.XXX.21.194/41500 duration 0:01:38
305011: Built dynamic TCP translation from inside:192.168.211.109/1756 to outside:69.XXX.21.194/41519
302013: Built outbound TCP connection 54859 for outside:208.XX.69.70/80 (208.XX.69.70/80) to inside:192.168.211.109/1756 (69.XXX.21.194/41519)
304001: 192.168.211.109 Accessed URL 208.XX.69.70:/
302014: Teardown TCP connection 54859 for outside:208.XX.69.70/80 to inside:192.168.211.109/1756 duration 0:00:01 bytes 378 TCP FINs
302014: Teardown TCP connection 54836 for outside:64.86.95.58/80 to inside:192.168.211.105/2485 duration 0:01:30 bytes 1436 TCP Reset-I
302014: Teardown TCP connection 54819 for outside:205.188.165.57/80 to inside:192.168.211.105/2475 duration 0:02:01 bytes 31260 TCP Reset-I
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2485 to outside:69.XXX.21.194/41505 duration 0:01:33
710005: UDP request discarded from 192.168.211.110/138 to inside:192.168.211.255/netbios-dgm
305012: Teardown dynamic TCP translation from inside:192.168.211.109/1756 to outside:69.XXX.21.194/41519 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.211.105/2475 to outside:69.XXX.21.194/41496 duration 0:02:32
302014: Teardown TCP connection 54846 for outside:207.XXX.70.234/2115 to inside:192.168.211.156/3389 duration 0:02:01 bytes 0 SYN Timeout


 
brianinms, thanks for your assistance.

Here is the most recent configuration:

fw# write t
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7qtXU24 encrypted
passwd om/4Raxadoe7XQw encrypted
hostname fw
domain-name local.clatax.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.211.156 Terminal-Server
access-list outside_in permit icmp any any
access-list outside_in permit tcp any interface outside eq 3389
access-list inside_outbound_nat0_acl permit ip 192.168.211.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.211.0 255.255.255.0 192.168.203.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered debugging
logging trap debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 16
ip address inside 192.168.211.1 255.255.255.0
multicast interface outside
multicast interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.203.0 255.255.255.0 outside
pdm location Terminal-Server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Terminal-Server 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.203.0 255.255.255.0 outside
http 192.168.211.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.XX.84.181
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 64.XX.84.181 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh 192.168.203.0 255.255.255.0 outside
ssh 192.168.211.0 255.255.255.0 inside
ssh timeout 5
console timeout 20
dhcpd address 192.168.211.100-192.168.211.150 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username jimtane password otkwU4V3eiaoQAdk encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
Cryptochecksum:b7f6fd18be549fd1442710ccd53d6483
: end
[OK]
 
These are the important parts.
access-list outside_in permit icmp any any
access-list outside_in permit tcp any interface outside eq 3389
global (outside) 1 interface
static (inside,outside) tcp interface 3389 Terminal-Server 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside

As far as what you posted, your config looks correct. I would start checking the RDP box that you are trying to get to. The Windows firewall can be set so that only computers on its same network can connect. Your ISP might also be blocking it. Does your VPN work?




Brent
Systems Engineer / Consultant
CCNP, CCSP
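Two replies above turn on reading the PIX buffer: Brent's "there aren't any connection attempts to 3389" after the first log, and the final `302014 ... to inside:192.168.211.156/3389 duration 0:02:01 bytes 0 SYN Timeout` line, which shows the PIX built the connection (static and ACL both matched) and the host never answered, pointing at the Windows firewall rather than the PIX. The triage script below is an added example, not code from the thread; it parses only the 302014 and 710005 message formats that appear in the pasted logs, the sample lines are copied from those logs with the masked octets kept, and the one line showing a missing static is constructed.

```python
"""Triage PIX 6.x syslog for a port forward that 'does not connect'.

Added example, not code from the thread. Only the two message formats pasted
above are parsed: 302014 (TCP connection teardown, with the reason) and
710005 (request to a firewall interface discarded). Sample lines are copied
from the thread's logs, masked octets included, plus one constructed line.
"""
import re
from collections import Counter

TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
DISCARD_RE = re.compile(
    r"710005: (?P<proto>TCP|UDP) request discarded from (?P<src>[\w.]+)/\w+ to "
    r"(?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\w+)"
)


def triage(lines, server, port):
    """Classify inbound attempts to server:port by what the PIX did with them."""
    out = {"reached_host": [], "host_silent": [], "dropped_at_firewall": [],
           "reasons": Counter()}
    for raw in lines:
        ln = raw.strip()
        t = TEARDOWN_RE.search(ln)
        if t:
            out["reasons"][t["reason"]] += 1
            if t["dst_if"] == "inside" and t["dst"] == server and t["dport"] == str(port):
                # A 302014 naming the inside host means static and ACL both matched:
                # the PIX built the connection and forwarded the client's SYN.
                if t["reason"] == "SYN Timeout" and t["bytes"] == "0":
                    # No SYN/ACK ever came back from the host.
                    out["host_silent"].append(t["src"])
                else:
                    out["reached_host"].append(t["src"])
            continue
        d = DISCARD_RE.search(ln)
        if d and d["dst_if"] == "outside" and d["dport"] == str(port):
            # Traffic to the firewall's own outside address on the forwarded port
            # with nothing to translate it: the static is missing or names another port.
            out["dropped_at_firewall"].append(d["src"])
    return out


def verdict(result):
    if result["host_silent"] and not result["reached_host"]:
        return "forward works; host never answers (check the host firewall or the path behind the PIX)"
    if result["dropped_at_firewall"]:
        return "PIX discards the port itself: check the static"
    if not (result["reached_host"] or result["host_silent"]):
        return "no inbound attempts seen: confirm the outside IP the client used"
    return "connections completed"


# Copied from the thread's two logs (the masked XX/XXX octets are kept as posted).
THREAD_LOG = [
    "302014: Teardown TCP connection 34118 for outside:216.XX.86.152/80 to inside:192.168.211.106/1240 duration 0:00:01 bytes 581 TCP FINs",
    "302014: Teardown TCP connection 34086 for outside:209.62.188.19/80 to inside:192.168.211.106/1216 duration 0:00:53 bytes 533 TCP Reset-I",
    "710005: TCP request discarded from 64.12.26.88/443 to outside:69.XXX.21.194/28497",
    "302014: Teardown TCP connection 54846 for outside:207.XXX.70.234/2115 to inside:192.168.211.156/3389 duration 0:02:01 bytes 0 SYN Timeout",
]
# Constructed line (not from the thread): what a missing static would look like.
MISSING_STATIC_LOG = [
    "710005: TCP request discarded from 203.0.113.7/50000 to outside:69.XXX.21.194/3389",
]

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("missing static", MISSING_STATIC_LOG)):
        r = triage(log, "192.168.211.156", 3389)
        print(f"{name}: {verdict(r)}  reasons={dict(r['reasons'])}")
```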
 
Supergrrover,

Thank you!! Sorry I didn't think about the firewall, but that's it!
 
No Problem. Glad it works.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 