PIX 515E Address Translation

[GISD]

We are using the PIX 515E w/ V.6.2. and we are using NAT for address translation. Long story short we are trying to allow outside access to a terminal server in our dmz but to no avail. We have opened port 3389 and we also have a static route translated. Now I know vpn would be the safer way to go but the powers that be have deemed it too time consuming and for that to be instituted at a later date. Any answers? B-)

Current config as follows:
static (dmz,outside) xxx.xx.xxx.xx yyy.yy.yyy.y netmask 255.255.255.255 0 0
access-list out_acc_in permit tcp any host xxx.xx.xxx.xx eq 3389
access-group out_acc_in in interface outside

x=public ext. ip
y=dmz ip

 

[bell1996]

Can the terminal server access the outside devices (via ping)? Just trying to see int which direction the problem may be occuring.

 

[GISD]

Yes, the server can ping the outside devices.

 

[dopehead]

If you go to something like

http://www.myip.com

what address does it say you are coming from ? is it the one you expected ? if not, try to issue a "clear xlate" on the pix, your nat table might not be reset after you made the changes to the static nat.

Jan

Network Systems Engineer
CCNA/CQS/CCSP

 

[GISD]

Funniest thing is that after searching the archives of this forum, there were suggestions regarding other situations that could indeed apply to my dilemna. I did indeed "clear xlate" yesterday and it shows an active translation for the Term. Server to the outside but testing it I am still unable to connect to it.

I ran ethereal on an outside connection and received this

xxx.xx.xxx.xx yyy.yy.yyy.yy TCP 3389 > 1202 [RST, ACK] seq=0 ACK=###########

Any other ideas???

 

[bwilliam13]

Where are the rules for your DMZ interface? Ya gotta have those...otherwise nothing's gonna work.

A complete config would be a bit more helpful.