
PIX RDP question PLEASE HELP me solve this simple issue

Status
Not open for further replies.

hellboy101 (Programmer), Aug 31, 2005, US
Hello all-

Trying to wrap my mind around this scenario and if I could just nail this one area, everything in the world will be ok.

I'd like an outside vendor to be able to access servers in my DMZ (I'm using a PIX 515e). My question is:

when I write the access-list and static statement, I believe my logic is a bit wrong. I wrote:

access-list acl_dmz permit tcp host 24.xx.xx.xx host 69.74.xx.xx eq 3389

so what I'm saying above is let host 24.x.x.x in thru port rdp using my global address 69.74.x.x.. but what should that global IP be? should it be the outside interface of my PIX? or an available global IP from within my global (ISP) range??

depending on that I would write a STATIC statement similar to:
static (dmz,outside) 69.74.xx.xx 172.17.xx.xx netmask 255.255.255.255 0 0

but this again would depend on what address I'm using for 69.74.x.x.. to make a long story short, when I use an available global outside IP of 69.74.x.x it won't allow my outside vendor to access my server using RDP at all.. It just fails initially to connect. Should I be applying a 69.x.x address that is truly my IP for the outside interface of the PIX or my perimeter Cisco router? will that allow my vendor access into my 172.17.x.x server? I know this is something simple I'm missing... can anyone please help me discover the symptom of this problem?

thanks for any help at all
hb101
 
For the most part, here's the config that you need to make everything work.

global (outside) 10 interface
nat (dmz) 10 172.17.0.0 255.255.0.0
static (dmz,outside) 69.74.xx.xx 172.17.xx.xx netmask 255.255.255.255 0 0

access-list acl_dmz permit tcp host 24.xx.xx.xx host 69.74.xx.xx eq 3389

access-group acl_dmz in interface outside


The global and nat statements work together. When coming from the 172.17.0.0/16 subnet out of the dmz and going to the outside interface, perform nat. Since you have a static command, it will use that static pair. If it's any other host than the host in the static statement, it will PAT out the outside interface IP. The applied access-list on the outside will permit the outside vendor to RDP to your server.

That's it in a nutshell.

Kurt
 
Ah thank you Kurt!

One more question and I think I'll be in good shape.. my global (ISP available) IP address that I'm using.. was wondering if it needs to be the actual outside interface IP of the PIX 69.74.x.x or can it be just an available IP address from my ISP that they've allotted us that isn't being used?

hope my inquiry is clear enough to understand.

thanks soooooo much!
hb101
 
If you want to PAT (NAT Overload) out any IP, you can use the following command.

global (outside) 10 x.x.x.x

It's important that that IP is in the same subnet as your outside interface, or that that IP is routed to your PIX's outside interface.

Normally you want to PAT your general users and servers without publicly available resources and then NAT (static command) your servers who need to be accessed from the outside.

Kurt
 
Thank you Kurt,

Then I should be in good shape. I had the vendor try and RDP in again but they are still not connecting at all using the global 69.74.XX.XX address I'm giving him. I wonder if there's something other than this causing the glitch.

Thanks again
hb101
 
You will want to either do a 'clear xlate' or reboot the pix once you make any nat/pat changes. The old translations will remain in memory and in use otherwise. This could cause the problem.

Also double check to make sure RDP is still enabled on the server. I've heard of a few security patches and apps disabling RDP access.

Kurt
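Pulling Kurt's three replies together, here is a complete PIX 6.x-style configuration fragment for the scenario in this thread, written as an added example rather than copied from either poster. Every address is a constructed placeholder (VENDOR_IP, SPARE_GLOBAL_IP, SERVER_GLOBAL_IP, SERVER_DMZ_IP) and the ACL is named acl_outside on the assumption that it is applied inbound on the outside interface, which is where a rule that matches the vendor's public source address and the server's global address belongs; the verification commands at the end (show xlate, show access-list) exist on the PIX and are included so the result can be checked rather than assumed.

```cisco
access-list acl_outside remark Only the vendor host may reach the DMZ server, and only on RDP
access-list acl_outside permit tcp host VENDOR_IP host SERVER_GLOBAL_IP eq 3389
access-list acl_outside remark Everything else from the outside is dropped by the implicit deny

access-group acl_outside in interface outside

static (dmz,outside) SERVER_GLOBAL_IP SERVER_DMZ_IP netmask 255.255.255.255 0 0

global (outside) 10 SPARE_GLOBAL_IP
nat (dmz) 10 172.17.0.0 255.255.0.0

clear xlate

show xlate
show access-list acl_outside
```

Notes on the design: SPARE_GLOBAL_IP may be the outside interface itself (`global (outside) 10 interface`) or any unused ISP address that is either in the outside interface's subnet or routed to it, as Kurt describes; the static entry is the only one-to-one mapping, so SERVER_DMZ_IP is the only DMZ host reachable from outside, and even that only for the one source host and port the access-list allows. The `clear xlate` after the change drops stale translations so the new static and global take effect immediately; `show xlate` should then list the static mapping, and the hit count on the permit line in `show access-list` should increment when the vendor connects. If the count stays at zero, the packet is not arriving at the PIX (upstream router or ISP routing for the global address) rather than being blocked by this policy; if it increments but the session still fails, check that RDP is enabled and listening on the server as Kurt suggests.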
 
yes sir ran clear xlate and reloaded for good measure.

All is working by the way

I appreciate ALL that you've provided for me
 