
RDP via PIX515

Status
Not open for further replies.

jksport

Technical User
Oct 6, 2009
3
RU
Please Help!

I just cannot establish RDP connection from one of my internal networks to external Terminal server.
I got several subnetworks (10.10.10.0, 10.10.20.0, 10.10.30.0 etc.) and several public IPs (82.10.10.1-82.10.10.16). All users are using NAT on external IP 82.10.10.2, but network 10.10.30.0 users are using NAT on external IP 82.10.10.15. Users from network 10.10.30.0 are experiencing a problem connecting to the remote RDP server. All ACLs on my PIX 515 are correct.
Where might the problem be?
 
please post a scrubbed config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi!

Here is my config.

:
PIX Version 7.2(4)
!
hostname pix-1
domain-name company.ru
enable password dV4t0J.V3dQ.M3XL encrypted
passwd AxHwpfddgdfhgf encrypted

!
interface Ethernet0
nameif milvpn2
security-level 0
ip address 195.10.176.62 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.2.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet4
nameif if_ISP
security-level 0
ip address 82.10.10.2 255.255.255.240
!
interface Ethernet5
nameif isa
security-level 75
ip address 192.168.100.1 255.255.255.0
!
boot system flash:/image.bin
ftp mode passive
clock timezone MSK-SUM 4
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.10.115
name-server 10.10.10.135
domain-name company.ru

access-list INSIDE_ACL extended permit tcp 10.10.30.0 255.255.255.0 any eq 3389

logging enable
logging timestamp
logging standby
logging buffer-size 65535
logging buffered debugging
logging trap debugging
logging host inside 10.10.10.35

no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (if_ISP) 1 interface
global (if_ISP) 2 82.10.10.15
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 10.10.20.0 255.255.255.0
nat (inside) 2 10.10.30.0 255.255.255.0


access-group INSIDE_ACL in interface inside

route inside 10.10.10.0 255.255.255.0 10.10.2.4 1
route inside 10.10.20.0 255.255.255.0 10.254.2.4 1
route inside 10.10.30.0 255.255.255.0 10.254.2.4 1

route if_ISP 0.0.0.0 0.0.0.0 82.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server community megasecret
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 3600
crypto isakmp identity address
crypto isakmp nat-traversal 20
telnet timeout 5

console timeout 0
management-access inside
dhcpd ping_timeout 750
dhcpd auto_config milvpn2

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3c55652216d108abab60b8dcd86d9f79
: end
 
According to this statement -
ip address 82.10.10.2 255.255.255.240
82.10.10.15 is your broadcast address for the network, i.e. no direct traffic.

Also - Your pix isn't aware of this network - 10.254.2.4
but you have it listed as an internal route.

route inside 10.10.20.0 255.255.255.0 10.254.2.4

Brent
Systems Engineer / Consultant
CCNP, CCSP
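A small config lint for the two points Brent raises: a NAT pool address that collides with the /28's broadcast address, and a static-route next hop that is not on the named interface's connected subnet. This is an added example, not code from the thread; the excerpt config is constructed from the lines posted above and the helper names are my own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config posted above (not the full file).
SAMPLE_CONFIG = """\
interface Ethernet1
nameif inside
ip address 10.10.2.1 255.255.255.0
!
interface Ethernet4
nameif if_ISP
ip address 82.10.10.2 255.255.255.240
!
global (if_ISP) 1 interface
global (if_ISP) 2 82.10.10.15
route inside 10.10.10.0 255.255.255.0 10.10.2.4 1
route inside 10.10.20.0 255.255.255.0 10.254.2.4 1
"""

def parse_interfaces(config):
    """Map each nameif to its ip_interface (PIX 7.x 'interface' stanzas)."""
    ifaces, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"nameif (\S+)$", line)
        if m:
            name = m.group(1)
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and name:  # PIX 7.x keeps 'ip address' only inside interface stanzas
            ifaces[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def check_config(config):
    """Flag NAT pool addresses equal to the egress subnet's network/broadcast
    address, and static-route next hops that are not on the named interface."""
    ifaces, findings = parse_interfaces(config), []
    for line in config.splitlines():
        m = re.match(r"global \((\S+)\) \d+ (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            net, addr = ifaces[m.group(1)].network, ipaddress.ip_address(m.group(2))
            if addr in (net.network_address, net.broadcast_address):
                findings.append(f"global {addr} is the network/broadcast address of {net}")
        m = re.match(r"route (\S+) \S+ \S+ (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            net, hop = ifaces[m.group(1)].network, ipaddress.ip_address(m.group(2))
            if hop not in net:
                findings.append(f"route next hop {hop} is not on {m.group(1)} subnet {net}")
    return findings
```

Running `check_config(SAMPLE_CONFIG)` reports both defects from the first config; after the fixes in the second post (82.10.10.14 and 10.10.2.4) it reports nothing.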
 
Hi!
Thanks for reply.
I've corrected my config, but still got the same issue:

PIX Version 7.2(4)
!
hostname pix-1
domain-name company.ru
enable password dV4t0J.V3dQ.M3XL encrypted
passwd AxHwpfddgdfhgf encrypted

!
interface Ethernet0
nameif milvpn2
security-level 0
ip address 195.10.176.62 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.2.1 255.255.255.0
!
interface Ethernet2
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet4
nameif if_ISP
security-level 0
ip address 82.10.10.2 255.255.255.240
!
interface Ethernet5
nameif isa
security-level 75
ip address 192.168.100.1 255.255.255.0
!
boot system flash:/image.bin
ftp mode passive
clock timezone MSK-SUM 4
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.10.115
name-server 10.10.10.135
domain-name company.ru

access-list INSIDE_ACL extended permit tcp 10.10.30.0 255.255.255.0 any eq 3389
access-list INSIDE_ACL extended permit tcp 10.10.10.0 255.255.255.0 any eq 3389
access-list INSIDE_ACL extended permit tcp 10.10.20.0 255.255.255.0 any eq 3389

logging enable
logging timestamp
logging standby
logging buffer-size 65535
logging buffered debugging
logging trap debugging
logging host inside 10.10.10.35

no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (if_ISP) 1 interface
global (if_ISP) 2 82.10.10.14
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 10.10.20.0 255.255.255.0
nat (inside) 2 10.10.30.0 255.255.255.0


access-group INSIDE_ACL in interface inside

route inside 10.10.10.0 255.255.255.0 10.10.2.4 1
route inside 10.10.20.0 255.255.255.0 10.10.2.4 1
route inside 10.10.30.0 255.255.255.0 10.10.2.4 1

route if_ISP 0.0.0.0 0.0.0.0 82.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
no snmp-server location
no snmp-server contact
snmp-server community megasecret
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 3600
crypto isakmp identity address
crypto isakmp nat-traversal 20
telnet timeout 5

console timeout 0
management-access inside
dhcpd ping_timeout 750
dhcpd auto_config milvpn2

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
inspect http
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3c55652216d108abab60b8dcd86d9f79
: end
 