Remote Desktop through PIX 501

DHamaker (Technical User, US), Feb 14, 2003
I've got one public IP address and am having an issue trying to use port forwarding on a Cisco PIX 501. I've got 4 PCs behind the PIX that want to be able to RDP to their machines from an external network. Can anyone help with the configuration needed to open up those ports?

If not, I'm willing to allow Remote Desktop to one machine and then have RDP within another RDP.

Thanks!
 
Here's my config:

sh config
: Saved
: Written by enable_15 at 10:32:20.703 UTC Thu May 1 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xgc3YXnUEEHvPoU4 encrypted
passwd xgc3YXnUEEHvPoU4 encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 10.1.1.20 franklin
name 10.1.1.21 john
name 10.1.1.22 frontdesk
name 10.1.1.23 susan
name 10.1.1.24 hobbyserver
access-list 100 permit icmp any any
access-list termsrv permit tcp any host john eq 3389
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 24.172.60.xxx 255.255.255.xxx
ip address inside 10.1.1.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 john 321 netmask 255.255.255.255 2 0
access-group termsrv in interface outside
route outside 0.0.0.0 0.0.0.0 24.172.60.218 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 24.199.xxx.xxx 255.255.xxx.xxx outside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:c2ee344840e72cd5a956bcb4ae020337

pixfirewall(config)#

Thanks Again,

Derek
 
HI.

> ip address outside 24.172.60.xxx 255.255.255.xxx
What subnet mask do you have?

> static (inside,outside) tcp interface 3389 john 321
* If you have more registered ip addresses, use them instead of "interface".
* I think that it should be "john 3389" instead of "john 321"

> access-list termsrv permit tcp any host john eq 3389
In the access-list statement, you should specify the external ip address (whether it is "interface" or another registered ip), and not the internal address ("john" in the config you have). For example:
access-list termsrv permit tcp any host 24.172.60.xxx eq 3389
Or:
access-list termsrv permit tcp any interface eq 3389

I suggest that you use VPN for 2 reasons:
> You can protect access to your network with additional level of authentication and encryption.
> A single VPN tunnel can be used between remote client and the pix, and then the user can use that tunnel to open RDP connection to each internal host using their private addresses, so you will not need those "static" and "access-list" commands.



Yizhar Hurwitz
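The mismatch Yizhar points out (the outside access-list naming the inside host "john" instead of the translated address/port of the static) is easy to catch mechanically. The following checker is an added example, not code from the thread; it takes the relevant lines of the posted config as constructed input, keeps the masked outside IP "24.172.60.xxx" as a placeholder, and reports whether each ACL entry bound to "outside" lines up with a static translation.

```python
"""Check a PIX 6.x port-forward: the access-list applied to the outside
interface must permit the translated (outside) address and port of a static,
not the inside host. Added example; sample config is from the thread."""
import re

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|(interface)) eq (\S+)")

POSTED_CFG = """\
name 10.1.1.21 john
static (inside,outside) tcp interface 3389 john 321 netmask 255.255.255.255 2 0
access-list termsrv permit tcp any host john eq 3389
access-group termsrv in interface outside
"""
FIXED_CFG = POSTED_CFG.replace("host john", "interface")  # Yizhar's second form

def parse_pix(cfg):
    names, statics, acls, bound = {}, [], {}, {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["name"] and len(t) == 3:
            names[t[2]] = t[1]                # name <ip> <alias>
        elif (m := STATIC_RE.match(line)):
            statics.append(m.groups())        # (ext, extport, inside, insideport)
        elif (m := ACL_RE.match(line)):
            name, host, iface, port = m.groups()
            acls.setdefault(name, []).append((host or iface, port))
        elif t[:1] == ["access-group"] and len(t) == 5:
            bound[t[4]] = t[1]                # access-group <acl> in interface <if>
    return names, statics, acls, bound

def check_forward(cfg, outside_ip):
    """Return a list of findings; an empty list means the ACL matches the statics."""
    names, statics, acls, bound = parse_pix(cfg)
    inside = set(names) | set(names.values())
    # (address, port) pairs the statics actually expose on the outside.
    translated = {("interface" if ext in ("interface", outside_ip) else ext, port)
                  for ext, port, _, _ in statics}
    acl = bound.get("outside")
    if acl is None:
        return ["no access-group bound to outside"]
    findings = []
    for dst, port in acls.get(acl, []):
        key = "interface" if dst in ("interface", outside_ip) else dst
        if dst in inside:
            findings.append(f"ACL {acl} permits inside host {dst}; use outside address or 'interface'")
        elif (key, port) not in translated:
            findings.append(f"ACL {acl} permits {dst}:{port} but no static translates it")
    return findings
```

Running `check_forward(POSTED_CFG, "24.172.60.xxx")` flags the inside-host entry, while the corrected `FIXED_CFG` (or an entry naming the outside IP itself) returns no findings.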
 
> ip address outside 24.172.60.xxx 255.255.255.xxx
> What subnet mask do you have?

The subnet mask is 255.255.255.242

> static (inside,outside) tcp interface 3389 john 321
> * If you have more registered ip addresses, use them instead of "interface".
> * I think that it should be "john 3389" instead of "john 321"

I manually changed my port number to 321 for this PC. The other PCs were changed to different numbers. This was so that if the off-site client tried to RDP to the IP:port#, it would forward the connection to his/her machine.


I will try using interface instead of the hostname in my access-list

I've looked into using a VPN, but I've never set it up before. My users are completely dependent on exact instructions so I figured the RDP connection would be easiest. What is the ease of use for a VPN using the software Cisco has?

Thanks again for the response! I appreciate the help.

Derek Hamaker
 
HI.

> What is the ease of use for a VPN using the software Cisco has?
It is easy to setup for users, once you provide them the software and the needed details.
However, sometimes troubleshooting can be difficult and time consuming.

If the clients are behind another firewall/nat device (including personal firewall software), these can make things more complicated.
The newer pix OS version 6.3x has some new features for VPN behind NAT (NAT Traversal).

Bye


Yizhar Hurwitz
 
> A single VPN tunnel can be used between remote client and the pix, and then the user can use that tunnel to open RDP connection to each internal host using their private addresses, so you will not need those "static" and "access-list" commands.

I agree. I'm running this scenario right now. I have clients loaded with the Cisco VPN Client 3.6.3. Once they initiate the VPN they can then connect to any XP Pro or (if I give them permission) Terminal Server using the RDC that comes installed with XP or is downloadable from
to use on Win 95* (I haven't tested it on 95), 98, or 2000. It allows you to connect to the computer by name or IP address and has configuration settings to help control the bandwidth it uses. It also features redirected printing (as long as the printer driver of the remote machine is loaded on the host) and some other nice features. The great thing about doing it this way is that you configure the VPN once and don't have to worry about port mapping or additional access lists. Also, by using the PIX 501 you should have five available VPN Client connections, and if you upgrade to the 6.3.1 PIX OS then it is supposed to allow ten client connections.

For how to use RDC see this link.
