Ugh...remote desktop and Cisco PIX 501....

Timbowens ([H]ard|Gawd), joined Dec 12, 2006, 1,083 messages
Hi all, I'm still toiling with my remote desktop problem that I had from a while ago.

My new question is this, is there a way, when I'm logged into the PIX, to give it a command that will make it so I don't have to use VPN software to establish a remote desktop connection?

Right now, I have to have Cisco VPN software on the machines in one of my offices to remote desktop to another office that is sitting behind the PIX. The problem is, my firewall is killing the VPN software, and this can't be changed (thanks, Firebox).

So, can I make a rule, or simply disable the policy in the PIX that requires outside computers to be running the stupid VPN software?
 
You would need a NAT rule (or port forwarding) to the internal machine you want to RDP to and then allow port 3389 through.
 
startrek4U is correct.

Assuming you only have one static IP to use, you would need to configure port forwarding on the PIX to forward port 3389/TCP to your desktop.

BUT, you should definitely put an ACL on your outside interface to only accept packets from a specific host (the machine you are connecting from). It's not much, but at least it's restricted.
 
Does the PIX have a real IP? If so, just make a static NAT for TCP 3389 for the outside interface and have it point at the IP address on the inside, the address the ACL applied to your outside interface.
 
You need to set up your PIX with a static NAT translation to do this. You cannot turn off a rule on the PIX to just allow anyone to RDP into your network.

Here are some code snippets where 123.123.123.123 is an unused public IP address available for you to use and 192.168.1.10 is the IP address of your server or desktop that sits behind the PIX. If you don't have an extra public IP you can use the outside IP address of your PIX, but the NAT translation is different and I can't remember exactly how that goes off the top of my head. I think you have to specify the exact ports being used for the NAT translation or you will hork up your inside internet access; I seem to remember accidentally doing that one time . . .

access-list outside_access_in permit tcp any host 123.123.123.123 eq 3389

static (inside,outside) 123.123.123.123 192.168.1.10 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside



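Added example (not from the thread or from Cisco): a small audit of the PIX 6.x `access-list` lines posted above, grading any rule that permits TCP/3389 by how wide its source is and rewriting an `any` source to the single office host startrek4U recommended. The 203.0.113.5 office address and the sample config are constructed placeholders.

```python
"""Audit Cisco PIX 6.x access-list lines for RDP (TCP/3389) rules open to any source.

Sample config is constructed for this example; 123.123.123.123 and
192.168.1.10 are the placeholder addresses used in the thread.
"""
import re
from typing import Dict, List

# PIX 6.x extended ACL shape as posted in the thread: source/destination are
# 'any', 'host A.B.C.D' or 'NET MASK'; the trailing port match is optional.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
RDP_PORT = "3389"

def audit_rdp_rules(config: str) -> List[Dict[str, str]]:
    """Return one finding per ACL entry permitting TCP/3389, graded by source breadth."""
    findings = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m["action"] != "permit" or m["proto"] != "tcp" or m["port"] != RDP_PORT:
            continue
        src = m["src"]
        if src == "any":
            grade = "open"          # whole Internet can reach RDP: password-guessing exposure
        elif src.startswith("host "):
            grade = "restricted"    # pinned to the one connecting host, as recommended above
        else:
            grade = "subnet"        # a whole network: narrower than 'any', wider than needed
        findings.append({"acl": m["name"], "src": src, "dst": m["dst"],
                         "grade": grade, "line": raw.strip()})
    return findings

def restrict_to_host(line: str, office_ip: str) -> str:
    """Rewrite a 'permit tcp any ...' RDP rule so only office_ip may connect."""
    m = ACL_RE.match(line.strip())
    if not m or m["src"] != "any":
        raise ValueError("expected a rule whose source is 'any'")
    return line.strip().replace(" any ", f" host {office_ip} ", 1)

# Constructed sample: the thread's open rule plus an already-restricted one.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 123.123.123.123 eq 3389
access-list outside_access_in permit tcp host 203.0.113.5 host 123.123.123.123 eq 3389
static (inside,outside) 123.123.123.123 192.168.1.10 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for f in audit_rdp_rules(SAMPLE_CONFIG):
        print(f["grade"].upper(), f["line"])
```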
Thank you, I'll try this! :D
 