Ugh...remote desktop and Cisco PIX 501....

Discussion in 'Networking & Security' started by Timbowens, Mar 28, 2008.

  1. Timbowens

    Timbowens [H]ard|Gawd

    Messages:
    1,083
    Joined:
    Dec 12, 2006
    Hi all, I'm still toiling with my remote desktop problem that I had from a while ago.

    My new question is this, is there a way, when I'm logged into the PIX, to give it a command that will make it so I don't have to use VPN software to establish a remote desktop connection?

    Right now, I have to have Cisco VPN software on the machines in one of my offices to remote desktop to another office that is sitting behind the PIX. The problem is, my firewall is killing the VPN software, and this can't be changed (thanks, Firebox).

    So, can I make a rule, or simply disable the policy in the PIX that requires outside computers to be running the stupid VPN software?
     
  2. StarTrek4U

    StarTrek4U Gawd

    Messages:
    1,011
    Joined:
    Jan 8, 2003
    You would need a NAT rule (or port forwarding) to the internal machine you want to RDP to and then allow port 3389 through.
     
  3. killerasp

    killerasp Gawd

    Messages:
    963
    Joined:
    Jul 17, 2001
    startrek4U is correct.

    assuming you only have one static IP to use, you would need to configure port forwarding on the PIX to forward port 3389/TCP to your desktop.

    BUT, you should definitely put an ACL on your outside interface to only accept packets from a specific host (the machine you are connecting from). It's not much, but at least it's restricted.
     
  4. Rabidfox

    Rabidfox Limp Gawd

    Messages:
    282
    Joined:
    Oct 6, 2005
    Does the pix have a real IP? If so, just make a static NAT for TCP 3389 for the outside interface and have it point at the IP address on the inside, the address the ACL applied to your outside interface.
     
  5. Captain Colonoscopy

    Captain Colonoscopy 2[H]4U

    Messages:
    3,861
    Joined:
    Feb 19, 2004
    You need to setup your PIX with a static NAT translation to do this. You cannot turn off a rule on the PIX to just allow anyone to RDP into your network.

    Here are some code snippets where 123.123.123.123 is an unused public IP address available for you to use and 192.168.1.10 is the IP address of your server or desktop that sits behind the pix. If you don't have an extra public IP you can use the outside IP address of your PIX but the NAT translation is different and I can't remember exactly how that goes off the top of my head. I think you have to specify the exact ports being used for the NAT translation or you will hork up your inside internet access, I seem to remember accidentally doing that one time . . .

    access-list outside_access_in permit tcp any host 123.123.123.123 eq 3389

    static (inside,outside) 123.123.123.123 192.168.1.10 netmask 255.255.255.255 0 0

    access-group outside_access_in in interface outside

     
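    As an added example (not posted by anyone in this thread), here is the same static NAT setup with the source-restricted ACL killerasp recommends, shown beside the open "any" rule, plus the interface-address port-redirection form for the single-public-IP case that StarTrek4U describes. 203.0.113.5 is an assumed placeholder for the public IP of the office you connect from, <PIX_OUTSIDE_IP> stands for the PIX outside address, the port-redirection syntax is an assumption about PIX 6.3, and lines beginning with ! are explanatory comments.

```text
! Added example, not from the thread. 123.123.123.123 and 192.168.1.10 are the
! sample addresses used above; 203.0.113.5 is an assumed placeholder for the
! remote office's public IP.

! Weak: any host on the Internet can reach the RDP listener and brute-force it.
! access-list outside_access_in permit tcp any host 123.123.123.123 eq 3389

! Better: permit only the known source host; everything else hits the ACL's
! implicit deny at the end.
access-list outside_access_in permit tcp host 203.0.113.5 host 123.123.123.123 eq 3389

! One-to-one static translation: public 123.123.123.123 -> inside 192.168.1.10
static (inside,outside) 123.123.123.123 192.168.1.10 netmask 255.255.255.255 0 0

! Apply the ACL inbound on the outside interface
access-group outside_access_in in interface outside

! Variant when there is no spare public IP (assumed PIX 6.3 port-redirection
! syntax): only TCP 3389 on the PIX outside address is redirected, so normal
! outbound PAT for the inside network is not disturbed.
! access-list outside_access_in permit tcp host 203.0.113.5 host <PIX_OUTSIDE_IP> eq 3389
! static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0

! Check that the rule exists and is counting hits, and that the translation is built
show access-list outside_access_in
show xlate
```

    If the connecting office's address changes, the host entry in the ACL has to change with it; a second permit line per additional source host is preferable to widening the rule back to any.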
  6. Timbowens

    Timbowens [H]ard|Gawd

    Messages:
    1,083
    Joined:
    Dec 12, 2006
    Thank you, I'll try this! :D