Inbound Remote Desktop access via Cisco PIX

Hi, here's my problem. I have a Cisco PIX firewall and I need to enable Remote Desktop inbound. Thing is, I've created a static NAT, 195.x.x.x (for the outside) and 192.x.x.x (inside), and it's visible because I can ping it from an external machine, so I know that's working. I've also permitted traffic for the VLAN from port 3389 on the outside connection access-list. Thing is, when I try to connect it says "the client could not connect to the computer".

THIS IS THE CONFIG:

    access-list acl_out permit tcp any VLAN NAME SUBNET eq 3389
    access-list insidenet_out permit tcp any VLAN NAME SUBNET eq 3389
    static (insidenet,outside) 195.x.x.x 192.x.x.x netmask 255.x.x.x 0 0

**insidenet is the VLAN**

Thanks for your help,
Andy

Answer Wiki


You can use conduits. I know everyone likes to use ACLs, but conduits work great for me. Just add the following line and it should work. This will allow anything on the outside network to get to public IP 195.x.x.x across port 3389. Then your static command will push it to your internal IP.

Here is an example:

conduit permit tcp host 195.x.x.x eq 3389 any
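For comparison, here is the ACL-based equivalent of that conduit. This is an added example, not part of the answer above or Cisco's documentation; it assumes a PIX running 6.x software (the conduit command was removed in PIX 7.0), interfaces named outside and insidenet, and a one-to-one host static. On the outside interface the rule must match the translated public address rather than the inside subnet, and the source is narrowed to one administration host instead of any.

```text
! Constructed example values: 203.0.113.10 stands in for the admin host;
! 195.x.x.x / 192.x.x.x keep the placeholders used in the question.

! One-to-one host static: public 195.x.x.x maps to internal 192.x.x.x
static (insidenet,outside) 195.x.x.x 192.x.x.x netmask 255.255.255.255 0 0

! Inbound rule on the outside interface: match the PUBLIC (translated)
! address, and permit only the one admin host rather than "any"
access-list acl_out permit tcp host 203.0.113.10 host 195.x.x.x eq 3389

! Bind the ACL to the outside interface; once an access-group is applied
! there, it takes precedence over conduits on that interface
access-group acl_out in interface outside
```

After a connection attempt, show access-list should display a non-zero hit count on the acl_out entry if the traffic is reaching the rule.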

Discuss This Question: 3 Replies

  • Sonotsky
    In this reply, I assume that your "external" network is the Internet, or some other untrusted network. One thing to consider in your situation (I've said it in a couple of other questions): RDP traffic is NOT encrypted. Anyone with a sniffer can watch your traffic and potentially swipe passwords. If you *must* access servers inside the PIX via Remote Desktop, you should seriously consider tunnelling all RDP traffic that goes over port 3389 via SSHv2 (port 22). This means that you'll need an SSH server on each inside server, but there are free servers available, such as OpenSSH. Good luck.
  • Imazing
    I agree 100% with Sonotsky. You can also configure your PIX for VPN to get the best in authentication and encryption.
  • Ramheka
    The best way to do it is to get your users to VPN into the network, then use RDP. Once the VPN connection is established they would connect to your RDP server or workstations just like if they were on the LAN, and this will allow them to access other resources on the network without keeping opening and closing ports (the more open ports, the more exposed you are), and try to keep your access lists or conduits to the minimum.
