Route My World!

A CCNA/CCNP Blog

Make it Happen - Allow RDP access Over Internet on a PIX

Posted by Aragoen Celtdra on September 17th, 2008

I was again asked to “make something happen” on our network that I previously had no idea how to do. We have an application server in our office that several folks used to connect to from home with Remote Desktop Connection. Since I moved all our outgoing and incoming traffic through the PIX, that has been broken. With some direction from my manager, I was able to figure out what to do. Basically, it entails a static NAT that maps the server’s private inside address to a globally routable address, plus an access list that lets the RDP traffic in.

The basic requirements are:

  • Configure a static NAT on the PIX that maps a global (public) address on the outside interface to the inside host.
  • Create an access list that permits inbound RDP (TCP 3389) to that global address, and apply it to the outside interface.

Here’s a simple diagram of my network to give you a pictorial view of the packet’s path:

Below is my configuration that “makes it happen”:

PIX Version 7.2(4)
!

access-list acl_outside extended permit tcp any host 72.x.x.x eq 3389
!
!
!
static (inside,outside) 72.x.x.x 10.100.194.33 netmask 255.255.255.255
!
!
access-group acl_outside in interface outside

Let’s go over the config line by line:

  1. The first line is the software version of the PIX
  2. The second line is an exclamation mark
  3. Then a space… OK, I’m not being funny!

Basically, I created an access list called “acl_outside” that permits any source IP on the Internet to reach destination 72.x.x.x on TCP port 3389 (the default port used by RDP). Note that the destination in the ACL is the public (mapped) address, not the server’s inside address: on PIX 7.x an access list applied inbound on the outside interface matches the packet as it arrives, before the static translation is applied, so it has to name the global address (ASA 8.3 and later changed this to real addresses). The ACL part itself is stuff I learned in CCNA.

Destination 72.x.x.x is mapped to the local address 10.100.194.33 using a one-to-one static translation; the netmask of 255.255.255.255 means exactly that one host is translated - stuff I also learned in CCNA.

The last line applies the access list I created above inbound on the outside interface of the PIX. This is what actually opens the hole: by default the PIX drops anything arriving on the lower-security outside interface that is destined for the higher-security inside, and only traffic the ACL permits gets through - stuff I just learned recently.

And somehow, magically, I’m now able to establish an RDP connection to the box in our little server room. Oh what beauty to behold! Now if anybody has a best-practice suggestion that can make my config even better, I’m all ears. As always, I’m sure there are better ways to accomplish the same task. But for now, it makes it happen.
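The rule above lets every address on the Internet hit the RDP port. One tightening a firewall admin would usually want, added here as an editor’s example rather than taken from the post, is to restrict the source to the handful of public addresses the home users actually come from, and to log what gets denied, while keeping the same static and the same access-group. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from documentation address space, not anyone’s real IPs; 72.x.x.x and 10.100.194.33 are as in the post.

```cisco
! Added example: source-restricted version of the RDP rule for PIX 7.2.
! The remote addresses below are placeholders (RFC 5737 documentation space);
! replace them with the home users' real public IPs.
object-group network RDP_REMOTE_USERS
 description Home users allowed to RDP to the app server
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0
!
! Same one-to-one static as in the post: public 72.x.x.x <-> inside 10.100.194.33
static (inside,outside) 72.x.x.x 10.100.194.33 netmask 255.255.255.255
!
! On PIX 7.x the inbound ACL on the outside interface matches the global
! (translated) address, so the destination is 72.x.x.x, not 10.100.194.33.
access-list acl_outside remark RDP to app server, known home users only
access-list acl_outside extended permit tcp object-group RDP_REMOTE_USERS host 72.x.x.x eq 3389
! Explicit deny with logging so probes from everywhere else show up in syslog
access-list acl_outside extended deny ip any any log
!
access-group acl_outside in interface outside
```

After applying it, `show access-list acl_outside` shows per-line hit counts, so a connection from an allowed user increments the permit line and a probe from anywhere else increments the logged deny; `show xlate` confirms the static translation is present. Narrowing the source addresses reduces exposure but does not change what RDP itself does on the wire, so a VPN in front of the server is still the stronger option.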

One Response to “Make it Happen - Allow RDP access Over Internet on a PIX”

  1. Jeremy L. Gaddis says:

    Best practice suggestion:  don’t allow unencrypted RDP over the Internet.
