Terminal Server config for PIX 506

Hello,

I'm running a PIX 506, PIX Version 6.3(3). Simple question: I want to redirect Internet traffic to a public IP address through this box to a terminal server inside. I've done this in the past at another client, but can't recall the syntax, and can't locate any of the documentation here for this device.

Say for sake of topic the public address is 4.3.2.1 and the internal address is 192.168.0.10. I believe I have to create a conduit, but something is making me think that there is a better way to do this.

TIA for any and all help. Brian

Reply to
Brian

Don't use conduit, it is obsolete.

static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
access-list out2in permit tcp any interface outside eq 3389
access-group out2in in interface outside
Reply to
Walter Roberson

Walter, thank you for your post.

The old conduit statement would allow me to create multiple conduits for different public IP addresses for different servers for the same services. For example, I could have two different terminal servers, public IPs 4.2.2.2 and 4.2.2.3. Port 3389 traffic to 4.2.2.2 would be redirected to 192.168.0.2 and traffic to 4.2.2.3 would be redirected to 192.168.0.1 (and my PIX is 4.2.2.1). The PIX would see the traffic for .2 or .3 and send it "through" the correct conduit.

It seems like with the statements you gave me, I have to use my PIX public IP address as the destination for the terminal server user, and all terminal server users will end up going to only one inside server. We have a range of 10 public addresses, and I was going to use the next number up from the PIX address to redirect. Can I not do this sort of configuration?

Brian

Reply to
Brian

Sure, no problem. Most people who post here and don't mention having a block of public IPs turn out to only have a single outside IP, so we tend to assume that one will need to use the interface IP unless the poster has indicated otherwise. Also, there is special syntax for the interface IP, so if we show the examples in terms of public IPs then onlookers get the wrong impression about how to deal with the interface.

static (inside,outside) tcp 4.2.2.2 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 4.2.2.3 3389 192.168.0.1 3389 netmask 255.255.255.255
access-list out2in permit tcp any host 4.2.2.2 eq 3389
access-list out2in permit tcp any host 4.2.2.3 eq 3389
access-group out2in in interface outside

Reply to
Walter Roberson
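
An added example, not part of any post in this thread: a small Python audit that reads PIX 6.3 `static` and `access-list` lines like the ones above and reports, for each port redirection, whether the ACL bound to the mapped interface admits it from `any`, from restricted sources only, or not at all. The sample config is constructed from the thread's lines (with one permit deliberately omitted), and the parser assumes numeric ports and single-port `permit ... eq` entries.

```python
import re

# Constructed sample: lines from the thread's two replies combined, with the
# permit for 4.2.2.3 left out on purpose to show an unmatched static.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 3389 192.168.0.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 4.2.2.2 3389 192.168.0.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 4.2.2.3 3389 192.168.0.1 3389 netmask 255.255.255.255
access-list out2in permit tcp any interface outside eq 3389
access-list out2in permit tcp any host 4.2.2.2 eq 3389
access-group out2in in interface outside
"""

# Assumption: numeric ports and single-port "permit ... eq N" entries only.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (any|host \S+|\S+ \S+) "
                    r"(interface \w+|host \S+|any) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit(config):
    """Return (public, port, inside_host, status) for each static port redirect."""
    lines = [line.strip() for line in config.splitlines()]
    # ACL applied inbound on each interface: {interface: acl_name}
    bound = {m.group(2): m.group(1) for m in map(GROUP_RE.match, lines) if m}
    acls = [m.groups() for m in map(ACL_RE.match, lines) if m]
    findings = []
    for m in filter(None, map(STATIC_RE.match, lines)):
        _real_if, mapped_if, proto, pub, port, inside, _inside_port = m.groups()
        # The interface address is written "interface <name>" in the ACL too.
        dest = f"interface {mapped_if}" if pub == "interface" else f"host {pub}"
        sources = [src for name, p, src, dst, dport in acls
                   if name == bound.get(mapped_if) and p == proto
                   and dst in (dest, "any") and dport == port]
        if not sources:
            status = "no-permit"      # translation exists but nothing admits traffic
        elif "any" in sources:
            status = "open-to-any"    # reachable from every Internet source
        else:
            status = "restricted"     # only listed hosts/networks may connect
        findings.append((pub, int(port), inside, status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
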

Excellent. Exactly what I was looking for. Thank you very much for your help, Walter.

Regards, Brian

Reply to
Brian

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.