Any suggestions on command?
Posted 17 years ago
Any suggestions on command?
Thanks. But do I need any access-list or "fixup protocols"? If yes, how do I put it?
In article , swsw wrote:
:Any suggestions on command?

static (inside,outside) udp XX.XX.XX.XX 3389 192.168.1.5 3389 netmask 255.255.255.255

OR

static (inside,outside) udp interface 3389 192.168.1.5 3389 netmask 255.255.255.255

In article , swsw wrote:
:Thanks. But do I need any access-list or "fixup protocols"? If yes, how
:do I put it?

You do not need any 'fixup'. You -will- need an access-list and access-group.
My memory of the details of PIX 6.2 is starting to fade a bit and the documentation is a bit weak on some points. My recollection is that if the packets will be addressed to the PIX outside interface, that the ACL entry you would need would be similar to
access-list outside2inside permit udp any interface eq 3389
but you might instead need
access-list outside2inside permit udp any interface outside eq 3389
The documentation does not indicate that the 'interface' keyword existed in 6.2, but my recollection is that it did.
If you do not (or cannot) use the interface keyword in the ACL, then if your PIX's public IP is your only IP, the next choice would be
access-list outside2inside permit udp any any eq 3389
If the PIX does not recognize the 'interface' keyword in ACLs and you need to be more specific about the destination IP (because you have other IPs) and it is the Interface IP that you want the port to be forwarded for, then you could try
access-list outside2inside permit udp any host XX.XX.XX.XX eq 3389
where XX.XX.XX.XX is the public IP. This will NOT work properly in PIX 6.3!! (It also will not work properly in PIX 5.x, as PIX 5.x does not allow forwarding of PIX interface-IP ports.)
Whatever ACL entry you end up using, you will need
access-group outside2inside in interface outside
Note: you should check first with show access-group as you might already have an existing access-list on the outside interface.
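
Added example, not part of the original posts: a small Python check that reads a saved PIX configuration and reports any static port forward that has no matching permit in an access-list applied inbound on the same interface, which is the static / access-list / access-group dependency described in the reply above. It assumes only the command shapes quoted in this thread (source "any", a single "eq" port); the function names and the 203.0.113.x addresses used in testing are constructed.

```python
import re

# Constructed sample: the three commands from the thread, using the
# 'interface' form of the static so no public address is needed.
SAMPLE = """\
static (inside,outside) udp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
access-list outside2inside permit udp any interface outside eq 3389
access-group outside2inside in interface outside
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
# Only the ACL shapes quoted in the thread: source 'any', one 'eq' port.
ACL = re.compile(r"^access-list (\S+) permit (tcp|udp) any "
                 r"(any|interface(?: \S+)?|host \S+) eq (\d+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def dest_matches(dest, global_addr):
    """Does an ACL destination cover the static's global (public) address?"""
    if dest == "any":
        return True
    if dest.startswith("interface"):
        # Simplification: the optional interface name is not compared.
        return global_addr == "interface"
    return dest.split()[1] == global_addr  # 'host A.B.C.D'

def unpermitted_forwards(config):
    """Return (proto, global_addr, port, bound_acl) for each static port
    forward that no ACL applied inbound on its public interface permits."""
    statics, acls, bound = [], [], {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := ACL.match(line):
            acls.append(m.groups())
        elif m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)  # interface name -> ACL name
    missing = []
    for _inside, outside, proto, gaddr, gport, _laddr, _lport in statics:
        acl = bound.get(outside)
        if not any(name == acl and p == proto and port == gport
                   and dest_matches(dest, gaddr)
                   for name, p, dest, port in acls):
            missing.append((proto, gaddr, gport, acl))
    return missing

if __name__ == "__main__":
    print(unpermitted_forwards(SAMPLE))
```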