PIX 501 and port 3389

Hello, I know this topic goes on and on but I'm really struggling with the problem. This is my setup:

Netgear router operating on a static IP - 81.82.83.84
Its LAN IP - 192.168.0.1
PIX outside - 192.168.0.2
PIX inside - 192.168.16.1
target server - 192.168.16.254

PIX is now restored to factory settings, except the IP addresses and the DHCP which is switched off - the rest is clean. So far I've tried:

access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
access-group acl_inbound in interface outside
static (inside,outside) 192.168.0.2 192.168.16.254 netmask 255.255.255.255
cl xlate
// this did not work

static (inside,outside) tcp 192.168.0.2 3389 192.168.16.254 3389
access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
access-group acl_inbound in interface outside
cl xlate
// this did not work either

Can someone please post a set of commands that will work? PIX 6.3(5). If any other information is needed I can post everything.

Thanks in advance

Reply to
mc

Have you written the rules that forward packets from the public IP to the PIX?

The PIX configs seem to be OK.

Alex.

Reply to
AM

I don't think so... Some more details? Once I type everything I listed earlier it's all visible in the rules (ACCESS RULES and TRANSLATION RULES) when using PDM.

Reply to
mc

Does the Netgear do Network Address Translation (NAT) ?

That would be fine if the Netgear is translating the destination address 81.82.83.84 to 192.168.0.2 and forwarding the packets on to the PIX.

What kind of Netgear router is it, and what address translations have you set up on it? If it is one of their consumer "cable modem" type devices (typically goes in between a home network and a residential connection) then you would specifically have to set up forwarding on it, as by default such devices block inbound connections.

Reply to
Walter Roberson

Can you first do a "sh xlate" to confirm that translation occurs when you try to Remote Terminal?

And can you activate the logs

logging on
logging buffered warnings

then "sh log" will show if you have translation errors or access denied.

I assume that you have no filtering in the Netgear box...

Reply to
mcaissie

Yes, Netgear does NAT - checked using different connection and different PC - I could access this PC from a remote location elsewhere.

Reply to
mc

Don't really get that: should I enable logging, then try to connect, and after that (whether it worked or not) look at the log? No, the Netgear does not filter.

Reply to
mc


Exactly,

1- Activate logs
2- Try to establish a connection
3- Do a "sh xlate" to validate the translation
4- Do a "sh log" to see if there are any warnings related to translations or denied access
Reply to
mcaissie
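To make the four-step check above concrete, here is an added example (not code from the thread or from Cisco) that sorts PIX 6.x "sh log" lines into the two failure modes mcaissie is looking for, access denied versus translation failure, and checks "sh xlate" for the expected static entry. The sample output is constructed in the PIX syslog format for message IDs 106023, 305005 and 302013 and in the "show xlate" format; the hosts and ports are the ones from the thread, and the remote client 203.0.113.7 is a documentation address, not something the poster reported.

```python
"""Triage helper for the PIX 'sh log' / 'sh xlate' check (added example).

Classifies PIX 6.x syslog lines by message ID and confirms from 'show xlate'
output that the expected port static exists. Sample data is constructed.
"""
import re
from collections import Counter

# Message ID -> meaning for this problem. 106023 (level 4) and 305005
# (level 3) are captured with 'logging buffered warnings'; 302013 is
# level 6 and only appears if buffered logging is raised to informational.
MESSAGE_KIND = {
    "106023": "denied by access-list",
    "106001": "denied (inbound TCP, no permit)",
    "305005": "no translation group found",
    "305006": "portmap translation failed",
    "302013": "connection built",
}

SYSLOG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
ENDPOINT_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def classify(line):
    """Return (message_id, kind, [(ifname, ip, port), ...]) or None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    kind = MESSAGE_KIND.get(m.group("id"), "other")
    endpoints = [(i, ip, int(p)) for i, ip, p in ENDPOINT_RE.findall(m.group("msg"))]
    return m.group("id"), kind, endpoints


def summarize(lines, port=3389):
    """Count message kinds for lines that involve the given TCP port."""
    counts = Counter()
    for line in lines:
        parsed = classify(line)
        if parsed and any(p == port for _, _, p in parsed[2]):
            counts[parsed[1]] += 1
    return dict(counts)


# 'show xlate' prints e.g. "PAT Global 192.168.0.2(3389) Local 192.168.16.254(3389)"
XLATE_RE = re.compile(r"^(?:PAT )?Global (\S+?)(?:\((\d+)\))? Local (\S+?)(?:\((\d+)\))?$")


def has_static(xlate_output, global_ip, global_port, local_ip, local_port):
    """True if 'show xlate' lists the expected port static."""
    for raw in xlate_output.splitlines():
        m = XLATE_RE.match(raw.strip())
        if not m:
            continue
        gip, gport, lip, lport = m.groups()
        if gport and lport and (gip, int(gport), lip, int(lport)) == (
            global_ip, global_port, local_ip, local_port
        ):
            return True
    return False


# Constructed sample output (not captured from the poster's PIX).
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:192.168.0.2/3389 by access-group "acl_inbound"',
    '%PIX-3-305005: No translation group found for tcp src outside:203.0.113.7/51235 dst inside:192.168.0.2/3389',
    '%PIX-3-305005: No translation group found for tcp src outside:203.0.113.7/51236 dst inside:192.168.0.2/3389',
    '%PIX-6-302013: Built inbound TCP connection 12 for outside:203.0.113.7/51237 (203.0.113.7/51237) to inside:192.168.16.254/3389 (192.168.0.2/3389)',
    '%PIX-6-302013: Built outbound TCP connection 13 for inside:192.168.16.20/40000 (192.168.0.2/1025) to outside:198.51.100.9/80 (198.51.100.9/80)',
]
SAMPLE_XLATE = """1 in use, 1 most used
PAT Global 192.168.0.2(3389) Local 192.168.16.254(3389)"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(has_static(SAMPLE_XLATE, "192.168.0.2", 3389, "192.168.16.254", 3389))
```

A run of 106023 lines means the packet reached the PIX but the access-group dropped it; 305005 means the ACL let it through but no static matched the destination address and port, which is the distinction the "sh xlate" check is meant to settle.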

Maybe this will help - current config, after once again restored to factory settings.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.16.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.16.2-192.168.16.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:c63ffd4b562d3e711ee0db19337ae6ef
: end
[OK]
pixfirewall(config)#

--------------------------------------------------------------------------------------------------

If I type this:

access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
access-group acl_inbound in interface outside
static (inside,outside) 192.168.0.2 192.168.16.254 netmask 255.255.255.255
cl xlate

// or this:

static (inside,outside) tcp 192.168.0.2 3389 192.168.16.254 3389
access-list acl_inbound permit tcp any host 192.168.0.2 eq 3389
access-group acl_inbound in interface outside
cl xlate

should it be working already? Or am I simply missing something? Thanks,

Reply to
mc

I would prefer more technical details as to how the NAT is set up on the Netgear, as I suspect that to be the problem.

Reply to
Walter Roberson

Thanks for any help guys. I just managed to get it working using this:

access-list acl_inbound permit tcp any interface outside eq 3389
static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
clear xlate
Reply to
mc

Damn, I have the same Netgear router as you've got. I was about to connect my Netgear and bridge to my 501. I was lazy, I didn't do it.

BTTT, if you use only 501 can you remote to your desktop/server?

Reply to
ikendo

I rechecked the thread but I couldn't find any information about which model of Netgear router it was ?

Reply to
Walter Roberson

This works for now, but you have put yourself in a position where you will not be able to add another address for terminal services.

Reply to
Rohan

In article , Rohan top-posted, now corrected:

Please do not top-post: it is harder to read, and it means that when someone wants to reply to you, they have to go through the trouble of editing the conversation so that the entire sequence makes sense in context.


In the context of the original posting, this does not matter because the original poster only has a single public IP address at the netgear.

Besides, when you are making a "remote assist" or "rdesktop" connection, the client has the option of specifying the remote port. The scheme used by 'mc' can easily be extended to handle additional ports, including possibly ones that terminate on other machines. For example,

access-list acl_inbound permit tcp any interface outside eq 3389
access-list acl_inbound permit tcp any interface outside eq 33891
static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 33891 192.168.16.219 3389 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside

The server on 192.168.16.219 does not even need to know that the remote system is addressing it by an unusual port: the PIX will redirect the 33891 packets to 3389 on the internal machine if that is what is configured.

Reply to
Walter Roberson
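As an added illustration of the port-redirection scheme Walter describes (this is example code, not from the thread, Cisco or the PIX itself), the model below parses the exact command lines posted above and evaluates an inbound TCP connection the way PIX 6.x does: the access-list bound to the outside interface is matched against the untranslated (global) destination address and port, and only then does the matching port static decide which inside host and port receive the connection. Assumptions, labelled in the code: the PIX outside address is 192.168.0.2 as stated in the thread, the `interface` keyword in both commands stands for that address, and only `static ... tcp`, `permit tcp any ... eq` and `access-group ... in interface` lines are modelled.

```python
"""Model of PIX 6.3 outside ACL + static PAT for inbound RDP (added example).

Parses the static/access-list/access-group lines from the thread and answers,
for a SYN arriving on 'outside', whether it is permitted and where it lands.
"""
import re
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF_IP = "192.168.0.2"  # PIX outside address from the thread (assumption)

STATIC_RE = re.compile(
    r"^static \((\w+),\s*(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)(?: netmask \S+)?(?: \d+ \d+)?$"
)
ACE_RE = re.compile(
    r"^access-list (\S+) permit tcp any (?:host (\S+)|interface (\w+)) eq (\d+)$"
)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


@dataclass(frozen=True)
class Static:
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass(frozen=True)
class Ace:
    acl: str
    dst_ip: str
    dst_port: int


@dataclass
class Policy:
    statics: list
    aces: list
    bound_acl: Optional[str]  # ACL applied 'in interface outside'


def parse_config(lines, outside_ip=OUTSIDE_IF_IP):
    """Build a Policy from PIX config lines; unmodelled lines are ignored."""
    pol = Policy([], [], None)
    for raw in lines:
        line = " ".join(raw.split())  # collapse stray whitespace
        if m := STATIC_RE.match(line):
            # 'interface' means the PIX's own outside address
            gip = outside_ip if m.group(3) == "interface" else m.group(3)
            pol.statics.append(Static(gip, int(m.group(4)), m.group(5), int(m.group(6))))
        elif m := ACE_RE.match(line):
            dip = m.group(2) or outside_ip  # 'interface outside' likewise
            pol.aces.append(Ace(m.group(1), dip, int(m.group(4))))
        elif (m := GROUP_RE.match(line)) and m.group(2) == "outside":
            pol.bound_acl = m.group(1)
    return pol


def inbound(pol, dst_ip, dst_port):
    """Verdict for a TCP SYN arriving on 'outside' for dst_ip:dst_port.

    Returns ('permitted', (inside_ip, inside_port)) or (reason, None).
    The two failure reasons mirror what 'sh log' reports: an access-group
    deny, or a permitted packet with no translation to send it to.
    """
    permitted = any(
        a.acl == pol.bound_acl and a.dst_ip == dst_ip and a.dst_port == dst_port
        for a in pol.aces
    )
    if not permitted:
        return "denied by access-group", None
    for s in pol.statics:
        if (s.global_ip, s.global_port) == (dst_ip, dst_port):
            return "permitted", (s.local_ip, s.local_port)
    return "no translation group found", None


# The two-server extension exactly as posted above.
CONFIG = """
access-list acl_inbound permit tcp any interface outside eq 3389
access-list acl_inbound permit tcp any interface outside eq 33891
static (inside, outside) tcp interface 3389 192.168.16.254 3389 netmask 255.255.255.255 0 0
static (inside, outside) tcp interface 33891 192.168.16.219 3389 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
""".strip().splitlines()

POLICY = parse_config(CONFIG)

if __name__ == "__main__":
    for port in (3389, 33891, 3390):
        print(port, inbound(POLICY, OUTSIDE_IF_IP, port))
```

The point the model makes explicit is that the access-list entry must name the outside port (33891), not the inside port (3389): the ACL is evaluated before the static rewrites the destination, so a second server reachable on 33891 needs its own permit line as well as its own static.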

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.