topic Re: Remote Desktop for Administration ONLY in General Topics

Remote Desktop for Administration ONLY

numberall — Wed, 15 Dec 2010 20:04:25 GMT

Hello,

Ok, I'm stuck. I'm trying to allow external acces for Remote Desktop, but only for Administering our Server not for Virtual Apps. I created a NAT Rule as follows

Name: Inbound Remote Desktop

Source Zone: l3-untrust

Destination Zone: l3-trust

Destination Interface: Any

Source Address: Any

Service: TCP_Port5000 (Outside port is 5000)

Source Translation: None

Destination Translation: 10.0.0.50 and Port 3389

And a Security Rule as follows:

Name: RemoteDesktop In to Server

Source Zone: l3-untrust

Destination Zone: l3-trust

Source Address: any

Source User: any

Destination Address: 222.222.222.222 (example outside address)

Application: ms-rdp, t.120

Action: Allow

Profile: Block virus, spyware

What am I missing, any help is appreciated.

Thanks,

Daniel

Re: Remote Desktop for Administration ONLY

numberall — Wed, 15 Dec 2010 20:19:46 GMT

Ok, I figured out my problem. In the NAT settings the Source AND Destination Zones need to be set to l3-untrusted.

Hope this helps someone else out.

Daniel

Re: Remote Desktop for Administration ONLY

kbrazil — Wed, 15 Dec 2010 22:46:54 GMT

Hi there,

Glad you figured it out. Another way to do this in PAN-OS 3.1 and later is to create an outbound source-nat for the server/service and configure the source-nat as 'bidirectional'. This will create the secondary inbound destination-nat in the background. It will essentially be a hidden rule that looks like this:

source-zone: any

dst-zone: source-zone of the outbound bidirectional nat rule

destination-nat: source-nat ip of the outbound bidirectional nat rule

This guarantees the same IP for inbound and outbound initiated traffic.

Cheers,

Kelly