12-15-2010 12:04 PM
Hello,
Ok, I'm stuck. I'm trying to allow external access for Remote Desktop, but only for administering our server, not for Virtual Apps. I created a NAT rule as follows:
Name: Inbound Remote Desktop
Source Zone: l3-untrust
Destination Zone: l3-trust
Destination Interface: Any
Source Address: Any
Service: TCP_Port5000 (Outside port is 5000)
Source Translation: None
Destination Translation: 10.0.0.50 and Port 3389
And a Security Rule as follows:
Name: RemoteDesktop In to Server
Source Zone: l3-untrust
Destination Zone: l3-trust
Source Address: any
Source User: any
Destination Address: 222.222.222.222 (example outside address)
Application: ms-rdp, t.120
Action: Allow
Profile: Block virus, spyware
What am I missing? Any help is appreciated.
Thanks,
Daniel
12-15-2010 02:46 PM
Hi there,
Glad you figured it out. Another way to do this in PAN-OS 3.1 and later is to create an outbound source-nat for the server/service and configure the source-nat as 'bidirectional'. This will create the secondary inbound destination-nat in the background. It will essentially be a hidden rule that looks like this:
source-zone: any
dst-zone: source-zone of the outbound bidirectional nat rule
destination-nat: source-nat ip of the outbound bidirectional nat rule
This guarantees the same IP for inbound and outbound initiated traffic.
Cheers,
Kelly
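For reference, here are both approaches from this thread written out as PAN-OS CLI set commands. This is an added example, not configuration posted by Daniel or Kelly, and not PAN-OS vendor documentation. It reuses the zone names, the custom service object TCP_Port5000 and the example addresses 222.222.222.222 / 10.0.0.50 from the question; the rule names, the profile objects named "default" and the PAN-OS 4.x-style set syntax are assumptions (the exact syntax varies by release). Two PAN-OS conventions drive the zone choices: a NAT rule is matched on pre-NAT zones and addresses, so an inbound destination NAT for a public IP that is routed out the untrust interface uses l3-untrust as both source and destination zone; a security rule is matched on the pre-NAT destination address (the public IP) but the post-NAT destination zone (l3-trust), and on the pre-NAT destination port, which is why its service is TCP/5000 rather than application-default.

```text
# --- Option 1: explicit inbound destination NAT (configure mode) ---

# Service object for the externally exposed (pre-NAT) port.
set service TCP_Port5000 protocol tcp port 5000

# NAT rule: zones are pre-NAT. 222.222.222.222 is reached via the untrust
# interface, so the destination zone is l3-untrust, not l3-trust.
set rulebase nat rules "Inbound Remote Desktop" from l3-untrust to l3-untrust source any destination 222.222.222.222 service TCP_Port5000
set rulebase nat rules "Inbound Remote Desktop" destination-translation translated-address 10.0.0.50 translated-port 3389

# Security rule: pre-NAT destination address, post-NAT destination zone,
# pre-NAT service. Only the RDP application is allowed through.
# (Profile objects named "default" are an assumption.)
set rulebase security rules "RemoteDesktop In to Server" from l3-untrust to l3-trust source any destination 222.222.222.222 application [ ms-rdp t.120 ] service TCP_Port5000 action allow
set rulebase security rules "RemoteDesktop In to Server" profile-setting profiles virus default spyware default

# --- Option 2: bi-directional static source NAT (PAN-OS 3.1 and later) ---

# One outbound static-IP rule for the server; with bi-directional set, the
# firewall derives the matching inbound destination NAT itself, so the same
# public IP is used in both directions.
set rulebase nat rules "Server Static NAT" from l3-trust to l3-untrust source 10.0.0.50 destination any service any
set rulebase nat rules "Server Static NAT" source-translation static-ip translated-address 222.222.222.222 bi-directional yes
```

Two caveats when choosing option 2: a static-ip bi-directional rule maps the addresses one-to-one with no port translation, so the outside port stays 3389 rather than 5000, and the derived inbound rule translates any destination port, so the security rule above (restricted to ms-rdp on the intended service) is what actually limits what reaches the server. Run commit after either set of commands and check with test nat-policy-match / test security-policy-match before opening it to the internet.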