Solved

Restrict traffic going across a T1 private line to one specific port

Posted on 2007-11-28
306 Views
Last Modified: 2008-02-01
We have a private line T1 installation with two Cisco 1841 T1 routers.  The T1 is only going to be used to allow remote desktop access to a terminal server in one of the offices.  Using Cisco's access control lists (ACL), is there a way we can lock it down so that traffic can only flow in one direction via port 3389 TCP to the specific IP 192.168.0.5?  Please share your thoughts on the commands that would make this possible.  The routers are going in tomorrow (Thursday), so any help would be appreciated.
Question by:BuildingITC
7 Comments
 
LVL 15

Expert Comment

by:wingatesl
ID: 20370824
On the router closest to the terminal server you can do:
int ser 0/9
ip access-group rdp in
exit
ip access0list extended rdp
permit tcp any host 192.168.0.5 eq 3389
deny ip any any log
 

Author Comment

by:BuildingITC
ID: 20373059
Wingates - Thanks for the quick reply!

A few questions...

First for the serial interface the WAN card is s0/0/0 - I want to confirm this is where I specify the access-list and not on a sub-interface.
Second on your access0list command is that a mistype?  Should it read 'access-list'?
Third this looks like it will take care of traffic incoming on the terminal server side which is great but can I make it that on the remote end everything is locked down as well?  Would I create a similar ACL saying:
permit tcp any eq 3389 (leaving out the host part?).  And is there a 'outbound' or 'inbound' designation I can use?

Please share your thoughts.  We are installing this later this AM.
 

Author Comment

by:BuildingITC
ID: 20373119
I made the changes above recommended by Wingatesl and pasted my config below for reference.  What is strange is that the access-lists I just added do not appear to show up in the config.  Is something not enabled?  Also, as I was typing I realized the 'in' is for inbound on the rule, so logic says I can simply create a similar one with an 'out' and deny all traffic.  I look forward to a response.

Using 2391 out of 196600 bytes
!
! Last configuration change at 16:44:31 PCTime Wed Nov 28 2007
! NVRAM config last updated at 16:44:32 PCTime Wed Nov 28 2007
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip domain name
ip name-server 192.168.0.12
ip name-server 192.168.0.10
!
username  privilege 15 secret 5  
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description $FW_OUTSIDE$$ES_WAN$
 bandwidth 1544
 ip address 172.16.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end
 
LVL 15

Accepted Solution

by:wingatesl (earned 500 total points)
ID: 20373263
There is no need to deny the out as the inbound access list restricts the traffic from returning simply because it is not RDP traffic. You only need the one.
It was a typo.
int ser 0/0/0
ip access-group rdp in
exit
ip access-list extended rdp
permit tcp any host 192.168.0.5 eq 3389
deny ip any any log
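The accepted solution locks the line down with a single inbound list on the terminal-server side. As an added example (not configuration from the thread, and not wingatesl's or BuildingITC's own), here is a fuller version of the same lock-down on the terminal-server-side router, using the addresses and interface names from the config posted above, plus a mirror on the remote router. Everything about the remote router (its interface names and the 192.168.1.0/24 office LAN) is an assumption. The second, outbound list is the check the thread does not include: with only an inbound list on Serial0/0/0, a host on the 192.168.0.0/24 side can still send packets across the T1 (only the replies get dropped), and the terminal server itself could open connections outward. The `established` keyword matches only TCP segments with ACK or RST set, so the server can answer RDP sessions but cannot start anything across the line.

```cisco
! ===== Terminal-server-side router (hostname "cisco" in the posted config) =====
! Added example, not the thread's own configuration.
!
ip access-list extended RDP-IN
 remark Traffic arriving from the T1: only RDP to the terminal server
 permit tcp any host 192.168.0.5 eq 3389
 deny   ip any any log
!
ip access-list extended RDP-OUT
 remark Traffic leaving toward the T1: only the terminal server's RDP replies.
 remark "established" matches TCP segments with ACK or RST set, so the server
 remark can answer sessions but cannot initiate connections across the line.
 permit tcp host 192.168.0.5 eq 3389 any established
 deny   ip any any log
!
interface Serial0/0/0
 ip access-group RDP-IN in
 ip access-group RDP-OUT out
!
! ===== Remote-side router (interface names and 192.168.1.0/24 are assumptions) =====
! Mirror of the same policy, plus a source restriction so that only the remote
! office LAN, not anything else behind that router, can reach the terminal server.
!
ip access-list extended RDP-TO-TS
 remark From the remote LAN toward the T1: only RDP to the terminal server
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.0.5 eq 3389
 deny   ip any any log
!
ip access-list extended RDP-FROM-TS
 remark From the T1 into the remote LAN: only RDP replies from the terminal server
 permit tcp host 192.168.0.5 eq 3389 192.168.1.0 0.0.0.255 established
 deny   ip any any log
!
interface Serial0/0/0
 ip access-group RDP-TO-TS out
 ip access-group RDP-FROM-TS in
!
! ===== Verification (exec mode, either router) =====
! show ip interface Serial0/0/0        <- prints "Inbound access list is ..." / "Outgoing access list is ..."
! show ip access-lists                 <- per-entry match counters; the deny line should climb during a test
! show logging                         <- %SEC-6-IPACCESSLOGP messages generated by the "log" denies
! copy running-config startup-config   <- the lists exist only in running-config until saved
```

Two caveats worth knowing before trusting this. First, `established` is a flag check, not connection tracking: a crafted segment with ACK set and a 192.168.0.5:3389 source would match, so treat the outbound list as a blunt one-way gate rather than a stateful firewall. Second, the inbound list on Serial0/0/0 also filters packets addressed to the router itself, so Telnet to 172.16.1.1 from the far side of the T1 is denied along with everything else; that is the intent here, but it means each router has to be managed from its own LAN or console. On the unanswered question in the thread: the header "Using 2391 out of 196600 bytes" is what `show startup-config` prints, so a freshly entered ACL will be missing from that output until it is saved; `show running-config` shows it immediately.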
 

Author Comment

by:BuildingITC
ID: 20373425
Sounds good!  Any idea why the changes do not appear in the config?
 

Author Comment

by:BuildingITC
ID: 20379353
That worked great.  Traffic is locked down as expected.  Thank you so much.
 
LVL 15

Expert Comment

by:wingatesl
ID: 20379658
My pleasure
