Solved

Restrict traffic going across a T1 private line to one specific port

Posted on 2007-11-28
7
303 Views
Last Modified: 2008-02-01
We have a private line T1 installation with two Cisco 1841 T1 routers.  The T1 is only going to be used to allow remote desktop access to a terminal server in one of the offices.  Using Cisco's access control lists (ACL) is there a way we can lock it down so traffic can only flow in one direction via port 3389 TCP to specific IP 192.168.0.5?  Please share your thoughts on the commands that would make this possible.  The routers are going in tomorrow (Thursday) so any help would be appreciated.
0
Question by:BuildingITC
7 Comments
 
LVL 15

Expert Comment

by:wingatesl
on the router closest to the terminal server you can do
int ser 0/9
ip access-group rdp in
exit
ip access0list extended rdp
permit tcp any host 192.168.0.5 eq 3389
deny ip any any log
0
 

Author Comment

by:BuildingITC
Wingates - Thanks for the quick reply!

A few questions...

First for the serial interface the WAN card is s0/0/0 - I want to confirm this is where I specify the access-list and not on a sub-interface.
Second on your access0list command is that a mistype?  Should it read 'access-list'?
Third this looks like it will take care of traffic incoming on the terminal server side which is great but can I make it that on the remote end everything is locked down as well?  Would I create a similar ACL saying:
permit tcp any eq 3389 (leaving out the host part?).  And is there a 'outbound' or 'inbound' designation I can use?

Please share your thoughts.  We are installing this later this AM.
0
 

Author Comment

by:BuildingITC
I made the changes above recommended by Wingatesl and pasted my config below for reference.  What is strange is the access-lists I just added do not appear to show up on the config.  Is something not enabled?  Also, as I was typing I realized the 'in' is for inbound on the rule so logic says I can simply create a similar one with an 'out' and deny all traffic.  I look forward to a response.

Using 2391 out of 196600 bytes
!
! Last configuration change at 16:44:31 PCTime Wed Nov 28 2007
! NVRAM config last updated at 16:44:32 PCTime Wed Nov 28 2007
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip domain name
ip name-server 192.168.0.12
ip name-server 192.168.0.10
!
username  privilege 15 secret 5  
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 description $FW_OUTSIDE$$ES_WAN$
 bandwidth 1544
 ip address 172.16.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end
0
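A quick way to confirm that the filter is really in place is to parse the router's config and check that the WAN interface has an inbound access-group bound to an ACL that is actually defined. The checker below is an added Python example, not code from the thread or from Cisco; the two configs it audits are constructed excerpts modelled on the one pasted above, with the ACL lines from the accepted answer added to the second (the byte count in its header is made up). One detail worth noting: the pasted config begins with "Using 2391 out of 196600 bytes", which is the banner IOS prints for show startup-config, and that view only reflects CLI changes once the running configuration has been saved, so the checker flags that header as well.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the config pasted above ("before": no ACL yet).
# The first line is the banner 'show startup-config' prints on IOS.
STARTUP_BEFORE = """\
Using 2391 out of 196600 bytes
!
version 12.4
hostname cisco
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
!
interface Serial0/0/0
 description $FW_OUTSIDE$$ES_WAN$
 ip address 172.16.1.1 255.255.255.252
 service-module t1 timeslots 1-24
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
end
"""

# Constructed "after" state as 'show running-config' would print it once the
# accepted answer's commands have been entered (byte count is made up).
RUNNING_AFTER = """\
Current configuration : 2520 bytes
!
version 12.4
hostname cisco
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.0
!
interface Serial0/0/0
 description $FW_OUTSIDE$$ES_WAN$
 ip address 172.16.1.1 255.255.255.252
 ip access-group rdp in
 service-module t1 timeslots 1-24
!
ip access-list extended rdp
 permit tcp any host 192.168.0.5 eq 3389
 deny ip any any log
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
end
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their 'interface ...' or 'ip access-list ...' header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "ip access-list ")):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None  # '!' or any other global command ends the section
    return sections


def audit_wan_filter(config: str, wan_interface: str, expected_acl: str) -> List[str]:
    """Return a list of findings; an empty list means the filter is in place."""
    findings: List[str] = []
    lines = config.strip().splitlines()
    if lines and lines[0].startswith("Using ") and lines[0].endswith("bytes"):
        findings.append("this is 'show startup-config' output; CLI changes only appear "
                        "here after 'copy running-config startup-config'")
    sections = parse_sections(config)
    iface = sections.get(f"interface {wan_interface}")
    if iface is None:
        findings.append(f"{wan_interface}: interface not found")
        return findings
    bound: Dict[str, str] = {}  # direction -> ACL name
    for line in iface:
        m = re.match(r"ip access-group (\S+) (in|out)$", line)
        if m:
            bound[m.group(2)] = m.group(1)
    if "in" not in bound:
        findings.append(f"{wan_interface}: no inbound ACL, everything from the T1 is accepted")
    elif bound["in"] != expected_acl:
        findings.append(f"{wan_interface}: inbound ACL is {bound['in']}, expected {expected_acl}")
    for name in bound.values():
        entries = sections.get(f"ip access-list extended {name}")
        if entries is None:
            findings.append(f"ACL {name} is applied but never defined")
            continue
        if any(re.match(r"permit \S+ any any", e) for e in entries):
            findings.append(f"ACL {name} permits any source to any destination")
        if not any(e.startswith("deny ip any any") for e in entries):
            findings.append(f"ACL {name} has no explicit 'deny ip any any log' (drops go unlogged)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", STARTUP_BEFORE), ("after", RUNNING_AFTER)):
        print(label, audit_wan_filter(cfg, "Serial0/0/0", "rdp") or ["OK"])
```

Run against the "before" excerpt it reports the startup-config banner and the unfiltered serial interface; against the "after" excerpt it reports nothing. The same two checks (is the list bound, and is the bound list defined) are what a pair of show ip interface Serial0/0/0 and show access-lists on the live router would confirm.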
 
LVL 15

Accepted Solution

by: wingatesl (earned 500 total points)
There is no need to deny the out as the inbound access list restricts the traffic from returning simply because it is not RDP traffic. You only need the one.
It was a typo.
int ser 0/0/0
ip access-group rdp in
exit
ip access-list extended rdp
permit tcp any host 192.168.0.5 eq 3389
deny ip any any log
0
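To see why one inbound list on the terminal-server router is enough for TCP, and what it does not cover, here is an added Python model of first-match ACL evaluation; it is not code from the thread or from Cisco. It parses the subset of extended-ACL syntax used above (any/host addresses and eq ports, no wildcard masks) and walks a TCP handshake across the router: a session survives only if both the SYN and the SYN/ACK get through. The remote-office address 192.168.10.20 and the optional RDP_REPLY_OUT list are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ACL from the accepted answer, bound "in" on the
# terminal-server router's Serial0/0/0 (packets arriving from the T1).
RDP_IN = """
permit tcp any host 192.168.0.5 eq 3389
deny ip any any log
"""

# Constructed companion for the "out" direction of the same interface; NOT part
# of the thread. It only lets RDP replies from the server leave, so LAN-originated
# traffic that needs no reply (UDP, ICMP) cannot cross the T1 either.
RDP_REPLY_OUT = """
permit tcp host 192.168.0.5 eq 3389 any
deny ip any any log
"""


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: str              # "any" or a host address
    sport: Optional[int]  # 'eq' port on the source, if given
    dst: str
    dport: Optional[int]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny PROTO (any|host A) [eq P] (any|host B) [eq P] [log]'."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        i = 2

        def address():
            nonlocal i
            if tok[i] == "any":
                addr, i = "any", i + 1
            elif tok[i] == "host":
                addr, i = tok[i + 1], i + 2
            else:
                raise ValueError(f"unsupported address form: {line}")
            port = None
            if i < len(tok) and tok[i] == "eq":
                port, i = int(tok[i + 1]), i + 2
            return addr, port

        src, sport = address()
        dst, dport = address()
        entries.append(Entry(tok[0], tok[1], src, sport, dst, dport))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.src != "any" and e.src != pkt.src:
            continue
        if e.dst != "any" and e.dst != pkt.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def crosses_router(pkt: Packet, arriving_from_t1: bool, acl_in: List[Entry],
                   acl_out: Optional[List[Entry]] = None) -> bool:
    """Packets from the T1 are checked against acl_in; packets leaving toward it
    against acl_out, which is unfiltered when None (the thread's setup)."""
    acl = acl_in if arriving_from_t1 else acl_out
    return acl is None or evaluate(acl, pkt) == "permit"


def tcp_session_allowed(acl_in: List[Entry], client: str, cport: int, server: str,
                        sport: int, client_is_remote: bool,
                        acl_out: Optional[List[Entry]] = None) -> bool:
    """The session survives only if the SYN and the SYN/ACK both pass the router."""
    syn = Packet("tcp", client, server, cport, sport)
    synack = Packet("tcp", server, client, sport, cport)
    return (crosses_router(syn, client_is_remote, acl_in, acl_out)
            and crosses_router(synack, not client_is_remote, acl_in, acl_out))


if __name__ == "__main__":
    acl_in, remote, server = parse_acl(RDP_IN), "192.168.10.20", "192.168.0.5"
    print("remote -> server RDP:", tcp_session_allowed(acl_in, remote, 50123, server, 3389, True))
    print("remote -> server SMB:", tcp_session_allowed(acl_in, remote, 50124, server, 445, True))
    print("server -> remote RDP:", tcp_session_allowed(acl_in, server, 51000, remote, 3389, False))
    lan_udp = Packet("udp", "192.168.0.12", remote, 514, 514)
    print("LAN UDP out, inbound ACL only:", crosses_router(lan_udp, False, acl_in))
    print("LAN UDP out, with RDP_REPLY_OUT:", crosses_router(lan_udp, False, acl_in, parse_acl(RDP_REPLY_OUT)))
```

With RDP_IN alone, a connection opened from the server's LAN toward the remote office fails because its SYN/ACK arrives inbound with a destination port other than 3389, which is the effect the accepted answer describes. What an inbound list cannot stop is LAN-originated traffic that needs no answer (UDP, ICMP), since that only ever leaves the interface; that is the gap the constructed outbound companion list closes, and it is the one case where a second list on the remote end, as the asker wondered about, adds anything.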
 

Author Comment

by:BuildingITC
Sounds good!  Any idea why the changes do not appear in the config?
0
 

Author Comment

by:BuildingITC
That worked great.  Traffic is locked down as expected.  Thank you so much.
0
 
LVL 15

Expert Comment

by:wingatesl
My pleasure
0
