  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 236

Allowing RDP through Cisco router

OK, simply put: we have a vendor that needs to have access to an internal server. I created a NAT rule to allow 3389 traffic to go to that server, but it lets everyone to it. I want to restrict access to that server based on their public IP. Attached is the config. Thanks.
Attachment: cobrun.txt
Asked by: jasonmichel
1 Solution
 
JFrederick29 commented:
You can apply an access-list to the WAN interface that only allows RDP from your vendor (x.x.x.x).

conf t
ip access-list extended internet-in
permit tcp host x.x.x.x host 70.62.43.150 eq 3389  <--where x.x.x.x is the public IP of your vendor
deny tcp any host 70.62.43.150 eq 3389
permit ip any any

int g0/0
ip access-group internet-in in
 
jasonmichel (Author) commented:
I am going to get ahold of the vendor to test... but I think that will work. Thanks. Just another quick question: if I wanted to add another host to be allowed to get to that server, how do I add a sequence to the NACL?

Thanks
 
JFrederick29 commented:
If you do a "show access-list internet-in", you will see line numbers next to the access-list.

For example:

10 permit tcp host x.x.x.x host 70.62.43.150 eq 3389
20 deny tcp any host 70.62.43.150 eq 3389
30 permit ip any any

Simply add the new entry with a line number to insert the permit before the deny.

conf t
ip access-list ext internet-in
12 permit tcp host y.y.y.y host 70.62.43.150 eq 3389    <--where y.y.y.y is the new vendor IP

Your new access would look like this:

10 permit tcp host x.x.x.x host 70.62.43.150 eq 3389
12 permit tcp host y.y.y.y host 70.62.43.150 eq 3389
20 deny tcp any host 70.62.43.150 eq 3389
30 permit ip any any
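To make the first-match rule behind this answer concrete (why the new permit needs a sequence number below the deny, and what happens if you just append it), here is an added Python model of IOS extended-ACL evaluation. It is example code written for this page, not the thread's configuration or any Cisco tool. The server address 70.62.43.150 is the one from the thread; the two vendor addresses and the "stranger" address are constructed from RFC 5737 documentation ranges, and the parser only understands the entry forms used in the thread (any, host, address plus wildcard, optional eq port).

```python
"""Model of IOS extended-ACL evaluation (first match in sequence order wins, unmatched
traffic hits the implicit deny). Added example for this page, not the thread's config."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER = "70.62.43.150"     # NAT address of the internal server (from the thread)
VENDOR_A = "198.51.100.10"  # constructed stand-in for the first vendor (x.x.x.x)
VENDOR_B = "203.0.113.25"   # constructed stand-in for the second vendor (y.y.y.y)
STRANGER = "192.0.2.77"     # constructed: any other internet host

@dataclass(frozen=True)
class AddrMatch:
    """IOS address plus wildcard mask; a 1 bit in the wildcard means 'don't care'."""
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(ip)) & care) == (self.addr & care)

ANY = AddrMatch(0, 0xFFFFFFFF)

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int]  # destination port from "eq N", None if absent

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return self.src.matches(src) and self.dst.matches(dst)

def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    # Accepts 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return AddrMatch(int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return AddrMatch(addr, wild), i + 2

class ExtendedAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: Dict[int, Ace] = {}

    def add(self, line: str) -> Ace:
        """One entry as typed at the access-list prompt; no leading number means IOS appends it (last + 10)."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else max(self.aces, default=0) + 10
        if seq in self.aces:
            raise ValueError(f"sequence {seq} already used in {self.name}")
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens):
            if tokens[i] != "eq" or len(tokens) != i + 2:
                raise ValueError(f"unsupported entry: {line}")
            dport = int(tokens[i + 1])
        self.aces[seq] = Ace(seq, action, proto, src, dst, dport)
        return self.aces[seq]

    def remove(self, seq: int) -> None:
        del self.aces[seq]  # equivalent of 'no <seq>' inside the access-list

    def evaluate(self, proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
        """Return (action, sequence of the matching entry); no match is the implicit deny."""
        for seq in sorted(self.aces):
            if self.aces[seq].matches(proto, src, dst, dport):
                return self.aces[seq].action, seq
        return "deny", None

def build_internet_in() -> ExtendedAcl:
    """The ACL from the accepted answer, with VENDOR_A standing in for x.x.x.x."""
    acl = ExtendedAcl("internet-in")
    acl.add(f"permit tcp host {VENDOR_A} host {SERVER} eq 3389")  # becomes 10
    acl.add(f"deny tcp any host {SERVER} eq 3389")                 # becomes 20
    acl.add("permit ip any any")                                   # becomes 30
    return acl

if __name__ == "__main__":
    acl = build_internet_in()
    print(acl.evaluate("tcp", VENDOR_A, SERVER, 3389))  # ('permit', 10)
    print(acl.evaluate("tcp", STRANGER, SERVER, 3389))  # ('deny', 20)
    # Appending VENDOR_B without a sequence number puts it at 40, after the deny at 20,
    # so that vendor stays blocked; inserting it at 12 is what makes it work.
    acl.add(f"permit tcp host {VENDOR_B} host {SERVER} eq 3389")
    print(acl.evaluate("tcp", VENDOR_B, SERVER, 3389))  # ('deny', 20)
    acl.remove(40)
    acl.add(f"12 permit tcp host {VENDOR_B} host {SERVER} eq 3389")
    print(acl.evaluate("tcp", VENDOR_B, SERVER, 3389))  # ('permit', 12)
```

The model also shows why the trailing "permit ip any any" matters: everything that is not RDP to the server (port 443 to the server, or UDP to it) falls through to sequence 30, while an access-list with no entries at all returns the implicit deny. An entry with a wildcard mask (for example 198.51.100.0 0.0.0.255) is handled the same way, so the same check covers a vendor that comes from a whole block rather than a single host.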
jasonmichel (Author) commented:
I def want the sequence number to be lower than the deny sequence number, correct?
 
JFrederick29 commented:
Yes, the permit needs to be before the deny so you can choose any number between 10 and 20 (11-19).
 
jasonmichel (Author) commented:
Added my home IP to it and tested. It worked. Thanks for the simple yet great instructions.
 
jasonmichel (Author) commented:
Thanks for the help, you made it very simple to understand and it did exactly what I needed it to.