Cisco 2911 port 3389

Hi,
I think there is an entry on my router which is allowing me to just type in the external address of any of my servers in RDP and it just opens up fine.  Which entry is allowing all of my servers to be open like that.  I need help to close this direct RDP to all my servers except few.  Please help me locate which entry could that be.
ACL enclosed.
Help plz
forEEpuposesAccesslistNewFeb2011.txt
LVL 5
amanzoorNetwork infrastructure AdminAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
SeeMeShakinMyHeadConnect With a Mentor Commented:
Sorry, coffee is finally kicking in.

What you need is ip nat inside source static tcp 10.10.10.119 x.x.x.x 3389 to NAT the internal IP to external on port 3389.  Looks like right now you are publishing these servers on all ports.

Then you need to apply an ACL that locks down this type of access since the NAT will allow anyone to access.  I see you have an ACL 101 but dont see it applied to the external interface.  This needs to be done as well.
0
 
SeeMeShakinMyHeadCommented:
ip nat inside source list 10 interface GigabitEthernet0/1.92 overload
ip nat inside source static 10.10.10.119 x.x.x.x
ip nat inside source static 10.10.10.96 x.x.x.x
ip nat inside source static 10.10.10.39 x.x.x.x
ip nat inside source static 10.10.10.80 x.x.x.x.
ip nat inside source static 10.10.10.99 x.x.x.x.
ip nat inside source static 10.10.10.26 x.x.x.x.
ip nat inside source static 10.10.10.1 x.x.x.x.
ip nat inside source static 10.10.10.3 x.x.x.x.
ip nat inside source static 10.10.10.18 x.x.x.x.
ip nat inside source static 10.10.10.101 x.x.x.x.
ip nat inside source static 10.10.11.1 x.x.x.x.
ip nat inside source static 10.10.11.120 x.x.x.x.

access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389

The above config looks like you are publishing all those 10.x.x.x servers and allowing external RDP from a 199.x address.  Can you access from any external IP address?  Are the the "few" servers that you still want to access externally?

Not to get into your business, but this is still not a very good idea.  I would setup this router to be a L2TP/IPSEC VPN tunnel endpoint and VPN to the router to access these servers by their internal IP address.  You will be a lot more secure that way - even though it may be locked down to a specific external source, there is the potentional for address spoofing that this router will not detect.  Do you have an external IPS in the mix somewhere?
0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
seemee:
Yes its true, there is only one external IP which had RDP installed and one of my clients could not get into it, so when I put this entry she could.
access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389
What should I do, I have to secure my network as well as allow one of my windows 7clients to access 199.x.x.x.x server throug RDP?
Yes its true I am able to RDP into any of my servers from any External right now.  
*** Do you have an external IPS in the mix somewhere? ****
Did you mean I have a vacant external IP.  Yes I can release one from my list ?
Another thing I have noticed is that I am able to telnet directly into my router now.  Previously it was not possible.  May be the direct RDP and this telnet from any external related?
Help
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
lrmooreConnect With a Mentor Commented:
Looks like you simply need to re-apply acl 101 to the Internet interface

interface GigabitEthernet0/1.92
 ip access-group 101 in

0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
Good job guys,
access-group 101 was not even applied to hte interface.  Solved.  Thanks for your time.
0
 
SeeMeShakinMyHeadCommented:
No problem. Sometimes an external perspective is all you need. Cheers!
0
All Courses

From novice to tech pro — start learning today.