amanzoor

Cisco 2911 port 3389

Hi,
I think there is an entry on my router which is allowing me to just type in the external address of any of my servers in RDP and it just opens up fine. Which entry is allowing all of my servers to be open like that? I need help to close this direct RDP to all my servers except a few. Please help me locate which entry that could be.
ACL enclosed.
Help plz
forEEpuposesAccesslistNewFeb2011.txt
SeeMeShakinMyHead

ip nat inside source list 10 interface GigabitEthernet0/1.92 overload
ip nat inside source static 10.10.10.119 x.x.x.x
ip nat inside source static 10.10.10.96 x.x.x.x
ip nat inside source static 10.10.10.39 x.x.x.x
ip nat inside source static 10.10.10.80 x.x.x.x.
ip nat inside source static 10.10.10.99 x.x.x.x.
ip nat inside source static 10.10.10.26 x.x.x.x.
ip nat inside source static 10.10.10.1 x.x.x.x.
ip nat inside source static 10.10.10.3 x.x.x.x.
ip nat inside source static 10.10.10.18 x.x.x.x.
ip nat inside source static 10.10.10.101 x.x.x.x.
ip nat inside source static 10.10.11.1 x.x.x.x.
ip nat inside source static 10.10.11.120 x.x.x.x.

access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389

The above config looks like you are publishing all those 10.x.x.x servers and allowing external RDP from a 199.x address. Can you access from any external IP address? Are these the "few" servers that you still want to access externally?

Not to get into your business, but this is still not a very good idea. I would set up this router to be an L2TP/IPsec VPN tunnel endpoint and VPN to the router to access these servers by their internal IP address. You will be a lot more secure that way - even though it may be locked down to a specific external source, there is the potential for address spoofing that this router will not detect. Do you have an external IPS in the mix somewhere?
amanzoor (ASKER)

seemee:
Yes, it's true, there is only one external IP which had RDP installed and one of my clients could not get into it, so when I put in this entry she could.
access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389
What should I do? I have to secure my network as well as allow one of my Windows 7 clients to access the 199.x.x.x.x server through RDP.
Yes, it's true, I am able to RDP into any of my servers from any external address right now.
*** Do you have an external IPS in the mix somewhere? ****
Did you mean I have a vacant external IP.  Yes I can release one from my list ?
Another thing I have noticed is that I am able to telnet directly into my router now. Previously it was not possible. Maybe the direct RDP and this telnet from any external address are related?
Help
ASKER CERTIFIED SOLUTION
SeeMeShakinMyHead
(Solution text only available to Experts Exchange members.)
SOLUTION
Les Moore
(Solution text only available to Experts Exchange members.)
Good job guys,
access-group 101 was not even applied to the interface. Solved. Thanks for your time.
No problem. Sometimes an external perspective is all you need. Cheers!
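As an added example, not from the thread or from either responder: a small Python audit that reads an IOS-style config and reports the two things this thread turned on, namely static NAT entries that expose every inside host and an access-list that is defined but never applied with `ip access-group` or referenced by NAT. The sample config is constructed in the shape of the one posted above, with the redacted addresses replaced by RFC 5737 documentation-range values, and the interface name is assumed to be the NAT outside interface.

```python
import re

# Constructed sample shaped like the thread's config; not the asker's file.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.92
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
ip nat inside source list 10 interface GigabitEthernet0/1.92 overload
ip nat inside source static 10.10.10.119 203.0.113.10
ip nat inside source static 10.10.10.96 203.0.113.11
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 101 permit tcp host 198.51.100.7 host 203.0.113.10 eq 3389
"""

def audit(config):
    """Parse an IOS-style config into ACL definitions, ACL references, static NATs."""
    defined, referenced, static_nat, outside = set(), set(), [], set()
    iface = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            iface = None  # a global command ends interface sub-mode
        if m := re.match(r"^interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"^access-list (\d+) ", line):
            defined.add(m.group(1))
        elif iface and re.match(r"^ ip nat outside$", line):
            outside.add(iface)
        elif m := re.match(r"^ ip access-group (\S+) (?:in|out)$", line):
            referenced.add(m.group(1))  # applied to an interface
        elif m := re.match(r"^ip nat inside source list (\S+) ", line):
            referenced.add(m.group(1))  # used by PAT, so not "unapplied"
        elif m := re.match(r"^ip nat inside source static (\S+) (\S+)", line):
            static_nat.append((m.group(1), m.group(2)))
    return defined, referenced, static_nat, outside

def findings(config):
    """ACLs defined but never applied/referenced, plus every statically exposed host."""
    defined, referenced, static_nat, outside = audit(config)
    return {
        "unapplied_acls": sorted(defined - referenced),
        "exposed_hosts": [inside for inside, _ in static_nat],
        "outside_interfaces": sorted(outside),
    }

if __name__ == "__main__":
    for key, value in findings(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Adding ` ip access-group 101 in` under the outside interface in the sample clears the unapplied-ACL finding, which is exactly the fix the asker reported; the exposed-host list is the reminder that every static NAT line is a published server regardless of the ACL.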