Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1054
  • Last Modified:

Cisco 2911 port 3389

Hi,
I think there is an entry on my router which is allowing me to just type in the external address of any of my servers in RDP and it just opens up fine.  Which entry is allowing all of my servers to be open like that.  I need help to close this direct RDP to all my servers except few.  Please help me locate which entry could that be.
ACL enclosed.
Help plz
forEEpuposesAccesslistNewFeb2011.txt
0
amanzoor
Asked:
amanzoor
  • 3
  • 2
2 Solutions
 
SeeMeShakinMyHeadCommented:
ip nat inside source list 10 interface GigabitEthernet0/1.92 overload
ip nat inside source static 10.10.10.119 x.x.x.x
ip nat inside source static 10.10.10.96 x.x.x.x
ip nat inside source static 10.10.10.39 x.x.x.x
ip nat inside source static 10.10.10.80 x.x.x.x.
ip nat inside source static 10.10.10.99 x.x.x.x.
ip nat inside source static 10.10.10.26 x.x.x.x.
ip nat inside source static 10.10.10.1 x.x.x.x.
ip nat inside source static 10.10.10.3 x.x.x.x.
ip nat inside source static 10.10.10.18 x.x.x.x.
ip nat inside source static 10.10.10.101 x.x.x.x.
ip nat inside source static 10.10.11.1 x.x.x.x.
ip nat inside source static 10.10.11.120 x.x.x.x.

access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389

The above config looks like you are publishing all those 10.x.x.x servers and allowing external RDP from a 199.x address.  Can you access from any external IP address?  Are the the "few" servers that you still want to access externally?

Not to get into your business, but this is still not a very good idea.  I would setup this router to be a L2TP/IPSEC VPN tunnel endpoint and VPN to the router to access these servers by their internal IP address.  You will be a lot more secure that way - even though it may be locked down to a specific external source, there is the potentional for address spoofing that this router will not detect.  Do you have an external IPS in the mix somewhere?
0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
seemee:
Yes its true, there is only one external IP which had RDP installed and one of my clients could not get into it, so when I put this entry she could.
access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389
What should I do, I have to secure my network as well as allow one of my windows 7clients to access 199.x.x.x.x server throug RDP?
Yes its true I am able to RDP into any of my servers from any External right now.  
*** Do you have an external IPS in the mix somewhere? ****
Did you mean I have a vacant external IP.  Yes I can release one from my list ?
Another thing I have noticed is that I am able to telnet directly into my router now.  Previously it was not possible.  May be the direct RDP and this telnet from any external related?
Help
0
 
SeeMeShakinMyHeadCommented:
Sorry, coffee is finally kicking in.

What you need is ip nat inside source static tcp 10.10.10.119 x.x.x.x 3389 to NAT the internal IP to external on port 3389.  Looks like right now you are publishing these servers on all ports.

Then you need to apply an ACL that locks down this type of access since the NAT will allow anyone to access.  I see you have an ACL 101 but dont see it applied to the external interface.  This needs to be done as well.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
lrmooreCommented:
Looks like you simply need to re-apply acl 101 to the Internet interface

interface GigabitEthernet0/1.92
 ip access-group 101 in

0
 
amanzoorNetwork infrastructure AdminAuthor Commented:
Good job guys,
access-group 101 was not even applied to hte interface.  Solved.  Thanks for your time.
0
 
SeeMeShakinMyHeadCommented:
No problem. Sometimes an external perspective is all you need. Cheers!
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now