Solved

Cisco 2911  port 3389

Posted on 2011-02-11
1,048 Views
Last Modified: 2012-05-11
Hi,
I think there is an entry on my router which is allowing me to just type in the external address of any of my servers in RDP and it just opens up fine. Which entry is allowing all of my servers to be open like that? I need help to close this direct RDP to all my servers except a few. Please help me locate which entry that could be.
ACL enclosed.
Help plz
forEEpuposesAccesslistNewFeb2011.txt
Question by:amanzoor
6 Comments
 
LVL 8

Expert Comment

by:SeeMeShakinMyHead
ID: 34878123
ip nat inside source list 10 interface GigabitEthernet0/1.92 overload
ip nat inside source static 10.10.10.119 x.x.x.x
ip nat inside source static 10.10.10.96 x.x.x.x
ip nat inside source static 10.10.10.39 x.x.x.x
ip nat inside source static 10.10.10.80 x.x.x.x.
ip nat inside source static 10.10.10.99 x.x.x.x.
ip nat inside source static 10.10.10.26 x.x.x.x.
ip nat inside source static 10.10.10.1 x.x.x.x.
ip nat inside source static 10.10.10.3 x.x.x.x.
ip nat inside source static 10.10.10.18 x.x.x.x.
ip nat inside source static 10.10.10.101 x.x.x.x.
ip nat inside source static 10.10.11.1 x.x.x.x.
ip nat inside source static 10.10.11.120 x.x.x.x.

access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389

The above config looks like you are publishing all those 10.x.x.x servers and allowing external RDP from a 199.x address. Can you access from any external IP address? Are these the "few" servers that you still want to access externally?

Not to get into your business, but this is still not a very good idea. I would set up this router to be an L2TP/IPsec VPN tunnel endpoint and VPN to the router to access these servers by their internal IP address. You will be a lot more secure that way - even though it may be locked down to a specific external source, there is the potential for address spoofing that this router will not detect. Do you have an external IPS in the mix somewhere?
 
LVL 4

Author Comment

by:amanzoor
ID: 34878325
seemee:
Yes, it's true, there is only one external IP which had RDP installed, and one of my clients could not get into it, so when I put this entry she could.
access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389
What should I do? I have to secure my network as well as allow one of my Windows 7 clients to access the 199.x.x.x.x server through RDP.
Yes, it's true, I am able to RDP into any of my servers from any external right now.
*** Do you have an external IPS in the mix somewhere? ****
Did you mean I have a vacant external IP? Yes, I can release one from my list.
Another thing I have noticed is that I am able to telnet directly into my router now. Previously it was not possible. Maybe the direct RDP and this telnet from any external are related?
Help
 
LVL 8

Accepted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 1600 total points
ID: 34878519
Sorry, coffee is finally kicking in.

What you need is ip nat inside source static tcp 10.10.10.119 x.x.x.x 3389 to NAT the internal IP to external on port 3389.  Looks like right now you are publishing these servers on all ports.

Then you need to apply an ACL that locks down this type of access, since the NAT will allow anyone to access. I see you have an ACL 101 but don't see it applied to the external interface. This needs to be done as well.

 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 34880160
Looks like you simply need to re-apply acl 101 to the Internet interface

interface GigabitEthernet0/1.92
 ip access-group 101 in

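An added audit check, not from this thread or from Cisco, that scans an IOS running-config for the two exposures the two answers above identify: static NAT entries without a tcp/udp keyword (which publish the inside host on every port) and access lists that are defined but never applied to an interface with ip access-group. SAMPLE_CONFIG is constructed for the example; its addresses are documentation-range placeholders, not the poster's.

```python
import re

# Constructed sample modelled on the config quoted in the thread: one 1:1 static NAT
# (all ports), one port-specific static NAT, and ACL 101 defined but never applied.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.92
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
ip nat inside source list 10 interface GigabitEthernet0/1.92 overload
ip nat inside source static 10.10.10.119 203.0.113.10
ip nat inside source static tcp 10.10.10.96 3389 203.0.113.11 3389
access-list 101 permit tcp host 198.51.100.7 host 203.0.113.11 eq 3389
"""

# Optional protocol keyword distinguishes the port-restricted form from the 1:1 form.
STATIC_NAT = re.compile(r"^ip nat inside source static(?: (tcp|udp))? (\S+)")
# Numbered ACL definitions and named (standard/extended) ACL headers.
ACL_DEF = re.compile(r"^(?:access-list (\d+)|ip access-list (?:standard|extended) (\S+))")
# ACL application lines live indented under an interface block.
ACL_APPLY = re.compile(r"^\s+ip access-group (\S+) (in|out)")


def audit_config(config):
    """Return inside hosts published on every port and ACLs applied to no interface."""
    all_ports = []
    defined, applied = set(), set()
    for line in config.splitlines():
        m = STATIC_NAT.match(line)
        if m:
            proto, inside = m.groups()
            if proto is None:  # no tcp/udp keyword: every port is forwarded to the host
                all_ports.append(inside)
            continue
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
            continue
        m = ACL_APPLY.match(line)
        if m:
            applied.add(m.group(1))
    return {"all_port_statics": all_ports, "unapplied_acls": sorted(defined - applied)}


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Adding " ip access-group 101 in" under the GigabitEthernet0/1.92 block, as lrmoore suggests, empties the unapplied_acls list; converting the remaining 1:1 static to the tcp form empties all_port_statics.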
 
LVL 4

Author Closing Comment

by:amanzoor
ID: 34880653
Good job guys,
access-group 101 was not even applied to the interface. Solved. Thanks for your time.
 
LVL 8

Expert Comment

by:SeeMeShakinMyHead
ID: 34881076
No problem. Sometimes an external perspective is all you need. Cheers!
