Solved

Cisco 2911  port 3389

Posted on 2011-02-11
6
991 Views
Last Modified: 2012-05-11
Hi,
I think there is an entry on my router which is allowing me to just type in the external address of any of my servers in RDP and it just opens up fine.  Which entry is allowing all of my servers to be open like that.  I need help to close this direct RDP to all my servers except few.  Please help me locate which entry could that be.
ACL enclosed.
Help plz
forEEpuposesAccesslistNewFeb2011.txt
0
Comment
Question by:amanzoor
  • 3
  • 2
6 Comments
 
LVL 8

Expert Comment

by:SeeMeShakinMyHead
ID: 34878123
ip nat inside source list 10 interface GigabitEthernet0/1.92 overload
ip nat inside source static 10.10.10.119 x.x.x.x
ip nat inside source static 10.10.10.96 x.x.x.x
ip nat inside source static 10.10.10.39 x.x.x.x
ip nat inside source static 10.10.10.80 x.x.x.x.
ip nat inside source static 10.10.10.99 x.x.x.x.
ip nat inside source static 10.10.10.26 x.x.x.x.
ip nat inside source static 10.10.10.1 x.x.x.x.
ip nat inside source static 10.10.10.3 x.x.x.x.
ip nat inside source static 10.10.10.18 x.x.x.x.
ip nat inside source static 10.10.10.101 x.x.x.x.
ip nat inside source static 10.10.11.1 x.x.x.x.
ip nat inside source static 10.10.11.120 x.x.x.x.

access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389

The above config looks like you are publishing all those 10.x.x.x servers and allowing external RDP from a 199.x address.  Can you access from any external IP address?  Are the the "few" servers that you still want to access externally?

Not to get into your business, but this is still not a very good idea.  I would setup this router to be a L2TP/IPSEC VPN tunnel endpoint and VPN to the router to access these servers by their internal IP address.  You will be a lot more secure that way - even though it may be locked down to a specific external source, there is the potentional for address spoofing that this router will not detect.  Do you have an external IPS in the mix somewhere?
0
 
LVL 4

Author Comment

by:amanzoor
ID: 34878325
seemee:
Yes its true, there is only one external IP which had RDP installed and one of my clients could not get into it, so when I put this entry she could.
access-list 101 permit tcp host 199.x.x.x.x. host 6x.x.x.x. eq 3389
What should I do, I have to secure my network as well as allow one of my windows 7clients to access 199.x.x.x.x server throug RDP?
Yes its true I am able to RDP into any of my servers from any External right now.  
*** Do you have an external IPS in the mix somewhere? ****
Did you mean I have a vacant external IP.  Yes I can release one from my list ?
Another thing I have noticed is that I am able to telnet directly into my router now.  Previously it was not possible.  May be the direct RDP and this telnet from any external related?
Help
0
 
LVL 8

Accepted Solution

by:
SeeMeShakinMyHead earned 400 total points
ID: 34878519
Sorry, coffee is finally kicking in.

What you need is ip nat inside source static tcp 10.10.10.119 x.x.x.x 3389 to NAT the internal IP to external on port 3389.  Looks like right now you are publishing these servers on all ports.

Then you need to apply an ACL that locks down this type of access since the NAT will allow anyone to access.  I see you have an ACL 101 but dont see it applied to the external interface.  This needs to be done as well.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 34880160
Looks like you simply need to re-apply acl 101 to the Internet interface

interface GigabitEthernet0/1.92
 ip access-group 101 in

0
 
LVL 4

Author Closing Comment

by:amanzoor
ID: 34880653
Good job guys,
access-group 101 was not even applied to hte interface.  Solved.  Thanks for your time.
0
 
LVL 8

Expert Comment

by:SeeMeShakinMyHead
ID: 34881076
No problem. Sometimes an external perspective is all you need. Cheers!
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

In a WLAN, anything you broadcast over the air can be intercepted.  By default a wireless network is wide open to all until security is configured. Even when security is configured information can still be intercepted! It is very important that you …
This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now