Solved

Cisco 2811 blocking remote desktop - help with map-policy statement?

Posted on 2011-04-29
Last Modified: 2012-05-11
I have an internal user that needs to remote desktop to an external internet server. I can traceroute and ping from his desktop to that server. I have a Cisco 2811 that is internet facing that I think is blocking the remote desktop. It does not have access lists, but has a map-policy which I am unfamiliar with, and I can't seem to find much when I google about doing a remote desktop on a map-policy. Could someone look at this and let me know if you can add remote desktop as a policy, or if something else is blocking it, or whether I need to build an access list? Let me know if you need the whole config.

class-map type inspect match-any internet-traffic-class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ftp
match protocol ftps
match protocol ssh
match protocol ntp
match protocol telnet
match protocol ica
match protocol imap
!
!
policy-map type inspect internal-internet-policy
class type inspect internet-traffic-class
inspect
class class-default
drop
!
zone security internal (applied to Internal interface further in config)
description internal network
zone security internet (applied to Internet facing interface further in config)
description outside
zone-pair security internal-internet source internal destination internet
service-policy type inspect internal-internet-policy
!
!

 
Question by:centralpennit
7 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 35492133
Complete config would help, but you may just need an ACL to allow the RDP connection from the internal zone to the internet zone.
0
 

Author Comment

by:centralpennit
ID: 35492179
OK, so that would be port 3389? Could you show me? Thanks!


Config -
Current configuration : 4851 bytes
!
! Last configuration change at 20:30:37 EST Tue Mar 8 2011 by admin
! NVRAM config last updated at 20:31:07 EST Tue Mar 8 2011 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname InetRtr
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-24.T1.bin
boot-end-marker
!
logging message-counter syslog
logging console informational
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST -4
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name centralpenn.edu
ip multicast-routing
no ipv6 cef
ntp server 10.254.254.9
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
username admin privilege 15 password 7 XXXXXXXXX
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key secret address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set aes-crypto esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile tunnel_crypto
set transform-set aes-crypto
!
!
archive
log config
 hidekeys
!
!
ip scp server enable
!
track 10 ip sla 1 reachability
!
class-map type inspect match-any internet-traffic-class
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ftp
match protocol ftps
match protocol ssh
match protocol ntp
match protocol telnet
match protocol ica
match protocol imap
!
!
policy-map type inspect internal-internet-policy
class type inspect internet-traffic-class
 inspect
class class-default
 drop
!
zone security internal
description internal network
zone security internet
description outside
zone-pair security internal-internet source internal destination internet
service-policy type inspect internal-internet-policy
!
!
!
!
interface Tunnel0
bandwidth 2000
bandwidth receive 8000
ip address XXX.XXX.XXX.XXX 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip nhrp authentication dmvpn!
ip nhrp map multicast dynamic
ip nhrp map 10.254.1.1 XXX.XXX.XXX.XXX
ip nhrp map multicast XXX.XXX.XXX.XXX
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.254.1.1
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
zone-member security internal
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
load-interval 30
delay 5000
qos pre-classify
tunnel source FastEthernet0/0.254
tunnel mode gre multipoint
tunnel key 1000
tunnel protection ipsec profile tunnel_crypto
!
interface FastEthernet0/0
bandwidth 2000
bandwidth receive 8000
no ip address
ip flow ingress
duplex full
speed auto
no mop enabled
!
interface FastEthernet0/0.253
description lancaster lan edge
encapsulation dot1Q 253
ip address XXX.XXX.XXX.XXX 255.255.255.248
no ip redirects
ip flow ingress
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
zone-member security internal
!
interface FastEthernet0/0.254
description internet edge
encapsulation dot1Q 254
ip address XXX.XXX.XXX.XXX 255.255.255.248
no ip redirects
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security internet
!
interface FastEthernet0/1
no ip address
no ip proxy-arp
shutdown
duplex auto
speed auto
!
router eigrp 100
redistribute static route-map eigrp-default-only
network 10.0.0.0
distribute-list route-map eigrp-tag out
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX track 10
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 254
ip route XXX.XXX.XXX.XXX 255.255.255.0 Null0
no ip http server
no ip http secure-server
!
ip as-path access-list 10 permit ^$
!
ip nat inside source list outbound_nat interface FastEthernet0/0.254 overload
!
ip access-list standard outbound_nat
permit 172.16.0.0 0.0.255.255
permit 10.254.0.0 0.0.255.255
!
!
ip prefix-list default-only seq 5 permit 0.0.0.0/0
ip sla 1
icmp-echo 68.86.209.6
timeout 300
frequency 30
ip sla schedule 1 life forever start-time now
!
!
!
!
route-map eigrp-default-only permit 10
match ip address prefix-list default-only
set metric 8000 100 255 1 1500
!
route-map dmvpn_networks permit 10
set local-preference 90
!
route-map eigrp-tag permit 10
set tag 10
!
!
!
control-plane
!
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 15 0
password 7 xxxxxxxxxxxxx
transport input telnet ssh
!
scheduler allocate 20000 1000
end



Edited at request of author by letenglandshake, EE Moderator
0
 
LVL 35

Accepted Solution

by: Ernie Beek (earned 500 total points)
ID: 35905094
A bit late, but perhaps you can still make use of it.

You have a router with a zone-based firewall that drops anything that isn't defined in: class type inspect internet-traffic-class
So to allow that, you need to define and add rdp to that class map.

Do the following:
in configuration mode:
ip port-map rdp port 3389

Go to the class map:
class-map type inspect match-any internet-traffic-class

and add rdp:

match protocol rdp

then ^Z
wr mem

and you should be good to go :)
0
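To make the mechanism behind the question and the accepted answer concrete, here is an added Python example (not code from the thread, from Cisco, or from any poster) that parses the ZBF-relevant blocks out of an IOS running config and resolves a single "is TCP/3389 inspected from zone internal to zone internet?" lookup against them. The built-in protocol-to-port table, the parser's choice to treat an unqualified `ip port-map name port N` as TCP, and the before/after sample configs are all assumptions constructed for this example; the defaults it encodes (intrazone traffic passes, interzone traffic with no zone-pair is dropped, an unmatched packet falls to class-default) follow documented IOS zone-based firewall behaviour.

```python
"""Added example: audit a Cisco IOS zone-based firewall (ZBF) config. Parses ip port-map,
class-map/policy-map type inspect and zone-pair blocks, then resolves one port lookup."""
import re
from dataclasses import dataclass, field

# Assumed subset of IOS's built-in port-map table (name -> {(l4, port)}); icmp has no L4 port.
BUILTIN_PORTS = {
    "http": {("tcp", 80)}, "https": {("tcp", 443)}, "dns": {("udp", 53), ("tcp", 53)},
    "ssh": {("tcp", 22)}, "telnet": {("tcp", 23)}, "imap": {("tcp", 143)},
}
TOP = {  # top-level commands that open (or are) a block this auditor cares about
    "port_map": re.compile(r"^ip port-map (\S+) port (?:(tcp|udp) )?(\d+)$"),
    "class_map": re.compile(r"^class-map type inspect (match-any|match-all) (\S+)$"),
    "policy_map": re.compile(r"^policy-map type inspect (\S+)$"),
    "zone_pair": re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)$"),
}

@dataclass
class ZbfConfig:
    port_maps: dict = field(default_factory=dict)    # app name -> {(l4, port)}
    class_maps: dict = field(default_factory=dict)   # name -> (mode, [protocol names])
    policy_maps: dict = field(default_factory=dict)  # name -> [(class name, action)] in order
    zone_pairs: dict = field(default_factory=dict)   # (src zone, dst zone) -> policy-map name

def parse_zbf(text):
    # Builds a ZbfConfig from running-config text; IOS indentation is not required.
    cfg, ctx, cur_class = ZbfConfig(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TOP["port_map"].match(line):
            l4 = m.group(2) or "tcp"  # assumption: an unqualified port number means TCP
            cfg.port_maps.setdefault(m.group(1), set()).add((l4, int(m.group(3))))
            ctx = None
        elif m := TOP["class_map"].match(line):
            ctx = ("class-map", m.group(2))
            cfg.class_maps[m.group(2)] = (m.group(1), [])
        elif m := TOP["policy_map"].match(line):
            ctx, cur_class = ("policy-map", m.group(1)), None
            cfg.policy_maps[m.group(1)] = []
        elif m := TOP["zone_pair"].match(line):
            ctx = ("zone-pair", (m.group(1), m.group(2)))
        elif ctx and ctx[0] == "class-map" and line.startswith("match protocol "):
            cfg.class_maps[ctx[1]][1].append(line.split()[2])
        elif ctx and ctx[0] == "policy-map" and line.startswith("class "):
            cur_class = line.split()[-1]  # "class type inspect X" or "class class-default"
        elif ctx and ctx[0] == "policy-map" and cur_class and line.split()[0] in ("inspect", "drop", "pass"):
            cfg.policy_maps[ctx[1]].append((cur_class, line.split()[0]))
        elif ctx and ctx[0] == "zone-pair" and line.startswith("service-policy type inspect "):
            cfg.zone_pairs[ctx[1]] = line.split()[-1]
        else:
            ctx, cur_class = None, None  # "!" or an unrelated command closes the block
    return cfg

def class_matches(cfg, class_name, l4, port):
    # match-any: one listed protocol covering (l4, port) is enough; match-all: every one must
    mode, protocols = cfg.class_maps.get(class_name, ("match-any", []))
    hits = [(l4, port) in cfg.port_maps.get(p, set()) | BUILTIN_PORTS.get(p, set())
            for p in protocols]
    return any(hits) if mode == "match-any" else bool(hits) and all(hits)

def evaluate(cfg, src_zone, dst_zone, l4, port):
    """Return 'inspect', 'pass' or 'drop' for l4/port initiated from src_zone to dst_zone."""
    if src_zone == dst_zone:
        return "pass"  # ZBF permits intrazone traffic by default
    policy = cfg.zone_pairs.get((src_zone, dst_zone))
    if policy is None:
        return "drop"  # no zone-pair for this direction: interzone default is drop
    for cls, action in cfg.policy_maps.get(policy, []):
        if cls == "class-default" or class_matches(cfg, cls, l4, port):
            return action
    return "drop"  # implicit class-default

def audit(config_text, src_zone, dst_zone, l4, port):
    return evaluate(parse_zbf(config_text), src_zone, dst_zone, l4, port)

# Constructed 'before' config, modelled on the thread's class-map/policy-map/zone-pair excerpt.
BEFORE_CONFIG = """\
class-map type inspect match-any internet-traffic-class
 match protocol http
 match protocol icmp
 match protocol ssh
!
policy-map type inspect internal-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
  drop
!
zone-pair security internal-internet source internal destination internet
 service-policy type inspect internal-internet-policy
!
"""
# The accepted answer's fix: name the application with ip port-map, then match it in the class-map.
AFTER_CONFIG = "ip port-map rdp port 3389\n" + BEFORE_CONFIG.replace(
    " match protocol ssh\n", " match protocol ssh\n match protocol rdp\n")
if __name__ == "__main__":
    for label, text in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"{label}: tcp/3389 internal->internet:", audit(text, "internal", "internet", "tcp", 3389))
```

Run stand-alone it reports `drop` for the before config and `inspect` for the after config, which is exactly the difference the accepted answer describes: with `match-any` and a `class-default` of `drop`, a protocol the class-map does not name never reaches `inspect`, and `ip port-map` is what gives the router a name to match on. The same lookup run in the reverse direction (`internet` to `internal`) returns `drop`, because the config on this page defines only the one zone-pair; that is worth confirming when auditing a ZBF config, since it is the inbound direction, not the outbound one, that usually deserves the scrutiny.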
LVL 35

Expert Comment

by:Ernie Beek
ID: 35905104
0
 

Author Comment

by:centralpennit
ID: 35914955
Thanks!  It's working.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35914975
Glad I could help (better late than never :)
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 36151152
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
