Solved

RDP Access on Cisco 2811

Posted on 2012-03-29
Last Modified: 2012-04-27
I am having some trouble configuring RDP access on a Cisco 2811 router.

Here is some of the configuration:


ip dhcp pool Vlan100
   network 10.xx.xx.0 255.255.255.0
   domain-name pain.local
   dns-server 10.xx.xx.12 4.2.2.2 
   default-router 10.xx.xx.1 
   option 156 ascii "ftpservers=10.xx.xx.10, layer2tagging=1, vlanid=200"
   option 42 ip 208.xx.xx.36
!
ip dhcp pool vlan100
   option 42 ip 208.xx.xx.36
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map match-any SHORETEL_VOIP
 match ip dscp ef 
 match access-group 101
 match access-group 102
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
policy-map VOIP_POLICY
 class SHORETEL_VOIP
  priority percent 75
 class class-default
  set dscp default
  fair-queue
  random-detect
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
! 
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.100
 description Data VLAN 100$FW_INSIDE$
 encapsulation dot1Q 100 native
 ip address 10.xx.xx.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description $FW_OUTSIDE$
 ip address 64.xx.xx.250 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.2x.xx.60 0.0.0.3
access-list 1 permit 10.3x.xx.0 0.0.0.255
access-list 1 permit 10.3x.xx.0 0.0.0.255
access-list 1 permit 10.24x.xx.108 0.0.0.3
access-list 1 permit 172.2x.xx.0 0.0.0.255
access-list 1 permit 172.2x.xx.0 0.0.0.255
access-list 23 permit 74.1xx.xx.44
access-list 23 permit 10.1x.xx.55
access-list 23 permit 173.7x.xx.26
access-list 23 permit 166.1x.xx.151
access-list 23 permit 166.1x.xx.38
access-list 23 permit 10.2x.xx.58
access-list 23 permit 10.2x.xx.62
access-list 23 permit 99.2x.xx.251
access-list 23 permit 172.2x.xx.0 0.0.0.255
access-list 23 permit 172.2x.xx.0 0.0.0.255
access-list 23 permit 10.2x.xx.0 0.0.0.255
access-list 23 permit 71.2x.xx.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.xx.xx.0 0.255.255.255 any
access-list 100 permit ip host 10.2xx.xx.110 any
access-list 100 permit ip 10.2x.xx.108 0.0.0.3 any
access-list 100 permit ip 10.3x.xx.0 0.0.0.255 any
access-list 100 permit ip 64.xx.xx.248 0.0.0.7 any
access-list 100 permit ip 10.2x.xx.60 0.0.0.3 any
access-list 100 permit ip 10.2x.xx.0 0.0.0.255 any
access-list 101 permit udp any any eq 2427
access-list 101 permit udp any any eq 2727
access-list 101 permit udp any any range 5440 5446
access-list 101 permit udp any any eq 5004
access-list 102 permit udp host 10.3x.xx.11 gt 1024 any gt 1024
access-list 102 permit udp host 10.3x.xx.16 gt 1024 any gt 1024
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.2x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 103 permit ip 10.3x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 103 permit ip 10.1x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.2x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.2x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 103 permit ip 10.1x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 104 remark CCP_ACL Category=18
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.2x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 104 deny   ip 10.3x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 104 deny   udp 10.3x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 172.2x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 104 permit ip 172.2x.xx.0 0.0.0.255 any
access-list 104 permit ip 172.2x.xx.0 0.0.0.255 any
access-list 104 permit ip 10.2x.xx.108 0.0.0.3 any
access-list 104 permit ip 10.3x.xx.0 0.0.0.255 any
access-list 104 permit ip 10.2x.xx.0 0.0.0.255 any
access-list 104 permit ip 10.2x.xx.60 0.0.0.3 any
access-list 104 remark IPSec Rule
access-list 104 deny   ip 172.2x.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.1x1.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.1x0.xx.0 0.0.0.255 192.1x.xx.0 0.0.0.255
!
...



I am trying to set up a rule (or rules) that will allow three external IP addresses access to port 3389 on an internal server.

I've tried adding a net port translation and an access list rule, but still cannot connect.

help?
Question by:MikeWheelz
3 Comments
LVL 5

Accepted Solution

by: atechnicnate earned 500 total points
ID: 37785465
Here's what I'm using currently (NAT and ACL statement)


ip nat inside source static tcp 192.168.4.4 3389 16.11.82.192 3389 extendable


All my traffic from 16.11.82.192 is sent to my internal IP of 192.168.4.4.

access-list 112 permit tcp any any eq 3389


That's a basic ACL, or, to be more secure, you could do:

access-list 112 permit tcp any host 192.168.4.4 eq 3389
LVL 5

Expert Comment

by:atechnicnate
ID: 37785469
Oh, I should add that the ACL number 112 is what I use, not what you should... However, upon further inspection I don't see where you've even applied your ACL to the interface...
LVL 5

Expert Comment

by:atechnicnate
ID: 37785478
Oh, one last thing (I think, lol): you could also just forward that port via the FastE0/1 interface with this:


ip nat inside source static tcp 192.168.3.3 3389 interface FastEthernet0/1 3389

where your internal server IP is 192.168.3.3.

This is a one-to-many style instead of the static one; in my first example I only allow the one outside IP.
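A worked version of what the thread suggests, applied to the router in the question; this is an added example, not configuration posted by MikeWheelz or atechnicnate. It combines the interface-based static PAT from the last comment with an ACL limited to three source hosts, and adds the out-zone to in-zone zone-pair that the posted zone-based firewall configuration lacks, since traffic between two zones with no zone-pair is dropped by default. The server address 10.xx.xx.20 and the three external addresses (taken from the RFC 5737 documentation ranges) are placeholders.

```cisco
! Added example, not from the original thread. Placeholders: internal RDP
! host 10.xx.xx.20 on VLAN 100; permitted remote hosts 203.0.113.10,
! 203.0.113.11 and 198.51.100.5 (RFC 5737 documentation addresses).
!
! 1. Static PAT: TCP/3389 arriving on the public address of Fa0/1 is
!    translated to the server (same form as the last comment above).
ip nat inside source static tcp 10.xx.xx.20 3389 interface FastEthernet0/1 3389
!
! 2. Named extended ACL: only the three remote hosts, only TCP/3389.
!    Destination is left as "any" so the rule works whether the firewall
!    sees the pre- or post-NAT address; the out-zone->in-zone pair below
!    and the static PAT already confine it to the server.
ip access-list extended RDP_FROM_PARTNERS
 permit tcp host 203.0.113.10 any eq 3389
 permit tcp host 203.0.113.11 any eq 3389
 permit tcp host 198.51.100.5 any eq 3389
!
! 3. The posted config has zone-pairs in->out, self->out and out->self but
!    none for out->in, so out-zone to in-zone traffic is dropped regardless
!    of NAT. Add a class that matches the ACL and inspect only that;
!    everything else from outside is dropped and logged.
class-map type inspect match-all RDP_INBOUND
 match access-group name RDP_FROM_PARTNERS
 match protocol tcp
policy-map type inspect OUT_TO_IN
 class type inspect RDP_INBOUND
  inspect
 class class-default
  drop log
zone-pair security zp-out-in source out-zone destination in-zone
 service-policy type inspect OUT_TO_IN
!
! 4. Both interfaces must be zone members; the interface stanzas shown in
!    the question carry no zone-member lines.
interface FastEthernet0/0.100
 zone-member security in-zone
interface FastEthernet0/1
 zone-member security out-zone
!
! Verify: active sessions and drop counters for the new pair, and the
! NAT entry for 3389.
! show policy-map type inspect zone-pair zp-out-in sessions
! show ip nat translations | include 3389
```

With this in place a connection attempt from a fourth address shows up as a logged drop on zp-out-in rather than silently failing, which is the first thing to check when "still cannot connect" persists.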