Solved

How to enable RDP via Port Forwarding on Cisco 1941 Router?

Posted on 2014-03-19
Last Modified: 2014-05-21
I have a Cisco 1941 Router on a very small network.  We have no need for VPN but I would like to be able to remotely access one single machine on that network, so RDP seems like a good solution.

The GUI doesn't seem to give that option.  So, I'm assuming I'll have to use the CLI.

What commands should I issue in the CLI to enable RDP to 192.168.1.222 and then save it to the NVRAM?

Thanks!
Question by:SqueezeOJ
8 Comments
 

Expert Comment

by:Kimputer
Follow this guide, but instead of the webserver and port 80, use port 3389 (and change IP addresses accordingly of course)

http://www.cisco.com/c/en/us/support/docs/long-reach-ethernet-lre-digital-subscriber-line-xdsl/asymmetric-digital-subscriber-line-adsl/12905-827spat.html

Accepted Solution

by:Soulja
Ensure that you enable ip nat outside on your external interface and ip nat inside on your internal router interface.

The NAT command which Kimputer is speaking of is:

ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable

In your case it would be:

ip nat inside source static tcp 192.168.1.222 3389 x.x.x.x 3389 extendable

The x's represent your WAN IP.
 

Author Comment

by:SqueezeOJ
Thank you both!

Soulja:   Using this command:  

ip nat inside source static tcp 192.168.1.222 3389 x.x.x.x 3389 extendable

( Where x's represents my wan ip )

Will that enable the ip nat outside on my external interface and the ip nat inside on my internal router interface?  Or do I need to issue additional commands?

Expert Comment

by:Soulja
No,

You have to go under your interface and enter ip nat inside or ip nat outside.

For example:

conf t
int fa0/0
ip nat outside

int fa0/1
ip nat inside

 

Author Comment

by:SqueezeOJ
Hello Soulja,

I used the CLI to execute this command:

ip nat inside source static tcp 192.168.1.222 3389 24.39.111.222 3389 extendable

Unfortunately it failed, saying there was an "Invalid input detected at '^' marker." And that marker pointed to the "nat".

So, I tried using your other commands:

conf t
int fa0/0
ip nat outside

But the second one failed, with the error marker under the "fa".

As you can see, I know very little about this device, but would really like to get RDP working.  What should I do next?

Thanks, Jason

Expert Comment

by:Soulja
Can you post your config?

My example of the nat outside command was just an example of the interface. Fa0/0 may not be an interface on your router.

Post the following:

sh ip int br

and

attach your running config

sh run
 

Author Comment

by:SqueezeOJ
Hello Soulja,

Sorry it took me so long, but here are my configuration listings:
sh ip int br

Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         42.39.210.150   YES NVRAM  up                    up
GigabitEthernet0/1         192.168.1.1     YES NVRAM  up                    up
NVI0                       42.39.210.150   YES unset  up                    up
Virtual-Template2          192.168.1.1     YES unset  up                    down


...and...
sh run

Building configuration...

Current configuration : 6410 bytes
!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Suobil
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 65535
!
aaa new-model
!
!
aaa authentication login LocalAuthentication local
aaa authentication enable default none
aaa authorization network LocalAuthorization local
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool DHCPPool
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.1.1
 default-router 192.168.1.1
!
!
ip domain timeout 1
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1964817048
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1964817048
 revocation-check none
 rsakeypair TP-self-signed-1964817048
!
!
crypto pki certificate chain TP-self-signed-1964817048
 certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn FTX1640Y00E
!
!
username admin privilege 15 secret 4 PMD6SvZps1eXr9NqH/xzpBTtkroB.5FsUuDtSvb/ook
!
redundancy
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group IPSecClient
 key Ann3s3
 dns 192.168.1.1
 pool VPNPool
 acl VPNPermitList
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile SuobilUser-ike-profile-1
   match identity group IPSecClient
   client authentication list LocalAuthentication
   isakmp authorization list LocalAuthorization
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile SuobilUser
 set transform-set myset
 set isakmp-profile SuobilUser-ike-profile-1
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list LocalAuthentication
crypto map clientmap isakmp authorization list LocalAuthorization
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Outside Internet$ES_WAN$
 ip address 42.39.210.150 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
interface GigabitEthernet0/1
 description Inside$ES_LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 qos pre-classify
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SuobilUser
!
ip local pool VPNPool 192.168.2.100 192.168.2.125
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns view default
 domain timeout 1
 dns forwarding timeout 1
 domain round-robin
 dns forwarder 216.136.95.2
 dns forwarder 64.132.94.250
 dns forwarder 8.8.8.8
ip dns view-list dns-view
 view default 10
ip dns server view-group dns-view
ip dns server
ip nat portmap RTP
 appl sip-rtp startport 49152 size 64
ip nat inside source list NatAddresses interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.1.222 5070 interface GigabitEthernet0/0 5070
ip nat inside source static udp 192.168.1.222 5060 interface GigabitEthernet0/0 5050
ip nat inside source list PortRangeForwardHost1 interface GigabitEthernet0/0 overload portmap RTP
ip route 0.0.0.0 0.0.0.0 42.39.210.149
!
ip access-list extended NatAddresses
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended PortRangeForwardHost1
 permit ip host 192.168.1.222 any
ip access-list extended RestrictManagement
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VPNPermitList
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 23 permit 204.168.114.105
access-list 23 permit 192.168.0.0 0.0.255.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 transport input all
line vty 5 15
 access-class 23 in
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
ntp update-calendar
end


Just to refresh your memory, I'm trying to setup simple RDP port forwarding from outside to 192.168.1.222.  That's it.

THANK YOU!
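Added example, not part of the original thread and not any poster's configuration: one way to write the forward against the interface names shown in the running config above, using the same `interface GigabitEthernet0/0` form that config already uses for its UDP entries, and limiting inbound TCP 3389 to a single remote address. The ACL name `OUTSIDE-IN` and the address `203.0.113.10` are assumptions (placeholders); the `ip nat` and `ip access-list` lines are global configuration commands, so they are entered after `configure terminal`.

```cisco
! Constructed example. Assumptions: ACL name OUTSIDE-IN, and 203.0.113.10
! as a placeholder for the one remote address allowed to reach RDP.
! GigabitEthernet0/0 already carries "ip nat outside" and
! GigabitEthernet0/1 already carries "ip nat inside" in the posted config.
configure terminal
 !
 ! Forward TCP 3389 arriving on the outside interface to the inside host.
 ip nat inside source static tcp 192.168.1.222 3389 interface GigabitEthernet0/0 3389
 !
 ! Restrict who may reach the forwarded port. An inbound ACL on the
 ! outside interface is evaluated before the NAT translation, so the
 ! destination is left as "any" rather than the inside address.
 ip access-list extended OUTSIDE-IN
  permit tcp host 203.0.113.10 any eq 3389
  deny   tcp any any eq 3389 log
  permit ip any any
 !
 interface GigabitEthernet0/0
  ip access-group OUTSIDE-IN in
 !
end
!
! Verify the static entry and the ACL counters.
show ip nat translations
show access-lists OUTSIDE-IN
!
! Save the running configuration to NVRAM.
copy running-config startup-config
```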
 

Author Closing Comment

by:SqueezeOJ
Thanks for your help!

I couldn't figure it out, so I hired a local consultant, but you gave me hope.