Cannot RDP out through a 2811 with Firewall feature set

Answered Question
Jun 23rd, 2010

Hi all,

I’ve inherited a 2811 router with a firewall feature pack from a previous support guy and it looks in a bit of a mess.

I'm having problems RDPing out through our 2811 with firewall feature set. I have a route map pointing to an access list permit ip internal-network any. There's another access list on the inside interface in, permit ip any any. I've attached my cleaned config. Any ideas how to get RDP working?

Also, since a recent save of the config, lots of the remarks in the access-lists seem to repeat themselves. Any ideas why?

Regards


Egg

Jennifer Halim (Cisco Employee) Wed, 06/23/2010 - 04:47

Can you please reattach the config, as it didn't get attached to your initial post.

Do you have NAT configured for the RDP traffic (TCP/3389)?

Where does the RDP fail? Prior to authentication or after it authenticates? Are you able to telnet on port 3389 to the RDP server?

Assuming that you can RDP from the same subnet, do you have any windows firewall on the host that might prevent RDP from different subnet?

Correct Answer
Jennifer Halim (Cisco Employee) Wed, 06/23/2010 - 05:16

Can you please change the following ACL line for "adsl24outgoing" ACL:

FROM:

permit tcp 0.0.0.0 255.255.255.0 any eq 3389


TO:

permit tcp any any eq 3389


Please kindly make sure that when you change the ACL, it's above the "deny ip any any" rule for "adsl24outgoing" ACL.

Eggzter100 Wed, 06/23/2010 - 05:56

Thanks Halijenn,


Schoolboy error, the subnet mask should've been reversed, yeah?


What do you make of the remarks repeating themselves in the access lists?


Regards


Egg

Jennifer Halim (Cisco Employee) Wed, 06/23/2010 - 06:01

The remarks seem to have been added by SDM automatically.


I would suggest that you check the line# for each ACL, for example ACL 109:

sh ip access-list 109


Then for those duplicated remarks just check out the line#, and remove it as follows:

ip access-list extended 109
     no
     no
etc ....

Eggzter100 Wed, 06/23/2010 - 06:36

Hi halijenn,


Yeah, I already thought of that but remarks don't show up as line# in the sho ip access-list adsl24external command. Only the permit and deny statements. How would I remove the remarks?


Regards


Egg

Jennifer Halim (Cisco Employee) Wed, 06/23/2010 - 14:55

In that case, you would need to remove the complete ACL with a no statement, and reconfigure it without the remarks.

However, please be very careful when you remove the ACL. I would suggest that you perform the change after hours and through a console session; otherwise, you might lock yourself out from accessing the router (via ssh or telnet).
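To make the two points in this thread concrete, here is an added Python example; it is not from the thread or from Cisco. It models IOS wildcard-mask matching to show why an ACE written with a subnet mask in the wildcard position (255.255.255.0 instead of 0.0.0.255) matches almost nothing, flags such entries, and generates the "remove the whole ACL and re-enter it without the repeated remarks" commands from the last answer. The ACL name adsl24outgoing is taken from the thread; the ACE lines and addresses are constructed, since the original attachment never made it into the post.

```python
import ipaddress
import re

# Constructed sample (not the poster's real config): a named extended ACL as it
# might appear in "show running-config", carrying the inverted-mask RDP line
# discussed in the thread and the duplicated SDM remarks.
SAMPLE_ACL = """\
ip access-list extended adsl24outgoing
 remark SDM_ACL Category=1
 remark SDM_ACL Category=1
 remark Allow outbound RDP
 remark Allow outbound RDP
 permit tcp 0.0.0.0 255.255.255.0 any eq 3389
 permit tcp 192.168.1.0 0.0.0.255 any eq 80
 deny ip any any
"""

ALL_ONES = 0xFFFFFFFF

# Minimal ACE grammar: action, protocol, source, destination, optional "eq port".
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+"
    r"(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def parse_addr_spec(spec):
    """Map an IOS address spec to (address, wildcard) as 32-bit integers."""
    if spec == "any":
        return 0, ALL_ONES
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec.split()[1])), 0
    addr, wild = spec.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def wildcard_match(ip, addr, wild):
    """IOS wildcard semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
    return (int(ipaddress.IPv4Address(ip)) ^ addr) & (~wild & ALL_ONES) == 0


def looks_inverted(wild):
    """True when a 'wildcard' is really a subnet mask (contiguous 1s from the top).
    With 0.0.0.0 255.255.255.0 only the last octet is compared, so only addresses
    ending in .0 match, which is why the poster's RDP line never hit."""
    if wild in (0, ALL_ONES):
        return False
    low = ~wild & ALL_ONES
    return (low & (low + 1)) == 0  # the checked bits form 2^n - 1


def ace_matches(ace, proto, src_ip, dst_ip, dst_port=None):
    """Return True if one ACE line matches the described packet."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError("unsupported ACE syntax: " + ace)
    if m["proto"] != "ip" and m["proto"] != proto:
        return False
    if m["port"] is not None and int(m["port"]) != dst_port:
        return False
    return (wildcard_match(src_ip, *parse_addr_spec(m["src"]))
            and wildcard_match(dst_ip, *parse_addr_spec(m["dst"])))


def acl_decision(acl_text, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation, ending in the implicit deny. Returns (action, line)."""
    for line in acl_text.splitlines():
        line = line.strip()
        if line.startswith(("permit", "deny")):
            if ace_matches(line, proto, src_ip, dst_ip, dst_port):
                return line.split()[0], line
    return "deny", "implicit deny"


def find_inverted_masks(acl_text):
    """Return ACE lines whose source or destination wildcard is really a subnet mask."""
    flagged = []
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        for spec in (m["src"], m["dst"]):
            if spec != "any" and not spec.startswith("host ") \
                    and looks_inverted(parse_addr_spec(spec)[1]):
                flagged.append(line.strip())
                break
    return flagged


def rebuild_without_duplicate_remarks(acl_text):
    """Commands that recreate the ACL with each remark kept once and ACE order intact.
    Remarks carry no sequence number, so the whole ACL is replaced, as the answer says."""
    lines = [l.strip() for l in acl_text.splitlines() if l.strip()]
    header = lines[0]  # "ip access-list extended NAME"
    out = ["no " + header, header]
    seen_remarks = set()
    for line in lines[1:]:
        if line.startswith("remark"):
            if line in seen_remarks:
                continue
            seen_remarks.add(line)
        out.append(" " + line)
    return out


if __name__ == "__main__":
    print(acl_decision(SAMPLE_ACL, "tcp", "192.168.1.10", "203.0.113.5", 3389))
    print(find_inverted_masks(SAMPLE_ACL))
    print("\n".join(rebuild_without_duplicate_remarks(SAMPLE_ACL)))
```

Run against the constructed ACL, an RDP session from 192.168.1.10 falls through to "deny ip any any" while the same host's port-80 traffic is permitted by the correctly written line, which is exactly the symptom in the question. The rebuilt command list starts with "no ip access-list extended adsl24outgoing", so it should only ever be applied from a console session as the last answer advises.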
