Cannot RDP out through a 2811 with Firewall feature set

Answered Question
Jun 23rd, 2010

Hi all,

I’ve inherited a 2811 router with a firewall feature pack from a previous support guy and it looks in a bit of a mess.

I'm having problems RDPing out through our 2811 with firewall feature set. I have a route map pointing to an access list permit ip internal-network any. There's another access list on the inside interface in, permit ip any any. I've attached my cleaned config. Any ideas how to get RDP working?

Also, since a recent save of the config, lots of the remarks in the access-lists seem to repeat themselves. Any ideas why?

Regards

Egg

Jennifer Halim Wed, 06/23/2010 - 04:47

Can you please reattach the config, as it didn't get attached to your initial post.

Do you have NAT configured for the RDP traffic (TCP/3389)?

Where does the RDP fail? Prior to authentication or after it authenticates? Are you able to telnet on port 3389 to the RDP server?

Assuming that you can RDP from the same subnet, do you have any Windows Firewall on the host that might prevent RDP from a different subnet?

Correct Answer
Jennifer Halim Wed, 06/23/2010 - 05:16

Can you please change the following ACL line for "adsl24outgoing" ACL:

FROM:

permit tcp 0.0.0.0 255.255.255.0 any eq 3389

TO:

permit tcp any any eq 3389

Please kindly make sure that when you change the ACL, it's above the "deny ip any any" rule for "adsl24outgoing" ACL.
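To show why the original line fails and why entry order matters, here is a small added example (not from the thread or from the router's actual config) that evaluates Cisco-style extended ACL entries with wildcard-mask semantics and first-match, implicit-deny ordering. The internal subnet 192.168.1.0/24, the sample flows and the ACL contents are constructed for illustration; the parser only understands the ACE syntax used in this thread (permit/deny, ip/tcp/udp, any/host/address+wildcard, optional "eq port").

```python
"""Evaluate Cisco-style extended ACL entries against sample flows.

Constructed example: demonstrates that 'permit tcp 0.0.0.0 255.255.255.0 any eq 3389'
only matches source addresses whose last octet is 0 (a wildcard bit of 1 means
"don't care", a bit of 0 means "must match"), and that a permit placed below
'deny ip any any' is never reached.
"""
import ipaddress


def _addr_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (base, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1          # every bit is "don't care"
    if tok == "host":
        return _addr_int(tokens[i + 1]), 0, i + 2   # every bit must match
    return _addr_int(tok), _addr_int(tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse '<permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, src_wc, i = _parse_addr(tokens, 2)
    dst, dst_wc, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc, "dport": dport}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: bits that are 0 in the wildcard must equal the base."""
    return ((_addr_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def ace_matches(ace, proto, src, dst, dport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if not wildcard_match(src, ace["src"], ace["src_wc"]):
        return False
    if not wildcard_match(dst, ace["dst"], ace["dst_wc"]):
        return False
    return ace["dport"] is None or ace["dport"] == dport


def evaluate(acl_lines, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end.

    Remarks are documentation only and are skipped, just as the router ignores
    them when matching. Returns (action, matching_line) or ("deny", None).
    """
    for line in acl_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("remark"):
            continue
        ace = parse_ace(stripped)
        if ace_matches(ace, proto, src, dst, dport):
            return ace["action"], stripped
    return "deny", None


# Constructed ACLs modelled on the "adsl24outgoing" discussion; the internal
# subnet 192.168.1.0/24 is an assumption, not taken from the original config.
BROKEN_ACL = [
    "remark allow RDP out",
    "permit tcp 0.0.0.0 255.255.255.0 any eq 3389",   # mask and address swapped
    "deny ip any any",
]
FIXED_ACL = [
    "remark allow RDP out from the internal subnet",
    "permit tcp 192.168.1.0 0.0.0.255 any eq 3389",   # address + wildcard, as intended
    "deny ip any any",
]
SUGGESTED_ACL = [
    "permit tcp any any eq 3389",                      # the line proposed in the answer
    "deny ip any any",
]
MISORDERED_ACL = [
    "deny ip any any",                                 # permit below this is dead
    "permit tcp any any eq 3389",
]

if __name__ == "__main__":
    rdp_server = "203.0.113.10"                        # constructed external RDP host
    for name, acl in [("broken", BROKEN_ACL), ("fixed", FIXED_ACL),
                      ("suggested", SUGGESTED_ACL), ("misordered", MISORDERED_ACL)]:
        for client in ("192.168.1.25", "192.168.1.0", "10.0.0.5"):
            print(name, client, "->", evaluate(acl, "tcp", client, rdp_server, 3389))
```

Running the script shows the broken ACL denying 192.168.1.25 while, counter-intuitively, permitting 192.168.1.0, which is exactly the symptom of a reversed wildcard mask; the fixed and suggested ACLs permit the real client, and the misordered list denies everything regardless of the permit line below the deny.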

Eggzter100 Wed, 06/23/2010 - 05:56

Thanks Halijenn,

Schoolboy error, the subnet mask should've been reversed, yeah?

What do you make of the remarks repeating themselves in the access lists?

Regards

Egg

Jennifer Halim Wed, 06/23/2010 - 06:01

The remarks seem to have been added by SDM automatically.

I would suggest that you check the line# for each ACL, for example ACL 109:

sh ip access-list 109

Then for those duplicated remarks just check out the line#, and remove it as follows:

ip access-list extended 109
     no <line#>
     no <line#>
etc ....

Eggzter100 Wed, 06/23/2010 - 06:36

Hi halijenn,

Yeah, I already thought of that but remarks don't show up as line# in the sho ip access-list adsl24external command. Only the permit and deny statements. How would I remove the remarks?

Regards

Egg

Jennifer Halim Wed, 06/23/2010 - 14:55

In that case, you would need to remove the complete ACL with a no statement, and reconfigure it without the remarks.

However, please be very careful when you remove the ACL. I would suggest that you perform the change after hours and through a console session; otherwise, you might lock yourself out from accessing the router (via ssh or telnet).
