
Cannot RDP out through a 2811 with Firewall feature set

Eggzter100
Level 1

Hi all,

I’ve inherited a 2811 router with a firewall feature pack from a previous support guy and it looks in a bit of a mess.

I'm having problems RDPing out through our 2811 with firewall feature set. I have a route map pointing to an access list permit ip internal-network any. There's another access list on the inside interface in, permit ip any any. I've attached my cleaned config. Any ideas how to get RDP working?

Also, since a recent save of the config, lots of the remarks in the access-lists seem to repeat themselves. Any ideas why?

Regards

Egg



Jennifer Halim
Cisco Employee

Can you please reattach the config, as it didn't get attached to your initial post.

Do you have NAT configured for the RDP traffic (TCP/3389)?

Where does the RDP fail? Prior to authentication or after it authenticates? Are you able to telnet on port 3389 to the RDP server?

Assuming that you can RDP from the same subnet, do you have any Windows firewall on the host that might prevent RDP from a different subnet?

sorry, I'll try again.

Can you please change the following ACL line for "adsl24outgoing" ACL:

FROM:

permit tcp 0.0.0.0 255.255.255.0 any eq 3389

TO:

permit tcp any any eq 3389

Please kindly make sure that when you change the ACL, it's above the "deny ip any any" rule for "adsl24outgoing" ACL.
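As an added illustration (not part of the original thread or of anyone's posted config), the following Python sketch models IOS wildcard-mask matching and first-match ACL evaluation, showing why the original line only matches sources whose last octet is 0 and why the permit must sit above "deny ip any any". The client address 192.168.1.25 and the two-line ACLs are constructed samples; only the quoted ACL lines come from the thread.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'permit|deny tcp|ip SRC any [eq PORT]'; SRC is 'any' or 'BASE WILDCARD'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if rest[0] == "any":            # 'any' is shorthand for 0.0.0.0 255.255.255.255
        src, rest = ("0.0.0.0", "255.255.255.255"), rest[1:]
    else:
        src, rest = (rest[0], rest[1]), rest[2:]
    if rest[0] != "any":
        raise ValueError("this sketch only handles destination 'any'")
    port = int(rest[2]) if rest[1:2] == ["eq"] else None
    return action, proto, src, port

def evaluate(acl, src_ip, proto, dport):
    """First matching entry wins; falling off the end is the implicit deny."""
    for line in acl:
        action, ace_proto, (base, wc), port = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        if port is not None and port != dport:
            continue
        if wildcard_match(src_ip, base, wc):
            return action, line
    return "deny", "(implicit deny)"

# Constructed two-line ACLs built around the lines quoted in the thread.
BEFORE = ["permit tcp 0.0.0.0 255.255.255.0 any eq 3389", "deny ip any any"]
AFTER = ["permit tcp any any eq 3389", "deny ip any any"]
MISORDERED = ["deny ip any any", "permit tcp any any eq 3389"]
CLIENT = "192.168.1.25"  # constructed inside host, not from the thread

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        print(name, evaluate(acl, CLIENT, "tcp", 3389))
    # Only sources ending in .0 ever matched the original permit line.
    print("x.x.x.0 source:", evaluate(BEFORE, "192.168.1.0", "tcp", 3389))
```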

Thanks Halijenn,

Schoolboy error, the subnet mask should've been reversed, yeah?

What do you make of the remarks repeating themselves in the access lists?

Regards

Egg

The remarks seem to have been added by SDM automatically.

I would suggest that you check the line# for each ACL, for example ACL 109:

sh ip access-list 109

Then for those duplicated remarks just check out the line#, and remove it as follows:

ip access-list extended 109

     no

     no

etc ....

Hi halijenn,

Yeah, I already thought of that but remarks don't show up as line# in the sho ip access-list adsl24external command. Only the permit and deny statements. How would I remove the remarks?

Regards

Egg

In that case, you would need to remove the complete ACL with a no statement, and reconfigure it without the remarks.

However, please be very careful when you remove the ACL. I would suggest that you perform the change after hours and through a console session; otherwise, you might lock yourself out from accessing the router (via ssh or telnet).
