How to allow remote desktop from outside to inside?

Answered Question
Jul 16th, 2010
Dear all,

I have a Cisco router 2821 and a switch 3560G.

The 2821 has the Internet connection and connects to the 3560G switch.

On the 3560G I created 2 VLANs (one for servers and the other one for clients).

On the 2821:

Gi0/0: 203189.12.10

Gi0/1: 10.10.101

On the 3560G switch:

G0/1: 10.10.10.2, connected to the 2821 router.

Vlan: 20.20.20.1 (server VLAN)

Vlan: 30.30.30.1 (client VLAN)

So I would like to allow remote desktop, SMTP and POP3 from outside to inside (20.20.20.10).

1- How can we configure this on the router?

2- What about the 3560G switch: do we just route, or do we need to add ip nat .......?

Best Regards,

Rechard

Ganesh Hariharan Fri, 07/16/2010 - 03:46
Hi Rechard,


NAT the server (20.20.20.10) on the router to a public IP, allowing the RDP, SMTP and POP3 ports to be open.


Hope to help !!


Ganesh.H


Remember to rate the helpful post

rechard_hk Fri, 07/16/2010 - 04:07
Dear Ganesh.H,


It should look like this?

ip nat inside source static tcp 20.20.20.10 25 interface f0/0 25 extendable

ip nat inside source static tcp 20.20.20.10 110 interface f0/0 110 extendable

access-list 103 permit tcp any eq smtp host 20.20.20.10 eq smtp
access-list 103 permit tcp any eq pop3 host 20.20.20.10 eq pop3



Best Regards,

Rechard

Ganesh Hariharan Fri, 07/16/2010 - 04:24
Hi Rechard,


The following configuration will allow users to access the local LAN server on the SMTP/POP3 ports. As the access will be from the Internet, which means anybody can connect to your server, I don't think an ACL is required.


ip nat inside source static 20.20.20.10 172.16.131.1 (public ip)
interface e 0
ip address 20.20.20.254 255.255.255.0
ip nat inside

interface s 0
ip address 172.16.130.2 255.255.255.0
ip nat outside

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

Hope to help !!

Ganesh.H

Remember to rate the helpful post

Correct Answer
Nagaraja Thanthry Fri, 07/16/2010 - 07:24
User Badges:
  • Cisco Employee,

Hello,


I am assuming that you have not configured CBAC or ZBF on the router. With that assumption, I would suggest you configure access-lists that allow return traffic from the Internet to your internal hosts (if they are browsing via the router). Also, the access-list is slightly off in that the source port will not be SMTP or POP3 when you are accessing the servers.



ip nat inside source static tcp 20.20.20.10 25 interface f0/0 25 extendable

ip nat inside source static tcp 20.20.20.10 110 interface f0/0 110 extendable


access-list 103 permit tcp any host eq smtp
access-list 103 permit tcp any host eq pop3

access-list 103 permit tcp any any ack

access-list 103 deny tcp any any syn

access-list 103 permit ip any any


With this, all the return traffic will be allowed (even though this allows UDP/ICMP seamlessly, you can restrict them also if you like) without any issues. Hope this helps.


Regards,


NT
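As an added example, not configuration posted in this thread, here is how the pieces discussed above fit together on the 2821. It answers both of Rechard's questions: the 3560G only routes the two VLANs, and the router does the NAT and the filtering. All addresses are assumptions: Gi0/0 carries the constructed public address 203.0.113.10/29 (the thread's real address is not reproduced), Gi0/1 is 10.10.10.1/24 toward the switch at 10.10.10.2, and 198.51.100.0/24 stands in for the administrators' source network. Two points go beyond what the posts show: the static PAT form needs the local port as well as the global port, and an access-list applied inbound on the outside interface is evaluated before NAT rewrites the destination, so it must match the public address rather than 20.20.20.10. The `established` keyword does in one line what the ack/syn pair above does, and RDP is published only to the admin range instead of to the whole Internet.

```cisco
! Added example for the thread above, not configuration from any of the posts.
! Assumptions: Gi0/0 = Internet side with constructed public address 203.0.113.10/29,
! Gi0/1 = 10.10.10.1/24 toward the 3560G (10.10.10.2), server VLAN 20.20.20.0/24 and
! client VLAN 30.30.30.0/24 behind the switch, 198.51.100.0/24 = admin source range.
!
! --- Routes to the VLANs behind the 3560G (the switch only routes; NAT is done here)
ip route 20.20.20.0 255.255.255.0 10.10.10.2
ip route 30.30.30.0 255.255.255.0 10.10.10.2
!
! --- Static PAT: publish only the three service ports of 20.20.20.10 on the public address
!     (local-ip local-port ... global-port; the local port is mandatory)
ip nat inside source static tcp 20.20.20.10 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 20.20.20.10 110 interface GigabitEthernet0/0 110
ip nat inside source static tcp 20.20.20.10 3389 interface GigabitEthernet0/0 3389
!
! --- Dynamic PAT so hosts in both VLANs can browse through the router
access-list 10 permit 20.20.20.0 0.0.0.255
access-list 10 permit 30.30.30.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! --- Inbound filter on the outside interface.
!     Evaluated before NAT, so it matches the PUBLIC address, not 20.20.20.10.
!     The source port is "any"; only the destination port is the service port.
ip access-list extended OUTSIDE-IN
 remark new connections to the published mail services from anywhere
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp any host 203.0.113.10 eq pop3
 remark RDP only from the admin range (assumed 198.51.100.0/24)
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 3389
 remark return traffic for sessions started from inside (ACK or RST set)
 permit tcp any any established
 remark DNS replies and the ICMP needed for path MTU and traceroute
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description to 3560G
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
```

After applying it, `show ip nat translations` should list the three static entries and `show access-lists OUTSIDE-IN` shows per-line hit counts, which is the quickest way to see whether a test connection from an outside host is hitting the intended permit line or falling through to the logged deny.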
