setting up RDP on Cisco 861 HELP !

Dec 9th, 2011
Hi,

Before I installed the Cisco 861 I used a simple Linksys router and RDP worked just fine. I just forwarded port 3389 to the server's IP 192.168.0.1 and everything worked; I could log in to the server.

Now I'm trying to set up RDP on a Cisco 861, but... it's not working...

My router has a fixed IP through the ISP. Can someone please give me some help? Thanks in advance!

My router config:

Building configuration...

Current configuration : 9282 bytes
!
! Last configuration change at 07:25:33 PCTime Tue Jan 3 2006 by DVMAdmin
! NVRAM config last updated at 07:25:33 PCTime Tue Jan 3 2006 by DVMAdmin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname administratie01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$IqhW$06dr6Y2q7cscIOR5bUsWr1
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-635537874
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-635537874
 revocation-check none
 rsakeypair TP-self-signed-635537874
!
!
crypto pki certificate chain TP-self-signed-635537874
 certificate self-signed 01
  quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
!
!
license udi pid CISCO861-K9 sn FCZ1533C0NT
!
!
object-group service RDP
 description RDP
 tcp-udp eq 3389
 tcp-udp source eq 3389
!
object-group service REMOTE_DESKTOP
 tcp eq 3389
 tcp source eq 3389
!
username DVMAdmin privilege 15 secret 5 $1$NLY2$LhTwKyL5zJ8qhDdGPgnzr0
username admin privilege 15 view root secret 5 $1$DWOC$Q3HI0KDRTd547WqCCIm4o0
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
 class type inspect sdm-access
  inspect
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.1 3389 interface FastEthernet4 3389
!
ip access-list extended RDP
 remark CCP_ACL Category=1
 permit object-group RDP any host 192.168.0.1
ip access-list extended REMOTE_DESKTOP
 remark CCP_ACL Category=1
 permit object-group REMOTE_DESKTOP any host 192.168.0.1
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
no cdp run

!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

cadet alain Sat, 12/10/2011 - 10:34
Hi,

This is due to your ZBF config; you must configure a policy from out to in that inspects RDP:

! log the packets the firewall drops, so you can see why a connection fails
ip inspect log drop-pkt
!
! named extended ACL: RDP (TCP and UDP 3389) to the server's inside address
ip access-list extended RDP
 permit tcp any host 192.168.0.1 eq 3389
 permit udp any host 192.168.0.1 eq 3389
!
class-map type inspect RDP_TRAFFIC
 match access-group name RDP
!
policy-map type inspect RDP_POLICY
 class type inspect RDP_TRAFFIC
  inspect
!
! the missing piece: a zone-pair for traffic entering from out-zone toward in-zone
zone-pair security RDP_OUT_IN source out-zone destination in-zone
 service-policy type inspect RDP_POLICY

Regards.

Alain
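As an added illustration (not part of the thread, and not Cisco's or either poster's code), the Python below indexes the ZBF pieces of a running-config and reports which action the out-zone to in-zone zone-pair applies to TCP/3389 toward the server: on the posted config there is no such zone-pair at all, so the result is None (ZBF's implicit drop), and with the reply's lines appended it becomes `inspect`. The config excerpts are constructed from the thread, and the function names and the simplified line grammar they parse are this example's own assumptions.

```python
import re

def parse_zbf(config):
    """Index zone-pairs, inspect policy-maps, class-maps and named ACLs from IOS text."""
    pairs, policies, classes, acls = {}, {}, {}, {}
    section = cls = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            section = pairs[(m[1], m[2])] = {}              # keyed by (source, destination)
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            section["policy"] = m[1]
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            section = policies[m[1]] = {}                   # class name -> action
        elif m := re.match(r"class (?:type inspect )?(\S+)", line):
            cls = m[1]                                      # also catches 'class class-default'
        elif cls and line.split(" ")[0] in ("inspect", "pass", "drop"):
            section[cls] = line.split(" ")[0]               # 'drop log' is recorded as 'drop'
        elif m := re.match(r"class-map type inspect (?:match-\w+ )?(\S+)", line):
            section = classes[m[1]] = []                    # names of referenced ACLs
        elif m := re.match(r"match access-group name (\S+)", line):
            section.append(m[1])
        elif m := re.match(r"ip access-list extended (\S+)", line):
            section = acls[m[1]] = []                       # (proto, dst host, port) entries
        elif m := re.match(r"permit (\w+) any host (\S+) eq (\d+)", line):
            section.append((m[1], m[2], int(m[3])))
    return pairs, policies, classes, acls
def rdp_action(config, host, port=3389, src="out-zone", dst="in-zone"):
    """Action the src->dst zone-pair applies to TCP/port toward host; None means no
    zone-pair or no matching class, which ZBF treats as a drop of that traffic."""
    pairs, policies, classes, acls = parse_zbf(config)
    policy = policies.get(pairs.get((src, dst), {}).get("policy"))
    for cls, action in (policy or {}).items():
        if cls == "class-default" or any(("tcp", host, port) in acls.get(acl, [])
                                         for acl in classes.get(cls, [])):
            return action
    return None
# Constructed excerpt of the posted config: the only zone-pair is in-zone -> out-zone.
POSTED = """
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
ip access-list extended RDP
 permit tcp any host 192.168.0.1 eq 3389
"""
# Constructed: the same excerpt with the reply's class-map, policy-map and zone-pair added.
FIXED = POSTED + """
class-map type inspect RDP_TRAFFIC
 match access-group name RDP
policy-map type inspect RDP_POLICY
 class type inspect RDP_TRAFFIC
  inspect
zone-pair security RDP_OUT_IN source out-zone destination in-zone
 service-policy type inspect RDP_POLICY
"""
```

Running `rdp_action` against a full `show running-config` dump works the same way, since lines the grammar does not recognise are ignored.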
