
Can't limit RDP using NAT and route-maps

jsinsabaugh
Level 1

Even if my config looks like this:

ip nat inside source route-map nonat interface GigabitEthernet0/1 overload

ip nat inside source static tcp 192.168.1.10 3389 50.50.50.50 3389 route-map outside-connect

route-map outside-connect deny 5
match ip address 103

access-list 103 permit ip any any

I still get RDP access to the host. 

#show ip access-list

Extended IP access list 103
10 permit ip any any (812722 matches)

#show route-map

route-map outside-connect, deny, sequence 5
Match clauses:
ip address (access-lists): 103
Policy routing matches: 0 packets, 0 bytes

I would like to lock down access to only a few hosts, any help?

3 Replies

Hello,

as far as I recall, for conditional NAT you need to permit the route map. If you want to just allow access for a few hosts, the configuration would look like this:

ip nat inside source static tcp 192.168.1.10 3389 50.50.50.50 3389 route-map outside-connect

route-map outside-connect permit 10
match ip address 103

access-list 103 permit ip host x.x.x.x any
access-list 103 permit ip host y.y.y.y any

The route map doesn't manipulate traffic either way.

Hello,

can you post the full configuration of your router...
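
Added example, not part of any reply in this thread: a common way to limit which sources can reach the published RDP port is an inbound extended ACL on the outside interface, which filters independently of the NAT route-map. It assumes GigabitEthernet0/1 is the outside interface (as in the overload statement above), that no other ACL is applied to it, and uses a hypothetical ACL number 110. IOS checks an inbound ACL before outside-to-inside translation, so the entries match the public address 50.50.50.50 rather than 192.168.1.10.

```cisco
! Constructed example. ACL number 110 is hypothetical; x.x.x.x and y.y.y.y
! are the thread's placeholders for the allowed source hosts.
!
! Allow RDP to the published address only from the approved sources.
access-list 110 permit tcp host x.x.x.x host 50.50.50.50 eq 3389
access-list 110 permit tcp host y.y.y.y host 50.50.50.50 eq 3389
! Drop and log every other RDP attempt to the published address.
access-list 110 deny tcp any host 50.50.50.50 eq 3389 log
! Assumption: no other filtering is wanted on this interface, so all
! remaining traffic (including return traffic for NAT overload) passes.
access-list 110 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group 110 in
```

The per-entry hit counters in `show ip access-lists 110` show whether the permit and deny lines are matching as intended.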
