09-10-2006 11:19 AM - edited 03-03-2019 01:57 PM
Hi,
There are 9 remote & 1 central locations in our network. As you know, these routers have an ADSL port as a WAN interface. We already configured all of these 877 routers via SDM. Basic firewall was enabled in this config. And we permitted port 3389 for remote desktop connection in NAT on the central router. Remote locations cannot connect to the internet. They only connect to the central office (p2p) for executing an application in the central office.
But, when we enable basic firewall in this configuration other locations cannot connect to central office for executing the application.
1. How can remote locations connect to central office while basic firewall is enabled ?
2. How can we protect the central office router from ping, telnet, etc.?
Thanks & regards
09-10-2006 05:32 PM
Please confirm you enabled the UDP port 3389.
1) Yes, depends on the configuration to allow what traffic.
2) Just block the unwanted traffic or allow the application you want; that is fine. So in this case, if you only allow the remote desktop then it already prevents traffic other than remote desktop from passing through.
Hope this helps.
09-10-2006 10:50 PM
09-11-2006 12:56 AM
Sorry, I can't find any command in the router that allows the remote desktop only. You have to configure UDP 3389 as the only allowed traffic for remote sites.
Moreover, there are some ACL entries that are not required or duplicate the function of the "deny any any" in 101.
And, can you please try to remove the access-group command on the dialer and VLAN interfaces and test the connectivity first. It is used to isolate whether the problem is connectivity or the ACL.
Finally, please check the link below to determine whether there is any need to adjust the MTU & tcp adjust-mss for larger packets.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html
Hope this helps.
09-11-2006 02:10 AM
I tried to remove the access-group commands from the vlan1 and dialer0 interfaces. Then everybody started to connect to this router and executed the application via port 3389.
But now I want to secure this device. I mean, close it to telnet, ping, etc. But remote locations should connect via port 3389.
How can I do that?
First, I will remove the access-group commands from the vlan and dialer interfaces. Then, what should I do?
Regards,
09-11-2006 06:12 PM
The reason to remove the access-group was to prove the remote desktop function; it seems it works, so you can edit the ACL to limit the allowed traffic only on the link.
1) Copy the existing ACL to a notepad for backup
2) Edit the ACL in notepad
3) Remove the ACL in router
4) Copy the modified ACL from notepad to router
5) Enable the access-group in interface
You can modify the ACL to allow the required traffic only. Just configure it like your current ACL but add the required list. Check below link for details.
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080430e5b.html
e.g. for telnet
access-list 101 remark IOS ACLs take wildcard masks (0 = must match), so /24 is 0.0.0.255, not 255.255.255.0
access-list 101 permit tcp 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255 eq telnet
access-list 101 deny ip any any
The first ACL is used to allow telnet traffic, the second ACL is used to deny all traffic except the list above this command.
Moreover, if you want to add an entry to a configured ACL in the router, you had better use notepad to copy the whole ACL and edit it in notepad, then remove that ACL with "no access-list 101" and copy the whole ACL from the notepad to the router. Also, the ACL is scanned by the router one-by-one in sequence, so be sure to put the "deny ip any any" last; otherwise, it will block the traffic listed below that command.
Please let us know if there is any issue.
Or please list what traffic you want to allow or filter then I try to help. You can read the links above to understand how to configure ACL first.
Hope this helps.
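A constructed IOS configuration fragment for the central 877 that puts the advice in this thread together (an added example, not the poster's running config or anything generated by SDM): it admits only Remote Desktop (TCP 3389) from the remote sites on Dialer0, drops ICMP echo and telnet aimed at the router from the WAN, and limits VTY logins to the LAN. The remote-site and LAN address ranges are placeholders, and it assumes the SDM-generated ip inspect rule stays applied outbound on Dialer0 so return traffic for sessions opened from the central LAN is admitted dynamically.

```cisco
! Constructed example; addresses below are placeholders for the real sites.
! Named ACLs can be edited in place, so no need for "no access-list 101" and re-paste.
ip access-list extended DIALER-IN
 remark Remote sites: Remote Desktop only, to the NAT'd terminal server
 permit tcp 198.51.100.0 0.0.0.255 any eq 3389
 permit tcp 203.0.113.0 0.0.0.255 any eq 3389
 remark Probes of the router itself from the WAN
 deny   icmp any any echo
 deny   tcp any any eq telnet
 remark Explicit catch-all last: entries after it would never be matched
 deny   ip any any log
!
interface Dialer0
 ip access-group DIALER-IN in
!
! Management access only from the central LAN (placeholder subnet), SSH only
ip access-list standard MGMT-IN
 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
```

Check the result with "show ip access-lists DIALER-IN": the hit counters on the 3389 lines should climb while a remote site runs the application, and the counter on the final deny shows what is being dropped.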