New Member

Allowing rdp through zone-based firewall

I hope someone can help me. I have a customer with an 877ISR with zone-based firewall.

They want to access two servers on the inside from the internet using RDP but with different ports.

Partial configuration if anyone can tell me where I am going wrong.

interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 151019030E253F2B3B203C
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxx password 7 06041D2E46411D1616041B
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.7.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone

class-map type inspect match-all ccp-protocol-rdp
 match access-group 101

policy-map type inspect ccp-permit-in
 class type inspect ccp-protocol-rdp
  inspect
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect ccp-permit-in

ip nat inside source static tcp 192.168.7.100 3389 interface Dialer0 33888
ip nat inside source static tcp 192.168.7.121 3389 interface Dialer0 3390

access-list 101 permit tcp host <dialer0 address> any eq 33888
access-list 101 permit tcp host <dialer0 address> any eq 3390

4 REPLIES
VIP Purple

Allowing rdp through zone-based firewall

The source and destination addresses in your ACL 101 have to be reversed. The source is any and the destination is your Dialer0 IP.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
New Member

Allowing rdp through zone-based firewall

Thanks for the quick reply

Sorry, typo when I put the config up. It is actually:

access-list 101 permit tcp any host eq 33888
access-list 101 permit tcp any host eq 3390

I cannot understand why it doesn't work, as it seems quite simple.

VIP Purple

Re: Allowing rdp through zone-based firewall (accepted solution)

I also had to recall the NAT order of operations. From outside to inside, NAT comes before inspection. Your ACL has to be:

access-list 101 permit tcp any host 192.168.7.100 eq 3389
access-list 101 permit tcp any host 192.168.7.121 eq 3389

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
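An added example, not from the thread or from Cisco: a small Python model of the order of operations Karsten describes, with the Dialer0 address and the Internet client address as constructed placeholders. It shows that the ACL referenced by the inspect class-map sees the packet after static PAT, so an entry matching the public address and translated port never hits, while the accepted answer's entries matching the inside hosts on 3389 do.

```python
# Added example, not Cisco's or the poster's code: a model of the order of
# operations for out-zone -> in-zone traffic on Dialer0. Static PAT rewrites
# the destination first; the inspect class-map's ACL then sees the result.
from dataclasses import dataclass, replace

DIALER0_IP = "203.0.113.5"  # constructed stand-in for "ip address negotiated"
@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# ip nat inside source static tcp <inside-ip> 3389 interface Dialer0 <outside-port>
STATIC_PAT = {
    ("tcp", DIALER0_IP, 33888): ("192.168.7.100", 3389),
    ("tcp", DIALER0_IP, 3390): ("192.168.7.121", 3389),
}

def nat_outside_to_inside(pkt):
    """Rewrite the destination if a static PAT entry matches; else leave it alone."""
    inside = STATIC_PAT.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
    return pkt if inside is None else replace(pkt, dst_ip=inside[0], dst_port=inside[1])

def acl_permits(acl, pkt):
    """Extended ACL: first matching entry decides; implicit deny at the end."""
    for action, proto, src, dst, dport in acl:  # src/dst are "any" or one host
        if (proto == pkt.proto and src in ("any", pkt.src_ip)
                and dst in ("any", pkt.dst_ip) and dport in (None, pkt.dst_port)):
            return action == "permit"
    return False

def zbf_out_in_allows(acl, pkt):
    """Zone-pair ccp-zp-out-in: NAT runs before the inspect policy is evaluated."""
    return acl_permits(acl, nat_outside_to_inside(pkt))

# ACL 101 as the poster intended it: any -> Dialer0 address on the translated ports
ACL_ORIGINAL = [("permit", "tcp", "any", DIALER0_IP, 33888),
                ("permit", "tcp", "any", DIALER0_IP, 3390)]
# ACL 101 from the accepted answer: any -> inside hosts on the real RDP port
ACL_FIXED = [("permit", "tcp", "any", "192.168.7.100", 3389),
             ("permit", "tcp", "any", "192.168.7.121", 3389)]

def demo():
    # Constructed Internet client connecting to the first server's published port.
    pkt = Packet("tcp", "198.51.100.7", 51000, DIALER0_IP, 33888)
    return {"original": zbf_out_in_allows(ACL_ORIGINAL, pkt),
            "fixed": zbf_out_in_allows(ACL_FIXED, pkt)}  # {'original': False, 'fixed': True}
```

The same model also shows why a connection to the public address on 3389 itself is dropped: there is no PAT entry for it, so it reaches the ACL untranslated and matches neither version.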
New Member

Re: Allowing rdp through zone-based firewall

Hey thanks Karsten. I thought it was close but I just couldn't get it right. Working a treat now. Thanks very much for your prompt help. Happy customers are always good.
