New Member

Cannot RDP out through a 2811 with Firewall feature set

Hi all,

I’ve inherited a 2811 router with a firewall feature pack from a previous support guy and it looks in a bit of a mess.

I'm having problems RDPing out through our 2811 with firewall feature set. I have a route map pointing to an access list permit ip internal-network any. There's another access list on the inside interface in, permit ip any any. I've attached my cleaned config. Any ideas how to get RDP working?

Also, since a recent save of the config, lots of the remarks in the access-lists seem to repeat themselves. Any ideas why?

Regards

Egg

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cannot RDP out through a 2811 with Firewall feature set

Can you please change the following ACL line for "adsl24outgoing" ACL:

FROM:

permit tcp 0.0.0.0 255.255.255.0 any eq 3389

TO:

permit tcp any any eq 3389

Please kindly make sure that when you change the ACL, it's above the "deny ip any any" rule for "adsl24outgoing" ACL.
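The following sketch is an added illustration, not part of the original thread. It models IOS wildcard-mask matching and first-match ACL evaluation to show why the original entry never matched an inside host and why the corrected entry must sit above "deny ip any any". The packet addresses are constructed, and the parser handles only the entry syntax quoted in this thread.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(ip, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means "ignore this bit"."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(base) & care)

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse the subset used in this thread: action proto src dst [eq port]."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl:
        action, a_proto, src, dst, port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if not wildcard_match(src_ip, *src) or not wildcard_match(dst_ip, *dst):
            continue
        if port is not None and port != dst_port:
            continue
        return action, line
    return "deny", "(implicit deny)"

# Constructed test packet: inside host 192.168.1.10 -> RDP server 203.0.113.5
PKT = ("tcp", "192.168.1.10", "203.0.113.5", 3389)
BEFORE = ["permit tcp 0.0.0.0 255.255.255.0 any eq 3389", "deny ip any any"]
AFTER = ["permit tcp any any eq 3389", "deny ip any any"]
MISORDERED = ["deny ip any any", "permit tcp any any eq 3389"]

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        print(name, evaluate(acl, *PKT))
```

With the wildcard 255.255.255.0 only the last octet is compared, so the original entry matches only sources ending in .0 and the RDP packet falls through to the deny.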

7 REPLIES
Cisco Employee

Re: Cannot RDP out through a 2811 with Firewall feature set

Can you please reattach the config, as it didn't get attached to your initial post.

Do you have NAT configured for the RDP traffic (TCP/3389)?

Where does the RDP fail? Prior to authentication or after it authenticates? Are you able to telnet on port 3389 to the RDP server?

Assuming that you can RDP from the same subnet, do you have any Windows firewall on the host that might prevent RDP from a different subnet?

New Member

Re: Cannot RDP out through a 2811 with Firewall feature set

Sorry, I'll try again.

New Member

Re: Cannot RDP out through a 2811 with Firewall feature set

Thanks Halijenn,

Schoolboy error, the subnet mask should've been reversed, yeah?

What do you make of the remarks repeating themselves in the access lists?

Regards

Egg

Cisco Employee

Re: Cannot RDP out through a 2811 with Firewall feature set

The remarks seem to have been added by SDM automatically.

I would suggest that you check the line# for each ACL, for example ACL 109:

sh ip access-list 109

Then for those duplicated remarks just check out the line#, and remove it as follows:

ip access-list extended 109
     no <line#>
     no <line#>
etc ....

New Member

Re: Cannot RDP out through a 2811 with Firewall feature set

Hi halijenn,

Yeah, I already thought of that but remarks don't show up as line# in the sho ip access-list adsl24external command. Only the permit and deny statements. How would I remove the remarks?

Regards

Egg

Cisco Employee

Re: Cannot RDP out through a 2811 with Firewall feature set

In that case, you would need to remove the complete ACL with a no statement, and reconfigure it without the remarks.

However, please be very careful when you remove the ACL. I would suggest that you perform the change after hours and through a console session; otherwise, you might lock yourself out from accessing the router (via ssh or telnet).
