Cisco Support Community
Port 3389 router 831 SDM

Why is this not working from the outside?

Ole

!This is the running config of the router: 10.10.10.1
!-
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxx
!
username administrator privilege 15 secret 5 xxxxxxxxxxxxx
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
ip domain name aofnord.dk
ip name-server 10.10.10.15
no ip bootp server
ip cef
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no cdp enable
!
interface Ethernet1
description $ES_WAN$$FW_OUTSIDE$
ip address 68.68.68.68 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.68.68.67
ip route 10.10.20.0 255.255.255.0 10.10.10.10 permanent
ip route 10.10.30.0 255.255.255.0 10.10.10.10 permanent
ip route 10.10.40.0 255.255.255.0 10.10.10.10 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.5 3389 interface Ethernet1 3389
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark Permit NAT Passthrough
access-list 2 remark SDM_ACL Category=1
access-list 2 remark Public IP Address
access-list 2 permit 68.68.68.68
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 68.68.68.67 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 10.10.10.15 eq domain host 68.68.68.68
access-list 101 permit tcp host 10.10.10.5 eq 3389 host 68.68.68.68
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 68.68.68.68 echo-reply
access-list 101 permit icmp any host 68.68.68.68 time-exceeded
access-list 101 permit icmp any host 68.68.68.68 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
no cdp run
!
end

1 REPLY
Re: Port 3389 router 831 SDM

Check this site:

http://www.cisco.com/warp/public/556/5.html

It could be your order of operations: because you are not using CBAC on the inside interface, and you have a deny in the ACL, it may be that you are dropping it as it gets NATted before the ACL. What are you seeing in the logs of the router?

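To make the order-of-operations point concrete, here is an added example (not from the original post or the reply) that walks a constructed inbound RDP connection attempt through the posted ACL 101 and the posted static NAT entry in the order IOS applies them on an "ip nat outside" interface: the inbound access list is evaluated before the outside-to-inside translation, so the ACL sees the packet addressed to the public address 68.68.68.68, never to 10.10.10.5. The client address 198.51.100.7 and the alternative ACE `permit tcp any host 68.68.68.68 eq 3389` are assumptions made for the example; the ACL lines and the NAT statement are the ones in the posted config. The parser only understands the ACE syntax that appears in that config (ICMP message types are accepted but not modelled).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS prints instead of numbers (only the one used in the posted ACL).
PORT_NAMES = {"domain": 53}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]          # set only when "eq <port>" follows the source
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # set only when "eq <port>" follows the destination
    text: str                     # original line, reported when this entry matches


def _addr(t, i):
    """Parse one IOS address spec at t[i]: 'any', 'host A', or 'A wildcard'."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host mask) after the slash, e.g. 10.10.10.0/0.0.0.255
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t, i):
    """Parse an optional 'eq <port>' at t[i]; port names are mapped via PORT_NAMES."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    t = line.split()
    if t[0] == "access-list":        # drop "access-list <number>"
        t = t[2:]
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)           # anything left (ICMP types) is ignored
    return Ace(t[0], t[1], src, sport, dst, dport, line.strip())


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt):
    """First-match evaluation, with the implicit deny that ends every IOS ACL."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


def outside_to_inside(acl, pkt, static_nat):
    """Ethernet1 inbound: the ACL runs first (pre-NAT), then the static translation."""
    action, hit = evaluate(acl, pkt)
    if action == "deny":
        return "dropped", hit, pkt
    local = static_nat.get((pkt.proto, pkt.dst, pkt.dport))
    if local is None:
        return "forwarded", hit, pkt            # no translation: still addressed to the router
    return "forwarded", hit, Packet(pkt.proto, pkt.src, pkt.sport, local[0], local[1])


# ACL 101 exactly as posted (remark lines omitted).
ACL_101_AS_POSTED = [parse_ace(l) for l in """
access-list 101 permit udp host 10.10.10.15 eq domain host 68.68.68.68
access-list 101 permit tcp host 10.10.10.5 eq 3389 host 68.68.68.68
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host 68.68.68.68 echo-reply
access-list 101 permit icmp any host 68.68.68.68 time-exceeded
access-list 101 permit icmp any host 68.68.68.68 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
""".strip().splitlines()]

# Assumed alternative for the second entry, written in pre-NAT terms (my suggestion, not the page's).
FIXED_3389 = "access-list 101 permit tcp any host 68.68.68.68 eq 3389"
ACL_101_FIXED = ACL_101_AS_POSTED[:1] + [parse_ace(FIXED_3389)] + ACL_101_AS_POSTED[2:]

# From "ip nat inside source static tcp 10.10.10.5 3389 interface Ethernet1 3389".
STATIC_NAT = {("tcp", "68.68.68.68", 3389): ("10.10.10.5", 3389)}

# Constructed packet: an Internet client's SYN to the public address, as Ethernet1 receives it.
INBOUND_RDP = Packet("tcp", "198.51.100.7", 51234, "68.68.68.68", 3389)

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_101_AS_POSTED), ("with pre-NAT entry", ACL_101_FIXED)):
        verdict, hit, final = outside_to_inside(acl, INBOUND_RDP, STATIC_NAT)
        print(f"{label}: {verdict} by '{hit}' -> {final.dst}:{final.dport}")
```

Run as posted, the SYN falls through to `deny ip any any`: the second entry describes traffic sourced from 10.10.10.5 port 3389, which never arrives inbound on Ethernet1, so nothing in the list permits the client's connection before the final deny. With the entry rewritten against the public address and destination port, the ACL permits the packet and the static translation then rewrites it to 10.10.10.5:3389. Narrowing `any` to the client networks that legitimately need RDP is the tighter form of the same entry. Either way, `log` on the final deny (or `show ip access-lists` hit counters) would show this directly, which is what the reply is asking for.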