Enabling RDP connection from outside IP to one device on network Cisco 877

davidmitchell1
Level 1

Hi,

This is the first Cisco router I have built. I am sort of jumping between CCP and PuTTY, and I have pretty much got it working the way I want, except that I need to allow RDP to one device on the network. I have placed my config below and blanked out passwords and IPs etc.

To start with I just want to get the RDP connection working, I can then lock it down so only one external IP can connect in.

The internal IP I want to connect to is 192.168.99.7

First of all, I have already got a NAT rule set up (where 77.77.77.77 is just an example IP for the purposes of this query). This NAT allows the device to use that external IP outbound (as it needs to connect to an external device that only accepts connections from that IP).

ip nat inside source static 192.168.99.7 77.77.77.77

My first question is, do I also need to create an inbound NAT rule such as the following?

ip nat inside source static tcp 192.168.99.7 3389 77.77.77.77 3389

or does the first NAT rule I have cover that already?

Secondly, I am going to need to allow port 3389 inbound on my router. I was struggling to do this in CCP because I couldn't quite figure out how to create a user-defined port (as 3389 is not on the list of defaults).

How would I do this via command line?

Finally, I would then need to lock it down so just one external IP would be allowed to RDP to this device, but I can cross that bridge when I get there.

Any help would be much appreciated.

Thanks

David

Building configuration...

Current configuration : 8761 bytes
!
! Last configuration change at 11:18:02 UTC Thu Sep 19 2013 by *
! NVRAM config last updated at 11:23:37 UTC Thu Sep 19 2013 by *
! NVRAM config last updated at 11:23:37 UTC Thu Sep 19 2013 by *
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1182812878
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1182812878
revocation-check none
rsakeypair TP-self-signed-1182812878
!
!
crypto pki certificate chain TP-self-signed-1182812878
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313832 38313238 3738301E 170D3133 30393131 31343337
  33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31383238
  31323837 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DA35 CC5DFFB8 91390002 86C033E7 811D4FE3 E3DF9020 50A41D7F 7DE64395
  5F627432 683D4D9E 1625C4EC 1EE90A24 E166A011 837CE613 4ED092B6 B2FA9F71
  543009A5 E5DCE7D6 ACB0DDD8 E49CDFA3 21E127A8 0ED961EC F1279C08 0635D0DF
  3FDC73D7 1A5F1704 EE9250C2 B66747EF 86CEB3AE 28669F1B 6E80B8FB 4155AABC
  8CEF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14A371E0 4CF9EE5E ABA8466F DFEBC167 725B6F42 0C301D06
  03551D0E 04160414 A371E04C F9EE5EAB A8466FDF EBC16772 5B6F420C 300D0609
  2A864886 F70D0101 05050003 81810082 D8940AF2 10AEA426 96789F16 746B63AB
  C1D4B3AF 2743E3A9 52C4CD9A 736755E9 F66B3E47 A5DCB92E 8137D59D 6B3168E1
  46B671FA CDBCF1C9 A7D0A78D C09C038C 8A048938 6F8A9A30 1B4C488E 5496F714
  F5FB6D88 79A4AE2C 89EE86AE 399A2CC6 A1980BBC 5F86375B 98A7C61B 5690F0A2
  B05906CB 00C3CDF5 EE37CD7B 90EFA1
   quit
ip source-route
!
!
!
ip dhcp excluded-address 192.168.99.1 192.168.99.20
!
ip dhcp pool edi-client-dhcp
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 83.170.69.2 83.170.63.2
domain-name *
lease 8
!
!
ip cef
ip name-server *.*.*.*
ip name-server *.*.*.*
no ipv6 cef
!
!
password encryption aes
license udi pid CISCO887VA-K9 sn FCZ1648C23R
!
!
username * privilege 15 password *
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect SDM_GRE
  pass
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
  pass
class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
fair-queue
hold-queue 100 out
!
interface ATM0
ip address *.*.*.* 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.99.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname *@hg43.btclick.com
ppp chap password *
ppp pap sent-username *@hg43.btclick.com password *
ppp ipcp dns request
ppp ipcp wins accept
ppp ipcp mask request
ppp ipcp route default
ppp ipcp address accept
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.99.5 *.*.*.*
ip nat inside source static 192.168.99.6 *.*.*.*
ip nat inside source static 192.168.99.7 *.*.*.*
ip nat inside source static 192.168.99.8 *.*.*.*
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.99.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq 22
access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq 443
access-list 101 permit tcp 192.168.99.0 0.0.0.255 host 192.168.99.1 eq cmd
access-list 101 deny   tcp any host 192.168.99.1 eq telnet
access-list 101 deny   tcp any host 192.168.99.1 eq 22
access-list 101 deny   tcp any host 192.168.99.1 eq www
access-list 101 deny   tcp any host 192.168.99.1 eq 443
access-list 101 deny   tcp any host 192.168.99.1 eq cmd
access-list 101 deny   udp any host 192.168.99.1 eq snmp
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.99.0 0.0.0.255 any
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 102 in
exec-timeout 120 0
password 7 11282A0A191B083F07382E332C213C341615300A19775554
login local
length 0
transport input ssh
!
end

5 Replies

cadet alain
VIP Alumni

Hi,

Port forwarding is done with "ip nat inside source static tcp 192.168.99.7 3389 interface Dialer0 3389"

If you don't specify tcp/udp and a port, then you are opening all ports on the inside host.

As you've got a Zone-Based Firewall configured, you should do this to let any outside host connect:

ip access-list extended RDP-IN-ACL
 permit tcp any host 192.168.99.7 eq 3389
 deny ip any any

class-map type inspect RDP-IN
 match access-group RDP-IN-ACL

no policy-map type inspect ccp-pol-outToIn
policy-map type inspect ccp-pol-outToIn
 class type inspect RDP-IN
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log

Regards

Alain

Don't forget to rate helpful posts.
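Pulling the thread together, here is the complete configuration for the end state David described: RDP to 192.168.99.7 reachable from exactly one outside address. This is an added example, not Alain's reply and not the poster's running config. It assumes 77.77.77.77 is the inside-global address already mapped to 192.168.99.7 in the question, and it uses 203.0.113.10 (a documentation-range placeholder) for the single permitted external client; the ACL, class-map and policy-map names follow Alain's.

```ios
! Added example: RDP to 192.168.99.7 from one permitted outside host.
!
! --- NAT ---
! The existing one-to-one static entry translates every port in both
! directions, so inbound 77.77.77.77:3389 already reaches
! 192.168.99.7:3389. A second, port-specific entry for the same global
! address is not needed; what limits exposure is the firewall below.
ip nat inside source static 192.168.99.7 77.77.77.77
!
! Alternative, only if 192.168.99.7 does NOT need to source outbound
! traffic from 77.77.77.77: let NAT itself expose nothing but TCP/3389.
!   no ip nat inside source static 192.168.99.7 77.77.77.77
!   ip nat inside source static tcp 192.168.99.7 3389 77.77.77.77 3389
!
! --- Firewall: the single permitted RDP client ---
! 203.0.113.10 is a placeholder for the one outside address allowed in.
! For out-zone -> in-zone traffic ZBF classifies on the post-NAT
! (inside) destination, so the ACL names 192.168.99.7, not 77.77.77.77.
! The implicit deny keeps every other source out of this class.
ip access-list extended RDP-IN-ACL
 remark RDP from the one permitted management address only
 permit tcp host 203.0.113.10 host 192.168.99.7 eq 3389
!
class-map type inspect match-all RDP-IN
 match access-group name RDP-IN-ACL
 match protocol tcp
!
! Add the class to the existing out->in policy. class-default is always
! evaluated last, so the policy-map does not have to be recreated.
policy-map type inspect ccp-pol-outToIn
 class type inspect RDP-IN
  inspect
!
! Unchanged, shown for context:
!  class type inspect CCP_PPTP
!   pass
!  class class-default
!   drop log
!
! The zone-pair already carries this policy; confirm it is still bound.
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
```

Two points worth keeping in mind: the one-to-one static entry already translates every port, so the firewall policy, not NAT, is the only thing restricting what reaches the host; and because IOS always evaluates class-default last, adding the new class to the existing policy-map is sufficient, there is no need to delete and recreate it.
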

Thanks for your response Alain,

I had some trouble adding in the Zone part of the firewall, I was getting an invalid output message (see below), can you see anything I might be doing wrong?

David

HOSTNAME(config)#ip access-list extended RDP-IN-ACL
HOSTNAME(config-ext-nacl)#permit tcp any host 192.168.99.7 eq 3389
HOSTNAME(config-ext-nacl)#deny ip any any
HOSTNAME(config-ext-nacl)#class-map type inspect RDP-IN
HOSTNAME(config-cmap)#match access-group RDP-IN
                                         ^
% Invalid input detected at '^' marker.

HOSTNAME(config-cmap)#no policy-map type inspect ccp-pol-outToIn
HOSTNAME(config)#policy-map type inspect ccp-pol-outToIn
HOSTNAME(config-pmap)#class type inspect RDP-IN
HOSTNAME(config-pmap-c)#inspect
%No specific protocol or access-group configured in class RDP-IN for inspection. All packets will be dropped
HOSTNAME(config-pmap-c)#class type inspect CCP_PPTP
HOSTNAME(config-pmap-c)#pass
HOSTNAME(config-pmap-c)#class class-default
HOSTNAME(config-pmap-c)#drop log

Hi,

Sorry, I made a typo; the correct syntax is "match access-group name RDP-IN-ACL".

This should be working this time.

Regards

Alain

Don't forget to rate helpful posts.

Thanks, I was able to set up the Zone firewall now with no errors.

I am still unable to RDP to the PC within my network though. This is what my NAT rules look like now; does that look right?

The IP I want to RDP to is the external IP 99.99.99.6 (it is actually something else, but I have modified it for the public forum), so it will allow me to connect to 192.168.99.7.

Just so you are aware, 99.99.99.7 is not the same IP as my Dialer0 IP address (however, I tested both ways just in case).

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.99.5 99.99.99.5
ip nat inside source static 192.168.99.6 99.99.99.6
ip nat inside source static tcp 192.168.99.7 3389 99.99.99.7 3389
ip nat inside source static 192.168.99.8 99.99.99.8
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0

Thanks

David

Hi,

Remove your other static NAT entries and only leave the one I told you, but specifying the outside IP you want to connect to from the Internet. This IP must be reachable by your ISP, and to test it you must connect from an outside IP. If it is still failing, then add this command: ip inspect log drop-pkt, and enable logging with the following commands:

en
terminal monitor
conf t
logging on
logging monitor 6
logging console 6

Then try to connect from outside, and if you get a log from the ZBF, then it is the firewall blocking.

Regards

Alain

Don't forget to rate helpful posts.
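As an added example that is not part of Alain's reply, here is a checklist of commands for working out which stage is failing once the change is in: logging, the NAT translation, the firewall session, and reachability of the public address. It assumes the zone-pair name from the posted configuration (ccp-zp-out-zone-To-in-zone) and the 77.77.77.77 example address from the question.

```ios
! Added example: checks to run after the change (not from the thread).
!
! --- configuration mode ---
! Log firewall drops. The posted config has "no logging buffered", so
! without a buffer the drop messages are visible only on a terminal
! that has "terminal monitor" set; keep a buffer so they can be read later.
ip inspect log drop-pkt
logging buffered 16384 informational
!
! --- exec mode, after trying to RDP from the permitted outside host ---
! 1. Is the inbound translation being built? Expect an entry pairing
!    77.77.77.77:3389 with 192.168.99.7:3389.
show ip nat translations | include 3389
show ip nat statistics
!
! 2. Did the firewall accept the connection into the RDP class (an
!    active session is listed) or drop it (a %FW drop message is logged)?
show policy-map type inspect zone-pair ccp-zp-out-zone-To-in-zone sessions
show logging | include FW
!
! 3. No translation and no firewall message usually means the packets
!    never arrived: the ISP is not routing 77.77.77.77 to this router,
!    or the test was run from inside the LAN. Watch NAT live as a last
!    resort, and turn debugging off afterwards.
debug ip nat
undebug all
```

Run the test from a host outside the router, as Alain says, and make sure the address permitted in RDP-IN-ACL is the public address that host actually sources from; a translation that appears together with a firewall drop message points at the ACL or class-map, while a translation with an active session and still no desktop points at the host itself (Windows firewall or Remote Desktop disabled).
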