The router is performing PAT for internet access and I'm trying to enable it as an EZVPN server. Using the Cisco VPN client, I'm able to connect to it and bring up the tunnel. I can pass traffic over the VPN and can ping the local server, but I can't access it by RDP.
!
crypto isakmp client configuration group xxxxxxxxxxxxxx
 key xxxxxxxxxx
 dns 188.8.131.52 184.108.40.206
 pool VIKING_POOL_1
 acl 110
 max-users 6
 netmask 255.255.255.0
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group xxxxxxxxxxx
 client authentication list userlist
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-md5-hmac
!
crypto dynamic-map VIKING_INDIA_1 65535
 set transform-set ESP-3DES-SHA1
 set isakmp-profile VPNclient
 reverse-route
!
crypto map VIKING_INDIA_1 65535 ipsec-isakmp dynamic VIKING_INDIA_1
!
archive
 log config
  hidekeys
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description *****AIRTEL WAN LINK******
 ip address 122.x.x.x 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map VIKING_INDIA_1
!
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool VIKING_POOL_1 192.168.15.1 192.168.15.6
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 122.x.x.x
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.2 445 interface FastEthernet4 445
ip nat inside source list 101 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit tcp any any eq 3389
 permit tcp any any
ip access-list extended Internet-inbounf-ACL
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 0610062A45400E260C1916020D
!
scheduler max-task-time 5000
end
Although you have the "permit tcp any" rule above, I think that you need the extended ACL rule below as well.

access-list 110 permit tcp host x.x.x.x host x.x.x.x eq 3389

(Note: you will probably want to be more specific about what is allowed to RDP; allowing any host creates a security concern.)
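As an added example (not from this thread), here is a small Python check that parses the relevant lines of the config posted above and reports the static TCP port-forwards and inbound ACL entries that expose RDP and SMB to any source, which is the concern the answer raises. The config lines are copied from the post (WAN address left as the 122.x.x.x placeholder); the regexes, the RISKY_PORTS table and the audit_exposure function are my own assumptions, not a Cisco tool.

```python
import re

# Constructed sample: the NAT and ACL lines from the posted router config.
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.2 445 interface FastEthernet4 445
ip nat inside source list 101 interface FastEthernet4 overload
ip access-list extended Internet-inbound-ACL
 permit icmp any any echo
 permit esp any any
 permit tcp any any eq 3389
 permit tcp any any
"""

# Assumed table of services whose exposure to the whole internet is a known risk.
RISKY_PORTS = {3389: "RDP", 445: "SMB"}

STATIC_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)$")
ACL_HDR_RE = re.compile(r"^ip access-list extended (\S+)$")
ACE_RE = re.compile(r"^\s*permit tcp any any(?: eq (\d+))?$")  # 'any' source ACEs only


def audit_exposure(config):
    """Return (port_forwards, open_aces).

    port_forwards: static TCP NAT entries whose outside port is in RISKY_PORTS.
    open_aces: entries in named extended ACLs that permit a risky port, or all
    TCP, from any source. (The posted ACL is defined but not applied anywhere.)"""
    port_forwards, open_aces = [], []
    current_acl = None
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            inside, in_port, iface, out_port = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            if out_port in RISKY_PORTS:
                port_forwards.append((RISKY_PORTS[out_port], inside, in_port, iface, out_port))
            continue
        m = ACL_HDR_RE.match(line)
        if m:
            current_acl = m.group(1)
            continue
        if current_acl and not line.startswith(" "):
            current_acl = None  # IOS indents ACEs; an unindented line ends the ACL block
        m = ACE_RE.match(line) if current_acl else None
        if m:
            port = int(m.group(1)) if m.group(1) else None
            if port is None or port in RISKY_PORTS:
                open_aces.append((current_acl, line.strip(), "all TCP" if port is None else RISKY_PORTS[port]))
    return port_forwards, open_aces


if __name__ == "__main__":
    forwards, aces = audit_exposure(SAMPLE_CONFIG)
    for f in forwards:
        print("static NAT exposes %s: %s:%d -> %s port %d" % f)
    for a in aces:
        print("ACL %s: '%s' permits %s from any source" % a)
```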