how to allow remote desktop from outside to inside?

rechard_hk
Level 1

Dear all,

I have a Cisco router 2821 and a switch 3560G.

The 2821 has the internet connection and connects to the switch 3560G.

On the switch 3560G I created 2 VLANs (one for servers and the other one for clients).

On the 2821:

Gi0/0: 203189.12.10

Gi0/1: 10.10.101

On the switch 3560G:

G0/1: 10.10.10.2, connected to the router 2821.

VLAN: 20.20.20.1, server VLAN

VLAN: 30.30.30.1, client VLAN

So I would like to allow Remote Desktop and SMTP, POP3 from outside to inside (20.20.20.10)?

1- How can we configure the router?

2- How about the switch 3560G: do we just do routing only, or do we need to add ip nat .......?

Best Regards,

Rechard


4 Replies

Ganesh Hariharan
VIP Alumni

Hi Rechard,

NAT the server (20.20.20.10) in the router with a public IP, allowing the RDP, SMTP and POP3 ports open.

Hope to help !!

Ganesh.H

Remember to rate the helpful post

Dear Ganesh.H,

It should be like this?

ip nat inside source static tcp 20.20.20.10 25 interface GigabitEthernet0/0 25 extendable

ip nat inside source static tcp 20.20.20.10 110 interface GigabitEthernet0/0 110 extendable

access-list 103 permit tcp any eq smtp host 20.20.20.10 eq smtp
access-list 103 permit tcp any eq pop3 host 20.20.20.10 eq pop3

Best Regards,

Rechard

Hi Rechard,

The following configuration will be done for users to access the local LAN server on the SMTP/POP3 ports. As it will be from the internet, that means anybody can connect to your server; I don't think an ACL is required.

ip nat inside source static 20.20.20.10 172.16.131.1 (public ip)
interface e 0
 ip address 20.20.20.254 255.255.255.0
 ip nat inside

interface s 0
 ip address 172.16.130.2 255.255.255.0
 ip nat outside

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

Hope to help !!

Ganesh.H

Remember to rate the helpful post

Hello,

I am assuming that you have not configured CBAC or ZBF on the router. With that assumption, I would suggest you configure access-lists that allow return traffic from the internet to your internal hosts (if they are browsing via the router). Also, the access-list is slightly off in that the source port will not be SMTP or POP3 when you are accessing the servers.

ip nat inside source static tcp 20.20.20.10 25 interface GigabitEthernet0/0 25 extendable

ip nat inside source static tcp 20.20.20.10 110 interface GigabitEthernet0/0 110 extendable

access-list 103 permit tcp any host 20.20.20.10 eq smtp
access-list 103 permit tcp any host 20.20.20.10 eq pop3

access-list 103 permit tcp any any ack

access-list 103 deny tcp any any syn

access-list 103 permit ip any any

With this, all the return traffic will be allowed (even though this allows UDP/ICMP seamlessly, you can restrict them also if you like) without any issues. Hope this helps.

Regards,

NT
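Added example, not from any of the posts above: a complete configuration for the topology in the question, covering what both replies leave implicit. The public address 203.0.113.10/24 (the question's address is garbled), the ISP next hop 203.0.113.1, the router inside address 10.10.10.1 and a management network 198.51.100.0/24 that is allowed to reach RDP are assumptions chosen for illustration. Two points a practitioner should check against the thread's ACLs: `ip nat inside source static tcp` takes the local port before the `interface` keyword, and an inbound ACL on the `ip nat outside` interface is evaluated before the global-to-local translation, so it must match the router's public address, not 20.20.20.10. The 3560G only routes between the VLANs and the router; no NAT is needed there.

```cisco
! Added example (not from the thread). Assumptions, not stated in the thread:
!   - Gi0/0 public address 203.0.113.10/24, ISP next hop 203.0.113.1
!   - Gi0/1 inside address 10.10.10.1/24 (the question's "10.10.101")
!   - management network 198.51.100.0/24 is the only RDP source allowed
!
! ===== Router 2821 =====
! Inbound ACL on the NAT outside interface is checked BEFORE the
! global-to-local translation, so it must match the public address.
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
 ip access-group 103 in
!
interface GigabitEthernet0/1
 description To 3560G Gi0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Default route to the ISP; the two VLANs live behind the switch.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 20.20.20.0 255.255.255.0 10.10.10.2
ip route 30.30.30.0 255.255.255.0 10.10.10.2
!
! Outbound PAT so clients and servers can reach the internet.
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 20.20.20.0 0.0.0.255
access-list 1 permit 30.30.30.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Static port forwards to the mail/RDP server (local port comes first).
! "extendable" lets several static entries share the interface address.
ip nat inside source static tcp 20.20.20.10 25   interface GigabitEthernet0/0 25   extendable
ip nat inside source static tcp 20.20.20.10 110  interface GigabitEthernet0/0 110  extendable
ip nat inside source static tcp 20.20.20.10 3389 interface GigabitEthernet0/0 3389 extendable
!
! Inbound filter on Gi0/0. Destination is the pre-NAT public address.
access-list 103 remark --- published services on the mail server ---
access-list 103 permit tcp any host 203.0.113.10 eq smtp
access-list 103 permit tcp any host 203.0.113.10 eq pop3
access-list 103 remark --- RDP only from the management network ---
access-list 103 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 3389
access-list 103 remark --- return traffic for sessions started inside ---
access-list 103 permit tcp any host 203.0.113.10 established
access-list 103 permit udp any eq domain host 203.0.113.10
access-list 103 permit icmp any host 203.0.113.10 echo-reply
access-list 103 permit icmp any host 203.0.113.10 unreachable
access-list 103 permit icmp any host 203.0.113.10 time-exceeded
! everything else is dropped by the implicit deny at the end of the list
!
! ===== Switch 3560G (routing only, no NAT) =====
ip routing
!
interface GigabitEthernet0/1
 description To 2821 Gi0/1
 no switchport
 ip address 10.10.10.2 255.255.255.0
!
interface Vlan20
 description Server VLAN
 ip address 20.20.20.1 255.255.255.0
!
interface Vlan30
 description Client VLAN
 ip address 30.30.30.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
```

`established` matches segments with the ACK or RST bit set, so it is the same stateless trick as the `ack`/`syn` pair in the accepted answer and can be spoofed; CBAC or ZBF, which the accepted answer assumes are not in use, is the stateful alternative. Compared with the thread's trailing `permit ip any any`, this list ends on the implicit deny, so UDP and ICMP are limited to DNS replies and the ICMP types needed for path MTU and traceroute. Exposing RDP to the whole internet is the main risk in the original request, hence the source restriction on port 3389. Verify with `show ip nat translations` and `show access-lists 103` while a client connects from outside.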
