https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408173#M308487 <HTML><HEAD></HEAD><BODY><P>Instead of configuring NAT on the ISP-device as suggested by jumora, I would do it differently: Reconfigure the ISP-modem to be a real modem (at the moment it is configured as a router) so that you have your public IP on the router. Then you can control firewalling and NAT completely on the router.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 21 Nov 2013 15:40:39 GMT Karsten Iwen 2013-11-21T15:40:39Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408171#M308484 <P>Hi,</P><P></P><P>I have a Cisco 887 behind my ISP modem.</P><P></P><P>Is setup a inbound NAT-rule to router the 3389-port to a server.</P><P></P><P>How can i setup the firewall to allow only ip address i've added in the rule?</P><P></P><P></P><P>Below you''l find my configuration:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>version 12.4</P><P>no service pad</P><P>service tcp-keepalives-in</P><P>service tcp-keepalives-out</P><P>service timestamps debug datetime msec localtime show-timezone</P><P>service timestamps log datetime msec localtime show-timezone</P><P>service password-encryption</P><P>service sequence-numbers</P><P>!</P><P>hostname Cisco877</P><P>!</P><P>boot-start-marker</P><P>boot-end-marker</P><P>!</P><P>logging buffered 51200</P><P>logging console critical</P><P>enable secret 5 $1$Zw/5$a5r6xtBQsVR40v27N1uBP/</P><P>!</P><P>no aaa new-model</P><P>clock timezone PCTime -8</P><P>clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00</P><P>!</P><P>crypto pki trustpoint TP-self-signed-3329446285</P><P> enrollment selfsigned</P><P> subject-name cn=IOS-Self-Signed-Certificate-3329446285</P><P> revocation-check none</P><P> rsakeypair TP-self-signed-3329446285</P><P>!</P><P>!</P><P>crypto pki certificate chain TP-self-signed-3329446285</P><P> certificate self-signed 01</P><P>&nbsp; 3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 </P><P>&nbsp; 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 </P><P>&nbsp; 69666963 6174652D 33333239 34343632 3835301E 170D3132 31323035 31303333 </P><P>&nbsp; 35345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 </P><P>&nbsp; 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33323934 </P><P>&nbsp; 34363238 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 </P><P>&nbsp; 81009475 F7B360BF 10A5F0F0 B031341A 5E969804 171E3070 4539CC44 3C43F4B1 </P><P>&nbsp; 9BC3050A B401D3E1 B72D7061 3EDA7ACE 69C9B97D A8110577 5465AA89 B87932D2 </P><P>&nbsp; A35208A5 C53B7967 098E0E60 CF0FFB44 DB4BB355 6A53F872 90421142 8308CE5D </P><P>&nbsp; 0D8E33E5 2C56C19B 3FD59DB1 8E816305 1A298873 2EEBB2B1 9E4EFA47 FF304797 </P><P>&nbsp; 34550203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603 </P><P>&nbsp; 551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 6779AC0C </P><P>&nbsp; F43AE5E1 134304F6 5E2A5059 02F1B711 301D0603 551D0E04 16041467 79AC0CF4 </P><P>&nbsp; 3AE5E113 4304F65E 2A505902 F1B71130 0D06092A 864886F7 0D010104 05000381 </P><P>&nbsp; 81002A9A 9F20A8FF 81B275E9 92A32D01 FEC789BB 928CCFB1 2741D3AF 17795AD5 </P><P>&nbsp; 59D56D81 4BC6A4C5 4AFF9207 DC35EA9C D93B53DE 47F315F7 A158ADB3 E6133418 </P><P>&nbsp; A678C128 79EA4643 5BA45B44 94DD42CE BC2FC144 A9406783 F9092BF5 9B37C358 </P><P>&nbsp; E273DB2F 44FFC382 1EB013A0 A01F6A3D DF7C7FA2 1DC24436 36B7F07E 1EA52843 FDA8</P><P>&nbsp;&nbsp; quit</P><P>dot11 syslog</P><P>no ip source-route</P><P>ip cef</P><P>!</P><P>!</P><P>no ip dhcp use vrf connected</P><P>!</P><P>ip dhcp pool sdm-pool1</P><P>&nbsp;&nbsp; import all</P><P>&nbsp;&nbsp; network 192.168.0.0 255.255.255.0</P><P>&nbsp;&nbsp; default-router 192.168.0.1 </P><P>&nbsp;&nbsp; dns-server 195.238.2.21 </P><P>!</P><P>!</P><P>no ip bootp server</P><P>!</P><P>multilink bundle-name authenticated</P><P>!</P><P>archive</P><P> log config</P><P>&nbsp; hidekeys</P><P>!</P><P>!</P><P>ip tcp synwait-time 10</P><P>no ip ftp passive</P><P>ip ssh time-out 60</P><P>ip ssh authentication-retries 2</P><P>!</P><P>!</P><P>!</P><P>interface BRI0</P><P> no ip address</P><P> encapsulation hdlc</P><P> shutdown</P><P>!</P><P>interface ATM0</P><P> no ip address</P><P> shutdown</P><P> no atm ilmi-keepalive</P><P> dsl operating-mode auto </P><P>!</P><P>interface FastEthernet0</P><P> description WAN_Link</P><P> switchport access vlan 2</P><P>!</P><P>interface FastEthernet1</P><P>!</P><P>interface FastEthernet2</P><P>!</P><P>interface FastEthernet3</P><P>!</P><P>interface Vlan1</P><P> description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$</P><P> ip address 192.168.0.1 255.255.255.0</P><P> no ip redirects</P><P> no ip unreachables</P><P> no ip proxy-arp</P><P> ip flow ingress</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P>!</P><P>interface Vlan2</P><P> ip address 192.168.254.2 255.255.255.0</P><P> ip nat outside</P><P> ip virtual-reassembly</P><P> crypto map SDM_CMAP_1</P><P>!</P><P>ip forward-protocol nd</P><P>ip route 0.0.0.0 0.0.0.0 192.168.254.1</P><P>!</P><P>!</P><P>ip http server</P><P>ip http authentication local</P><P>ip http secure-server</P><P>ip http timeout-policy idle 60 life 86400 requests 10000</P><P>ip nat inside source list 101 interface Vlan2 overload</P><P>ip nat inside source static tcp 192.168.0.10 3389 192.168.254.2 3389 extendable</P><P>!</P><P>logging trap debugging</P><P>access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255</P><P>access-list 101 permit ip 192.168.0.0 0.0.0.255 any</P><P>no cdp run</P><P>!</P><P>!</P><P>!</P><P>!</P><P>control-plane</P><P>!</P><P>banner login ^CCCCAuthorized access only!</P><P>Disconnect IMMEDIATELY if you are not an authorized user!</P><P>^C</P><P>!</P><P>line con 0</P><P> login local</P><P> no modem enable</P><P> transport output telnet</P><P>line aux 0</P><P> login local</P><P> transport output telnet</P><P>line vty 0 4</P><P> privilege level 15</P><P> login local</P><P> transport input telnet ssh</P><P>!</P><P>scheduler max-task-time 5000</P><P>scheduler allocate 4000 1000</P><P>scheduler interval 500</P><P>end</P></PRE> Tue, 12 Mar 2019 03:07:56 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408171#M308484 Joost Lauwen 2019-03-12T03:07:56Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408172#M308485 <HTML><HEAD></HEAD><BODY><P>Your WAN IP address is private you need to configure NAT or port forwarding on your ISP device</P><P></P><P>Value our effort and rate the assistance!</P></BODY></HTML> Thu, 21 Nov 2013 15:32:04 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408172#M308485 jumora 2013-11-21T15:32:04Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408173#M308487 <HTML><HEAD></HEAD><BODY><P>Instead of configuring NAT on the ISP-device as suggested by jumora, I would do it differently: Reconfigure the ISP-modem to be a real modem (at the moment it is configured as a router) so that you have your public IP on the router. Then you can control firewalling and NAT completely on the router.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 21 Nov 2013 15:40:39 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408173#M308487 Karsten Iwen 2013-11-21T15:40:39Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408174#M308489 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>NAT/Port Forwarding is already setup on my ISP device. The ISP is forwared all traffic to the cisco.</P><P></P><P>I now have excluded some ip addresses in Windows Firewall, but I want to do this in the cisco.</P></BODY></HTML> Thu, 21 Nov 2013 15:42:19 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408174#M308489 Joost Lauwen 2013-11-21T15:42:19Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408175#M308492 <HTML><HEAD></HEAD><BODY><P> The ISP-modem cannot be configured, because the ISP has blocked the acces to this device. That why they have forwared every traffic to my cisco.</P></BODY></HTML> Thu, 21 Nov 2013 15:43:44 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408175#M308492 Joost Lauwen 2013-11-21T15:43:44Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408176#M308494 <HTML><HEAD></HEAD><BODY><P>Check logs, if you don't see attempts getting to the ASA then traffic is not being forward.</P><P></P><P>Value our effort and rate the assistance!</P></BODY></HTML> Thu, 21 Nov 2013 16:55:35 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408176#M308494 jumora 2013-11-21T16:55:35Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408177#M308497 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>RDP traffic is forwarded to the server throught the ISP-modem and Cisco.</P><P>I want to add a rule so that RDP is firewalled in the Cisco and not with Windows Firewall.</P></BODY></HTML> Mon, 25 Nov 2013 15:01:34 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408177#M308497 Joost Lauwen 2013-11-25T15:01:34Z https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408178#M308499 <HTML><HEAD></HEAD><BODY><P>Ok Joost, </P><P></P><P>if you don´t check the logs and you don´t see hit counts on the ACL then traffic is not getting to the router but you need to follow instructions so we can help you out, did you check logs. </P><P></P><P>If you need assistance and maybe our instructions are not helping you out you should open a TAC case.</P><P></P><P>Value our effort and rate the assistance!</P></BODY></HTML> Mon, 25 Nov 2013 15:08:12 GMT https://community.cisco.com/t5/network-security/allow-ip-addresses-for-rdp/m-p/2408178#M308499 jumora 2013-11-25T15:08:12Z