https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951310#M401025 <HTML><HEAD></HEAD><BODY><P>Thanks for the quick reply </P><P></P><P>Sorry typo when I put the config up. It is actually </P><P></P><P>access-list 101 permit tcp any host <DIALER0 ip=""> eq 33888</DIALER0></P><P>access-list 101 permit tcp any host <DIALER0 ip=""> eq 3390</DIALER0></P><P></P><P>I cannot understand why it doesnt work as it seems quite simple.</P></BODY></HTML> Thu, 09 Aug 2012 11:39:01 GMT mbluemel 2012-08-09T11:39:01Z https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951308#M401022 <P>I hope someone can help me. I have a customer with an 877ISR with zone base firewall.</P><P>They want to access two servers on the inside from the internet using RDP but with different ports.</P><P>Partial configuration if anyone can tell me where I am going wrong.</P><P></P><P>interface Dialer0</P><P> description $FW_OUTSIDE$</P><P> ip address negotiated</P><P> no ip redirects</P><P> no ip unreachables</P><P> no ip proxy-arp</P><P> ip flow ingress</P><P> ip nat outside</P><P> ip virtual-reassembly</P><P> zone-member security out-zone</P><P> encapsulation ppp</P><P> dialer pool 1</P><P> dialer-group 1</P><P> ppp authentication chap pap callin</P><P> ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</P><P> ppp chap password 7 151019030E253F2B3B203C</P><P> ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxx password 7 06041D2E46411D1616041B</P><P>!</P><P>interface BVI1</P><P> description $ES_LAN$$FW_INSIDE$</P><P> ip address 192.168.7.1 255.255.255.0</P><P> no ip redirects</P><P> no ip unreachables</P><P> no ip proxy-arp</P><P> ip flow ingress</P><P> ip nat inside</P><P> ip virtual-reassembly</P><P> zone-member security in-zone</P><P></P><P>class-map type inspect match-all ccp-protocol-rdp</P><P> match access-group 101</P><P></P><P>policy-map type inspect ccp-permit-in </P><P> class type inspect ccp-protocol-rdp</P><P>&nbsp; inspect</P><P> class class-default</P><P>&nbsp; drop</P><P>!</P><P>zone security out-zone</P><P>zone security in-zone</P><P>zone-pair security ccp-zp-out-in source out-zone destination in-zone</P><P> service-policy type inspect ccp-permit-in</P><P></P><P>ip nat inside source static tcp 192.168.7.100 3389 interface Dialer0 33888</P><P>ip nat inside source static tcp 192.168.7.121 3389 interface Dialer0 3390</P><P></P><P>access-list 101 permit tcp host &lt;dialer0 address&gt; any eq 33888</P><P>access-list 101 permit tcp host &lt;dialer0 address&gt; any eq 3390</P> Mon, 11 Mar 2019 23:40:15 GMT https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951308#M401022 mbluemel 2019-03-11T23:40:15Z https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951309#M401023 <HTML><HEAD></HEAD><BODY><P>The source- and destination addresses in your ACL 101 have to be reversed. The source is any and the destination is your dialer0-IP.</P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 09 Aug 2012 11:20:46 GMT https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951309#M401023 Karsten Iwen 2012-08-09T11:20:46Z https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951310#M401025 <HTML><HEAD></HEAD><BODY><P>Thanks for the quick reply </P><P></P><P>Sorry typo when I put the config up. It is actually </P><P></P><P>access-list 101 permit tcp any host <DIALER0 ip=""> eq 33888</DIALER0></P><P>access-list 101 permit tcp any host <DIALER0 ip=""> eq 3390</DIALER0></P><P></P><P>I cannot understand why it doesnt work as it seems quite simple.</P></BODY></HTML> Thu, 09 Aug 2012 11:39:01 GMT https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951310#M401025 mbluemel 2012-08-09T11:39:01Z https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951311#M401027 <HTML><HEAD></HEAD><BODY><P>I also had to recall the NAT-order-of operation. From outside-to-inside, NAT comes before inspection. Your ACL has to be:</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><SPAN style="font-family: 'courier new', courier;">access-list 101 permit tcp any host 192.168.7.100 eq 3389</SPAN></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;"><SPAN style="font-family: 'courier new', courier;">access-list 101 permit tcp any host 192.168.7.121 eq 3389</SPAN></P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni" rel="nofollow">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Thu, 09 Aug 2012 13:18:41 GMT https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951311#M401027 Karsten Iwen 2012-08-09T13:18:41Z https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951312#M401029 <HTML><HEAD></HEAD><BODY><P> Hey thanks Karsten. I thought it was close but I just couldnt get it right. Working a treat now.Thanks very much for your prompt help. Happy customers are always good.</P></BODY></HTML> Thu, 09 Aug 2012 14:16:10 GMT https://community.cisco.com/t5/network-security/allowing-rdp-through-zone-based-firewall/m-p/1951312#M401029 mbluemel 2012-08-09T14:16:10Z