3881 Views | 0 Helpful | 4 Replies

Allowing RDP through zone-based firewall

mbluemel (Level 1)

I hope someone can help me. I have a customer with an 877 ISR with zone-based firewall.

They want to access two servers on the inside from the internet using RDP, but with different ports.

Partial configuration, if anyone can tell me where I am going wrong:

interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 151019030E253F2B3B203C
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxx password 7 06041D2E46411D1616041B
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.7.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
class-map type inspect match-all ccp-protocol-rdp
 match access-group 101
!
policy-map type inspect ccp-permit-in
 class type inspect ccp-protocol-rdp
  inspect
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect ccp-permit-in
!
ip nat inside source static tcp 192.168.7.100 3389 interface Dialer0 33888
ip nat inside source static tcp 192.168.7.121 3389 interface Dialer0 3390
!
access-list 101 permit tcp host <dialer0 address> any eq 33888
access-list 101 permit tcp host <dialer0 address> any eq 3390


4 Replies

The source and destination addresses in your ACL 101 have to be reversed. The source is any and the destination is your Dialer0 IP.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks for the quick reply.

Sorry, typo when I put the config up. It is actually:

access-list 101 permit tcp any host eq 33888
access-list 101 permit tcp any host eq 3390

I cannot understand why it doesn't work, as it seems quite simple.

(Accepted solution)

I also had to recall the NAT order of operations. From outside to inside, NAT comes before inspection. Your ACL has to be:

access-list 101 permit tcp any host 192.168.7.100 eq 3389
access-list 101 permit tcp any host 192.168.7.121 eq 3389

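The order-of-operations point from the accepted answer, carried through as one complete outside-to-inside RDP port-forward. This is an added example, not the poster's config and not Karsten's reply: it reuses the addresses and object names from the thread (192.168.7.100, 192.168.7.121, Dialer0, ccp-protocol-rdp, ccp-zp-out-in) and adds `match protocol tcp`, `drop log`, and an optional source restriction. The management address 203.0.113.10 in the commented-out lines is an assumption made for illustration. The `show` commands at the end are the checks to run while a client is connecting.

```cisco
! Added example: outside-to-inside RDP port-forward through IOS zone-based firewall.
! Built from the addresses in this thread; not the original poster's configuration.
!
! 1. Static PAT. Public port 33888 -> 192.168.7.100:3389, public port 3390 -> 192.168.7.121:3389.
ip nat inside source static tcp 192.168.7.100 3389 interface Dialer0 33888
ip nat inside source static tcp 192.168.7.121 3389 interface Dialer0 3390
!
! 2. ACL used by the inspect class-map. For packets arriving on Dialer0 (out-zone -> in-zone)
!    NAT runs BEFORE inspection, so the ACL sees the already-untranslated packet:
!    destination = the inside server address, destination port = the real 3389.
!    Matching the Dialer0 address or the public ports 33888/3390 here never hits.
access-list 101 remark RDP port-forwards, evaluated AFTER static NAT (inside addr, port 3389)
access-list 101 permit tcp any host 192.168.7.100 eq 3389
access-list 101 permit tcp any host 192.168.7.121 eq 3389
!
! 3. match-all class: TCP and the ACL. Only those two sockets are inspected;
!    anything else from out-zone falls into class-default and is dropped and logged.
class-map type inspect match-all ccp-protocol-rdp
 match protocol tcp
 match access-group 101
!
policy-map type inspect ccp-permit-in
 class type inspect ccp-protocol-rdp
  inspect
 class class-default
  drop log
!
! 4. Zones and the out -> in zone-pair. Dialer0 is already zone-member out-zone and
!    BVI1 zone-member in-zone in the thread's interface configuration.
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect ccp-permit-in
!
! Optional hardening (assumption: 203.0.113.10 is the customer's fixed management address).
! Replace the "any" source so RDP on 192.168.7.100/121 is not reachable from the whole internet:
! no access-list 101
! access-list 101 permit tcp host 203.0.113.10 host 192.168.7.100 eq 3389
! access-list 101 permit tcp host 203.0.113.10 host 192.168.7.121 eq 3389
!
! Verification from enable mode while a client connects to <Dialer0 address>:33888
! show ip nat translations
!   expect a tcp entry with inside local 192.168.7.100:3389 and inside global <Dialer0 address>:33888
! show policy-map type inspect zone-pair ccp-zp-out-in sessions
!   expect an established session in class ccp-protocol-rdp
! show ip access-lists 101
!   the hit counter on the "host 192.168.7.100 eq 3389" line should increase
```

If `show ip nat translations` shows the entry but the zone-pair shows no session, the ACL is still being matched on pre-NAT fields; if the translation itself is missing, the problem is the NAT statement or the PPP address, not the firewall policy.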

Hey, thanks Karsten. I thought it was close but I just couldn't get it right. Working a treat now. Thanks very much for your prompt help. Happy customers are always good.
