Allow IP addresses for RDP

Joost Lauwen
Level 1

Hi,

I have a Cisco 887 behind my ISP modem.

I set up an inbound NAT rule to route port 3389 to a server.

How can I set up the firewall to allow only the IP addresses I've added in the rule?

Below you'll find my configuration:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$Zw/5$a5r6xtBQsVR40v27N1uBP/
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3329446285
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3329446285
 revocation-check none
 rsakeypair TP-self-signed-3329446285
!
!
crypto pki certificate chain TP-self-signed-3329446285
 certificate self-signed 01
  quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 195.238.2.21
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
 description WAN_Link
 switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.254.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.254.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Vlan2 overload
ip nat inside source static tcp 192.168.0.10 3389 192.168.254.2 3389 extendable
!
logging trap debugging
access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
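An added example, not from the original post or any of the replies, of how the restriction asked about could be expressed on the router itself: an extended ACL on the NAT outside interface (Vlan2) that admits TCP/3389 only from listed sources and drops and logs everything else aimed at that port. Inbound packets on Vlan2 are matched by the ACL before the static NAT translates them, so the destination to match is the router's outside address 192.168.254.2 from the configuration above; the permitted source addresses are placeholders taken from the documentation ranges.

```cisco
! Added example (not the poster's configuration). Source addresses are placeholders.
ip access-list extended WAN_IN
 remark -- RDP to the forwarded server: approved sources only --
 permit tcp host 203.0.113.10 host 192.168.254.2 eq 3389
 permit tcp 198.51.100.0 0.0.0.255 host 192.168.254.2 eq 3389
 remark -- any other connection attempt to TCP/3389 is dropped and logged --
 deny   tcp any host 192.168.254.2 eq 3389 log
 remark -- all other traffic stays as it is today; no stateful inspection is configured --
 permit ip any any
!
interface Vlan2
 ip access-group WAN_IN in
```

`show ip access-lists WAN_IN` shows per-entry hit counts, and the `log` keyword on the deny entry writes each blocked attempt to the buffer configured by `logging buffered` above (`show logging`), so the router itself records who is knocking on 3389.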

7 Replies

jumora
Level 7

Your WAN IP address is private; you need to configure NAT or port forwarding on your ISP device.

Value our effort and rate the assistance!

Hi,

NAT/port forwarding is already set up on my ISP device. The ISP is forwarding all traffic to the Cisco.

I have now excluded some IP addresses in Windows Firewall, but I want to do this on the Cisco.

Instead of configuring NAT on the ISP device as suggested by jumora, I would do it differently: reconfigure the ISP modem to be a real modem (at the moment it is configured as a router) so that you have your public IP on the router. Then you can control firewalling and NAT completely on the router.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

The ISP modem cannot be configured, because the ISP has blocked access to this device. That is why they have forwarded all traffic to my Cisco.

Check the logs; if you don't see attempts getting to the ASA, then traffic is not being forwarded.

Value our effort and rate the assistance!

Hi,

RDP traffic is forwarded to the server through the ISP modem and the Cisco.

I want to add a rule so that RDP is firewalled on the Cisco and not with Windows Firewall.

Ok Joost,

if you don't check the logs and you don't see hit counts on the ACL, then traffic is not getting to the router, but you need to follow the instructions so we can help you out. Did you check the logs?

If you need assistance and our instructions are not helping you out, you should open a TAC case.

Value our effort and rate the assistance!