Solved: Allowing rdp through zone-based firewall

mbluemel · ‎08-09-2012

I hope someone can help me. I have a customer with an 877ISR with zone base firewall.

They want to access two servers on the inside from the internet using RDP but with different ports.

Partial configuration if anyone can tell me where I am going wrong.

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ppp chap password 7 151019030E253F2B3B203C

ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxx password 7 06041D2E46411D1616041B

!

interface BVI1

description $ES_LAN$$FW_INSIDE$

ip address 192.168.7.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

class-map type inspect match-all ccp-protocol-rdp

match access-group 101

policy-map type inspect ccp-permit-in

class type inspect ccp-protocol-rdp

inspect

class class-default

drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-out-in source out-zone destination in-zone

service-policy type inspect ccp-permit-in

ip nat inside source static tcp 192.168.7.100 3389 interface Dialer0 33888

ip nat inside source static tcp 192.168.7.121 3389 interface Dialer0 3390

access-list 101 permit tcp host <dialer0 address> any eq 33888

access-list 101 permit tcp host <dialer0 address> any eq 3390

Karsten Iwen · ‎08-09-2012

I also had to recall the NAT-order-of operation. From outside-to-inside, NAT comes before inspection. Your ACL has to be:

access-list 101 permit tcp any host 192.168.7.100 eq 3389

access-list 101 permit tcp any host 192.168.7.121 eq 3389

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Karsten Iwen · ‎08-09-2012

The source- and destination addresses in your ACL 101 have to be reversed. The source is any and the destination is your dialer0-IP.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

mbluemel · ‎08-09-2012

Thanks for the quick reply

Sorry typo when I put the config up. It is actually

access-list 101 permit tcp any host eq 33888

access-list 101 permit tcp any host eq 3390

I cannot understand why it doesnt work as it seems quite simple.

Karsten Iwen · ‎08-09-2012

I also had to recall the NAT-order-of operation. From outside-to-inside, NAT comes before inspection. Your ACL has to be:

access-list 101 permit tcp any host 192.168.7.100 eq 3389

access-list 101 permit tcp any host 192.168.7.121 eq 3389

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

mbluemel · ‎08-09-2012

Hey thanks Karsten. I thought it was close but I just couldnt get it right. Working a treat now.Thanks very much for your prompt help. Happy customers are always good.