08-09-2012 04:07 AM - edited 03-11-2019 04:40 PM
I hope someone can help me. I have a customer with an 877 ISR with a zone-based firewall.
They want to access two servers on the inside from the internet using RDP but with different ports.
Partial configuration below; can anyone tell me where I am going wrong?
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 151019030E253F2B3B203C
ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxx password 7 06041D2E46411D1616041B
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.7.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
class-map type inspect match-all ccp-protocol-rdp
match access-group 101
policy-map type inspect ccp-permit-in
class type inspect ccp-protocol-rdp
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-in
ip nat inside source static tcp 192.168.7.100 3389 interface Dialer0 33888
ip nat inside source static tcp 192.168.7.121 3389 interface Dialer0 3390
access-list 101 permit tcp host <dialer0 address> any eq 33888
access-list 101 permit tcp host <dialer0 address> any eq 3390
08-09-2012 04:20 AM
The source and destination addresses in your ACL 101 have to be reversed. The source is any and the destination is your Dialer0 IP.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-09-2012 04:39 AM
Thanks for the quick reply.
Sorry, typo when I put the config up. It is actually:
access-list 101 permit tcp any host
access-list 101 permit tcp any host
I cannot understand why it doesn't work, as it seems quite simple.
08-09-2012 06:18 AM
I also had to recall the NAT order of operation. From outside to inside, NAT comes before inspection. Your ACL has to be:
access-list 101 permit tcp any host 192.168.7.100 eq 3389
access-list 101 permit tcp any host 192.168.7.121 eq 3389
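To see why this fix works, here is a small Python model of the zone-based firewall's out-to-in path (an added example, not code from the thread or from Cisco): the static PAT rewrites the destination first, so the ACL behind the inspect class-map sees 192.168.7.x:3389, not the Dialer0 address and the outside port. The inside addresses and ports are the ones posted above; the Dialer0 public address and the remote client address are constructed placeholders, since the real one is negotiated over PPP.

```python
# Added model of IOS ZBF ordering for outside->inside traffic: NAT, then inspect.
# Inside hosts/ports are from the thread; the Dialer0 IP is a constructed placeholder.
DIALER0_IP = "203.0.113.10"  # placeholder (TEST-NET-3) for the negotiated address

# ip nat inside source static tcp <inside ip> <inside port> interface Dialer0 <outside port>
STATIC_PAT = [
    ("192.168.7.100", 3389, 33888),
    ("192.168.7.121", 3389, 3390),
]

def untranslate(dst_ip, dst_port):
    """Apply the static PAT to an inbound packet's destination (outside -> inside)."""
    if dst_ip == DIALER0_IP:
        for inside_ip, inside_port, outside_port in STATIC_PAT:
            if dst_port == outside_port:
                return inside_ip, inside_port
    return dst_ip, dst_port  # no matching entry: destination is left untouched

def _addr(tok, i):
    """Parse one ACL address operand ('any' or 'host X'); return (value, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported ACL operand: {tok[i]}")

def parse_acl(lines):
    """Parse 'access-list N permit tcp <src> <dst> [eq <port>]' into (src, dst, port)."""
    entries = []
    for line in lines:
        tok = line.split()          # tok[0..3] = access-list, number, permit, tcp
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append((src, dst, port))
    return entries

def acl_permits(entries, src_ip, dst_ip, dst_port):
    """True if any permit entry matches; None stands for 'any'."""
    return any((s is None or s == src_ip) and (d is None or d == dst_ip)
               and (p is None or p == dst_port) for s, d, p in entries)

def zbf_out_to_in(acl_lines, src_ip, dst_ip, dst_port):
    """Out->in: translate first, then the inspect class-map ACL sees the translated tuple."""
    t_ip, t_port = untranslate(dst_ip, dst_port)
    return acl_permits(parse_acl(acl_lines), src_ip, t_ip, t_port)

# ACL written against the pre-NAT tuple (what the poster had) vs. the post-NAT fix.
ACL_PRE_NAT = [f"access-list 101 permit tcp any host {DIALER0_IP} eq 33888",
               f"access-list 101 permit tcp any host {DIALER0_IP} eq 3390"]
ACL_POST_NAT = ["access-list 101 permit tcp any host 192.168.7.100 eq 3389",
                "access-list 101 permit tcp any host 192.168.7.121 eq 3389"]
```

With the pre-NAT ACL every inbound RDP session falls through to class-default and is dropped; with the post-NAT ACL only the two translated destinations are inspected and everything else, including a probe to the Dialer0 address on 3389 itself, is still dropped.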
08-09-2012 07:16 AM
Hey, thanks Karsten. I thought it was close but I just couldn't get it right. Working a treat now. Thanks very much for your prompt help. Happy customers are always good.