06-23-2010 04:23 AM - edited 03-11-2019 11:02 AM
Hi all,
I’ve inherited a 2811 router with a firewall feature pack from a previous support guy and it looks in a bit of a mess.
I'm having problems RDPing out through our 2811 with firewall feature set. I have a route map pointing to an access list permit ip internal-network any. There's another access list on the inside interface in, permit ip any any. I've attached my cleaned config. Any ideas how to get RDP working?
Also, since a recent save of the config, lots of the remarks in the access-lists seem to repeat themselves. Any ideas why?
Regards
Egg
06-23-2010 04:47 AM
Can you please reattach the config, as it didn't get attached to your initial post.
Do you have NAT configured for the RDP traffic (TCP/3389)?
Where does the RDP fail? Prior to authentication or after it authenticates? Are you able to telnet on port 3389 to the RDP server?
Assuming that you can RDP from the same subnet, do you have any windows firewall on the host that might prevent RDP from different subnet?
06-23-2010 05:08 AM
06-23-2010 05:16 AM
Can you please change the following ACL line for "adsl24outgoing" ACL:
FROM:
permit tcp 0.0.0.0 255.255.255.0 any eq 3389
TO:
permit tcp any any eq 3389
Please kindly make sure that when you change the ACL, it's above the "deny ip any any" rule for "adsl24outgoing" ACL.
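Why the original line did not match the RDP clients, as an added example that is not part of the thread: in an IOS ACL the value after the address is a wildcard mask (1-bits are ignored, 0-bits must match), so `0.0.0.0 255.255.255.0` matches only sources whose last octet is 0. The Python below evaluates that rule and flags wildcard values that look like subnet masks; the function names and the 192.168.10.x addresses are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS ACL semantics: wildcard 1-bits are ignored, 0-bits must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def looks_like_subnet_mask(wildcard):
    """Heuristic: contiguous 1-bits from the top (e.g. 255.255.255.0) is
    almost always a netmask typed where a wildcard mask was intended."""
    w = int(ipaddress.IPv4Address(wildcard))
    inv = ~w & 0xFFFFFFFF
    return w not in (0, 0xFFFFFFFF) and (inv & (inv + 1)) == 0

def is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def lint_acl(lines):
    """Return (line_no, base, wildcard) for each suspicious address pair."""
    findings = []
    for n, line in enumerate(lines, 1):
        toks = line.split()
        i = 0
        while i < len(toks) - 1:
            if is_ipv4(toks[i]) and is_ipv4(toks[i + 1]):
                if looks_like_subnet_mask(toks[i + 1]):
                    findings.append((n, toks[i], toks[i + 1]))
                i += 2
            else:
                i += 1
    return findings

SAMPLE_ACL = [
    "permit tcp 0.0.0.0 255.255.255.0 any eq 3389",   # line quoted in the thread
    "permit tcp 192.168.10.0 0.0.0.255 any eq 3389",  # constructed: scoped to one /24
    "permit tcp any any eq 3389",                     # replacement given in the thread
]

if __name__ == "__main__":
    for n, base, wc in lint_acl(SAMPLE_ACL):
        print(f"line {n}: '{base} {wc}' looks like a subnet mask, not a wildcard")
    print(wildcard_match("192.168.10.25", "0.0.0.0", "255.255.255.0"))
```
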
06-23-2010 05:56 AM
Thanks Halijenn,
Schoolboy error, the subnet mask should've been reversed, yeah?
What do you make of the remarks repeating themselves in the access lists?
Regards
Egg
06-23-2010 06:01 AM
The remarks seem to have been added by SDM automatically.
I would suggest that you check the line# for each ACL, for example ACL 109:
sh ip access-list 109
Then for those duplicated remarks just check out the line#, and remove it as follows:
ip access-list extended 109
no
no
etc ....
06-23-2010 06:36 AM
Hi halijenn,
Yeah, I already thought of that but remarks don't show up as line# in the sho ip access-list adsl24external command. Only the permit and deny statements. How would I remove the remarks?
Regards
Egg
06-23-2010 02:55 PM
In that case, you would need to remove the complete ACL with a no statement, and reconfigure it without the remarks.
However, please be very careful when you remove the ACL. I would suggest that you perform the change after hours and through a console session; otherwise, you might lock yourself out from accessing the router (via ssh or telnet).