Limit Global addresses that can RDP 3389 through a Cisco 891 router

David Goetsch
Level 1

I want to allow only a few ranges of outside IP addresses to RDP into a single server on the inside. It seems to me I need a bunch of NAT statements. I have tried to make an access list describing the IP address ranges and then using IP NAT OUTSIDE SOURCE LIST [access-list] POOL [a pool of one internal IP address of the server]. It doesn't seem to work, as the IP NAT TRANSLATIONS show nothing getting NATted. What am I doing wrong?

5 Replies

nspasov
Cisco Employee

Hi David. My comments below:

- You should only need a single static NAT that binds a global IP/port to the server's local IP/port.

- Then you can configure an extended access list and apply it in the inbound direction of the public interface that:

1. Permit > Source IPs that you want to allow > Destination IP of the RDP server for TCP 3389

2. Deny > Source ANY > Destination IP of the RDP server for TCP 3389

3. Permit everything else

I hope this makes sense.

Thank you for rating helpful posts!

Yes, Neno Spasov, I was trying to cram everything into the NAT statement, where what I needed to do is limit 3389 traffic entering the outside interface, right? Then whatever makes it past the ACL will get NATted to the correct port and IP address.

That is correct. Here is the order of operations for Cisco Routers:

Outside-to-Inside

    • If IPSec then check input access list
    • decryption - for CET or IPSec
    • check input access list
    • check input rate limits
    • input accounting
    • redirect to web cache
    • NAT outside to inside (global to local translation)
    • policy routing
    • routing
    • crypto (check map and mark for encryption)
    • check output access list
    • inspect CBAC
    • TCP intercept
    • encryption
    • Queueing

I hope this helps!

Thank you for rating helpful posts!

Judging by the command-line config, this router has been configured with SDM and CCP! What a mess! Can anyone give me a couple of lines of the ACL? I have 5 outside IP ranges to allow to RDP to a single server. They are all in the x.x.x.x 0.0.0.15 range.

Sure thing. So let's make the following assumptions:

1. The RDP Server IP is 192.168.1.10

2. The public range of IPs is 200.0.0.0/24

3. Your outside/internet-facing interface is g0/0

4. You are doing a static NAT to the g0/0

NAT:

ip nat inside source static tcp 192.168.1.10 3389 interface GigabitEthernet0/0 3389

ACL:

ip access-list extended 101
 permit tcp 200.0.0.0 0.0.0.255 host 192.168.1.10 eq 3389
 deny tcp any host 192.168.1.10 eq 3389
 permit ip any any

Interface:

interface g0/0
ip access-group 101 in

Here is a link with some more examples of ACLs:

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

I hope this helps!

Thank you for rating helpful posts!
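The following is an added example (not code from this thread or from Cisco) that models the two things the replies above rely on: IOS wildcard-mask ACL matching with first-match semantics and the implicit deny, and the order of operations nspasov listed, in which the input access list is checked before NAT outside-to-inside. That ordering has a practical consequence worth checking in your own configuration: when the inbound ACL on g0/0 runs, an Internet-sourced RDP packet still carries the router's global address as its destination, so an ACE whose destination is the server's inside address 192.168.1.10 is never hit by that traffic and the permit ip any any at the end lets every source through. The model shows both variants side by side. Assumptions: the router's public address 203.0.113.1 and the /28 range 198.51.100.16 0.0.0.15 are constructed (RFC 5737 documentation space); 192.168.1.10 and the 200.0.0.0/24 range come from the thread; all function and class names are this example's own.

```python
"""Toy model of the thread's order of operations on an IOS router:
the inbound ACL on the outside interface is checked BEFORE NAT
outside-to-inside, so the ACL sees the packet's global destination.
Added example; router/global addresses are constructed (RFC 5737)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry using IOS address syntax:
    'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard: set bit = don't care)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str
    dst: str
    dport: Optional[int] = None  # 'eq <port>' on the destination


def match_addr(spec: str, addr: str) -> bool:
    """IOS wildcard-mask match: 0.0.0.0 wildcard = exact host, 0.0.0.15 = a /28."""
    if spec == "any":
        return True
    parts = spec.split()
    ip = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return ip == int(ipaddress.IPv4Address(parts[1]))
    base = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1]))
    return (ip & ~wild) == (base & ~wild)


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (match_addr(ace.src, pkt.src) and match_addr(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def static_nat_inbound(pkt: Packet, global_ip: str, global_port: int,
                       local_ip: str, local_port: int) -> Packet:
    """Outside-to-inside half of
    'ip nat inside source static tcp <local> <lport> interface g0/0 <gport>'."""
    if pkt.proto == "tcp" and pkt.dst == global_ip and pkt.dport == global_port:
        return Packet(pkt.src, local_ip, pkt.proto, local_port)
    return pkt


def outside_to_inside(pkt: Packet, acl: List[Ace], nat: Tuple) -> Tuple[str, Packet]:
    """Order from the thread: check input access list, then NAT global->local."""
    if evaluate_acl(acl, pkt) == "deny":
        return ("dropped by input ACL", pkt)
    return ("forwarded", static_nat_inbound(pkt, *nat))


ROUTER_OUTSIDE_IP = "203.0.113.1"   # constructed: public address of g0/0
RDP_SERVER = "192.168.1.10"         # from the thread
NAT_3389 = (ROUTER_OUTSIDE_IP, 3389, RDP_SERVER, 3389)

# ACL as written in the thread: destination is the server's inside address.
ACL_LOCAL_DST = [
    Ace("permit", "tcp", "200.0.0.0 0.0.0.255", "host " + RDP_SERVER, 3389),
    Ace("deny",   "tcp", "any",                 "host " + RDP_SERVER, 3389),
    Ace("permit", "ip",  "any", "any"),
]

# Same policy keyed on the address the packet carries when the inbound ACL
# runs (pre-NAT), plus one of the OP's "x.x.x.x 0.0.0.15" ranges (constructed).
ACL_GLOBAL_DST = [
    Ace("permit", "tcp", "200.0.0.0 0.0.0.255",    "host " + ROUTER_OUTSIDE_IP, 3389),
    Ace("permit", "tcp", "198.51.100.16 0.0.0.15", "host " + ROUTER_OUTSIDE_IP, 3389),
    Ace("deny",   "tcp", "any",                    "host " + ROUTER_OUTSIDE_IP, 3389),
    Ace("permit", "ip",  "any", "any"),
]


def rdp_attempt(acl: List[Ace], src: str) -> Tuple[str, Packet]:
    """An Internet host 'src' opens TCP/3389 to the router's public address."""
    return outside_to_inside(Packet(src, ROUTER_OUTSIDE_IP, "tcp", 3389), acl, NAT_3389)


if __name__ == "__main__":
    for name, acl in (("local-dst ACL", ACL_LOCAL_DST), ("global-dst ACL", ACL_GLOBAL_DST)):
        for src in ("200.0.0.5", "198.51.100.20", "198.51.100.7"):
            verdict, out = rdp_attempt(acl, src)
            print(f"{name:15} {src:15} -> {verdict} (dst now {out.dst}:{out.dport})")
```

Running it shows the unlisted source 198.51.100.7 being forwarded and translated to the server under the local-destination ACL, but dropped by the global-destination ACL, while the permitted ranges reach 192.168.1.10:3389 in both. On a real router, show ip nat translations only shows entries for packets that survived the input ACL, which is a quick way to confirm which variant you have.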