Port Forwarding for RDP 3389 is not working

jasonhammer30
Level 1

Hi,

I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall; it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:

TAMSATR1#show run
Building configuration...

Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname TAMSATR1
!
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
!
!
logging count
logging buffered 16384
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1879941380
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1879941380
 revocation-check none
 rsakeypair TP-self-signed-1879941380
!
!
crypto pki certificate chain TP-self-signed-1879941380
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
  34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
  ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
  88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
  E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
  542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
!
!
!
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
!
ip dhcp pool tamDHCPpool
 import all
 network 10.20.30.0 255.255.255.0
 default-router 10.20.30.1
 domain-name domain.com
 dns-server 10.20.30.20 8.8.8.8
!
!
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn
!
!
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
!
!
!
!
!
ip tftp source-interface Vlan1
!
class-map type inspect match-all CCP_SSLVPN
 match access-group name CCP_IP
!
!
policy-map type inspect ccp-sslvpn-pol
 class type inspect CCP_SSLVPN
  pass
!
zone security sslvpn-zone
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp key password
!
crypto isakmp client configuration group ipsec-ra
 key password
 dns 10.20.30.20
 domain tamgmt.com
 pool sat-ipsec-vpn-pool
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
 set security-association replay window-size 512
 set transform-set TSET
!
!
!
crypto dynamic-map dynmap 10
 set transform-set ipsec-ra
 reverse-route
!
!
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 10.20.250.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
interface Tunnel0
 description To AUS
 ip address 192.168.10.1 255.255.255.252
 load-interval 30
 tunnel source
 tunnel mode ipsec ipv4
 tunnel destination
 tunnel protection ipsec profile VTI
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 1.2.3.4
 ip access-group INTERNET_IN in
 ip access-group INTERNET_OUT out
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
 ip route-cache policy
 ip policy route-map IPSEC-RA-ROUTE-MAP
 duplex auto
 speed auto
 crypto map clientmap
!
interface Virtual-Template1
 ip unnumbered Vlan1
 zone-member security sslvpn-zone
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
!
ip access-list extended ACL-POLICY-NAT
 deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
 deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
 deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
 permit ip 10.20.30.0 0.0.0.255 any
 permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended INTERNET_IN
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit esp host 24.153. host 66.196
 permit udp host 24.153 host 71.41. eq isakmp
 permit tcp host 70.123. host 71.41 eq 22
 permit tcp host 72.177. host 71.41 eq 22
 permit tcp host 70.123. host 71.41. eq 22
 permit tcp any host 71..134 eq 443
 permit tcp host 70.123. host 71.41 eq 443
 permit tcp host 72.177. host 71.41. eq 443
 permit udp host 198.82. host 71.41 eq ntp
 permit udp any host 71.41. eq isakmp
 permit udp any host 71.41 eq non500-isakmp
 permit tcp host 192.223. host 71.41. eq 4022
 permit tcp host 155.199. host 71.41 eq 4022
 permit tcp host 155.199. host 71.41. eq 4022
 permit udp host 192.223. host 71.41. eq 4022
 permit udp host 155.199. host 71.41. eq 4022
 permit udp host 155.199. host 71.41. eq 4022
 permit tcp any host 10.20.30.20 eq 3389
 evaluate INTERNET_REFLECTED
 deny   ip any any
ip access-list extended INTERNET_OUT
 permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
 deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
 deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
 deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
 deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
 deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
 deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
 permit ip 10.20.30.208 0.0.0.15 any
 deny   ip any any
!
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
!
!
!
!
route-map IPSEC-RA-ROUTE-MAP permit 10
 match ip address IPSEC-RA-ROUTE-MAP
 set ip next-hop 10.20.250.2
!
!
!
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0
 access-class 23 in
 privilege level 15
 logging synchronous
 transport input telnet ssh
line vty 1 4
 access-class 23 in
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 198.82.1.201
!
webvpn gateway gateway_1
 ip address 71.41. port 443
 http-redirect port 80
 ssl encryption rc4-md5
 ssl trustpoint TP-self-signed-1879941380
 inservice
!
webvpn context TAM-SSL-VPN
 title "title"
 logo file titleist_logo.jpg
 secondary-color white
 title-color #CCCC66
 text-color black
 login-message "RESTRICTED ACCESS"
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "sat-ipsec-vpn-pool"
   svc default-domain "domain.com"
   svc keep-client-installed
   svc split dns "domain.com"
   svc split include 10.0.0.0 255.0.0.0
   svc split include 192.168.0.0 255.255.0.0
   svc split include 172.16.0.0 255.240.0.0
   svc dns-server primary 10.20.30.20
   svc dns-server secondary 66.196.216.10
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1
 !
 ssl authenticate verify all
 inservice
!
end

2 Replies

Jouni Forss
VIP Alumni

Hi,

I didn't see anything marked with red in the above? (At least when I was reading.)

I have not really had to deal with routers at all, since we do all access control and NAT with firewalls.

But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.

There also seems to be a static NAT configured for the same internal host, so I am wondering why the static PAT (port forward) is used?

- Jouni
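The point Jouni makes above is an order-of-operations issue: on an interface configured with "ip nat outside", the inbound access list is evaluated before the outside-to-inside translation, so INTERNET_IN sees the packet with its public destination address, and the entry "permit tcp any host 10.20.30.20 eq 3389" can never match an RDP connection arriving from the Internet. The script below is an added example, not code from the thread or from Cisco; it models that single fact with a small wildcard-mask ACL evaluator and a static PAT lookup, and shows the original entry dropping the connection while an entry for the FastEthernet4 public address lets it through. The addresses 203.0.113.10 (standing in for the redacted FastEthernet4 public IP) and 198.51.100.7 (an outside client) are constructed documentation addresses.

```python
"""Why 'permit tcp any host 10.20.30.20 eq 3389' never matches on INTERNET_IN.

Model of one IOS behaviour: on an 'ip nat outside' interface the inbound ACL is
checked BEFORE outside-to-inside NAT, so the ACL sees the public (global)
destination, not the inside (local) one. Constructed example; the public
addresses are assumptions because the thread redacts them.
"""
import ipaddress

FA4_PUBLIC = "203.0.113.10"   # assumed public address of FastEthernet4
SERVER = "10.20.30.20"        # inside RDP server from the thread


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, pkt) -> bool:
    """Extended ACL: top-down, first match wins, implicit deny at the end."""
    for action, proto, src, swc, dst, dwc, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], src, swc):
            continue
        if not wildcard_match(pkt["dst"], dst, dwc):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action == "permit"
    return False  # implicit 'deny ip any any'


def static_pat_translate(pkt, rules):
    """'ip nat inside source static tcp <inside> <port> interface Fa4 <port>'."""
    for inside_ip, inside_port, outside_ip, outside_port in rules:
        if (pkt["proto"] == "tcp" and pkt["dst"] == outside_ip
                and pkt["dport"] == outside_port):
            return {**pkt, "dst": inside_ip, "dport": inside_port}
    return pkt  # no translation entry, packet keeps its destination


def outside_to_inside(pkt, acl, nat_rules):
    """Outside interface, inbound: access list first, then NAT."""
    if not acl_permits(acl, pkt):
        return None  # dropped by INTERNET_IN; NAT never runs
    return static_pat_translate(pkt, nat_rules)


NAT_RULES = [(SERVER, 3389, FA4_PUBLIC, 3389)]

# ACL entries as (action, proto, src, src_wildcard, dst, dst_wildcard, dport)
ANY = ("0.0.0.0", "255.255.255.255")
# The thread's entry: permits RDP to the *inside* address of the server.
ACL_ORIGINAL = [("permit", "tcp", *ANY, SERVER, "0.0.0.0", 3389)]
# Jouni's point: permit RDP to the public (NAT) address of FastEthernet4.
ACL_FIXED = [("permit", "tcp", *ANY, FA4_PUBLIC, "0.0.0.0", 3389)]

# Constructed RDP SYN from an outside client to the router's public address.
RDP_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": FA4_PUBLIC, "dport": 3389}


def result_with(acl):
    """Returns (inside destination, port) after NAT, or None if the ACL dropped it."""
    out = outside_to_inside(RDP_SYN, acl, NAT_RULES)
    return None if out is None else (out["dst"], out["dport"])


if __name__ == "__main__":
    print("original INTERNET_IN entry:", result_with(ACL_ORIGINAL))  # None
    print("entry for public address: ", result_with(ACL_FIXED))     # ('10.20.30.20', 3389)
```

The same reasoning explains why a permit on the public address is the minimal change: the reflexive entry "evaluate INTERNET_REFLECTED" only helps return traffic for sessions that left via FastEthernet4, and an inbound RDP connection is new, so it has to be matched by an explicit permit to the global address before NAT can hand it to 10.20.30.20.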

cinmar1957
Level 1

I understand this is 2 years later, but maybe it helps others, who knows.

Mine was solved by forwarding 443 alongside 3389.

Add this:

ip nat inside source static tcp 10.20.30.20 443 interface FastEthernet4 443
