10-16-2012 04:02 AM - edited 03-11-2019 05:09 PM
Hi there,
A remote computer should have RDP access to a computer on the inside. So I already made some changes to the Cisco router, and from an outside IP address the inside PC is reachable with the RDP protocol. So that is working fine! But for security reasons I want only 1 outside PC with a fixed IP to be able to access the RDP PC.
In the NAT I added the following line:
ip nat inside source static tcp 192.168.1.95 8000 xx.xx.xx.xx 8000 extendable
Where xx stands for the IP of the Cisco, and port 8000 is the RDP port.
The ACL looks like this:
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
Can anyone help me please with only allowing RDP access from outside IP yy.yy.yy.yy?
10-16-2012 04:07 AM
You can configure ACL and apply it on the outside interface:
access-list 130 permit tcp host
Then you would also need to configure "inspect" to allow return traffic for outbound traffic.
ip inspect name fw-outbound tcp
ip inspect name fw-outbound udp
ip inspect name fw-outbound icmp
Then apply "ip inspect fw-outbound out" on the router outside interface.
10-16-2012 04:33 AM
Thanks for the fast reply!
I added to the router:
access-list 130 permit tcp host
ip inspect name fw-outbound tcp
ip inspect name fw-outbound udp
ip inspect name fw-outbound icmp
Though I am not sure how I should apply 'ip inspect fw-outbound out' on the router outside interface. In the config I get the message:
r-router(config)#ip inspect fw-outbound out
% Invalid input detected at '^' marker.
But since you are saying 'outside interface', I get the feeling I am doing it wrong.
10-16-2012 04:37 AM
Which is the interface that is connected to the internet?
Go into that interface, and from that interface mode, configure the 2 lines:
ip inspect fw-outbound out
ip access-group 130 in
10-16-2012 05:04 AM
Ah, I should have known that, that makes sense.
The interface now looks like this:
interface FastEthernet0/1
ip address xx.xx.xx.xx 255.255.255.240
ip access-group 130 in
ip inspect fw-outbound out
ip nat outside
ip virtual-reassembly
duplex full
speed 100
Nat:
ip nat inside source static tcp 192.168.1.95 8000 xx.xx.xx.xx 8000 extendable
ACL:
ip access-list extended acl-outside-inside
ip access-list extended acl-outsite-inside
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
But RDP access is not possible anymore from any machine.
I think something still should be changed in the ACL?
10-16-2012 05:13 AM
Are you doing RDP on port 8000? Is the RDP server listening on port 8000?
Also, I don't see access-list 130 configured in your above configuration.
10-16-2012 05:21 AM
Oops, sorry. I pasted a copy of the old ACL. The ACL now looks like this:
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit tcp host (Outside-PC-IP) host 192.168.1.95 eq 8000
no cdp run
And yep, I changed the default RDP port on the local machine to 8000, tested that and that was working great.
10-16-2012 05:23 AM
ACL 130 destination host needs to be the public IP of the server, not the private IP.
access-list 130 permit tcp host (Outside-PC-IP) host (PublicIP-of-server) eq 8000
10-16-2012 11:57 PM
That did the trick, stupid I did not see it.
Though after those changes, webmail and remote working were also not allowed anymore. So it looks like I have to make a few more exceptions in the ACL.
But that is a challenge for me.
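The two points that decided this thread, the destination address in ACL 130 and the implicit deny that then cut off webmail, both come down to the order in which IOS processes a packet arriving on the NAT-outside interface: the inbound ACL is evaluated before NAT translates the public address back to 192.168.1.95, so the ACE must name the public address, and anything the ACL does not explicitly permit is dropped. The following Python model replays both ACL variants from the thread against a few constructed packets. It is an added example, not code from the thread or from Cisco; the addresses (203.0.113.10 for xx.xx.xx.xx, 198.51.100.7 for yy.yy.yy.yy), the HTTPS webmail flow and the parser's limited syntax are all assumptions made here for illustration.

```python
"""Model of how a Cisco IOS inbound ACL on the NAT-outside interface is evaluated.

Added example (not from the thread): replays the thread's two ACL variants against
constructed packets to show why the destination in ACL 130 must be the router's
public address, and why every other inbound service then hits the implicit deny.
All addresses, names and ports below are constructed placeholders.
"""
from dataclasses import dataclass
import re

# Constructed placeholders for the thread's xx.xx.xx.xx / yy.yy.yy.yy.
PUBLIC_IP = "203.0.113.10"     # router's outside address (xx.xx.xx.xx)
OUTSIDE_PC = "198.51.100.7"    # the one permitted remote PC (yy.yy.yy.yy)
RDP_SERVER = "192.168.1.95"    # inside host, RDP moved to port 8000

# Static PAT from the thread: public:8000/tcp -> 192.168.1.95:8000
NAT_STATIC = {(PUBLIC_IP, "tcp", 8000): (RDP_SERVER, 8000)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Only the host/host form of the numbered-ACL syntax used in the thread is parsed.
ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(tcp|udp|ip)\s+"
    r"host\s+(\S+)\s+host\s+(\S+)(?:\s+eq\s+(\d+))?$"
)


def parse_acl(lines):
    """Return a list of (action, proto, src, dst, dport-or-None) tuples."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        _, action, proto, src, dst, port = m.groups()
        aces.append((action, proto, src, dst, int(port) if port else None))
    return aces


def acl_decision(aces, pkt):
    """First matching ACE wins; no match means the implicit deny at the end."""
    for action, proto, src, dst, dport in aces:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != pkt.src or dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def inbound_from_outside(aces, pkt):
    """Outside-to-inside order of operations: the inbound ACL on the outside
    interface sees the packet before NAT, so its destination is still the
    router's public address. Only a permitted packet is then translated.
    Returns the post-NAT (dst, dport) on permit, or None when dropped."""
    if acl_decision(aces, pkt) != "permit":
        return None
    return NAT_STATIC.get((pkt.dst, pkt.proto, pkt.dport), (pkt.dst, pkt.dport))


# The ACL as first written in the thread (private address as destination) ...
ACL_WRONG = parse_acl([f"access-list 130 permit tcp host {OUTSIDE_PC} host {RDP_SERVER} eq 8000"])
# ... and as corrected in the accepted answer (public address as destination).
ACL_FIXED = parse_acl([f"access-list 130 permit tcp host {OUTSIDE_PC} host {PUBLIC_IP} eq 8000"])

# Constructed sample traffic arriving on the outside interface.
RDP_FROM_ALLOWED_PC = Packet("tcp", OUTSIDE_PC, PUBLIC_IP, 8000)
RDP_FROM_OTHER_PC = Packet("tcp", "192.0.2.50", PUBLIC_IP, 8000)
HTTPS_WEBMAIL = Packet("tcp", "192.0.2.60", PUBLIC_IP, 443)  # assumed webmail flow

if __name__ == "__main__":
    for name, acl in (("wrong", ACL_WRONG), ("fixed", ACL_FIXED)):
        for pkt in (RDP_FROM_ALLOWED_PC, RDP_FROM_OTHER_PC, HTTPS_WEBMAIL):
            print(f"{name}: {pkt} -> {inbound_from_outside(acl, pkt)}")
```

With the first ACL the RDP packet is dropped because its destination on the outside interface is still 203.0.113.10, not 192.168.1.95; with the corrected ACL it is permitted and translated, a second source address is dropped, and the assumed HTTPS flow is dropped as well, which is the same implicit deny that took webmail down in the thread and which needs its own permit entries in ACL 130.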