RDP access for only outside IP

Hillson01 (Level 1)

Hi there,

A remote computer should have RDP access to a computer on the inside. I have already made some changes to the Cisco router, and from an outside IP address the inside PC is reachable with the RDP protocol. So that is working fine! But for security reasons I want only one outside PC with a fixed IP to be able to access the RDP PC.

In the NAT I added the following line:

ip nat inside source static tcp 192.168.1.95 8000 xx.xx.xx.xx 8000 extendable

Where xx stands for the IP of the Cisco, and port 8000 is the RDP port.

The ACL looks like this:

access-list 1 permit 192.168.0.0 0.0.255.255

access-list 23 permit 192.168.0.0 0.0.255.255

access-list 102 remark SDM_ACL Category=4

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

Can anyone help me please with only allowing RDP access from outside IP yy.yy.yy.yy?


8 Replies

Jennifer Halim (Cisco Employee)

You can configure ACL and apply it on the outside interface:

access-list 130 permit tcp host (Outside-PC-IP) host (RDP-Server-IP) eq 8000

Then you would also need to configure "inspect" to allow return traffic for outbound traffic.

ip inspect name fw-outbound tcp

ip inspect name fw-outbound udp

ip inspect name fw-outbound icmp

Then apply "ip inspect fw-outbound out" on the router outside interface.

Thanks for the fast reply!

I added to the router:

access-list 130 permit tcp host (Outside-PC-IP) host (RDP-Server-IP) eq 8000

ip inspect name fw-outbound tcp

ip inspect name fw-outbound udp

ip inspect name fw-outbound icmp

Though I am not sure how I should apply 'ip inspect fw-outbound out' on the router outside interface. In the config I get the message:

r-router(config)#ip inspect fw-outbound out

% Invalid input detected at '^' marker.

But since you are saying 'on the outside interface', I have a feeling I am doing it wrong.

Which is the interface that is connected to the internet?

Go into that interface, and from that interface mode, configure the 2 lines:

ip inspect fw-outbound out

ip access-group 130 in

Ah, I should have known that; that makes sense.

The interface now looks like this:

interface FastEthernet0/1

ip address xx.xx.xx.xx 255.255.255.240

ip access-group 130 in

ip inspect fw-outbound out

ip nat outside

ip virtual-reassembly

duplex full

speed 100

Nat:

ip nat inside source static tcp 192.168.1.95 8000 xx.xx.xx.xx 8000 extendable

ACL:

ip access-list extended acl-outside-inside

ip access-list extended acl-outsite-inside

!

access-list 1 permit 192.168.0.0 0.0.255.255

access-list 23 permit 192.168.0.0 0.0.255.255

access-list 102 remark SDM_ACL Category=4

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

no cdp run


But RDP access is not possible anymore from any machine.

I think something still needs to be changed in the ACL?

Are you doing RDP on port 8000? is the RDP server listening on port 8000?

Also, I don't see access-list 130 configured in your above configuration.

Oops, sorry, I pasted a copy of the old ACL. The ACL now looks like this:

access-list 1 permit 192.168.0.0 0.0.255.255

access-list 23 permit 192.168.0.0 0.0.255.255

access-list 102 remark SDM_ACL Category=4

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

access-list 130 permit tcp host (Outside-PC-IP) host 192.168.1.95 eq 8000

no cdp run

And yes, I changed the default RDP port on the local machine to 8000, tested that, and it was working great.

ACL 130 destination host needs to be the public IP of the server, not the private IP.

access-list 130 permit tcp host (Outside-PC-IP) host (PublicIP-of-server) eq 8000

That did the trick; stupid that I did not see it.

Though after those changes, webmail and remote working were also not allowed anymore. So it looks like I have to make a few more exceptions in the ACL.

But that is a challenge for me
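Added example (not part of the thread, and not Cisco code): a small Python model of the IOS order of operations on the router's outside interface. It shows the three things the replies above rely on but never spell out: an ACL applied with `ip access-group 130 in` on the `ip nat outside` interface is evaluated before the static PAT translation, so the destination it sees is the public address (which is why the first version of ACL 130 blocked RDP from everywhere); every IOS ACL ends in an implicit deny, so any other published service (the webmail in the last post) now needs its own permit line; and `ip inspect fw-outbound out` records outbound sessions so their return traffic is admitted past that implicit deny. The public and outside addresses, the hypothetical webmail server 192.168.1.30, the outside hosts 192.0.2.25 and 192.0.2.44, and the assumption that PAT keeps the source port unchanged are all constructed for the example.

```python
# Added example: model of IOS inbound ACL / static PAT / CBAC ordering on an
# "ip nat outside" interface. Addresses are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"    # stands in for xx.xx.xx.xx in the thread (constructed)
OUTSIDE_PC = "198.51.100.7"   # stands in for yy.yy.yy.yy (constructed)
RDP_SERVER, RDP_PORT = "192.168.1.95", 8000


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: str                    # host address or "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    for e in acl:
        if (e.proto not in ("ip", pkt.proto) or e.src not in ("any", pkt.src)
                or e.dst not in ("any", pkt.dst) or e.dport not in (None, pkt.dport)):
            continue
        return e.action == "permit"
    return False


class OutsideInterface:
    """ip nat outside + ip access-group <acl> in + ip inspect <name> out."""

    def __init__(self, acl_in: List[AclEntry],
                 static_pat: Dict[Tuple[str, str, int], Tuple[str, int]], inspect: bool = True):
        self.acl_in = acl_in
        self.static_pat = static_pat        # (proto, public ip, port) -> (inside ip, port)
        self.inspect = inspect
        self.dynamic_pat: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.sessions = set()               # CBAC state for inspected outbound flows

    def send_outbound(self, pkt: Packet) -> Packet:
        """inside -> outside: NAT, then CBAC records the session.
        Assumption: PAT keeps the source port (real overload NAT may reassign it)."""
        self.dynamic_pat[(pkt.proto, PUBLIC_IP, pkt.sport)] = (pkt.src, pkt.sport)
        out = Packet(pkt.proto, PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)
        if self.inspect and pkt.proto in ("tcp", "udp", "icmp"):
            self.sessions.add((out.proto, out.src, out.sport, out.dst, out.dport))
        return out

    def receive_inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """outside -> inside: the inbound ACL runs BEFORE NAT, so it sees the public
        destination; CBAC return-traffic entries bypass the ACL's implicit deny."""
        is_return = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        if not is_return and not acl_permits(self.acl_in, pkt):
            return ("dropped by ACL", None)
        key = (pkt.proto, pkt.dst, pkt.dport)
        target = self.static_pat.get(key) or self.dynamic_pat.get(key)
        if target is None:
            return ("no translation", None)
        return ("delivered", Packet(pkt.proto, pkt.src, pkt.sport, target[0], target[1]))


# The thread's NAT line and the two versions of ACL 130 (private vs. public destination).
STATIC_PAT = {("tcp", PUBLIC_IP, RDP_PORT): (RDP_SERVER, RDP_PORT)}
ACL_PRIVATE_DST = [AclEntry("permit", "tcp", OUTSIDE_PC, RDP_SERVER, RDP_PORT)]
ACL_PUBLIC_DST = [AclEntry("permit", "tcp", OUTSIDE_PC, PUBLIC_IP, RDP_PORT)]
# Hypothetical published webmail server and the extra permit line it would need.
WEBMAIL_PAT = {("tcp", PUBLIC_IP, 443): ("192.168.1.30", 443)}
ACL_WITH_WEBMAIL = ACL_PUBLIC_DST + [AclEntry("permit", "tcp", "any", PUBLIC_IP, 443)]


def rdp_attempt(src_ip: str, acl: List[AclEntry]) -> str:
    iface = OutsideInterface(acl, STATIC_PAT)
    return iface.receive_inbound(Packet("tcp", src_ip, 51234, PUBLIC_IP, RDP_PORT))[0]


def published_webmail(acl: List[AclEntry]) -> str:
    iface = OutsideInterface(acl, {**STATIC_PAT, **WEBMAIL_PAT})
    return iface.receive_inbound(Packet("tcp", "192.0.2.44", 50000, PUBLIC_IP, 443))[0]


def outbound_reply(inspect: bool) -> str:
    """An inside client talks to an outside server; does the reply get back in?"""
    iface = OutsideInterface(ACL_PUBLIC_DST, STATIC_PAT, inspect=inspect)
    iface.send_outbound(Packet("tcp", "192.168.1.20", 40000, "192.0.2.25", 443))
    return iface.receive_inbound(Packet("tcp", "192.0.2.25", 443, PUBLIC_IP, 40000))[0]


if __name__ == "__main__":
    print(rdp_attempt(OUTSIDE_PC, ACL_PRIVATE_DST))    # dropped by ACL (the "no RDP from anywhere" symptom)
    print(rdp_attempt(OUTSIDE_PC, ACL_PUBLIC_DST))     # delivered
    print(rdp_attempt("192.0.2.44", ACL_PUBLIC_DST))   # dropped by ACL (implicit deny does the real work)
    print(published_webmail(ACL_PUBLIC_DST), "/", published_webmail(ACL_WITH_WEBMAIL))
    print(outbound_reply(inspect=True), "/", outbound_reply(inspect=False))
```

The model deliberately keeps the ACL evaluation on the untranslated packet; that single ordering detail is what turns the OP's `host 192.168.1.95` entry into a rule that can never match. It also makes the trade-off of the accepted answer visible: locking RDP to one source address works only because of the implicit deny, and that same deny is what removed webmail and remote working until each gets its own permit line against the public address.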
