RV042G - prevent foreign IP addresses from accessing server via RDP

Harry Geist · ‎12-03-2013

I am using Remote Desktop (RDP) in Windows 7 to connect to a server that is behind a Cisco RV042G router. I am the only one authorized to access the server, but it appears that others are trying to access the server via RDP. I want to prevent access to this server via RDP (port 3389) except for me. I know my IP address, so I want to know how to either:

1. set up a filter (?) so any IP address other than mine is blocked from access (or only my IP address is allowed access) - AND/OR -

2. change the port used for RDP from 3389 to some other port.

I know how to log into the router, but once there, I am not clear how to set this up. I would appreciate a detailed set of steps to do this. Thanks in advance.

Li Zhang · ‎12-04-2013

This can be done by adding two ACL's.

Suppose your server is 192.168.1.100, your RV042G has 10.1.1.100 for WAN1, and you use port forwarding to allow RDP access from Internet.

Setup->Forwarding->Port Range Forwarding:

RDP [TCP/3389~3389]->192.168.1.100 [Enabled]

Now you want only 10.1.1.101 can RDP to your server.

Please add two ACL's in order:

--- First:

Action: Deny

Service: RDP [TCP/3389~3389]

Source Interface: WAN1

Source IP: any

Destination IP: single, 192.168.1.100

--- Then:

Action: Allow

Service: RDP [TCP/3389~3389]

Source Interface: WAN1

Source IP: single, 10.1.1.101

Destination IP: single, 192.168.1.100

Harry Geist · ‎12-04-2013

I'm confused, so I'll try to be more explicit. Let's say my office IP address is 142.142.142.142 and my workstation IP address is 192.168.1.190. My home IP address is 68.68.68.68 and my home workstation IP address is 192.168.0.100. I want to remote in from home to my office workstation, preferably using a non-standard port, say port 3393. Can you use these IP addresses and port to restate the solution? I tried to "translate" the above, but something did not work. Also, when I use RDP at my home, do what IP address do I specify, and do I need to append the port (My guess is 142.142.142.142:3393 - did I get that correct?) Again, thanks in advance for your response.

Tom Watts · ‎12-04-2013

Hi Harry, you need to first 'bypass' the state table otherwise attempts would be futile. Try to use this method exactly by first making a rule to deny everything then make a rule such as the second to fit your needs.

Per example would be

Action Deny

Service All

Source interface WAN

Source IP any

Destination IP any

Save

Action Permit

Service RDP

Source interface WAN

Source IP - YOUR HOME WAN

Destination IP - YOUR SERVER

Save

-Tom
Please mark answered for helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Li Zhang · ‎12-04-2013

Harry,

Then your setup is like below, right?

HomeStation ----- HomeGateway ----- Internet ----- RV042G ----- OfficeStation

192.168.0.100 68.68.68.68 142.142.142.142 192.168.1.190

To make OfficeStation accessible from Internet, first you should create a service with TCP port 3393, then create a port forwarding rule: Service3393 [TCP/3393~3393]->192.168.1.190 [Enabled]

Next add two ACL's in order:

--- First:

Action: Deny

Service:Service3393 [TCP/3393~3393]

Source Interface: WAN1

Source IP: any

Destination IP: single, 192.168.1.190

--- Then:

Action: Allow

Service:Service3393 [TCP/3393~3393]

Source Interface: WAN1

Source IP: single, 68.68.68.68

Destination IP: single, 192.168.1.190

And to your second question, yes you are correct, you should specify 142.142.142.142:3393 in your RDP client.