Allow RDP access from the outside to specific host inside with NAT and ZBFW

fimonteiro
Level 1

I'm struggling with the configuration for NAT and ZBFW to allow RDP access from the outside to a specific host inside.

When I try to RDP from the outside to my router public IP I receive this log message:

Mar 1 14:38:34.892: %FW-6-DROP_PKT: Dropping tcp session xxx.xx.xx.xxx:57183 172.17.69.254:3389 due to policy match failure with ip ident 0

NOTE: I have hidden the public IP address that is trying to RDP in with X's, for security reasons.

I have this configuration on a Cisco 2851:

class-map type inspect match-any CM_INSIDE_TO_OUTSIDE
 description INSPECT TRAFFIC FROM INSIDE TO OUTSIDE AND ALLOW RETURN TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
 match protocol http
 match protocol https
 match protocol ntp
class-map type inspect match-any CM_SELF_TO_OUTSIDE
 description INSPECT TRAFFIC FROM ROUTER TO OUTSIDE AND ALLOW RETURN TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
 match protocol ntp
class-map type inspect match-all CM_OUTSIDE_TO_SELF
 description ALLOW ACL FOR TRAFFIC FROM OUTSIDE TO ROUTER
 match access-group name OUTSIDE_ACL_IN
class-map type inspect match-all CM_PERMIT_ICMP_ANY
 description PERMIT ICMP ANY ANY
 match access-group name PERMIT_ICMP_ANY_ACL
class-map type inspect match-all CM_PERMIT_IP_ANY
 description PERMIT IP ANY ANY
 match access-group name PERMIT_IP_ANY_ACL
class-map type inspect match-all CM_ISAKMP_IPSEC
 description ALLOW ACL FOR IPSEC TRAFFIC
 match access-group name ISAKMP_IPSEC_ACL
class-map type inspect match-all CM_RDP_IN
 description PERMIT OUTSIDE RDP ACCESS TO DESKTOP 172.17.69.254
 match access-group name RDP_IN_ACL
!
!
policy-map type inspect PM_SELF_TO_OUTSIDE
 class type inspect CM_SELF_TO_OUTSIDE
  pass
 class type inspect CM_ISAKMP_IPSEC
  pass
 class type inspect CM_PERMIT_ICMP_ANY
  pass
 class class-default
  pass
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_INSIDE_TO_OUTSIDE
  inspect
 class class-default
  drop log
policy-map type inspect PM_OUTSIDE_TO_SELF
 class type inspect CM_OUTSIDE_TO_SELF
  pass
 class type inspect CM_ISAKMP_IPSEC
  pass
 class type inspect CM_PERMIT_ICMP_ANY
  pass
 class type inspect CM_RDP_IN
  inspect
 class class-default
  drop log
policy-map type inspect PM_INSIDE_TO_SELF
 class type inspect CM_PERMIT_IP_ANY
  pass
 class class-default
  pass log
policy-map type inspect PM_SELF_TO_INSIDE
 class type inspect CM_PERMIT_IP_ANY
  pass
 class class-default
  pass log
!
zone security INSIDE
 description INTERNAL NETWORKS
zone security OUTSIDE
 description PUBLIC INTERNET
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
zone-pair security ZP_INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect PM_INSIDE_TO_SELF
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
zone-pair security ZP_SELF_TO_INSIDE source self destination INSIDE
 service-policy type inspect PM_SELF_TO_INSIDE
zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_TO_OUTSIDE
!
interface GigabitEthernet0/0.100
 description DATA VLAN
 encapsulation dot1Q 100
 ip address 172.17.69.1 255.255.255.0
 ip helper-address 172.27.69.1
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Dialer1
 description ADSL ROUTER
 bandwidth 10000
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer-group 1
 keepalive 10 3
 ppp authentication chap pap callin
 ppp chap hostname *******
 ppp chap password 0 *******
 ppp pap sent-username ******** password 0 ********
 no cdp enable
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 172.17.69.254 3389 interface Dialer1 3389
ip nat inside source static udp 172.17.69.254 3389 interface Dialer1 3389
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended ISAKMP_IPSEC_ACL
 permit ahp any any
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
ip access-list extended OUTSIDE_ACL_IN
 remark ** OUTSIDE / PUBLIC INTERNET ACL **
 remark -- ALLOW NTP REPLY FROM SERVERS --
 permit udp host 88.157.128.22 any eq ntp
 remark -- Logged Implicit Deny All --
 deny tcp any any
 deny udp any any
 deny ip any any
ip access-list extended PERMIT_ICMP_ANY_ACL
 permit icmp any any
ip access-list extended PERMIT_IP_ANY_ACL
 permit ip any any
 permit gre any any
ip access-list extended RDP_IN_ACL
 remark PERMIT OUTSIDE RDP ACCESS TO DESKTOP 172.17.69.254
 permit tcp any host 172.17.69.254 eq 3389
 permit udp any host 172.17.69.254 eq 3389
 deny ip any any
!
access-list 1 remark ** Allow networks to PAT **
access-list 1 permit 172.17.69.0 0.0.0.255
!


Hello,

there is no OUTSIDE to INSIDE security pair as far as I can see? What are you trying to accomplish?


That's it!!!! Thank you :)

I was so blind with trials I didn't see I was missing that. I added the RDP policy map to the OUTSIDE to self instead.

Now it's working.

!
policy-map type inspect PM_OUTSIDE_TO_INSIDE
 class type inspect CM_RDP_IN
  inspect
 class class-default
  drop log
!
!
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUTSIDE_TO_INSIDE
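As an added example (not the thread's or Cisco's code), a small Python check over a constructed excerpt of the pasted config that reproduces the diagnosis: it maps each static NAT target to the zone of the interface whose subnet contains it and verifies that a zone-pair from the NAT-outside zone to that zone carries a service-policy; it also flags any zone-pair with no service-policy attached (as pasted, ZP_OUTSIDE_TO_SELF has none). The regexes cover only the command forms used on this page.

```python
import ipaddress
import re
# Constructed excerpt of the pasted config: OUTSIDE->self carries no service-policy as pasted.
CONFIG = """\
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
interface GigabitEthernet0/0.100
 ip address 172.17.69.1 255.255.255.0
 zone-member security INSIDE
interface Dialer1
 ip address negotiated
 zone-member security OUTSIDE
ip nat inside source static tcp 172.17.69.254 3389 interface Dialer1 3389
"""
# The zone-pair and policy added in the accepted fix.
FIX = """\
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUTSIDE_TO_INSIDE
"""

def parse(config):
    """Collect zone-pairs with their policy, interface zone/subnet, and static NAT entries."""
    pairs, ifaces, nat, cur = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            cur = pairs[m[1]] = {"src": m[2], "dst": m[3], "policy": None}
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            cur["policy"] = m[1]          # attaches to the zone-pair just seen
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces[m[1]] = {"zone": None, "net": None}
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"zone-member security (\S+)", line):
            cur["zone"] = m[1]
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+)", line):
            nat.append((m[1], m[2], int(m[3]), m[4]))   # proto, inside host, port, outside if
    return pairs, ifaces, nat

def audit(config):
    """Report zone-pairs lacking a policy, and NAT targets with no policy'd pair to their zone."""
    pairs, ifaces, nat = parse(config)
    findings = [f"{n}: zone-pair {p['src']}->{p['dst']} has no service-policy"
                for n, p in pairs.items() if p["policy"] is None]
    for proto, ip, port, out_if in nat:
        src = ifaces[out_if]["zone"]                    # zone the translation arrives from
        dst = next(i["zone"] for i in ifaces.values()   # zone owning the inside host's subnet
                   if i["net"] is not None and ipaddress.ip_address(ip) in i["net"])
        if not any(p["src"] == src and p["dst"] == dst and p["policy"] for p in pairs.values()):
            findings.append(f"{proto}/{port} to {ip}: no zone-pair {src}->{dst} with a policy")
    return findings
```

Run audit(CONFIG) before and audit(CONFIG + FIX) after the accepted fix; only the OUTSIDE->INSIDE finding disappears.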
