12-28-2019 01:31 PM
I have one Cisco router, model 1921/K9. I want to configure the following settings on this router. Please give me the complete configuration step by step. It will be a great favour to me.
Local IP : 192.168.1.120 RDP Port number : 3389
192.168.1.120 IIS : 80
192.168.1.121 RDP port number : 3390
Public IP : 181.62.1.137 - Mask 255.255.255.0 - Gateway : 181.62.1.1
I am still unable to RDP to the PC within my network, though. This is what my NAT rules look like now; does that look right?
Building configuration...
Current configuration : 15342 bytes
!
! Last configuration change at 20:08:12 UTC Sat Dec 28 2019 by admin
! NVRAM config last updated at 19:44:11 UTC Sat Dec 28 2019 by admin
! NVRAM config last updated at 19:44:11 UTC Sat Dec 28 2019 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router.A
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$FBTx$iSE566NFC3wItmQv4eMLI/
enable password cisco
!
no aaa new-model
!
no process cpu extended history
no process cpu autoprofile hog
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.251 192.168.1.254
!
ip dhcp pool ccp-pool1
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.120 8.8.8.8
default-router 192.168.1.1
!
!
ip name-server 190.157.8.33
ip name-server 190.157.8.1
!
multilink bundle-name authenticated
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
!
key chain kal
key 1
key-string 234
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3286249556
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3286249556
revocation-check none
rsakeypair TP-self-signed-3286249556
!
!
crypto pki certificate chain TP-self-signed-3286249556
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX164386CV
!
!
object-group network RDPServer
host 192.168.1.120
!
username admin privilege 15 secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
username usercp secret 4 96W4I9Z/u88MgiUIAa7Y5qNuY4TnB4uANyCOX.vK0xE
!
redundancy
!
!
!
!
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 104
match protocol Other
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol Other
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all RDP-IN-ACL
match access-group name RDP-IN-ACL
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 102
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all sdm-nat-microsoft-ds-1
match access-group 103
match protocol microsoft-ds
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-microsoft-ds-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class class-default
drop
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect
class class-default
drop
policy-map type inspect ccp-pol-outToIn
class type inspect RDP-IN-ACL
inspect
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet0/0
description $ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 181.62.1.137 255.255.255.0
ip access-group deye in
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/0/1
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/0/2
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/0/3
no ip address
shutdown
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
ip default-gateway 181.62.1.1
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 181.62.1.1
!
ip access-list extended RDP-IN-ACL
permit tcp any host 192.168.1.120 eq 3389
deny ip any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended internet
permit tcp 192.168.1.0 0.0.0.255 any eq www 80 3389 3390
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 remark CCP_ACL Category=16
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 181.62.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
!
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password iris
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
end
Please Help Me
Thanks
Best Regards,
Alex
12-28-2019 01:44 PM
Hello,
if this is the full configuration you have posted, the problem is not with your NAT, but with the ZBF. You do not have access lists 103 and 104 configured anywhere:
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol Other
!
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 104
match protocol Other
12-28-2019 01:55 PM
Hi georg.
I already added the lists you specified, but I still cannot connect via RDP from the outside.
Router.A#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router.A(config)#class-map type inspect match-all sdm-nat-user-protocol--1-1
Router.A(config-cmap)#match access-group 103
Router.A(config-cmap)#match protocol other
^
% Invalid input detected at '^' marker.
Router.A(config-cmap)#match protocol Other
^
% Invalid input detected at '^' marker.
Router.A(config-cmap)#exit
Router.A(config)#class-map type inspect match-all sdm-nat-user-protocol--2-1
Router.A(config-cmap)#match access-group 104
Router.A(config-cmap)#match protocol Other
^
% Invalid input detected at '^' marker.
Router.A(config-cmap)#
Router.A#
12-28-2019 02:04 PM
Where in your configuration are access lists 103 and 104?
At the very least try and use the 'match-any' keyword:
class-map type inspect match-any sdm-nat-user-protocol--1-1
class-map type inspect match-any sdm-nat-user-protocol--2-1
12-28-2019 02:18 PM
Hello,
actually, try and temporarily disable the ZBF to check if this actually causes your problem:
interface GigabitEthernet0/0
description $ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
--> no zone-member security in-zone
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 181.62.1.137 255.255.255.0
ip access-group deye in
ip nat outside
ip virtual-reassembly in
--> no zone-member security out-zone
duplex auto
speed auto
no cdp enable
12-28-2019 02:27 PM
I disabled it with 'no zone-member security in-zone' on interface GigabitEthernet0/0, and the internet went off.
12-28-2019 02:43 PM
You need to disable the ZBF on both interfaces...
12-29-2019 07:05 AM
OK, I disabled the ZBF on both interfaces,
but it still does not connect from outside to RDP.
12-29-2019 08:31 AM - edited 12-29-2019 08:34 AM
Hello,
which IP address do you specify from the outside to access the server?
Try and add a static NAT entry (in this example port 80 is used) and connect to that port:
ip nat inside source static tcp 192.168.1.x 80 181.62.1.137 80 extendable
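Two things the thread turns on can be checked mechanically before touching the router: class-maps that match on an access-group the config never defines (the ACL 103/104 problem in the first reply), and whether a static port forward exists for the RDP host at all (only overload NAT is configured; the last reply adds a static entry). The script below is an added example, not code from the thread; it works on a constructed excerpt of the posted config, and the "fixed" config uses the static NAT syntax from the last reply with the inside host and port filled in as an assumption.

```python
import re
# Constructed excerpt of the config posted in the thread: one class-map
# references ACL 103 (never defined); NAT is overload only, no static entry.
SAMPLE_CONFIG = """\
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 103
 match protocol Other
class-map type inspect match-all RDP-IN-ACL
 match access-group name RDP-IN-ACL
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip access-list extended RDP-IN-ACL
 permit tcp any host 192.168.1.120 eq 3389
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""
# Constructed "after" config: ACL 103 defined plus a static forward (assumed host/port).
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list 103 permit tcp any host 192.168.1.120 eq 3389
ip nat inside source static tcp 192.168.1.120 3389 181.62.1.137 3389 extendable
"""

NUM_ACL = re.compile(r"\s*access-list\s+(\d+)\s")
NAMED_ACL = re.compile(r"\s*ip access-list\s+(?:standard|extended)\s+(\S+)")
CLASS_MAP = re.compile(r"\s*class-map\s.*\s(\S+)$")
MATCH_ACL = re.compile(r"\s*match access-group\s+(?:name\s+)?(\S+)")
STATIC_NAT = re.compile(r"\s*ip nat inside source static\s+(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")

def defined_acls(config):
    """Identifiers of every ACL the config defines, numbered or named."""
    hits = (NUM_ACL.match(l) or NAMED_ACL.match(l) for l in config.splitlines())
    return {m.group(1) for m in hits if m}

def referenced_acls(config):
    """Map ACL identifier -> class-map name for every 'match access-group'."""
    refs, current = {}, None
    for line in config.splitlines():
        if m := CLASS_MAP.match(line):
            current = m.group(1)          # entering a class-map block
        elif (m := MATCH_ACL.match(line)) and current:
            refs[m.group(1)] = current
    return refs

def dangling_acl_refs(config):
    """ACLs a class-map matches on but the config never defines (the ZBF bug)."""
    defined = defined_acls(config)
    return sorted(a for a in referenced_acls(config) if a not in defined)

def static_nat_entries(config):
    """[(proto, inside_ip, inside_port, outside_ip, outside_port)] in the config."""
    return [m.groups() for m in map(STATIC_NAT.match, config.splitlines()) if m]

def missing_forwards(config, wanted):
    """Entries of wanted [(proto, inside_ip, inside_port)] with no static NAT."""
    have = {(p, ip, port) for p, ip, port, _, _ in static_nat_entries(config)}
    return [w for w in wanted if w not in have]
```

Run it against a full `show running-config` dump to list every undefined ACL reference and every requested port that has no static translation, then add only the forwards you actually need.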