How to block RDP Access from a Router

kumar86rakesh
Level 1

Hi,

We have a mail server with two NICs installed: one NIC is used for the public network and the other for the private network.

On the public network interface we have a static IP provided by our ISP, and it is directly connected to a WAN router.

On the private network interface we have directly connected our primary mail server.

So is there any option to block RDP to the server from the router side? Every day some outsider tries to connect to our server.

We have tried to block RDP with the Windows firewall, but it has not worked.

On the router we added the commands below to block RDP, but they have not worked.

ip access-list extended icmp
 permit tcp any host 10.XX.XX.XX eq 3389  (primary mail server IP)
 deny   icmp any any echo
 deny   tcp any host 12.XX.XX.XX eq 3389  (secondary mail server IP, on which we want to block RDP from outside)
 permit ip any any
!

Please help me out with this problem.

Thanks & Regards

Rakesh Kumar

4 Replies

Seb Rupik
VIP Alumni

Hi there,

What interface have you configured this ACL on and how is the access-group statement written?

cheers,

Seb.

Hi Rupik,

We don't use any access list on the WAN router, and I am also not very expert in router operation; this router was configured by our ISP.

Please find the attached 'sho run' output for better understanding.

ROUTER#sho run
Building configuration...

Current configuration : 1459 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 skld;jfe958049rlkj908989zxz.
enable password abcdef
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name abcde.com
!
username cisco privilege 15 secret 5 skld;jfe958049rlkj908989zxz
!
!
!
interface FastEthernet0/0
 description ### Lan Pool ##
 ip address 12.XX.XX.XX 255.255.XX.XX
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description ### Airtel Uplink ###
 ip address 12.XX.XX.XX 255.255.XX.XX
 ip access-group icmp in
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 125.XX.XX.XX  255.255.255.240 125.XX.XX.XX
!
no ip http server
!
ip access-list extended icmp
 permit icmp host 10.XX.XX.XX  any
 permit tcp any host 10.XX.XX.XX  eq 3389
 permit tcp any host 10.XX.XX.XX  eq 443
 permit tcp any host 10.XX.XX.XX  eq www
 deny   icmp any any echo
 deny   tcp any host 125.XX.XX.XX  eq 3389
 permit ip any any
!
no cdp run
!
control-plane
!
!
line con 0
 password abcdef
 login
line aux 0
line vty 0 4
 password abcdef
 login local
 transport input all
!
end

Hello again,

The 'permit ip any any' statement makes much of your ACL redundant. With it there is no need for any of the 'permit' statements. I suggest you remove it so that the implicit deny is restored.

If you think that you need it, can you provide the output of 'sh ip route'? Perhaps external devices are able to connect to the internal 10.XX.XX.XX address.

cheers,

Seb.
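To make the first-match behaviour Seb describes concrete, here is an added Python simulation (written for this page; it is not Cisco code and not the poster's configuration). It parses the ACL from the 'sho run' above, evaluates sample packets against it top to bottom, and shows what changes when the trailing 'permit ip any any' is removed and the implicit deny takes over. The addresses are constructed stand-ins for the masked 10.XX / 12.XX / 125.XX values in the thread, and the `Packet`, `Ace`, `evaluate` and `without_final_permit` names are this example's own.

```python
"""First-match evaluation of a Cisco-style extended ACL (added example).
Addresses below are constructed stand-ins for the masked values in the
thread; nothing here is the real configuration."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

PORT_NAMES = {"www": 80}  # IOS port keyword that appears in the posted ACL


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "echo"


@dataclass(frozen=True)
class Ace:
    """One access-control entry; proto "ip" matches every protocol."""
    action: str
    proto: str
    src: str                        # "any", "host A.B.C.D" or a CIDR network
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def parse_ace(line):
    """Parse the IOS extended-ACL subset used in the thread:
    <permit|deny> <proto> <src> <dst> [eq <port> | <icmp-type>]."""
    tok = line.split()
    pos = 2

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return "host " + tok[pos - 1]
        # "A.B.C.D WILDCARD": IOS wildcard bits are the inverse of a netmask
        net, wild = tok[pos], tok[pos + 1]
        pos += 2
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))
        return str(ipaddress.ip_network(f"{net}/{ipaddress.ip_address(mask)}", strict=False))

    src, dst = take_addr(), take_addr()
    dport = icmp_type = None
    if pos < len(tok):
        if tok[pos] == "eq":
            dport = PORT_NAMES.get(tok[pos + 1]) or int(tok[pos + 1])
        else:
            icmp_type = tok[pos]
    return Ace(tok[0], tok[1], src, dst, dport, icmp_type)


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, index) of the first matching entry. Index None means
    the packet fell through to the implicit 'deny ip any any' at the end."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


def without_final_permit(acl):
    """Drop a trailing 'permit ip any any' so the implicit deny takes effect."""
    last = acl[-1]
    if (last.action, last.proto, last.src, last.dst) == ("permit", "ip", "any", "any"):
        return acl[:-1]
    return list(acl)


# Constructed stand-ins for the masked addresses in the thread (not the real ones).
PRIMARY = "10.0.0.10"         # stands in for the 10.XX.XX.XX primary mail server
SECONDARY = "192.0.2.20"      # stands in for the 12.XX.XX.XX server where RDP must be blocked
DENY_TARGET = "198.51.100.5"  # stands in for the 125.XX.XX.XX address named in the deny line
OUTSIDER = "203.0.113.7"      # an arbitrary Internet host

POSTED_ACL = [parse_ace(l) for l in f"""
permit icmp host {PRIMARY} any
permit tcp any host {PRIMARY} eq 3389
permit tcp any host {PRIMARY} eq 443
permit tcp any host {PRIMARY} eq www
deny icmp any any echo
deny tcp any host {DENY_TARGET} eq 3389
permit ip any any
""".strip().splitlines()]


def rdp(dst):
    """TCP/3389 from the outsider to dst."""
    return Packet("tcp", OUTSIDER, dst, dport=3389)


if __name__ == "__main__":
    samples = (("RDP -> secondary", rdp(SECONDARY)),
               ("RDP -> deny target", rdp(DENY_TARGET)),
               ("SMTP -> primary", Packet("tcp", OUTSIDER, PRIMARY, dport=25)),
               ("ping -> primary", Packet("icmp", OUTSIDER, PRIMARY, icmp_type="echo")))
    for name, acl in (("posted", POSTED_ACL), ("trimmed", without_final_permit(POSTED_ACL))):
        for label, pkt in samples:
            print(f"{name:8}{label:20} -> {evaluate(acl, pkt)}")
```

Two things the run makes visible. With the posted ACL, RDP to any address other than the one named in the deny line falls through to entry 6, 'permit ip any any', so it is allowed; the deny only protects the single host it names. With that last line removed, RDP to the secondary server is dropped by the implicit deny, but so is every other service not explicitly permitted (SMTP to the primary server in the sample), so the remaining permit entries must cover everything the servers legitimately need before the change is applied.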

Hello

Not sure I understand this configuration. Do you have overlapping addressing here, or do you have two allocated public address scopes from the ISP?

interface FastEthernet0/0
 description ### Lan Pool ##
 ip address 12.XX.XX.XX 255.255.XX.XX

interface Serial0/0/0
 description ### Airtel Uplink ###
 ip address 12.XX.XX.XX 255.255.XX.XX

ip route 125.XX.XX.XX  255.255.255.240 125.XX.XX.XX

res
Paul