
4240
Views
5
Helpful
2
Replies
Beginner

Permit some IP to connect over port 3389

Hi,

I'm not very good at configuring access-rules, maybe someone can help. Below is my show run of a Cisco 800 router (two VLANs, single WAN) that works fine. The problem is that in this scenario port 3389 is open for everyone. Only two remote users are allowed to connect through port 3389. Let's say WAN IPs: 22.33.44.55 and 66.77.88.99. What would a good access-rule look like to fix it?

############################

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname cisco-867
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ***
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 1
clock summer-time GMT date Mar 30 2002 1:00 Oct 26 2035 1:59
!
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.10.200 192.168.10.254
!
ip dhcp pool Vlan2
network 192.168.10.0 255.255.255.0
domain-name dsl.local
default-router 192.168.10.254
dns-server 213.144.235.1 213.144.235.2
lease 0 8
!
!
ip cef
no ip bootp server
no ip domain lookup
!
!
!
archive
log config
hidekeys
username admin privilege 15 secret 5 ***
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description ISP Connect
pvc 0/99
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description Business Connect FE0 - FE1
ip address 10.115.2.1 255.0.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
description Private Connect FE2 - FE3
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username *** password 7 ***
no cdp enable
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 133 interface Dialer0 overload
ip nat inside source static tcp 10.115.2.10 25 interface Dialer0 25
ip nat inside source static tcp 10.115.2.10 443 interface Dialer0 443
ip nat inside source static tcp 10.115.2.10 3389 interface Dialer0 3389
ip nat inside source static tcp 10.115.2.10 80 interface Dialer0 80
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended IPFW-ACL
permit tcp any host 77.88.99.00 eq smtp
permit tcp any host 77.88.99.00 eq 443
permit tcp any host 77.88.99.00 eq www
permit tcp any host 77.88.99.00 eq 3389
!
logging trap debugging
access-list 23 remark TTY security
access-list 23 permit 10.115.2.0 0.0.0.255
access-list 23 permit **.**.**.0 0.0.0.255
access-list 23 permit 172.31.255.0 0.0.0.255
access-list 133 deny   ip 10.115.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 133 deny   ip 192.168.10.0 0.0.0.255 10.115.2.0 0.0.0.255
access-list 133 permit ip 10.115.2.0 0.0.0.255 any
access-list 133 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
control-plane
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

#############################

Any other comments are welcome as well!

Accepted Solution
Rising star

Re: Permit some IP to connect over port 3389

Hello,

Here's the config:

ip access-list extended outside_in
 permit tcp host 22.33.44.55 any eq 3389
 permit tcp host 66.77.88.99 any eq 3389
 deny tcp any any eq 3389 log
 permit ip any any
!
int dialer 0
 ip access-group outside_in in

Regards,

Roman

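To see how the accepted ACL behaves against the two permitted hosts and an arbitrary outside address, here is a small first-match evaluator for the IOS extended ACL syntax used in this thread (permit/deny, tcp/ip, any/host/wildcard, eq, log). It is an added example, not Roman's or Cisco's code; WAN_IP is a constructed placeholder for the router's negotiated Dialer0 address, and 198.51.100.7 is a constructed untrusted source.

```python
import ipaddress
# Constructed placeholder for the router's negotiated Dialer0 address (not on the page).
WAN_IP = "203.0.113.10"

# Roman's outside_in ACL, copied from the accepted answer.
OUTSIDE_IN = [
    "permit tcp host 22.33.44.55 any eq 3389",
    "permit tcp host 66.77.88.99 any eq 3389",
    "deny tcp any any eq 3389 log",
    "permit ip any any",
]

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one entry: <action> <proto> <src> <dst> [eq <port>] [log]."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport, rest = int(rest[1]), rest[2:]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "log": "log" in rest}

def evaluate(acl_lines, proto, src, dst, dport):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if (ace["proto"] in ("ip", proto)
                and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"], ace["log"]
    return "deny", False  # the implicit "deny ip any any" at the end of every IOS ACL

if __name__ == "__main__":
    for src, port in [("22.33.44.55", 3389), ("198.51.100.7", 3389), ("198.51.100.7", 443)]:
        print(src, port, "->", evaluate(OUTSIDE_IN, "tcp", src, WAN_IP, port))
    # Without the trailing "permit ip any any", the implicit deny would also block 443.
    print("no trailing permit:", evaluate(OUTSIDE_IN[:-1], "tcp", "198.51.100.7", WAN_IP, 443))
```

The last case shows why the trailing permit ip any any matters: without it the implicit deny would also drop the SMTP, HTTPS and HTTP port forwards in the question. An inbound ACL on the NAT outside interface is checked before translation, so the destination it sees is the public Dialer0 address, which is why "any" works as the destination here.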

2 Replies

Beginner

Re: Permit some IP to connect over port 3389

Thanks Roman, it worked!!
