12-08-2020 02:20 AM
Hello everyone,
I have a strange network setup, and what I want to achieve is to RDP into an internal computer from the outside world. The basic setup is as follows:
Basic ISP router ( Internet / 192.168.10.254 ) -> Cisco Router ( 192.168.10.1 ) -> Switches and internal network -> PC ( 192.168.11.50 )
We have multiple VLANs configured, and the main goal is to RDP to the public IPv4 address/port and redirect all that traffic to the user PC ( 192.168.11.50 ).
The ISP router has been configured with static routes for the 3 internal networks ( 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24 ) that are used for the workstations, wifi access and VoIP services. I have also set a port forwarding rule on the ISP router to redirect all traffic for port 3389 from the WAN address to 192.168.10.1, which is the IP address of our Cisco router.
I need to configure a NAT rule on the Cisco router itself now to redirect the already redirected traffic for TCP 3389 from 192.168.10.1 ( Cisco IP ) to 192.168.11.50 ( User PC ), I guess.
I already have set the following:
==
ip nat inside source static tcp 192.168.11.50 3389 interface Vlan1 3389
==
Here is also the config for my router for your review.
==
Building configuration...
Current configuration : 4195 bytes
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C887
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.13.1 192.168.13.5
ip dhcp excluded-address 192.168.12.1 192.168.12.4
ip dhcp excluded-address 192.168.11.1 192.168.11.5
!
ip dhcp pool Local_data
network 192.168.10.0 255.255.255.0
domain-name Janchart
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool Janchart_users_Vlan_11
network 192.168.11.0 255.255.255.0
domain-name Janchart
default-router 192.168.11.1
dns-server 8.8.8.8
!
ip dhcp pool VoIP_VLan_12
network 192.168.12.0 255.255.255.0
domain-name Janchart
default-router 192.168.12.1
dns-server 8.8.8.8
!
ip dhcp pool Wireless_Vlan_13
network 192.168.13.0 255.255.255.0
domain-name Janchart
default-router 192.168.13.1
dns-server 8.8.8.8
!
ip dhcp pool static-addresses
host 192.168.11.4 255.255.255.0
client-identifier 0110.e7c6.6292.7c
!
!
!
ip domain name Janchart.ltd
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ2201908J
!
!
object-group network Janchart_users_Vlan
192.168.11.0 255.255.255.0
!
object-group network Local_Data
192.168.10.0 255.255.255.0
!
object-group network VoIP_Vlan
192.168.12.0 255.255.255.0
!
object-group network Wireless_Vlan
192.168.13.0 255.255.255.0
!
!
no spanning-tree vlan 1
username Admin privilege 15 password 7 04712B080C296C5C1D
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
description OTE
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
description WAN
no ip address
!
interface Ethernet0.835
description OTE_VDSL
encapsulation dot1Q 835
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
switchport trunk allowed vlan 1,2,10-13,1002-1005
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport access vlan 11
no ip address
!
interface FastEthernet2
switchport access vlan 11
no ip address
!
interface FastEthernet3
switchport access vlan 13
no ip address
!
interface Vlan1
description Local
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan11
description Janchart_users
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan12
description VoIP
ip address 192.168.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan13
description Wireless
ip address 192.168.13.1 255.255.255.0
ip access-group Block_Wifi_to_lan in
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description OTE_VDSL_WAN
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname janc66@otenet.gr
ppp chap password 7 1316051D12331624
ppp pap sent-username janc66@otenet.gr password 7 0100140B42341401
ppp ipcp dns request
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns server
ip nat inside source list Nat_List interface Dialer1 overload
ip nat inside source static tcp 192.168.11.50 3389 interface Vlan1 3389
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
ip access-list extended Block_Wifi_to_lan
deny ip object-group Wireless_Vlan object-group Local_Data
deny ip object-group Wireless_Vlan object-group Janchart_users_Vlan
deny ip object-group Wireless_Vlan object-group VoIP_Vlan
permit ip any any
ip access-list extended Nat_List
permit ip object-group Local_Data any
permit ip object-group Janchart_users_Vlan any
permit ip object-group VoIP_Vlan any
permit ip any any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
==
Any advice on what I am doing wrong?
12-08-2020 05:48 AM
Why not just do the port forward to the PC on the ISP router, i.e. no need to do NAT on there and then NAT again on your Cisco router.
Jon
12-08-2020 07:36 AM
Hello,
ISP Router has the IP 192.168.10.254
The user PC is picking an IP from the Cisco router within the range 192.168.11.0/24.
I simply can't forward from the ISP router to a different range; it won't let me. All I can do is forward to something within the 192.168.10.0/24 range, which is not the range of our internal computers.
12-10-2020 05:32 AM
Any clues on the above?
12-10-2020 06:29 AM
Your topology diagram doesn't match the configuration, i.e. your router uses 192.168.10.1 and the ISP router uses 192.168.10.254, so why is vlan 1 on your router "ip nat inside"? It should be "ip nat outside" for this to work.
Also, what is the dialer interface on your router doing?
Jon
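As an added example, not part of the thread or of any Cisco tooling: a small Python lint that parses an IOS config excerpt and flags the two inconsistencies Jon points to, a static NAT that lands on an interface not marked "ip nat outside", and a default route whose next hop sits behind an "ip nat inside" interface. SAMPLE_CONFIG is a constructed, re-indented excerpt of the posted config; the parser assumes IOS's usual one-space indentation of interface sub-commands.

```python
import ipaddress
import re

# Constructed excerpt of the posted config, re-indented the way IOS prints it.
SAMPLE_CONFIG = """
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
ip nat inside source static tcp 192.168.11.50 3389 interface Vlan1 3389
ip route 0.0.0.0 0.0.0.0 192.168.10.254
"""

def parse_interfaces(config: str) -> dict:
    # Map each interface to its IPv4 network (None if negotiated) and NAT role.
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"network": None, "nat": None}
        elif not raw.startswith(" "):  # unindented line: interface block ended
            cur = None
        elif cur and line.startswith("ip address ") and "negotiated" not in line:
            _, _, ip, mask = line.split()
            ifaces[cur]["network"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif cur and line.startswith("ip nat "):
            ifaces[cur]["nat"] = line.split()[2]  # "inside" or "outside"
    return ifaces

def nat_findings(config: str) -> list:
    ifaces = parse_interfaces(config)
    findings = []
    # A static port forward must terminate on an 'ip nat outside' interface.
    pat = r"^ip nat inside source static \S+ (\S+) \d+ interface (\S+) \d+"
    for host, iface in re.findall(pat, config, re.M):
        role = ifaces.get(iface, {}).get("nat")
        if role != "outside":
            findings.append(f"static NAT for {host} lands on {iface}, which is 'ip nat {role}'")
    # The interface reaching the default-route next hop is the upstream side; if it is 'inside', nothing is translated.
    for nh_str in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        nh = ipaddress.ip_address(nh_str)
        for name, info in ifaces.items():
            if info["network"] and nh in info["network"] and info["nat"] == "inside":
                findings.append(f"default route via {nh} exits {name}, which is 'ip nat inside'")
    return findings
```

Run nat_findings on the full "show running-config" output to get both findings for the posted config; flipping Vlan1 to "ip nat outside" clears them.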
12-10-2020 09:54 PM
I'm just curious if you're aware of the security ramifications of allowing RDP from the Internet? That is a bad idea, unless you have an RD Gateway or it is tunneled inside a VPN (SSL or IPsec tunnel).