
Question about RDP

Anon01013
Level 1

Hello, I have a few questions about RDP on a Cisco 2851 router. I have a Cisco 2960 switch hooked up to the router and two computers going into that switch. I can RDP into computer 172.16.1.3 but I have to do it through the router IP address (172.16.0.3).

 

How can I RDP straight into the computer (172.16.1.3) without having to go through the router? I added another computer (172.16.1.4) to that subnet but I can't RDP into that computer. What am I missing or what am I doing wrong?

 

Also, I ran the "show ip nat tr" command and there is no Outside Local/Global for port 3389, is that something I should be concerned about? I'm still fairly new to networking and routers so any help would be appreciated, thank you! 


My host computer IP is 10.11.12.xx
I can RDP into computer 172.16.1.3 but not 172.16.1.4

 

Here's my start config:

Router(config)#do show run
Building configuration...


Current configuration : 1838 bytes
!
! Last configuration change at 15:16:25 UTC Fri May 1 2020
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$.d4T$hVtZThjEUPfiflpauOaeC1
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip dhcp pool labuser
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 8.8.8.8
!
ip dhcp pool lab_user_computer
host 172.16.1.3 255.255.255.0
client-identifier 0190.b11c.8ee2.92
dns-server 8.8.8.8
!
ip dhcp pool lab1
host 172.16.1.4 255.255.255.0
client-identifier 0134.17eb.b568.79
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2851 sn FTX1302A09N
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.16.1.3 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 172.16.1.4 3389 interface GigabitEthernet0/0 4489
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
access-list 1 permit any
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
transport input all
line vty 5 15
password cisco
login
transport input all
!
scheduler allocate 20000 1000
end

Router(config)#

 


Router#show ip nat tr
Pro Inside global     Inside local      Outside local      Outside global
tcp 172.16.0.3:3389   172.16.1.3:3389   ---                ---
tcp 172.16.0.3:53860  172.16.1.3:53860  52.230.222.68:443  52.230.222.68:443
tcp 172.16.0.3:56101  172.16.1.3:56101  52.242.211.89:443  52.242.211.89:443
tcp 172.16.0.3:56159  172.16.1.3:56159  10.11.12.26:7680   10.11.12.26:7680
tcp 172.16.0.3:56160  172.16.1.3:56160  172.16.0.8:80      172.16.0.8:80
tcp 172.16.0.3:56161  172.16.1.3:56161  172.16.0.8:80      172.16.0.8:80
tcp 172.16.0.3:56162  172.16.1.3:56162  52.148.151.26:443  52.148.151.26:443
udp 172.16.0.3:56604  172.16.1.3:56604  8.8.8.8:53         8.8.8.8:53
tcp 172.16.0.3:4489   172.16.1.4:3389   ---                ---
tcp 172.16.0.3:50758  172.16.1.4:50758  72.21.91.29:80     72.21.91.29:80
tcp 172.16.0.3:50960  172.16.1.4:50960  72.21.91.29:80     72.21.91.29:80

1 Accepted Solution


Hello

Does your computer reside external to GigabitEthernet0/0, and if so, can you ping or reach 172.16.0.3, which is the current WAN IP interface of that rtr? So any initiated external RDP connection should be sent with a destination address of 172.16.0.3, port 3389 or 4489.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


10 Replies

Hi,

Since you do not have a direct route between the host computer network and the lab network, you will need to go through the Router's outside IP address (in this case, 172.16.0.3). If you want to RDP directly to the devices, you will need to add a NAT exclusion from the lab network to the host computer network, and add routing between the two networks.

If you continue with what you have now and you need to be able to RDP to 172.16.1.4, do the RDP to port 4489 instead of the default port 3389. i.e., when you run RDP on the host computer, enter 172.16.0.3:4489 as the address.

 

If you have more questions, feel free to ask.

 

HTH,
Meheretab
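
The port mapping described in this reply can be read directly from the router's `show ip nat tr` output, where static forwards are the rows with `---` in both outside columns. The following Python is an added example, not part of the original thread: it parses that table and lists the address and port to dial for each inside RDP host. The sample rows are copied from the thread except the last one, which is constructed (the client port 50011 is an assumption) to show what a live session through a forward looks like.

```python
import re

# Rows copied from the thread's "show ip nat tr" output, plus one constructed
# row (the last) showing an active session that rides a static forward.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp 172.16.0.3:3389 172.16.1.3:3389 --- ---
tcp 172.16.0.3:53860 172.16.1.3:53860 52.230.222.68:443 52.230.222.68:443
tcp 172.16.0.3:56159 172.16.1.3:56159 10.11.12.26:7680 10.11.12.26:7680
udp 172.16.0.3:56604 172.16.1.3:56604 8.8.8.8:53 8.8.8.8:53
tcp 172.16.0.3:4489 172.16.1.4:3389 --- ---
tcp 172.16.0.3:4489 172.16.1.4:3389 10.11.12.26:50011 10.11.12.26:50011
"""  # last row is constructed, not from the thread

ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_nat_table(text):
    """Return one dict per translation row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": None if ol == "---" else ol,
                     "outside_global": None if og == "---" else og})
    return rows

def static_forwards(rows):
    """Static port forwards: rows with '---' in both outside columns."""
    return {r["inside_global"]: r["inside_local"] for r in rows
            if r["outside_local"] is None and r["outside_global"] is None}

def rdp_targets(rows, rdp_port=3389):
    """Map each inside RDP host to the address:port an outside client dials."""
    return {local.rsplit(":", 1)[0]: public
            for public, local in static_forwards(rows).items()
            if local.rsplit(":", 1)[1] == str(rdp_port)}

def sessions_via_forwards(rows):
    """Live flows using a static forward: (outside client, inside host) pairs."""
    fwd = static_forwards(rows)
    return [(r["outside_global"], r["inside_local"]) for r in rows
            if r["outside_global"] and fwd.get(r["inside_global"]) == r["inside_local"]]

if __name__ == "__main__":
    rows = parse_nat_table(SAMPLE)
    for host, dial in rdp_targets(rows).items():
        print(f"RDP to {host}: connect to {dial}")
    print("active via forwards:", sessions_via_forwards(rows))
```

The same output doubles as an inventory of which inside RDP listeners are reachable from the outside interface and on which ports.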

gerardothink
Level 1

Have you thought about adding the route over CMD on the computer?

Hello
Where are you trying to RDP into these two computers from? If you’re on their local subnet 172.16.1.0/24 then you should be able to access both PCs; however, if you are coming in from outside the WAN interface then you need to access them via the public assigned IP address (DHCP enabled).

I did notice one of your static NAT statements points to a differing TCP port (4489), so you need to specify that port when initiating an RDP connection internally and externally, and obviously the PC needs to be enabled for that port.

Lastly, your NAT doesn't like to call upon an access-list that has any any, so you need to change that to be more specific.

Example:
no ip route 0.0.0.0 0.0.0.0 172.16.0.1
no access-list 1 permit any

access-list 1 permit 172.16.1.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 gigabitethernet 0/0 dhcp



Kind Regards
Paul

Hello,

 

I'm trying to RDP from outside the WAN. I updated the ACL and the ip route but does the ACL need to be bound to an interface to work? Or does it apply to all interfaces by default?

 

Thank you.

Hello


@Anon01013 wrote:
ip nat inside source list 1 interface GigabitEthernet0/0 overload

The ACL is being called by your dynamic PAT statement, nothing more.



Kind Regards
Paul

Hello,

I updated the config but I'm still unable to RDP into the computer IP address. Could it be because NAT isn't seeing my host computer (10.11.12.26) on the outside local/global or does it matter? Is there something else I'm missing?

 

Here's my config:


!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.16.1.3 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 172.16.1.4 3389 interface GigabitEthernet0/0 4489
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
!
Router#show ip nat tr
Pro Inside global     Inside local      Outside local      Outside global
tcp 172.16.0.3:3389   172.16.1.3:3389   ---                ---
tcp 172.16.0.3:52280  172.16.1.3:52280  52.230.222.68:443  52.230.222.68:443
tcp 172.16.0.3:53742  172.16.1.3:53742  52.114.133.61:443  52.114.133.61:443
tcp 172.16.0.3:53743  172.16.1.3:53743  52.114.133.61:443  52.114.133.61:443
tcp 172.16.0.3:53748  172.16.1.3:53748  205.185.216.42:80  205.185.216.42:80
tcp 172.16.0.3:53749  172.16.1.3:53749  172.16.0.8:80      172.16.0.8:80
tcp 172.16.0.3:53750  172.16.1.3:53750  172.16.0.8:80      172.16.0.8:80
tcp 172.16.0.3:53751  172.16.1.3:53751  172.16.0.8:80      172.16.0.8:80
tcp 172.16.0.3:53752  172.16.1.3:53752  172.16.0.8:80      172.16.0.8:80
tcp 172.16.0.3:60996  172.16.1.3:60996  52.242.211.89:443  52.242.211.89:443
tcp 172.16.0.3:4489   172.16.1.4:3389   ---                ---
tcp 172.16.0.3:51710  172.16.1.4:51710  72.21.91.29:80     72.21.91.29:80
tcp 172.16.0.3:51808  172.16.1.4:51808  52.242.211.89:443  52.242.211.89:443

Hello

Your NAT statements are fine. Is 10.11.12.26 the public IP address of your WAN interface, and are your internal hosts active for RDP?

sh ip interface brief
sh tcp brief



Kind Regards
Paul

Hello,

10.11.12.26 is the IP address of my computer that I'm using to RDP into the other computers and yes they have RDP enabled. 

My computer (10.11.12.26) has a default gateway of 10.11.12.1. Interface g0/0 (172.16.0.3) is going into the firewall while interface g0/1 (172.16.1.1) is going into the Cisco 2960 switch. The other two computers are hooked up to that switch and I can ping everything in that subnet if this helps. I can't ping from my computer to anything on that subnet. I ran sh tcp brief but there's no output.

 

Router#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         172.16.0.3      YES DHCP   up                    up
GigabitEthernet0/1         172.16.1.1      YES NVRAM  up                    up
Serial0/0/0                unassigned      YES NVRAM  administratively down down
BRI0/1/0                   unassigned      YES NVRAM  administratively down down
BRI0/1/0:1                 unassigned      YES unset  administratively down down
BRI0/1/0:2                 unassigned      YES unset  administratively down down
NVI0                       unassigned      YES unset  administratively down down
Router#
Router#sh tcp brief

Router#

 

Thanks for all the help so far!

Hello

Does your computer reside external to GigabitEthernet0/0, and if so, can you ping or reach 172.16.0.3, which is the current WAN IP interface of that rtr? So any initiated external RDP connection should be sent with a destination address of 172.16.0.3, port 3389 or 4489.



Kind Regards
Paul

Hello, I'm not able to ping to that subnet from my host computer but I'm able to RDP using 172.16.0.3. I guess that'll be sufficient enough as long as I can RDP I should be ok. I think I'm just making more work for myself but thank you for all the help!
