Solved: Allowing port 3389

eddiebrown1986 · ‎07-16-2013

Hello Fellow Cisco Professionals,

I am looking to grant public access to a private RDP server via RD gateway. Now I have set up the front end of this server but am having difficulties in deciding what I should do about the backend access. I have an 891 Cisco router that is apart of a router on a stick configuration. Right now it is using NAT overloading from the inside to the outside. Along side of a static default route we are able to gain access to the public world.

Here is the configuration for this:

end

Now is the best way to do this using an access list? Or a new NAT command with a preference of my external being translated to my interal private IP? Or a combination of the both?

If I add a new NAT preference point my external address to my internal server address would that compromise the functionality of my network?

Any insight would be appreciated on this.

Thanks,

Eddie

Kelvin Willacey · ‎07-16-2013

A static NAT should work fine and if you know the public IP of the sources that are trying to connect then you can restrict it, otherwise a VPN might be better if your router supports it.

View solution in original post

Kelvin Willacey · ‎07-16-2013

Yes it will still work with your existing IP address, you will just need to do a static PAT.

View solution in original post

Kelvin Willacey · ‎07-16-2013

Hey Eddie, remove your public IP and passwords. You may want to change your password at this point.

eddiebrown1986 · ‎07-16-2013

These are old configs with old IP addresses, nothing to worry about.

Kelvin Willacey · ‎07-16-2013

A static NAT should work fine and if you know the public IP of the sources that are trying to connect then you can restrict it, otherwise a VPN might be better if your router supports it.

eddiebrown1986 · ‎07-16-2013

What if I want to reuse my public IP address that is assigned to my outside interface? Is that possible or do I need to purchase a second IP address?

Kelvin Willacey · ‎07-16-2013

Yes it will still work with your existing IP address, you will just need to do a static PAT.

eddiebrown1986 · ‎07-22-2013

Ok so I have set up the static NAT to route all incoming traffic on port 443, 80, and 3389 to my inside private address.

I have also opened up ports 443, 80, and 3389 via access list 101. I have applied 101 to my outside interface heading in the inbound direction. I have also enabled CBAC on all interfaces to inspect both inbound and outbound. I am still unable to get to my RDWEB page hosted by my rdconnection server.

This is my current configuration:

service timestamps log datetime msec

service password-encryption

!

hostname ROLIAJ01

!

boot-start-marker

boot-end-marker

!

enable secret 4 avq1sKoPiePO9fyYwxoCGtXKX9/uitvC9ih8omI4b1.

!

no aaa new-model

!

clock timezone utc 2 0

!

no ipv6 cef

ip source-route

ip cef

!

ip inspect name GMRA tcp router-traffic

ip inspect name GMRA udp router-traffic

ip inspect name GMRA icmp router-traffic

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

license udi pid CISCO1941/K9 sn FGL161920AW

!

redundancy

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description External Interface

ip address 81.x.x.x 255.255.255.252

ip access-group 101 in

ip nat outside

ip inspect GMRA in

ip inspect GMRA out

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1

description Internal Interface

no ip address

ip nat inside

ip inspect GMRA in

ip inspect GMRA out

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1.20

description Vlan20 Trunk

encapsulation dot1Q 20

ip address 192.168.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0/1.30

encapsulation dot1Q 30

ip address 192.168.30.1 255.255.255.0

!

interface GigabitEthernet0/1.40

encapsulation dot1Q 40

ip address 10.10.10.1 255.255.255.128

!

interface GigabitEthernet0/1.99

description Vlan99 Trunk

encapsulation dot1Q 99

ip address 192.168.99.1 255.255.255.0

!

interface FastEthernet0/0/0

no ip address

!

interface FastEthernet0/0/1

no ip address

!

interface FastEthernet0/0/2

no ip address

!

interface FastEthernet0/0/3

no ip address

!

interface Vlan1

no ip address

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat pool GMRA 81.x.x.x 81.x.x.x prefix-length 30

ip nat source static tcp 192.168.20.37 80 81.x.x.x 80 extendable

ip nat source static tcp 192.168.20.37 443 81.x.x.x 443 extendable

ip nat source static udp 192.168.20.37 3389 81.x.x.x 3389 extendable

ip nat inside source list 7 pool GMRA overload

ip nat inside source static tcp 192.168.20.37 3389 81.x.x.x 3389 extendable

ip route 0.0.0.0 0.0.0.0 81.x.x.x

!

access-list 7 permit 192.168.20.0 0.0.0.255

access-list 101 permit tcp any any eq 443

access-list 101 permit tcp any any eq www

access-list 101 permit tcp any any eq 3389

!

Now I am positive I have done everything properly on the server side. I did a "sheilds up!" test on my external IP anddress and even with my access list applied to the outside interface pointing in. "Sheilds Up!" is reporting port 443 and 80 both as closed.

If anyone see's anyhting wrong on my configs can you please highlight.

Thanks,

Eddie