Allowing RDP on 891w

Showtimeroute
Level 1

I am trying to allow RDP through my 891w.

I have tried a few different things to no avail.

Here's my config


version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXX
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
no logging monitor
enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxxxx
enable password hdhdhdhd!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Bogota -5
service-module wlan-ap 0 bootimage autonomous
!
!
ip source-route
!
!
!
ip dhcp pool Wireless
!
!
ip cef
ip name-server 209.27.52.51
ip name-server 209.27.52.56
ip name-server 4.2.2.2
ip inspect log drop-pkt
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

license udi pid CISCO891W-AGN-A-K9 sn FTX161684RJ
!
!
username Administrator privilege 15 view root secret 5 $1$..pj$cbdhuhudededed!
!
!
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect smtp match-any ccp-app-smtp
match  data-length gt 5000000
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match  req-resp header regex ccp-regex-nonascii
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol aol aol-servers
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any RDP
match protocol exec
match protocol login
match protocol msrpc
match access-group name RDP
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map RDP
match access-group name RDP
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method post
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  request port-misuse tunneling
match  req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  allow
class type inspect http ccp-app-httpmethods
  allow
class type inspect http ccp-app-nonascii
  allow
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
class type inspect ccp-protocol-smtp
  inspect
  service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  drop log
class type inspect ccp-protocol-im
  drop log
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
  drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
  pass
class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
class class-default
  drop log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group valu-med
key valupharmacy20120525valu
dns 192.168.10.120
domain valu-med.local
pool SDM_POOL_1
acl 101
split-dns valu-med.local
max-users 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group valu-med
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set vmed esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set vmed
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ETH-WAN$
no ip address
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan4
arp timeout 0
!
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 4
switchport mode trunk
!
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.10.250 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
!
interface Vlan4
ip address 192.168.30.1 255.255.255.0
!
!
interface Async1
no ip address
encapsulation slip
!
!
interface Dialer0
description $FW_OUTSIDE$
ip address ZZZ.ZZZ.ZZZ.ZZZ 255.255.255.0
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username lime password 0 lime
ppp ipcp dns request accept
!
!
ip local pool SDM_POOL_1 192.168.20.1 192.168.20.100
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat pool pool1 192.168.10.0 192.168.10.255 netmask 255.255.255.0
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list acl1 pool pool1
ip nat inside source static tcp 192.168.10.87 3389 interface Dialer0 3389
ip nat inside source static udp 192.168.10.87 3389 interface Dialer0 3389
ip route 0.0.0.0 0.0.0.0 ZZZ.ZZZ.XX.xx
ip access-list extended RDP
remark CCP_ACL Category=128
permit ip any host 192.168.10.140
permit tcp any host 192.168.10.140
permit tcp any host 192.168.10.140 eq 3389
permit udp any host 192.168.10.140 eq 3389
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
access-list 2 remark ccp_acl category=2
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip host 192.168.10.0 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
password jdcjdcjj

line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
password hjddhchdc!
scheduler max-task-time 5000
end

What am I doing wrong?

Accepted Solution

Hi,

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outtoin

policy-map type inspect ccp-pol-outtoin
 class class-default
  drop

You're dropping all traffic from out-zone to in-zone

policy-map type inspect ccp-pol-outToIn  -----> not used anywhere and no class-map attached

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
 match access-group name RDP  ----> not called in any policy-map

So if you do this:

no policy-map type inspect ccp-pol-outtoin

policy-map type inspect ccp-pol-outToIn
 class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 no service-policy type inspect ccp-pol-outtoin
 service-policy type inspect ccp-pol-outToIn

Your RDP should work now, but I have to look at the initial config to eventually add some class-maps to this policy to enable other types of traffic. Test your RDP and tell me if it is working, then I'll look at your config to edit the policy-map if needed.

Regards.

Alain

Don't forget to rate helpful posts.

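The accepted answer finds the problem by hand: the out-to-in zone-pair is bound to a policy-map whose only class is a class-default drop, while the class-map that references the RDP ACL sits in a policy-map nobody uses. As an added example (not from the thread and not Cisco's code), the script below parses the class-map, policy-map and zone-pair sections of an IOS zone-based firewall config and answers the same questions mechanically: which policy-map is attached to each zone-pair, what its class-default does, which policy-maps are attached nowhere, and whether a named ACL is reachable through any class that inspects or passes traffic. The sample config is constructed from the thread's own snippets (two policy-maps whose names differ only in case, since IOS names are case-sensitive); the "fixed" variant that rebinds the zone-pair is an assumption made for illustration.

```python
"""Trace whether an ACL is reachable through an IOS zone-based firewall policy."""
import re

# Constructed sample assembled from the forum thread's snippets (not a full running-config).
BROKEN_CONFIG = """\
class-map type inspect match-any RDP
 match protocol msrpc
 match access-group name RDP
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
 match class-map RDP
 match access-group name RDP
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
 class class-default
  drop log
policy-map type inspect ccp-pol-outtoin
 class class-default
  drop
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outtoin
"""
# Assumed fix: rebind the zone-pair to the policy-map that carries the RDP class.
FIXED_CONFIG = BROKEN_CONFIG.replace(" service-policy type inspect ccp-pol-outtoin",
                                     " service-policy type inspect ccp-pol-outToIn")

CLASS_MAP_RE = re.compile(r"^class-map type inspect (?:(\S+) )?match-(any|all) (\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map type inspect (?:(\S+) )?(\S+)$")
ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
ACTION_RE = re.compile(r"^(inspect|pass|drop(?: log)?|allow|log|reset)$")


def parse_zbf(text):
    """Collect class-maps, policy-maps (class -> action) and zone-pairs.
    Indentation is ignored on purpose: configs pasted into forums usually lose it."""
    cfg = {"class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    ctx, current_class = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := CLASS_MAP_RE.match(line):
            ctx = ("class_map", m.group(3))
            cfg["class_maps"][m.group(3)] = {"mode": m.group(2), "acls": set(),
                                             "classes": set(), "protocols": set()}
        elif m := POLICY_MAP_RE.match(line):
            ctx, current_class = ("policy_map", m.group(2)), None
            cfg["policy_maps"][m.group(2)] = {}
        elif m := ZONE_PAIR_RE.match(line):
            ctx = ("zone_pair", m.group(1))
            cfg["zone_pairs"][m.group(1)] = {"source": m.group(2),
                                             "destination": m.group(3), "policy": None}
        elif ctx and ctx[0] == "class_map":
            cm = cfg["class_maps"][ctx[1]]
            if line.startswith("match access-group name "):
                cm["acls"].add(line.split()[-1])
            elif line.startswith("match class-map "):
                cm["classes"].add(line.split()[-1])
            elif line.startswith("match protocol "):
                cm["protocols"].add(line.split()[2])
        elif ctx and ctx[0] == "policy_map":
            if line == "class class-default":
                current_class = "class-default"
            elif line.startswith("class type inspect "):
                current_class = line.split()[-1]
            elif current_class and ACTION_RE.match(line):
                cfg["policy_maps"][ctx[1]][current_class] = line
        elif ctx and ctx[0] == "zone_pair" and line.startswith("service-policy type inspect "):
            cfg["zone_pairs"][ctx[1]]["policy"] = line.split()[-1]
    return cfg


def acls_of_class(cfg, class_name, _seen=None):
    """ACLs a class-map matches, following nested 'match class-map' references."""
    _seen = set() if _seen is None else _seen
    if class_name in _seen or class_name not in cfg["class_maps"]:
        return set()
    _seen.add(class_name)
    cm = cfg["class_maps"][class_name]
    acls = set(cm["acls"])
    for nested in cm["classes"]:
        acls |= acls_of_class(cfg, nested, _seen)
    return acls


def acl_exposure(cfg, acl):
    """(zone-pair, policy-map, class, action) tuples that let traffic matching `acl`
    through; an empty list means the ACL is never consulted by any active policy."""
    hits = []
    for zp_name, zp in sorted(cfg["zone_pairs"].items()):
        for cls, action in cfg["policy_maps"].get(zp["policy"], {}).items():
            if action in ("inspect", "pass") and acl in acls_of_class(cfg, cls):
                hits.append((zp_name, zp["policy"], cls, action))
    return hits


def unused_policy_maps(cfg):
    """Policy-maps attached to no zone-pair, e.g. a near-duplicate name."""
    attached = {zp["policy"] for zp in cfg["zone_pairs"].values()}
    return sorted(set(cfg["policy_maps"]) - attached)


def default_action(cfg, zone_pair):
    pm = cfg["policy_maps"].get(cfg["zone_pairs"][zone_pair]["policy"], {})
    return pm.get("class-default", "(none)")


if __name__ == "__main__":
    for label, text in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        cfg = parse_zbf(text)
        print(f"--- {label} ---")
        print("unused policy-maps:", unused_policy_maps(cfg))
        print("out->in class-default:", default_action(cfg, "ccp-zp-out-zone-To-in-zone"))
        print("RDP ACL reachable via:", acl_exposure(cfg, "RDP") or "nothing")
```

Run as-is, the "before" pass reports the RDP ACL as unreachable and ccp-pol-outToIn as unused; the "after" pass shows the ACL reachable through the inspect class on the out-to-in zone-pair. The same check is worth running after any CCP/SDM-generated change, because the wizard happily leaves near-duplicate policy-maps behind.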

23 Replies

cadet alain
VIP Alumni

Hi,

Can you do this:

no class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
 match access-group name RDP

Regards.

Alain

Don't forget to rate helpful posts.


Thanks for the response.

I couldn't delete the class-map with the 'no class...' statement because it says it's in use, so I simply added the 'match access-group...' statement.

It didn't make a difference.

Is there a way to turn on logging so I see what's happening when the RDP is being attempted?

Hi,

Delete the policy-map that uses this class-map, delete the class-map, then recreate it as I said, then recreate the policy-map.

Tell us if it worked.

There is the ip inspect log drop-pkt global config command, but I don't know if it works on IOS 15.

Regards.

Alain

Don't forget to rate helpful posts.


How can I tell which policy-map uses this class-map?

Hi,

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn

policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class type inspect ccp-cls-ccp-pol-outToIn-1
  inspect
 class class-default
  drop log

This is this one.

Regards.

Alain

Don't forget to rate helpful posts.


Ok,

I did that:

no policy-map type inspect ccp-pol-outtoin

no class-map type inspect match-all ccp-cls-ccp-pol-outtoin-1

class-map type inspect match-all ccp-cls-ccp-pol-outtoin-1
 match access-group name RDP

No difference.

I'm not even seeing the RDP attempts in the console logs.

Hi,

Did you re-enter the policy-map? You must do it.

From where are you doing RDP? Does your ACL get hits?

Regards.

Alain

Don't forget to rate helpful posts.


I have re-entered the policy-map "policy-map type inspect ccp-pol-outtoin".

I noticed that in the logging I only receive messages like the following:

Sep 26 19:55:36.666: %FW-6-LOG_SUMMARY: 1 packet were dropped from 117.197.29.39:12643 => 208.157.149.XX:57091 (target:class)-(ccp-zp-out-self:class-default)
Sep 26 19:55:36.666: %FW-6-LOG_SUMMARY: 1 packet were dropped from 72.185.236.123:18099 => 208.157.149.XX:57091 (target:class)-(ccp-zp-out-self:class-default)
Sep 26 19:55:36.666: %FW-6-LOG_SUMMARY: 1 packet were dropped from 88.177.81.193:20010 => 208.157.149.XX:57091 (target:class)-(ccp-zp-out-self:class-default)
Sep 26 19:55:36.666: %FW-6-LOG_SUMMARY: 1 packet were dropped from 94.88.32.66:19544 => 208.157.149.XX:57091 (target:class)-(ccp-zp-out-self:class-default)

Nothing from ccp-cls-ccp-pol-outtoin-1.

Hi,

From where are you doing RDP? Does your ACL get hits?

Regards.

Alain

Don't forget to rate helpful posts.


I'm making progress, it seems.

I actually had the wrong IP address for the RDP server in the IP NAT command, so after correcting that I get the following when trying to RDP:

Sep 27 15:46:14.161: %FW-6-DROP_PKT: Dropping tcp session 208.168.230.128:50900 192.168.10.140:3389  due to  policy match failure with ip ident 0

Which policy it's trying to match is the next question.
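The two log formats the poster quotes (%FW-6-LOG_SUMMARY, which names the zone-pair and class that dropped the packet, and %FW-6-DROP_PKT, which names the session and a reason) are what answer the "which policy is it trying to match" question. As an added example (not from the thread and not Cisco's code), the script below parses both formats and aggregates drops by zone-pair:class or reason, and can filter for drops toward a given inside host and port so the RDP attempts stand out from the background noise aimed at the router itself. The log lines are constructed to mirror the thread's format, with documentation-range addresses in place of the poster's real ones.

```python
"""Summarise Cisco IOS zone-based firewall drop messages."""
import re
from collections import Counter

# Constructed sample in the two message formats quoted in the thread.
SAMPLE_LOG = """\
Sep 26 19:55:36.666: %FW-6-LOG_SUMMARY: 1 packet were dropped from 203.0.113.7:12643 => 198.51.100.20:57091 (target:class)-(ccp-zp-out-self:class-default)
Sep 26 19:55:36.666: %FW-6-LOG_SUMMARY: 3 packets were dropped from 203.0.113.9:18099 => 198.51.100.20:57091 (target:class)-(ccp-zp-out-self:class-default)
Sep 27 15:46:14.161: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.50:50900 192.168.10.140:3389  due to  policy match failure with ip ident 0
Sep 27 15:46:20.002: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.50:50901 192.168.10.140:3389  due to  policy match failure with ip ident 0
Sep 27 15:47:01.500: %FW-6-LOG_SUMMARY: 2 packets were dropped from 203.0.113.88:4444 => 192.168.10.140:3389 (target:class)-(ccp-zp-out-zone-To-in-zone:class-default)
"""

TS = r"(?P<ts>\w{3} +\d+ [\d:.]+)"
SUMMARY_RE = re.compile(
    TS + r": %FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)$")
DROP_RE = re.compile(
    TS + r": %FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) +due to +"
    r"(?P<reason>.+?)(?: with ip ident \d+)?$")


def parse_fw_log(text):
    """Return one record per recognised line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            d = m.groupdict()
            records.append({"kind": "summary", "ts": d["ts"], "src": d["src"],
                            "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
                            "count": int(d["count"]), "zone_pair": d["zp"], "cls": d["cls"],
                            # summary lines carry the dropping zone-pair and class
                            "reason": f"{d['zp']}:{d['cls']}"})
        elif m := DROP_RE.match(line):
            d = m.groupdict()
            records.append({"kind": "drop", "ts": d["ts"], "proto": d["proto"], "src": d["src"],
                            "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
                            "count": 1, "zone_pair": None, "cls": None, "reason": d["reason"]})
    return records


def drops_by_reason(records):
    """Packet counts keyed by 'zone-pair:class' (summary) or the stated reason (drop)."""
    totals = Counter()
    for r in records:
        totals[r["reason"]] += r["count"]
    return totals


def drops_to(records, dst, dport):
    """Only the drops aimed at one inside host and port, e.g. the RDP server."""
    return [r for r in records if r["dst"] == dst and r["dport"] == dport]


if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_LOG)
    for reason, n in drops_by_reason(recs).most_common():
        print(f"{n:4d}  {reason}")
    for r in drops_to(recs, "192.168.10.140", 3389):
        print(r["ts"], r["src"], "->", r["dst"], r["dport"], r["reason"])
```

Feed it the output of `show logging` (or a syslog file) and the aggregate view separates scanner noise that hits the out-to-self class-default from the sessions dropped on the out-to-in zone-pair, which is where a missing or mis-bound inspect class shows up.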

Hi,

The question is still from where you are doing this test, from an outside PC or from inside, and if from outside, do you see hits increasing for the RDP ACL?

Regards.

Alain

Don't forget to rate helpful posts.


I am doing RDP from outside. How do I check the hits on the RDP ACL?

I see this:

Valumed#sh access-list RDP
Extended IP access list RDP
    10 permit ip any host 192.168.10.140 (24 matches)
    20 permit tcp any host 192.168.10.140
    30 permit tcp any host 192.168.10.140 eq 3389
    40 permit udp any host 192.168.10.140 eq 3389
