port forward help for remote desktop

Katsikantais
Level 1

Hello,

I'm having a problem with port forwarding for remote desktop.

My Cisco 2801 is connected as the 2nd router. FE0/0 is my WAN
and FE0/1 is my local.

On the main 1st router I have ports 3389 (for remote desktop)
and 23 (for accessing the Cisco) forwarded to the Cisco WAN IP (fe0/0).

Trying to connect to the Cisco with telnet on port 23 works OK,

but remote desktop doesn't.

Here is my config....

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret xxxxxxxxx
enable password xxxxxxxx
!
no aaa new-model
clock timezone UTC 2
no network-clock-participate wic 1
ip source-route
!
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
username xxxxx password xxxxxxx
archive
log config
hidekeys
!
!
controller E1 0/1/0
shutdown
!
!
!
!
!
interface FastEthernet0/0
description wan.interface
ip address 172.xx.xx.xx 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
no mop enabled
!
interface FastEthernet0/1
description local.interface
ip address 192.xx.xx.xx 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
half-duplex
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.xx.xx.xx
!
!
no ip http server
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.xx.xx.xx 3389 interface FastEthernet0/0 3389
!
ip access-list extended no_telnet
deny tcp any any eq telnet
!
access-list 10 permit 192.xx.xx.xx 0.0.0.255
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
disable-eadi
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
login local
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
end

Can you please tell me what the problem is with my 2801 config?

Thank you.

23 Replies

Hello

No matter if you use single/double NAT or bridging, you will have to append a static NAT rule statement on the MikroTik rtr.

As for the single NAT option, secondary addressing on the MikroTik rtr would be required to accommodate that new subnet.

What's the reason you cannot NAT or bridge on the Cisco?

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I tried the bridge you suggested on the Cisco but I didn't make it work.

Maybe I did something wrong. I'll try again tomorrow.

thanks

Hi,

I finally fixed it and now port forwarding is working.

I also added some rules to protect access to the LAN & router from the internet.

Here is my config. Any suggestions are welcome.

Current configuration : 1922 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 xxxx
enable password 7 xxxx
!
no aaa new-model
clock timezone UTC 2
no network-clock-participate wic 1
no ip source-route
!
!
!
!
ip cef
no ip bootp server
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
username xxxx password 7 xxxxx
archive
log config
hidekeys
!
!
controller E1 0/1/0
shutdown
!
!
!
!
!
interface FastEthernet0/0
description wan.interface
ip address 1xx.xx.xx.xx 255.xx.xx.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description local.interface
ip address 1xx.xx.xx.xx 255.xx.xx.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1xx.xx.xx.xx
!
!
no ip http server
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 1xx.xx.xx.xx 3389 interface FastEthernet0/0 3389
!
ip access-list standard NAT
permit 1xx.xx.xx.0 0.0.xx.xx
!
access-list 10 permit 1xx.xx.xx 0.0.0.255
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
access-list 100 deny tcp any host 1xx.xx.xx.xx eq telnet
access-list 100 deny ip any any log
access-list 100 deny tcp any host 1xx.xx.xx.xx eq 22
disable-eadi
no cdp run

!
!
!
control-plane
!
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
exec-timeout 60 0
login local
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
end

So now your Cisco is the Internet edge device? Or is the MikroTik still the router actually connected to the Internet?

MikroTik is the edge router and the Cisco is the 2nd.

Had to change some rules in the MikroTik first, then I reconfigured the Cisco from scratch to make it work.

thanks

Hello

Glad to hear that!

FYI -
ip access-list standard NAT
- Not required as it isn't being called by anything.

access-list 100 deny icmp any any echo
access-list 100 permit ip any any
access-list 100 deny tcp any host 1xx.xx.xx.xx eq telnet
access-list 100 deny ip any any log
access-list 100 deny tcp any host 1xx.xx.xx.xx eq 22

<--- the default ACL action is to deny all anyway, and after the second ACE the rest of this ACL will not be used, as everything is matched by it.

You need to apply the most specific entries first.

Example:
access-list 100 deny icmp any any echo
access-list 100 deny tcp any host 1xx.xx.xx.xx eq 22
access-list 100 deny tcp any host 1xx.xx.xx.xx eq telnet
access-list 100 permit  xxxx etc.......( but not any any)......
access-list 100 deny ip any any log  <--- just for logging purposes

res

Paul



Hi,

Thanks for the suggestion. I fixed the rules now.

I got a little confused about the rule
access-list 100 permit  xxxx etc.......( but not any any)......

How exactly should this rule be? If I change anything I don't have internet on my PC.

thanks

Hello
I would say remove it, but if you wish to control and allow certain access with an ACL on your 2nd rtr WAN interface then a simple CBAC rule can help.

Example:
access-list 100 permit  icmp any any echo-reply
access-list 100 permit icmp any any echo
access-list 100 deny ip any any log

ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

interface fa0/0
description 2nd rtr wan link
ip access-group 100 in
ip inspect CBAC out

res
paul

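As an added, constructed illustration of the two points in Paul's replies above (why the first-posted ACL 100 never reaches the denies after its `permit ip any any`, and how an inbound ACL combined with outbound inspection admits only solicited return traffic), the Python model below walks an extended ACL top to bottom with first-match semantics, flags shadowed entries, and simulates the CBAC return path. It is not IOS code and not from the thread; the 203.0.113.10 and 198.51.100.x addresses are stand-ins for the masked 1xx.xx.xx.xx values, and the `permit tcp any host ... eq 3389` entry in the reordered list is an assumption (the forwarded RDP port) filling in the "permit xxxx" placeholder.

```python
"""First-match ACL evaluation plus a CBAC-style return path: a constructed teaching model, not IOS code."""
import ipaddress
from collections import namedtuple

NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
ROUTER_WAN = "203.0.113.10"  # constructed stand-in for the masked 1xx.xx.xx.xx WAN address

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # dport: port, or ICMP type

def parse_addr(toks):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' from the token list."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network((toks[0], toks[1]), strict=False), toks[2:]

def parse_ace(line):
    """Parse 'access-list N <action> <proto> <src> <dst> [eq PORT | ICMP-TYPE] [log]'."""
    toks = line.split()
    action, proto, rest = toks[2], toks[3], toks[4:]
    log = rest[-1] == "log"
    src, rest = parse_addr(rest[:-1] if log else rest)
    dst, rest = parse_addr(rest)
    port = None
    if rest:
        port = ICMP_TYPES[rest[0]] if proto == "icmp" else NAMED_PORTS.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port, "log": log}

def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and ace["port"] in (None, pkt.dport))

def evaluate(acl, pkt):
    """IOS semantics: the first matching ACE wins; implicit deny when nothing matches."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", None

def shadowed_aces(acl):
    """Indices of ACEs that can never match because an earlier, broader ACE covers them."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["port"] in (None, later["port"])):
                out.append(j)
                break
    return out

def session_key(proto, remote, local, local_port):
    return (proto, remote, local, 0 if proto == "icmp" else local_port)

class StatefulEdge:
    """'ip access-group 100 in' plus 'ip inspect CBAC out' on one WAN interface: outbound packets
    record a session, and an inbound packet matching a recorded session is admitted before the
    static ACL is consulted (simplified: post-NAT addresses, no timeouts, no TCP state tracking)."""
    def __init__(self, inbound_acl):
        self.acl = inbound_acl
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add(session_key(pkt.proto, pkt.dst, pkt.src, pkt.sport))
    def inbound(self, pkt):
        if session_key(pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.sessions:
            return "permit", "inspect"
        return evaluate(self.acl, pkt)

# ACL 100 as first posted: ACE 1 (permit ip any any) swallows everything after it.
ORIGINAL_ACL_100 = parse_acl(f"""
access-list 100 deny icmp any any echo
access-list 100 permit ip any any
access-list 100 deny tcp any host {ROUTER_WAN} eq telnet
access-list 100 deny ip any any log
access-list 100 deny tcp any host {ROUTER_WAN} eq 22
""")
# Reordered: specific denies, one specific permit (assumed: the forwarded RDP port), logged catch-all deny.
REORDERED_ACL_100 = parse_acl(f"""
access-list 100 deny icmp any any echo
access-list 100 deny tcp any host {ROUTER_WAN} eq 22
access-list 100 deny tcp any host {ROUTER_WAN} eq telnet
access-list 100 permit tcp any host {ROUTER_WAN} eq 3389
access-list 100 deny ip any any log
""")
# CBAC variant from the later reply: only echo/echo-reply statically; other replies rely on inspection.
CBAC_ACL_100 = parse_acl("""
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any echo
access-list 100 deny ip any any log
""")
```

With the first-posted list, `evaluate(ORIGINAL_ACL_100, telnet_packet)` returns `("permit", 1)` and `shadowed_aces` reports entries 2, 3 and 4 as unreachable; after reordering, the same telnet packet hits the specific deny and only the permitted RDP port gets through. The `StatefulEdge` run shows an unsolicited inbound TCP packet being logged and dropped by the catch-all deny while the reply to an outbound session is admitted by the inspection entry, which is what lets the CBAC variant drop the broad `permit ip any any` without breaking outbound browsing. The permit for the forwarded port is placed on the WAN address because, for outside-to-inside traffic, IOS consults the inbound ACL before applying the static NAT translation.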

Hello


I can't NAT all on the Cisco.
I use the MikroTik to offer free wifi to customers with a hotspot
and I use the Cisco to give internet to the offices.

If that's the case then you have an option to bridge the MikroTik local LAN over the Cisco.

Doing this will bridge the MikroTik local LAN addressing to users attached to the Cisco, with the port forwarding set on the MikroTik rtr.

Example for the Cisco rtr (no NAT):

bridge irb
bridge 1 protocol ieee
bridge 1 route ip

interface x/x
description link to mikrotik
bridge-group 1


interface x/x
description  Cisco lan switch
bridge-group 1


interface BVI1
ip address 172.xx.xx.xx 255.255.255.0

ip route 0.0.0.0 0.0.0.0 172.xx.xx.xx

res
Paul
