cisco837 adsl router ACL

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • cisco837 adsl router ACL

    I would like to Remote Desktop to an XP machine from the outside world.
    The machine has a static IP, 192.168.2.200.
    I am guessing I need to add an ACL such as:
    access-list 111 permit rdp any any 192.168.2.200 255.255.255.255
    Will this allow Remote Desktop to access this machine?
    Will it allow only this machine?
    The machine will have its own security.

  • #2
    Re: cisco837 adsl router ACL

    I am guessing I need to add an ACL such as:
    access-list 111 permit rdp any any 192.168.2.200 255.255.255.255
    Will this allow Remote Desktop to access this machine?
    Not as shown above.

    If I understand your post correctly, you want to port-forward RDP requests from the Internet to an inside host at 192.168.2.200. I am also assuming you have a dialer interface that obtains a dynamically assigned public IP address. To accomplish this in Cisco IOS, you would first need to modify the ACL that is attached to the outside interface (using your example, ACL 111) to accept RDP, and then add a static NAT entry to forward RDP to the inside host. Something like:
    NOTE: I have not tested the example shown below. I'm going from memory, but I should be close.
    Code:
    ! permit inbound TCP/3389 from any source (ACL 111 is applied inbound on the outside interface)
    access-list 111 permit tcp any any eq 3389
    ! forward TCP/3389 arriving on Dialer0's public address to the inside host
    ip nat inside source static tcp 192.168.2.200 3389 interface dialer0 3389
    Will it allow only this machine?
    Yes.
    The machine will have its own security.
    Just my opinion here... but since you are "permitting" the entire planet access to your Microsoft-based host via RDP, I would suggest changing the RDP connection to use a non-standard port other than the well-known 3389. Something like 53389 will help with the wannabe script kiddies of the world probing for RDP hosts. To accomplish this, just change the above code example to map 53389 -> 3389. Something like this (again, I'm going from memory here):
    Code:
    ! permit only the non-standard public port inbound; probes to 3389 hit the implicit deny
    access-list 111 permit tcp any any eq 53389
    ! translate public port 53389 on Dialer0 to 192.168.2.200:3389 on the inside
    ip nat inside source static tcp 192.168.2.200 3389 interface dialer0 53389
    Another option: if your 837 IOS image supports crypto, then configure it as a VPN server and connect to the 837 using the Cisco VPN client. This will then allow you access to your XP box via the VPN tunnel. At least you are not directly exposing your Microsoft-based host to the public Internet.
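The following is an added example, not code from the thread or from Cisco: a small Python model of how the two config fragments in the reply above (the well-known-port version and the 53389 -> 3389 remap) treat an inbound TCP connection on Dialer0. It assumes ACL 111 is applied inbound on Dialer0 with `ip access-group 111 in`, and it encodes Cisco's documented order of operations for outside-to-inside traffic, where the inbound ACL is evaluated before NAT, so the ACL sees the public destination port and not 192.168.2.200:3389. That ordering is why the reply's ACL uses `any any eq <port>` instead of the inside address. The config strings are constructed from the reply; the parser only understands those two line types, so the original post's `permit rdp ...` line is rejected, just as IOS would reject it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar for the two line types used in the reply. Anything else (for example the
# invented protocol keyword "rdp") is rejected, mirroring IOS refusing the line.
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) tcp any any eq (\d+)$")
NAT_RE = re.compile(
    r"^ip nat inside source static tcp (\d+\.\d+\.\d+\.\d+) (\d+) interface (\S+) (\d+)$"
)

OUTSIDE_IF = "dialer0"   # assumption: Dialer0 is the outside (public) interface
OUTSIDE_ACL = "111"      # assumption: "ip access-group 111 in" is applied on Dialer0


@dataclass(frozen=True)
class Ace:
    acl: str      # ACL number, e.g. "111"
    action: str   # "permit" or "deny"
    dport: int    # TCP destination port matched by "eq"


@dataclass(frozen=True)
class StaticNat:
    local_ip: str
    local_port: int
    interface: str
    global_port: int


def is_valid_line(line: str) -> bool:
    """True if the line is one of the two IOS forms this model understands."""
    line = line.strip()
    return bool(ACE_RE.match(line) or NAT_RE.match(line))


def parse_config(text: str) -> Tuple[List[Ace], List[StaticNat]]:
    aces: List[Ace] = []
    nats: List[StaticNat] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank lines and IOS comments
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(m.group(1), m.group(2), int(m.group(3))))
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append(StaticNat(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
            continue
        raise ValueError(f"not valid IOS syntax for this model: {line!r}")
    return aces, nats


def inbound_tcp(config: str, dst_port: int) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Fate of a TCP SYN arriving on Dialer0 addressed to the router's public IP.

    Returns ("denied", None), ("forwarded", (inside_ip, inside_port)) or
    ("to-router", None). The inbound ACL runs first and sees the *public* port;
    only then does the static NAT entry rewrite the destination.
    """
    aces, nats = parse_config(config)
    # Step 1: inbound ACL on the outside interface. First match wins and every
    # IOS ACL ends with an implicit deny, so an unmatched port is dropped here.
    for ace in aces:
        if ace.acl == OUTSIDE_ACL and ace.dport == dst_port:
            if ace.action == "deny":
                return ("denied", None)
            break
    else:
        return ("denied", None)
    # Step 2: outside-to-inside static port translation.
    for nat in nats:
        if nat.interface.lower() == OUTSIDE_IF and nat.global_port == dst_port:
            return ("forwarded", (nat.local_ip, nat.local_port))
    return ("to-router", None)   # permitted but untranslated: the router itself is the target


# Constructed config fragments, copied from the reply above.
DEFAULT_PORT_CONFIG = """
access-list 111 permit tcp any any eq 3389
ip nat inside source static tcp 192.168.2.200 3389 interface dialer0 3389
"""

REMAPPED_PORT_CONFIG = """
access-list 111 permit tcp any any eq 53389
ip nat inside source static tcp 192.168.2.200 3389 interface dialer0 53389
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_PORT_CONFIG), ("remapped", REMAPPED_PORT_CONFIG)):
        for port in (3389, 53389):
            print(f"{name:8} port {port:5} -> {inbound_tcp(cfg, port)}")
    bad = "access-list 111 permit rdp any any 192.168.2.200 255.255.255.255"
    print("original post's ACL accepted by parser:", is_valid_line(bad))
```

With the remapped config a scanner hitting the public address on 3389 is dropped by the implicit deny, while 53389 is permitted and translated to 192.168.2.200:3389; with the default config the reverse holds. The model deliberately ignores stateful inspection and source filtering. If the remote client always comes from a known address, the IOS form `access-list 111 permit tcp host <client-ip> any eq 53389` narrows the exposure far more than the port change alone, which only reduces noise from untargeted scans and is not a substitute for the VPN option the reply mentions.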
