Cisco 837 Forward port 3389 RDP

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cisco 837 Forward port 3389 RDP

    Hi,

    I have a Cisco 836 with SDM.

    For some strange reason the forward of RDP isn't working anymore.

    I want to connect through the internet to my server with RDP.
    Last edited by jpc.lauwen; 27th October 2010, 15:22.

  • #2
    Re: Cisco 837 Forward port 3389 RDP

    hostname Cisco-836
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 $1$Dl4j$g77qWzndbHV.Ne0DLL/pB1
    !
    clock timezone PCTime 1
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip dhcp excluded-address 10.10.10.1 10.10.10.99
    ip dhcp excluded-address 10.10.10.200 10.10.10.254
    !
    ip dhcp pool sdm-pool1
    import all
    network 10.10.10.0 255.255.255.0
    dns-server 194.151.228.18 194.151.228.34
    default-router 10.10.10.1
    !
    !
    ip tcp synwait-time 10
    ip domain name yourdomain.com
    ip name-server 194.151.228.18
    ip name-server 194.151.228.34
    no ip bootp server
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip ips po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip port-map pop3 port 110 list 2
    no ftp-server write-enable
    !
    !
    username Admin privilege 15 secret 5 $1$ueKM$sMXId8nsSnVYSQnBok9Yn/
    !
    !
    crypto isakmp xauth timeout 15
    !
    !
    !
    interface Ethernet0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    no cdp enable
    !
    interface BRI0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    no cdp enable
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    pvc 8/48
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname *******
    ppp chap password 7 ******
    ppp pap sent-username ****** password 7 *******
    !
    ip local pool SDM_POOL_1 10.10.10.51 10.10.10.100
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source static tcp 10.10.10.10 3389 interface Dialer0 3389
    ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
    ip nat inside source static tcp 10.10.10.10 110 interface Dialer0 110
    !
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Ethernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 10.10.10.10
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit tcp any eq pop3 host 10.10.10.10 eq pop3 log
    access-list 101 remark RDP
    access-list 101 permit tcp any eq 3389 host 10.10.10.10 eq 3389 log
    access-list 101 permit tcp any eq pop3 host 10.10.10.10 eq pop3
    access-list 101 permit tcp any host 84.81.124.58 eq smtp
    access-list 101 permit ip host 10.10.10.51 any
    access-list 101 permit ip host 10.10.10.52 any
    access-list 101 permit ip host 10.10.10.53 any
    access-list 101 permit ip host 10.10.10.54 any
    access-list 101 permit ip host 10.10.10.55 any
    access-list 101 permit ip host 10.10.10.56 any
    access-list 101 permit ip host 10.10.10.57 any
    access-list 101 permit ip host 10.10.10.58 any
    access-list 101 permit ip host 10.10.10.59 any
    access-list 101 permit ip host 10.10.10.60 any
    access-list 101 permit ip host 10.10.10.61 any
    access-list 101 permit ip host 10.10.10.62 any
    access-list 101 permit ip host 10.10.10.63 any
    access-list 101 permit ip host 10.10.10.64 any
    access-list 101 permit ip host 10.10.10.65 any
    access-list 101 permit ip host 10.10.10.66 any
    access-list 101 permit ip host 10.10.10.67 any
    access-list 101 permit ip host 10.10.10.68 any
    access-list 101 permit ip host 10.10.10.69 any
    access-list 101 permit ip host 10.10.10.70 any
    access-list 101 permit ip host 10.10.10.71 any
    access-list 101 permit ip host 10.10.10.72 any
    access-list 101 permit ip host 10.10.10.73 any
    access-list 101 permit ip host 10.10.10.74 any
    access-list 101 permit ip host 10.10.10.75 any
    access-list 101 permit ip host 10.10.10.76 any
    access-list 101 permit ip host 10.10.10.77 any
    access-list 101 permit ip host 10.10.10.78 any
    access-list 101 permit ip host 10.10.10.79 any
    access-list 101 permit ip host 10.10.10.80 any
    access-list 101 permit ip host 10.10.10.81 any
    access-list 101 permit ip host 10.10.10.82 any
    access-list 101 permit ip host 10.10.10.83 any
    access-list 101 permit ip host 10.10.10.84 any
    access-list 101 permit ip host 10.10.10.85 any
    access-list 101 permit ip host 10.10.10.86 any
    access-list 101 permit ip host 10.10.10.87 any
    access-list 101 permit ip host 10.10.10.88 any
    access-list 101 permit ip host 10.10.10.89 any
    access-list 101 permit ip host 10.10.10.90 any
    access-list 101 permit ip host 10.10.10.91 any
    access-list 101 permit ip host 10.10.10.92 any
    access-list 101 permit ip host 10.10.10.93 any
    access-list 101 permit ip host 10.10.10.94 any
    access-list 101 permit ip host 10.10.10.95 any
    access-list 101 permit ip host 10.10.10.96 any
    access-list 101 permit ip host 10.10.10.97 any
    access-list 101 permit ip host 10.10.10.98 any
    access-list 101 permit ip host 10.10.10.99 any
    access-list 101 permit ip host 10.10.10.100 any
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit udp host 194.151.228.34 eq domain any
    access-list 101 permit udp host 194.151.228.18 eq domain any
    access-list 101 deny ip 10.10.10.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 101 permit tcp any any eq pop3
    access-list 101 permit tcp any any eq 1879
    access-list 101 permit tcp any any
    access-list 101 permit ip any any log
    access-list 102 remark SDM_ACL Category=2
    access-list 102 deny ip any host 10.10.10.51
    access-list 102 deny ip any host 10.10.10.52
    access-list 102 deny ip any host 10.10.10.53
    access-list 102 deny ip any host 10.10.10.54
    access-list 102 deny ip any host 10.10.10.55
    access-list 102 deny ip any host 10.10.10.56
    access-list 102 deny ip any host 10.10.10.57
    access-list 102 deny ip any host 10.10.10.58
    access-list 102 deny ip any host 10.10.10.59
    access-list 102 deny ip any host 10.10.10.60
    access-list 102 deny ip any host 10.10.10.61
    access-list 102 deny ip any host 10.10.10.62
    access-list 102 deny ip any host 10.10.10.63
    access-list 102 deny ip any host 10.10.10.64
    access-list 102 deny ip any host 10.10.10.65
    access-list 102 deny ip any host 10.10.10.66
    access-list 102 deny ip any host 10.10.10.67
    access-list 102 deny ip any host 10.10.10.68
    access-list 102 deny ip any host 10.10.10.69
    access-list 102 deny ip any host 10.10.10.70
    access-list 102 deny ip any host 10.10.10.71
    access-list 102 deny ip any host 10.10.10.72
    access-list 102 deny ip any host 10.10.10.73
    access-list 102 deny ip any host 10.10.10.74
    access-list 102 deny ip any host 10.10.10.75
    access-list 102 deny ip any host 10.10.10.76
    access-list 102 deny ip any host 10.10.10.77
    access-list 102 deny ip any host 10.10.10.78
    access-list 102 deny ip any host 10.10.10.79
    access-list 102 deny ip any host 10.10.10.80
    access-list 102 deny ip any host 10.10.10.81
    access-list 102 deny ip any host 10.10.10.82
    access-list 102 deny ip any host 10.10.10.83
    access-list 102 deny ip any host 10.10.10.84
    access-list 102 deny ip any host 10.10.10.85
    access-list 102 deny ip any host 10.10.10.86
    access-list 102 deny ip any host 10.10.10.87
    access-list 102 deny ip any host 10.10.10.88
    access-list 102 deny ip any host 10.10.10.89
    access-list 102 deny ip any host 10.10.10.90
    access-list 102 deny ip any host 10.10.10.91
    access-list 102 deny ip any host 10.10.10.92
    access-list 102 deny ip any host 10.10.10.93
    access-list 102 deny ip any host 10.10.10.94
    access-list 102 deny ip any host 10.10.10.95
    access-list 102 deny ip any host 10.10.10.96
    access-list 102 deny ip any host 10.10.10.97
    access-list 102 deny ip any host 10.10.10.98
    access-list 102 deny ip any host 10.10.10.99
    access-list 102 deny ip any host 10.10.10.100
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_2 permit 1
    match ip address 102
    !
    end


    • #3
      Re: Cisco 837 Forward port 3389 RDP

      Ok. This won't help resolve your problem but:

      Why do you have SO MANY host-specific ACLs?
      Please do show your appreciation to those who assist you by leaving Rep Point


      • #4
        Re: Cisco 837 Forward port 3389 RDP

        Originally posted by tehcamel:
        Ok. This won't help resolve your problem but:

        Why do you have SO MANY host-specific ACLs?
        My old colleague has made this configuration. He is no longer working at our company. Because of errors I haven't touched this configuration.

        In the log I see Access-List 102, but I can't find this list in the Cisco SDM.
        Last edited by jpc.lauwen; 27th October 2010, 15:07.


        • #5
          Re: Cisco 837 Forward port 3389 RDP

          Is email working? RDP is enabled on the server?
          CCNA, Network+


          • #6
            Re: Cisco 837 Forward port 3389 RDP

            Originally posted by Daze:
            Is email working? RDP is enabled on the server?
            Pop3 to server is also not working.

            RDP is enabled on the server. RDP works with the internal network.

            Last edited by jpc.lauwen; 27th October 2010, 15:30. Reason: Add image


            • #7
              Re: Cisco 837 Forward port 3389 RDP

              Originally posted by jpc.lauwen:
              Pop3 to server is also not working.

              RDP is enabled on the server. RDP works with the internal network.
              It probably is something with your access-lists. Give this a try. This will take those access-lists off of the interfaces.

              On "Ethernet0"
              Code:
              router(config-if)#no ip access-group 100 in
              & On Dialer0
              Code:
              router(config-if)#no ip access-group 101 in
              CCNA, Network+


              • #8
                Re: Cisco 837 Forward port 3389 RDP

                Problem Solved.

                I've cleaned up the configuration and made new ACL-lists and NAT routes. After the changes RDP worked fine.

                Thanks for all your help!
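
An added example (not part of the thread and not Cisco's code): a small first-match evaluator for an excerpt of the posted access-list 101, showing which entry decides an inbound RDP connection. The client and destination addresses are constructed documentation values and only the `eq` port operator is handled; IOS checks an inbound ACL before the outside-to-inside NAT translation, so the destination the ACL sees is the public address.

```python
import ipaddress

PORTS = {"pop3": 110, "smtp": 25}  # IOS port keywords used in the excerpt

# Excerpt of access-list 101 from the posted configuration, original order kept.
ACL_101 = """\
access-list 101 permit tcp any eq pop3 host 10.10.10.10 eq pop3 log
access-list 101 permit tcp any eq 3389 host 10.10.10.10 eq 3389 log
access-list 101 permit tcp any host 84.81.124.58 eq smtp
access-list 101 permit ip host 10.10.10.51 any
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 deny ip any any log
access-list 101 permit tcp any any
access-list 101 permit ip any any log"""

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def take_port(tok):
    """Consume an optional 'eq PORT'; return the port number, or None if absent."""
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        return PORTS[name] if name in PORTS else int(name)
    return None

def parse(line):
    tok = line.split()[2:]  # drop 'access-list 101'
    rule = {"line": line, "action": tok.pop(0), "proto": tok.pop(0)}
    rule["src"], rule["sport"] = take_addr(tok), take_port(tok)
    rule["dst"], rule["dport"] = take_addr(tok), take_port(tok)
    return rule  # a trailing 'log' keyword is ignored

def addr_ok(spec, ip):
    addr, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def first_match(acl, proto, src, sport, dst, dport):
    """Return (action, line) of the first matching entry; IOS stops at the first match."""
    for r in map(parse, acl.splitlines()):
        if (r["proto"] in ("ip", proto) and addr_ok(r["src"], src) and addr_ok(r["dst"], dst)
                and r["sport"] in (None, sport) and r["dport"] in (None, dport)):
            return r["action"], r["line"]
    return "deny", "(implicit deny)"

# Constructed inbound RDP connection: documentation addresses, ephemeral source port.
print(first_match(ACL_101, "tcp", "198.51.100.7", 50123, "203.0.113.10", 3389))
```

The RDP entry requires source port 3389 as well as destination port 3389, so a client connecting from an ephemeral port falls through to `deny ip any any log`. The `permit tcp any any` and `permit ip any any log` entries sit after that deny, so no packet ever reaches them.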
