"Split tunnel" for RDP traffic
  • "Split tunnel" for RDP traffic

    I have been tasked to split traffic from LAN1: all RDP to an MPLS,
    LAN/WAN/internet to the other network.

    LAN 1 route 3389 traffic to LAN 3

    LAN 1 route all other traffic to LAN 2

    First thought
    1. VLAN 1 port on 3560 > route/ port forward 3389 to that VLAN
    2. Define route outside to internet router
    (see attached image)

    I think I have the concept, just not the commands.
    I do not have a test environment, live only.

    If this is correct, please help with the proper commands; if not correct, please offer a viable alternative with commands.


    Thank you in advance!

    JD

  • #2
    Re: "Split tunnel" for RDP traffic

    If you want to route based on port or protocol you would need to set up policy-based routing.


    access-list 101 permit tcp any any eq 3389

    route-map RDP_ONLY permit 10
    match ip address 101
    set ip next-hop "next hop to vlan 3"

    Then assign the policy to your interface on LAN 1

    ip policy route-map RDP_ONLY

    Then you can use a default route to route anything else over to LAN 2

    ip route 0.0.0.0 0.0.0.0 "next hop "
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: "Split tunnel" for RDP traffic

      This is as far as I have gotten:


      Switch(config)#ip routing

      Switch(config)#vlan 4
      Switch(config-vlan)#name x

      Switch(config)#interface Vlan4
      Switch(config-if)#ip address 172.16.1.253 255.255.255.0
      Switch(config-if)#no shutdown

      Switch(config)#interface FastEthernet 0/1
      Switch(config-if)#description ##VLAN 4##
      Switch(config-if)#switchport mode access
      Switch(config-if)#switchport access vlan 4
      Switch(config-if)#no shutdown

      Switch(config)#interface FastEthernet 0/1
      Switch(config-if)#no switchport
      Switch(config-if)#ip address 172.16.2.2 255.255.255.0
      Switch(config-if)#no shutdown

      Switch(config)#interface FastEthernet 0/1
      Switch(config-if)#no switchport
      Switch(config-if)#ip address 172.16.2.1 255.255.255.0 (IP of ISP router)
      Switch(config-if)#no shutdown

      Switch(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1

      access-list inside extended permit tcp any host 172.16.1.0 eq 3389

      route inside any TCP 3389 255.255.255.0 192.168.1.250 (IP of RDP Host)

      route outside <IP of Internet Router> 1



      • #4
        Re: "Split tunnel" for RDP traffic

        Switch(config)#ip routing

        Switch(config)#vlan 3
        Switch(config-vlan)#name x

        Switch(config)#interface Vlan2
        Switch(config-if)#ip address 172.16.1.253 255.255.255.0
        Switch(config-if)#no shutdown

        Switch(config)#interface FastEthernet 0/1
        Switch(config-if)#description ##VLAN 2##
        Switch(config-if)#switchport mode access
        Switch(config-if)#switchport access vlan 3
        Switch(config-if)#no shutdown

        Switch(config)#interface FastEthernet 0/1
        Switch(config-if)#no switchport
        Switch(config-if)#ip address 172.16.2.2 255.255.255.0
        Switch(config-if)#no shutdown

        Switch(config)#interface FastEthernet 0/1
        Switch(config-if)#no switchport
        Switch(config-if)#ip address 172.16.2.1 255.255.255.0 (IP of ISP router)
        Switch(config-if)#no shutdown

        Switch(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1


        access-list 101 permit tcp any any eq 3389

        route-map RDP_ONLY permit 10
        match ip address 101
        set ip next-hop "next hop to vlan 3"

        Then assign the policy to your interface on LAN 1

        ip policy route-map RDP_ONLY

        Then you can use a default route to route anything else over to Lan 2

        ip route 0.0.0.0 0.0.0.0 "next hop "


        -----------------------------------------------------
        Looking at "next hop":
        the next-hop IP would be the IP of the "Internet Router"?
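A complete IOS configuration for the policy-based routing that #2 describes, which also answers the next-hop question above, as an added example (not from any post in this thread). It assumes a Catalyst 3560 with VLAN 1 as LAN1 on 192.168.0.0/24, VLAN 2 towards the internet router at 172.16.2.1 (from #3), and VLAN 3 towards the MPLS router, whose address 172.16.3.1 is a placeholder.

```cisco
! Added example; assumed addresses: LAN1 = 192.168.0.0/24 on VLAN 1,
! internet router = 172.16.2.1 (from #3), MPLS router = 172.16.3.1 (placeholder).
!
! The 3560 only supports PBR with the routing SDM template (needs a reload).
sdm prefer routing
ip routing
!
interface Vlan1
 description LAN1 - users; PBR is applied on the ingress interface
 ip address 192.168.0.1 255.255.255.0
 ip policy route-map RDP_ONLY
!
interface Vlan2
 description LAN2 - link to internet router
 ip address 172.16.2.2 255.255.255.0
!
interface Vlan3
 description LAN3 - link to MPLS router
 ip address 172.16.3.2 255.255.255.0
!
! Match only RDP that originates on LAN1. "permit tcp any any eq 3389"
! would also pull RDP transiting from other interfaces onto this policy.
ip access-list extended RDP_FROM_LAN1
 permit tcp 192.168.0.0 0.0.0.255 any eq 3389
!
! Matching 3389 traffic: next hop is the MPLS router on VLAN 3, not the
! internet router.
route-map RDP_ONLY permit 10
 match ip address RDP_FROM_LAN1
 set ip next-hop 172.16.3.1
!
! Everything that does not match the route-map uses the routing table,
! so the default route is the only place the internet router appears.
ip route 0.0.0.0 0.0.0.0 172.16.2.1
!
! Verify: the match counter on the route-map should climb as RDP sessions
! start, and "show ip policy" should list Vlan1 with RDP_ONLY.
! show route-map RDP_ONLY
! show ip policy
```

If 172.16.3.1 becomes unreachable, packets that match the route-map fall back to the routing table and would leave via the internet router, so confirm that failure mode is acceptable before relying on this for RDP.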



        • #5
          Re: "Split tunnel" for RDP traffic

          Okay, where is the PIX/ASA in this mix:


          route inside any TCP 3389 255.255.255.0 192.168.1.250 (IP of RDP Host)



          route outside <IP of Internet Router> 1
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)
