Cisco 871 blocking Remote Desktop Connection

pilot80
Hello All.
I have 2 servers running Terminal Services.
I finally got one to work:
192.168.11.11 is accepting connections from the outside on port 7575.

I set up another server, 192.168.11.13.
I tried to set up the Cisco router to allow connections on ports 7570 and 3389. I have also created NAT for those two ports to the proper server. Somehow I can connect to the server on either port when I connect locally, but not from the outside.

Here is my Cisco config; if anyone could help, I would really appreciate it :)


Building configuration...

Current configuration : 6866 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco871
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$LZp.$ISGfN7gqf6pQEKApHC6nX/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name bhccrane.com
ip name-server 206.13.29.12
ip name-server 206.13.30.12
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 dns
ip inspect name DEFAULT100 rcmd
!
appfw policy-name DEFAULT100
application http
port-misuse p2p action reset alarm
!
!
crypto pki trustpoint TP-self-signed-1961171978
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1961171978
revocation-check none
rsakeypair TP-self-signed-1961171978
!
!
crypto pki certificate chain TP-self-signed-1961171978
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31393631 31373139 3738301E 170D3032 30333031 30303035
33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39363131
37313937 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B964 1CF0FBDF F87DADD6 CFFD3580 EB4618DE 0E25F668 890EDEAF 06EABD88
B0436943 20580F43 380138CF DE37C746 0CF81683 5B3D15E3 7E03333D 29C13A76
7B3BB0F7 45A38FFC 3BC909AB 28BAECF2 CA41E706 396C3CC7 616C38EF 71A1026C
F79291A1 443AD15C 4E1E89FA 851F8D4B DFE5D411 69052D9F 247C128B FA888560
B47B0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15436973 636F3837 312E6268 63637261 6E652E63 6F6D301F
0603551D 23041830 168014EF E060C4CF 44BB40F6 B2F289F0 DCF4F42E 5412BD30
1D060355 1D0E0416 0414EFE0 60C4CF44 BB40F6B2 F289F0DC F4F42E54 12BD300D
06092A86 4886F70D 01010405 00038181 0086307C FED20B13 749D751B 8E927640
ECEE2C97 F310717A 4AE8F5A5 E4801CEA AD1D3C3E 30AB338A 2E2F7656 D3E46483
C7DF520D A394330E B0CD5E80 2AF6EBD4 7EB01589 F8E05A5B 636B6303 F5996E8C
C80DC991 62F29DB8 9C7F344D 51342988 E81FC8A5 37CE3F25 F0A11812 383134D3
E21392DC 6574A7B2 59A58D9E 5C04FF47 C9
quit
username BHCAdmin privilege 15 secret 5 $1$BG0G$Qr8UBvjI4/7j0TqjCvBzK0
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_DEFAULT100
class sdm_p2p_gnutella
drop
class sdm_p2p_bittorrent
drop
class sdm_p2p_edonkey
drop
class sdm_p2p_kazaa
drop
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 206.171.90.242 255.255.255.248
ip access-group Outside in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
service-policy input sdmappfwp2p_DEFAULT100
service-policy output sdmappfwp2p_DEFAULT100
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.11.1 255.255.255.0
ip access-group Inside in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 206.171.90.241
!
!
no ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip http secure-port 8888
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT interface FastEthernet4 overload
ip nat inside source static tcp 192.168.11.11 25 206.171.90.242 25 extendable
ip nat inside source static tcp 192.168.11.11 80 206.171.90.242 80 extendable
ip nat inside source static tcp 192.168.11.11 443 206.171.90.242 443 extendable
ip nat inside source static tcp 192.168.11.13 3389 206.171.90.242 3389 extendable
ip nat inside source static tcp 192.168.11.13 7570 206.171.90.242 7570 extendable
ip nat inside source static tcp 192.168.11.11 7575 206.171.90.242 7575 extendable
!
ip access-list standard NAT
remark INSIDE_IF=Vlan1
remark SDM_ACL Category=2
permit 192.168.11.0 0.0.0.255
!
ip access-list extended Inside
deny ip 206.171.90.240 0.0.0.7 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended Outside
permit tcp any any established
permit tcp any any eq 22
permit tcp any host 206.171.90.242 eq smtp
permit tcp any host 206.171.90.242 eq www
permit tcp any host 206.171.90.242 eq 443
permit tcp any host 206.171.90.242 eq 7575
permit udp host 206.13.30.12 eq domain host 206.171.90.242
permit udp host 206.13.29.12 eq domain host 206.171.90.242
permit icmp any host 206.171.90.242 echo-reply
permit icmp any host 206.171.90.242 time-exceeded
permit icmp any host 206.171.90.242 unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log-input
permit tcp any host 206.171.90.242 eq 7570
permit tcp any host 206.171.90.242 eq 3389
!
logging trap debugging
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output none
line aux 0
login local
transport output none
line vty 0 4
privilege level 15
logging synchronous
login local
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Triathlete1981

Because to me, it looks like you're denying the very IPs you're trying to let in.

"deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any"

Usually in instances like this, it's a misconfigured ACL.

pilot80

Yes, I realized I was closing the ports.
I forgot that the ACL is read from top to bottom, so I put those two port permits at the top and it works. I'm kinda new to Cisco; thanks to SDM now though.

Thanks for your help.