RDP NAT does not work


WilliamF

Hi,

I have a problem with setting up NAT for RDP on a Cisco 831. I've set it up with the SDM interface. Everything works, the webserver, the mailserver... except the remote desktop! Is there something strange in my config file? (Don't mind the port numbers, they are correct):

!This is the running config of the router: 10.0.0.138
!----------------------------------------------------------------------------
!version 12.2
service config
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
logging queue-limit 100
no logging buffered
enable secret 5 $1$rKZQ$5XMF72eqpCNxnCdsRDkeo0
!
username admin privilege 15 secret 5 $1$F6Jj$B.1W5LpAEDcSfcoSnVtIN0
clock timezone PCTime 1
ip subnet-zero
ip domain name ecsit.nl
ip name-server 194.109.6.66
ip name-server 194.109.9.99
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$
ip address 10.0.0.138 255.255.255.0
ip access-group 100 in
ip access-group 101 out
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 102 in
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ecsit@xs4all.nl password 0 sigma01
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.201 3392 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.201 81 interface Dialer0 80
ip nat inside source static tcp 10.0.0.201 21 interface Dialer0 21
ip nat inside source static tcp 10.0.0.201 25 interface Dialer0 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.255.255.0 Dialer0
ip http server
no ip http secure-server
!
access-list 1 remark Van intern naar internet
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.201
access-list 2 remark SDM_ACL Category=1
access-list 2 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 194.109.9.99 eq domain any
access-list 101 permit udp host 194.109.6.66 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 81
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 3390
access-list 101 permit tcp any any eq 3391
access-list 101 deny ip 172.16.0.0 0.0.255.255 any log
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host 80.126.135.8 eq 3389
access-list 102 permit udp any any eq 3389
access-list 102 permit tcp any any eq 3399
access-list 102 permit tcp any any eq 3390
access-list 102 permit tcp any any eq 3391
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 81
access-list 102 permit tcp any any eq smtp
access-list 102 permit udp host 194.109.9.99 eq domain any
access-list 102 permit udp host 194.109.6.66 eq domain any
access-list 102 deny ip 10.0.0.0 0.0.0.255 any log
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any log
access-list 102 deny ip 172.16.0.0 0.15.255.255 any log
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
!
line con 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
!
end
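
Added example (not part of the original post): a Python check that cross-references the static TCP forwards in the config above with the TCP permit entries of access-list 102 (inbound on Dialer0, evaluated before NAT, so it sees the outside port) and access-list 101 (outbound on Ethernet0, evaluated after NAT, so it sees the inside port). The function names are made up for this example, and it only understands plain "permit tcp any ... eq port" entries; deny ordering and CBAC inspection are ignored.

```python
import re

# Excerpt of the config posted above: the static TCP forwards plus TCP permit
# entries from ACL 101 (Ethernet0 out) and ACL 102 (Dialer0 in).
CONFIG = """\
ip nat inside source static tcp 10.0.0.201 3392 interface Dialer0 3389
ip nat inside source static tcp 10.0.0.201 81 interface Dialer0 80
ip nat inside source static tcp 10.0.0.201 21 interface Dialer0 21
ip nat inside source static tcp 10.0.0.201 25 interface Dialer0 25
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 81
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 3390
access-list 101 permit tcp any any eq 3391
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 81
access-list 102 permit tcp any any eq smtp
"""
NAMED = {"ftp": 21, "smtp": 25, "www": 80}  # IOS port keywords used above
NAT_RE = re.compile(r"^ip nat inside source static tcp \S+ (\d+) interface \S+ (\d+)$", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit tcp any (?:any|host \S+) eq (\S+)$", re.M)

def permitted_ports(config):
    """Map ACL number -> set of TCP destination ports it explicitly permits."""
    acls = {}
    for num, port in ACL_RE.findall(config):
        acls.setdefault(num, set()).add(NAMED[port] if port in NAMED else int(port))
    return acls

def blocked_forwards(config, outside_in_acl="102", inside_out_acl="101"):
    """Return (outside_port, inside_port, acl) for forwards an ACL does not permit."""
    acls, blocked = permitted_ports(config), []
    for m in NAT_RE.finditer(config):
        inside_port, outside_port = int(m.group(1)), int(m.group(2))
        # Inbound ACL on the outside interface runs before NAT: it sees the outside port.
        if outside_port not in acls.get(outside_in_acl, set()):
            blocked.append((outside_port, inside_port, outside_in_acl))
        # Outbound ACL on the inside interface runs after NAT: it sees the inside port.
        elif inside_port not in acls.get(inside_out_acl, set()):
            blocked.append((outside_port, inside_port, inside_out_acl))
    return blocked

if __name__ == "__main__":
    for out_p, in_p, acl in blocked_forwards(CONFIG):
        print(f"outside tcp/{out_p} -> inside tcp/{in_p}: no permit in access-list {acl}")
```

On this excerpt it reports the 3389 to 3392 forward as lacking a permit in access-list 101 and the port 21 forward as lacking one in access-list 102; the port 80 and port 25 forwards pass both lists.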



 
You left your user and password in that config!!!
 
How can I edit it? :s
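
Added example (not part of the thread): a Python sketch that strips credentials from an IOS running config before it is shared and reports what kind of secret each line carried (type 0 or untyped is cleartext, type 7 is reversible, type 5 is a salted MD5 hash). The sample config and the sanitize() name are constructed for this example, and only the enable, username and PPP PAP/CHAP commands are covered.

```python
import re

# Constructed sample; every value here is made up and not taken from the thread.
SAMPLE = """\
hostname Router
enable secret 5 $1$abcd$ExampleHashValue0000000
username admin privilege 15 secret 5 $1$wxyz$ExampleHashValue1111111
interface Dialer0
 ppp authentication pap callin
 ppp pap sent-username user@example.net password 0 ExamplePass1
ip http server
"""

# head = the command up to the secret keyword, then an optional type digit, then the value.
SECRET_RE = re.compile(
    r"^(?P<head>\s*(?:enable (?:secret|password)"
    r"|username \S+ .*?(?:secret|password)"
    r"|ppp chap password"
    r"|ppp pap sent-username \S+ password))"
    r"(?: (?P<type>\d+))? (?P<value>\S+)\s*$")

KIND = {None: "cleartext", "0": "cleartext", "7": "type 7 (reversible)",
        "5": "salted MD5 hash (open to offline guessing)"}

def sanitize(config):
    """Return (sanitized_text, findings); findings are (line_no, command, kind)."""
    out, findings = [], []
    for no, line in enumerate(config.splitlines(), 1):
        m = SECRET_RE.match(line)
        if m:
            # The PPP login name identifies the ISP account, so drop it as well.
            head = re.sub(r"(sent-username) \S+", r"\1 <removed>", m["head"])
            findings.append((no, m["head"].split()[0], KIND.get(m["type"], "other encoding")))
            line = f"{head} <removed>"
        out.append(line)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    text, findings = sanitize(SAMPLE)
    print(text)
    for no, command, kind in findings:
        print(f"line {no}: {command} credential was {kind}")
```

Sanitizing a copy only helps before posting; the findings list shows which credentials were present and would need changing once a config has already been published.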
 