Cisco Router config Q

yblocgerg

Hey,

So I'm playing around with a Cisco 2651xm router I obtained.

Got it up and running for normal traffic via DHCP, but having some issues with port forwarding. It seems to work in the sense that traffic is hitting the internal IP, but it will not establish an RDP session.

Here is the config:

1.
sh ip int br

Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 67.81.xxx.xxx YES DHCP up up
FastEthernet0/1 10.0.0.1 YES NVRAM up up

2. partial
sh run

ip dhcp excluded-address 10.0.0.2 10.0.0.100
!
ip dhcp pool Wired
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 4.2.2.1 4.2.2.2
!
!
ip name-server 4.2.2.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list NATlist interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.50 3389 interface FastEthernet0/0 3389
!
ip access-list standard NATlist
permit 10.0.0.0 0.0.0.255
!


I try to establish an RDP session from an external machine and it seems to try to get in but won't establish. Side question: what is up with the UDP on the first line below??? Do I need to add a line with something like 'ip forward-protocol'?

I also tried creating an access list for the RDP access but no success there either...

3.
sh ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 67.81.xxx.xxx:137 10.0.0.50:137 10.255.255.255:137 10.255.255.255:137
tcp 67.81.xxx.xxx:3389 10.0.0.50:3389 209.94.xxx.xxx:3293 209.94.xxx.xxx:3293
tcp 67.81.xxx.xxx:3389 10.0.0.50:3389 --- ---


Any ideas would be appreciated! Playing around with this router at home to get more familiar with IOS.
 
Your NAT statements are fine. Is your host actually listening on 3389? You can test this by doing a "telnet 10.0.0.50 3389" from inside and seeing if it connects, i.e. you get a blank screen.

Bear in mind that your router is wide open to the internet right now, i.e. you have no security settings configured on it at all from the snippet above. If you intend on leaving this up you are going to need to lock it down before someone breaks into it.

Here's a handy site for that: http://www.cymru.com/Documents/secure-ios-template.html. You could also use SDM to lock it down if it's supported on that relative dinosaur. ;)
 
Thanks.....


I figured it out.... Windows Firewall rules were not configured to allow RDP for the new network name (it was only set to allow inbound for the previous network name I had on a different router).... LOL

FACEPALM


edit:

It is indeed a dinosaur... just using it to get more familiar with IOS..... I have a 30 Mbit connection at home.... the router can actually only do about 25 Mbit of throughput.... it gets to 90% CPU usage and can't obtain my full speed. Kinda sad :(

Wouldn't 3389 on my IP be the only thing wide open?
 
You still should secure your vty lines with an access list at a minimum (can't see that from what you posted). Right now your router would be pretty easy to mess with since you don't have any ACL on the outside interface. You also have a lot of defaults enabled like CDP, proxy-arp, ip redirects, unreachables, etc... Also anyone on the internet could use you for a DNS server since you have the service enabled but aren't restricting it.

First things I would do are:

no cdp run (or at least disable it on your external interface)
no ip domain-lookup (this should always be set)
no ip dns server (your internal hosts are using external dns anyway)

on int fa0/0 you need (minimum):
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
no cdp enable

You really should set up an ACL to drop traffic sourced from outside with the exception of traffic destined for 3389 as well.
 
Yeah, I only posted a partial config, sorry.

Appreciate the other config options... will be enabling/disabling.
line con 0
line aux 0
line vty 0 4


What is your idea on this:
udp 67.81.xxx.xxx:137 10.0.0.50:137 10.255.255.255:137 10.255.255.255:137

Thank you
 
UDP 137 is NetBIOS related, the MS file sharing protocol... you can check the Windows event log for what it was doing; probably a browser election or trying to resolve a NetBIOS name or something.

As far as line options go, you need to set this at a minimum:

ip access-l st 5
permit 10.0.0.0 0.0.0.255

line con 0
logging sync
line vty 0 4
login
password xxxxxx
access-class 5 in

Without login and a password set under the vty section, anyone can log in to your router without being asked for credentials...

A better solution would be to do:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username test priv 15 secret xxxxxx

Then you wouldn't need to set a password on your vty lines since aaa would be enabled and prompts for a username and password by default.
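As an added example (not from the thread or any of its posters), here is a small Python audit that parses an IOS running-config snippet and flags the gaps raised in the two replies above: the default services left on, the missing outside-interface settings and inbound ACL, and vty lines with no access-class or login/AAA. SAMPLE_CONFIG is a constructed snippet modelled on the poster's config; the one-space indentation of sub-commands, as IOS prints them, is assumed.

```python
import re
# Constructed sample modelled on the thread's config (sub-commands indented as IOS prints them).
SAMPLE_CONFIG = """\
no aaa new-model
ip dns server
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
line vty 0 4
 password ********
 login
end
"""
OUTSIDE_MUST_HAVE = ("ip verify unicast reverse-path", "no ip redirects",
                     "no ip unreachables", "no ip proxy-arp", "no cdp enable")

def parse_sections(config):
    # Returns (global commands, {section header: [sub-commands]}) for interface/line blocks.
    globals_, sections, current = [], {}, None
    for line in (l.rstrip() for l in config.splitlines() if l.strip() not in ("", "!", "end")):
        if line[0] == " ":                       # indented: sub-command of the open section (if tracked)
            if current:
                sections[current].append(line.strip())
        elif re.match(r"^(interface|line) ", line):
            current, sections[line] = line, []
        else:
            current = None
            globals_.append(line)
    return globals_, sections

def audit(config):
    g, secs = parse_sections(config)
    findings = []
    for cmd, why in (("no cdp run", "CDP enabled"), ("no ip domain-lookup", "DNS lookups on")):
        if cmd not in g:
            findings.append(f"global: {why} (add '{cmd}')")
    if "ip dns server" in g:
        findings.append("global: open DNS server (add 'no ip dns server')")
    aaa = "aaa new-model" in g                    # with AAA the vty lines prompt for user+password
    for name, cmds in secs.items():
        if name.startswith("interface") and "ip nat outside" in cmds:
            findings += [f"{name}: missing '{n}'" for n in OUTSIDE_MUST_HAVE if n not in cmds]
            if not any(c.startswith("ip access-group") and c.endswith(" in") for c in cmds):
                findings.append(f"{name}: no inbound ACL on outside interface")
        elif name.startswith("line vty"):
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(f"{name}: no access-class on management lines")
            if not aaa and not ("login" in cmds and any(c.startswith("password") for c in cmds)):
                findings.append(f"{name}: no login/password and AAA is off")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the CDP, domain-lookup and DNS-server defaults, the five missing fa0/0 commands, the absent inbound ACL and the vty line without an access-class; the password/login pair keeps the last vty check quiet.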
 
Sorry, I wasn't clear; I do have a pw set, just left it out. heh


!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!

line con 0
line aux 0
line vty 0 4
password ********
login
!
!
end


I'll check up on the other options, thanks; as you can see, I'm starting from scratch :)
 