RDP ACL question

Hey everybody! I'm currently running into a problem. I have set up an RDP client and it works when we reach the WAN IP on port 3389. However, it works for everyone and not only for our network (we're an ISP with a /23 network that we work from on the desktop). I want only our network to be able to remote-control the server we have put in place at the client's site.

It's the ACL I have set up on the WAN interface using "ip access-group 100 in", but it doesn't work, and I don't really know why. It should allow us in, then block everyone else. No idea why it's not working? When I apply it, no one can remote onto this server.

access-list 100 permit tcp X.X.X.X 0.0.1.255 host 192.168.1.4 eq 3389

access-list 100 deny tcp any any eq 3389

access-list 100 permit ip any any

What is the subnet configured on the WAN?

What is the address of the RDP server used to connect?

A private IP address or a public one?

Try replacing 192.168.1.4 with the public IP.

Kind regards.

Tags: Cisco Support

Similar Questions

  • On the basic ACL question

    I have a few ACL questions. I'm not clear on the source address and the destination address in the following cases.

    Case 1

    My WAN1 IP is 1.1.1.1, my FTP server is 192.168.1.2 port 23

    If I access FTP from the internet using ftp://1.1.1.1:23, what are the source and destination IPs in my ACL? Is 1.1.1.1 the source? Is the destination 192.168.1.2, or any?

    Internet - (outside 1.1.1.1) ASA (inside 192.168.1.1) - FTP (192.168.1.2)

    Case 2

    My WAN1 is still 1.1.1.1 and FTP is 192.168.1.2 port 23

    If I use ftp://1.1.1.1:8023 for internet FTP access, what are the ACL source and destination IP addresses?

    I tested both cases with source = any and destination = any, and everything is OK.

    But I'm confused. I still think the source address is the WAN1 IP.

    Hello

    You access the FTP server from the Internet and most likely you won't know what IP address you will be sourcing from. In that case your source IP address will be any. If you know the IP address on the Internet that will access your FTP server, then you specify it as the source. Your access list will be as follows:

    access-list 100 extended permit tcp any host 1.1.1.1 eq 21

    access-list 100 extended permit tcp any host 1.1.1.1 eq 20

    or

    access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 21

    access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 20

    (if you know the network or host that will have FTP access)

    You must also make sure that you have configured static NAT and inspection for the requests to your FTP server.

    Thank you

    John

  • ASA ACL question

    I'm new to the ASA and am trying to understand something about ACLs. I understand that they are created by adding entries and that all the entries should have the same name, but I'm confused about ACLs with a different name that already exist on a device, or that may be named differently.

    For example:

    access-list Corporate1 extended permit tcp any any eq www

    access-list Corporate1 extended permit tcp any any eq https

    access-list Inside_Out extended permit ip any any

    access-group Corporate1 in interface outside

    Ignoring the content for the moment, I have 2 ACLs: one with 2 entries and one with a single entry. The Corporate1 ACL is applied to the interface and is active. I get that part... My question is: is the Inside_Out ACL automatically grouped in with the active ACL and activated as well, or is it safe to say it is not active and can be removed without causing damage? Does the access-group activate only the ACL with the same name, Corporate1?

    I have 2 different people telling me two different things. I'm lost on this one, any help would be greatly appreciated.

    -Jon

    Working with ACLs always involves two steps:

    1. You configure the ACL (possibly with multiple lines, but all with the same name).
    2. You assign the ACL to a function. That might be filtering on an interface with access-group, but it is not limited to that; the ACL can be used in several places where the ASA must match traffic.

    If you did both 1) and 2), then the ACL is active and currently in use. If you have only configured the ACL but never assigned it to a function, then the ACL is not active and can be removed.

    In your example:

    If you find the ACL 'Inside_Out' but you don't know whether the ACL is used, then do a

     sh run | inc Inside_Out

    If the output shows only the ACL lines, it is unused and can be removed with

     clear configure access-list Inside_Out

    Or, if it is not used but should be used, then apply the ACL for the desired purpose.

  • Inbound and outbound ACL question

    I want to restrict inbound and outbound traffic with access-lists on my PIX 515. Maybe this is a stupid question, but I don't know how the PIX handles the direction of traffic in ACLs. Let's say that I permit NTP traffic from outside to an inside host in inbound_acl; do I also need to open the NTP port in outbound_acl to pass the NTP response?

    Is it the same for the other direction (inside origin traffic)?

    Thanks for any response.

    Hello

    If you open the NTP port from outside to the inside host, the PIX will maintain the session state and will return the traffic from the inside host. By default there is no outbound ACL (equivalent to an ACL entering on the inside interface). The stateful inspection rule is the same for all directions/interfaces.

    Thank you

    Nadeem

  • ASA "route inside 0 0 192.168.1.1 tunneled" interface ACL question

    Hello

    Small question around the "route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled" command.

    Do you need to add U-turn traffic to the interface ACLs (for example internet-bound HTTP traffic), or does 'same-security-traffic permit intra-interface' negate the need for this?

    So if my remote VPN site outside is 10.1.1.0/24, should I add inbound permit statements for 10.1.1.0/24 on my inside interface?

    Thank you

    same-security-traffic permit intra-interface allows in-then-out traffic on a single interface.

    An inbound permit statement for 10.1.1.0/24 in the ACL allows (out-then-in) traffic on a single interface, but you must disable the RPF check.

  • ACL question

    I plan to put this ACL on the inside interface to prevent the following ports from going out to the 'net. I do not want to interrupt other IP traffic and hoped for just a sanity check to ensure I have it right. I wouldn't want to ruin my inside interface.

    access-list 130 deny tcp any any eq 135

    access-list 130 deny udp any any eq 135

    access-list 130 deny udp any any eq netbios-ns

    access-list 130 deny udp any any eq netbios-dgm

    access-list 130 deny tcp any any eq 138

    access-list 130 deny tcp any any eq netbios-ssn

    access-list 130 deny tcp any any eq 445

    access-list 130 deny tcp any any eq 593

    access-list 130 deny tcp any any range 3127 3199

    access-list 130 permit ip any any

    I don't know if I should put the "permit ip any any" at the end of the ACL or at the beginning.

    The permit-any entry must be placed at the end of the ACL, as the ACL is processed in order.
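    The evaluator below is an added example, not code from any of the posts. It mimics IOS first-match ACL processing with the implicit deny at the end and runs two constructed cases: the RDP ACL from the question at the top of this page, showing why an inbound WAN ACL that names the private address 192.168.1.4 never matches a packet that still carries the public destination (IOS checks an inbound ACL on the outside interface before outside-to-inside NAT), and the permit-any ordering point from this question. The ISP's /23 (203.0.112.0/23) and the customer router's WAN address (198.51.100.10) are assumptions, as is the constructed SMB packet.

```python
"""Evaluate Cisco IOS-style extended ACLs against sample packets.

Added example for this thread; not code from the original posts. The
addresses (ISP /23 = 203.0.112.0/23, customer WAN address 198.51.100.10)
are constructed and not taken from the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    # An IOS wildcard mask is the bitwise inverse of a netmask; only contiguous
    # masks are supported here (ip_network rejects anything else).
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (numeric ports only)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE decides; no match means the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny"


# --- RDP question: ACL applied with "ip access-group 100 in" on the WAN interface.
RDP_ACL_PRIVATE_DST = [
    "access-list 100 permit tcp 203.0.112.0 0.0.1.255 host 192.168.1.4 eq 3389",
    "access-list 100 deny tcp any any eq 3389",
    "access-list 100 permit ip any any",
]
# Same ACL with the router's (assumed) public address as the destination.
RDP_ACL_PUBLIC_DST = [RDP_ACL_PRIVATE_DST[0].replace("192.168.1.4", "198.51.100.10")] + RDP_ACL_PRIVATE_DST[1:]

# IOS checks an inbound ACL on the outside interface before outside-to-inside
# NAT, so at that point the packet still carries the public destination.
FROM_ISP = Packet("tcp", "203.0.113.77", "198.51.100.10", 3389)
FROM_INTERNET = Packet("tcp", "192.0.2.9", "198.51.100.10", 3389)


def rdp_private_dst() -> str:
    """ACE 1 never matches the pre-NAT packet, so ACE 2 drops even the ISP's own hosts."""
    return evaluate(RDP_ACL_PRIVATE_DST, FROM_ISP)[0]


def rdp_public_dst_isp() -> str:
    return evaluate(RDP_ACL_PUBLIC_DST, FROM_ISP)[0]


def rdp_public_dst_outsider() -> str:
    return evaluate(RDP_ACL_PUBLIC_DST, FROM_INTERNET)[0]


# --- Ordering question: a blanket permit shadows every ACE placed after it.
SMB_BLOCK = [
    "access-list 130 deny tcp any any eq 445",
    "access-list 130 permit ip any any",
]
SMB = Packet("tcp", "10.0.0.5", "192.0.2.20", 445)   # constructed sample flow


def permit_any_last() -> str:
    return evaluate(SMB_BLOCK, SMB)[0]


def permit_any_first() -> str:
    return evaluate(list(reversed(SMB_BLOCK)), SMB)[0]


if __name__ == "__main__":
    print("private dst, from ISP :", rdp_private_dst())
    print("public dst, from ISP  :", rdp_public_dst_isp())
    print("public dst, outsider  :", rdp_public_dst_outsider())
    print("permit any last       :", permit_any_last())
    print("permit any first      :", permit_any_first())
```

    The same evaluator can be pointed at any numbered extended ACL with numeric ports; named ports (www, netbios-ssn) and non-contiguous wildcards would need a lookup table first.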

  • RVS4000 Firewall ACL Question

    I'm working to install and configure an RVS4000 for a friend and wanted to check my understanding of the firewall section.  By default the firewall allows traffic from any source to any destination, including WAN.  I realize that with NAT this isn't a huge concern / shouldn't be the case... but I tend to prefer the tightest settings rather than more flexible ones.

    I wanted to make sure that it permits internally initiated outgoing traffic and drops inbound external traffic, so I created the rules shown in the attachment.  Am I looking at this properly?  Does the firewall ACL section implement a stateful firewall or a pure ACL, and is the last WAN rule required for return traffic that has already been through the NAT lookup?

    If someone could help me clear up this one small detail I would greatly appreciate it.

    Thanks in advance.

    The ACL is just that, an ACL. The rules you have are fine; the difference between your implementation and the default is that you explicitly deny traffic, which is not a bad idea. On that note, this does not mean the traffic was explicitly allowed before (in the default configuration).

    Before any rules are created, a "deny all" is already in place but not displayed. This is typical of small-business and consumer routers. The only thing I would change is to put in the subnet rather than "any."

    I hope this helps.

  • Crypto ACL question

    Hello

    I have a hub-and-spoke IPsec VPN topology using a Cisco ASA as the hub and PIX 506e as the spokes.

    Two of the spokes also have an IPsec VPN between them.

    The hub site connects to a WAN.

    The two spoke sites have the following ranges

    Spoke 1 = 10.154.10.0/24

    Spoke 2 = 10.156.10.0/24

    Hub site = 10.8.0.0/24, but it also connects to all other addresses in the range 10.0.0.0/8 via a back-end WAN connection.

    I was looking for a 'nice' way to configure the crypto ACLs so that traffic between spokes 1 and 2 would go direct and everything else in 10/8 would go through the hub site, rather than trying to list all the subnets in 10.0.0.0/8 except 10.156.10.0/24 and 10.154.10.0/24 in an ACL.

    If I order the crypto maps on the spokes so that the most specific is first (for example the spoke-to-spoke map), and then a crypto map for 10.0.0.0/8 to the hub is second, would it work?

    So on spoke 1:

    !

    access-list to-spoke-2 permit ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0

    access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0

    !

    crypto map outside_map 100 ipsec-isakmp
    crypto map outside_map 100 match address to-spoke-2
    crypto map outside_map 100 set peer 1.2.3.4
    crypto map outside_map 100 set transform-set standard
    crypto map outside_map 200 ipsec-isakmp
    crypto map outside_map 200 match address to-hub
    crypto map outside_map 200 set peer 8.9.10.11
    crypto map outside_map 200 set transform-set standard

    !

    Any thoughts?

    Yes, the ordering is absolutely supported. Well... I forgot about 'deny' in crypto ACLs.

  • Error SMTP sending reports by e-mail - not you usual ACL question

    Apex 4.2.5.00.08

    Oracle REST Data Services 2.0.9

    Recently we changed our APEX architecture around a bit. Previously we used Oracle HTTP Server on the same host as the database. Now we have moved the 'web' part of APEX to another server using ORDS with Apache Tomcat. Under the old configuration we were able to send emails without any problem. However, when we try to do so under the new configuration, we get the following SMTP error stack:

    ORA-29279: SMTP permanent error: 503 #5.3.3 AUTH is not available

    I would have thought that email would still go out from the database server in the new configuration, but perhaps that's wrong.

    1. An ACL has been created (the optional port and date arguments were left null):

    BEGIN
      DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
        acl         => 'mailserver_acl.xml',
        description => 'ACL for connecting to the mail server',
        principal   => 'APEX_040200',
        is_grant    => TRUE,
        privilege   => 'connect');
      DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
        acl  => 'mailserver_acl.xml',
        host => 'MAILHOST');
      COMMIT;
    END;
    /

    SELECT HOST, ACL
      FROM DBA_NETWORK_ACLS
     WHERE ACL LIKE '%mailserver_acl.xml';

    HOST      ACL
    mailhost  /sys/acls/mailserver_acl.xml

    2. I am able to send an email successfully by telnetting to port 25 on *that* host and sending directly from the command line.

    3. I am able to send successfully from the database using the PL/SQL interface.

    Any ideas?

    Thank you

    -Joe

    When you configured the new application server, you must have reconfigured APEX, correct?  So you may have apex_mail settings that are not the same as in the old installation.

    Thank you

    Tony Miller
    LuvMuffin Software
    Ruckersville, VA

  • [VPN Site-to-Site] Network that overlap

    Hello

    We have a Cisco ASA 9.1 and many VPN clients that work very well with it.

    Now we must connect to a partner with a site-to-site VPN.

    We have a few problems:

    • Duplicate IP addresses (we use 10.145.0.0/16 and the partner uses 10.0.0.0/8)
    • The partner cannot use NAT on their router

    What are the best solutions to configure the VPN Site to Site?

    Thanks for your help,

    Patrick

    Hi Patrick,

    Best option here is to specify only the required subnets in the crypto map ACL...

    In other words, if 10.0.0.0/8 needs access to only a few subnets, 10.1.0.0/24, 10.10.20.0/24... you can specify only those in your crypto ACL... Alternatively, you can use a deny statement for the specific 10.145.0.0/16 in the crypto map, but I am not sure whether this gives you the best result.

    If the required access is mixed across several 10.x.x.x/8 entries... then you can split the crypto ACL into sub-ranges... Here you skip only the 10.145.0.0/16 subnet range...

    10.0.0.0/9 to 10.145.0.0/16
    10.128.0.0/12 to 10.145.0.0/16
    10.146.0.0/15 to 10.145.0.0/16
    10.148.0.0/14 to 10.145.0.0/16
    10.152.0.0/13 to 10.145.0.0/16
    10.160.0.0/11 to 10.145.0.0/16

    10.192.0.0/10 to 10.145.0.0/16

    but make sure there are no servers in 10.145.0.0/16 that the client requires access to...

    Link about deny in crypto ACLs:

    https://supportforums.Cisco.com/discussion/10909276/crypto-ACL-question

    Regards

    Knockaert
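    Rather than carving the /8 by hand, the complement can be computed. The block below is an added example, not code from the reply above; the ACL name partner_vpn is an assumption, and the 10.0.0.0/8 and 10.145.0.0/16 ranges are the ones from the question. A practitioner's check worth noting: the computed complement of 10.145.0.0/16 in 10.0.0.0/8 has eight prefixes, the seven listed above plus 10.144.0.0/16, so a hand-written list without it would leave the partner's 10.144.x.x hosts outside the tunnel.

```python
"""Carve an overlapping partner range out of a crypto ACL.

Added example for this thread (not from the original reply). The /8 and /16
are the ones in the question; the ACL name 'partner_vpn' is constructed.
"""
import ipaddress
from typing import List


def remote_blocks(partner_range: str, local_range: str) -> List[ipaddress.IPv4Network]:
    """Partner's range minus the part that collides with our own, as sorted prefixes."""
    partner = ipaddress.ip_network(partner_range)
    local = ipaddress.ip_network(local_range)
    if not local.subnet_of(partner):
        return [partner]                      # no overlap, nothing to carve out
    # address_exclude yields the minimal set of prefixes covering partner \ local.
    return sorted(partner.address_exclude(local))


def crypto_acl_permit_only(name: str, local_subnets: List[str],
                           partner_range: str, local_range: str) -> List[str]:
    """ASA crypto ACL using only permit lines, one per carved block."""
    lines = []
    for subnet in local_subnets:
        l = ipaddress.ip_network(subnet)
        for r in remote_blocks(partner_range, local_range):
            lines.append(f"access-list {name} extended permit ip "
                         f"{l.network_address} {l.netmask} {r.network_address} {r.netmask}")
    return lines


def crypto_acl_with_deny(name: str, local_subnets: List[str],
                         partner_range: str, local_range: str) -> List[str]:
    """Equivalent ACL using a deny line first (the other option the reply mentions).

    Crypto ACLs are evaluated in order, so the deny for the colliding range must
    precede the broad permit.
    """
    p = ipaddress.ip_network(partner_range)
    d = ipaddress.ip_network(local_range)
    lines = []
    for subnet in local_subnets:
        l = ipaddress.ip_network(subnet)
        lines.append(f"access-list {name} extended deny ip "
                     f"{l.network_address} {l.netmask} {d.network_address} {d.netmask}")
        lines.append(f"access-list {name} extended permit ip "
                     f"{l.network_address} {l.netmask} {p.network_address} {p.netmask}")
    return lines


if __name__ == "__main__":
    for block in remote_blocks("10.0.0.0/8", "10.145.0.0/16"):
        print(block)
    for line in crypto_acl_permit_only("partner_vpn", ["10.145.0.0/16"], "10.0.0.0/8", "10.145.0.0/16"):
        print(line)
```

    Whichever form is used, the partner's crypto ACL must be the mirror image, and the partner still cannot reach anything that actually lives in 10.145.0.0/16 on their own side.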

  • Best VPN debugging commands?

    Hello

    I was wondering what your best VPN debugging commands are on an ASA or router for phase 1 and 2 and the ACLs?

    For example I have a site-to-site between 2 ASAs and phase 1 and 2 are up, but neither site can ping a PC at the other site.  I'm looking at NAT and ACLs at the moment, but any useful commands would be most appreciated.

    Thank you

    Two go-to commands are:

    show crypto isakmp sa

    show crypto ipsec sa

    If phase 1 and phase 2 are not up according to those respective commands, then go to:

    debug crypto isakmp 7

    debug crypto ipsec 7

    You may need to increase the verbosity level (255 is the highest) and, if you have multiple SAs, focus on the ones you are interested in with a filter:

    debug crypto condition peer

    Once you have phase 1 and 2 established but are experiencing persistent problems with two-way traffic flow, look at two things:

    1. In the output of show crypto ipsec sa, decaps should increase in step with encaps. If not, the remote end isn't getting the return traffic. Confirm with a packet capture and/or packet-tracer.

    2. Use the packet-tracer command (CLI or GUI) on the ASA to review how it will handle a given flow. NAT and ACL issues are often quickly visible using this tool.

  • Cisco 881 - Access Gateway VPN session

    Nice day

    I configured my Cisco 881 and finally got past the "can't see my network" IPsec VPN issue.

    I have a use case where I need to access the gateway from the VPN session.

    When I connect to the VPN using Cisco VPN Client 4.8.x, I don't get a default gateway on the VPN adapter. When I try to ping my LAN gateway IP (10.20.30.1) it does not work, and I cannot access it with other tools.

    I'm sure it's an ACL question and it makes sense to hide the default gateway, but the big question is how to configure my router so that I can see the gateway and access it from the VPN session?

    Please see my attached cleaned configuration.

    Network Info:

    • Internet Internet service provider gateway: 192.168.68.1
    • DNS: 192.168.2.1
    • Address WAN Cisco 881 at: 192.168.68.222
    • Address on Cisco 881 LAN: 10.20.30.1
    • DHCP for LAN on Cisco 881: 10.20.30.10 - 10.20.30.50
    • DHCP for IPSec VPN: 10.20.40.10 - 10.20.40.50

    Thank you in advance for your help!

    Kind regards

    -JsD

    Please kindly mark this post as answered so that others facing the same issue can follow the workaround solution provided per your final configuration.

    Great update and explanation btw. Thank you for that.

  • Question S4048-on ACL

    Hello

    I have a few ACL questions.

    I have 2 VMs on a single ESXi host.

    VM-a eth0 -> vlan 250, 10.172.250.20, default gateway 10.172.250.1

    VM-b eth0 -> vlan 250, 10.173.250.20/24, default gateway 10.173.250.1

    I have interface vlan 250 on the S4048, and the vlan is added to the trunk ports that connect to the ESX host.

    So from VM-a I can ping the gateway and from VM-b I can ping the gateway.

    I have assigned 10.172.250.1/24 to the interface and added 10.173.250.1/24 as a secondary IP address.

    If I want to block all traffic from VLAN 250 except for access to 10.32.80.7,

    can I create a standard ACL

    and add

    permit any host 10.32.80.7

    deny any any log

    !! I know that I do not need the deny at the bottom, as it is implicit, but I have added it for the sake of clarity.

    Would I apply this to the in or out direction of VLAN 250?

    Can I limit the traffic so that 10.172.250.0/24 can initiate traffic to 10.173.250.0/24, but only respond to TCP traffic initiated from 10.173.250.0/24?

    If yes, how do I write the ACL, and do I apply it IN or OUT?

    Sorry for the late reply. This would be used in conjunction with a policy map in an iSCSI environment.

  • ACL VPN question

    I have two questions regarding the ACL used in the crypto map statements:

    1. Do the two VPN devices need to have the same ACEs in the ACL? I know that without the second ACE, Site B below will not see UDP as interesting traffic, but will the VPN tunnel fail because the ACLs do not have the same ACEs?

    That is...

    Site A

    access-list 110 permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

    access-list 110 permit udp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

    Site B

    access-list 110 permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

    2. Once a tunnel is established, will it send ANY/ALL traffic destined for the remote network through the tunnel? If the first ACE in ACL 110 at Site A is used to bring up the tunnel, will only TCP traffic from 10.0.1.0/24 to 10.0.2.0/24 use the tunnel, or will all traffic from 10.0.1.0/24 intended for the remote network cross the tunnel?

    I guess my thinking is this. Is the ACL only used to determine interesting traffic, and once the tunnel is up it is a free-for-all? Or does the ACL only allow traffic that meets the criteria specified in the ACL to flow once the tunnel is established?

    Thank you

    Brian

    Brian,

    Your statement

    'Or the ACL allows only traffic that meets the criteria specified in the ACL list to flow after the tunnel is established'

    Is correct. Only the traffic that matches the crypto ACL will go through the VPN tunnel, and all other traffic will be denied. If you need UDP traffic to travel through the tunnel, you need it in the crypto ACL on both sides and not only on one side, i.e. SITE A.

    Hope this helps,

    Jay

  • ACL IPSEC site to site VPN question

    Okay, so just as a sanity check, I have a question for the group.  When you configure the crypto ACL that defines interesting traffic for a tunnel, are we able to use summaries?

    So let's say site B is 10.5.10.0/24 and site A can be summarized as 10.10.0.0/16. Is it acceptable to write something like the below for the crypto ACL?

    access-list 101 permit ip 10.5.10.0 0.0.0.255 10.10.0.0 0.0.255.255

    Site A would have the networks

    10.10.0.0/24

    10.10.1.0/24

    etc.

    At the head end, then, the ACL would be:

    access-list 101 permit ip 10.10.0.0 0.0.255.255 10.5.10.0 0.0.0.255

    Thanks for all your comments!

    Hello

    Yes, that's perfectly fine.

    As long as the routes are set up correctly, nothing should stand in the way of configuring the ACL like this.

    Kind regards

    Praveen
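    Both of the last two questions come down to the same requirement: each peer's crypto ACL must be the mirror image of the other's. The script below is an added example, not code from either reply. It takes the ACEs from Brian's Site A / Site B example and from the /16 summary example, reduced to (protocol, source, destination) tuples, and reports which ACEs lack a mirror on the other peer. It also adds a third constructed case the thread does not show: a /16 summary on one side against the individual /24s on the other, which is not a mirror image even though both describe the same hosts.

```python
"""Check that two IPsec peers' crypto ACLs are mirror images.

Added example for the two crypto ACL questions above (Brian's mismatched
TCP/UDP ACEs and the /16 summary); not code from the original replies.
ACEs are given as (protocol, source, destination) with CIDR or
'address/netmask' strings, which is what the posted access-list lines reduce to.
"""
import ipaddress
from typing import List, Tuple

Ace = Tuple[str, str, str]


def normalize(aces: List[Ace]) -> set:
    """Canonical form so 10.0.1.0/255.255.255.0 and 10.0.1.0/24 compare equal."""
    return {
        (proto.lower(),
         str(ipaddress.ip_network(src, strict=False)),
         str(ipaddress.ip_network(dst, strict=False)))
        for proto, src, dst in aces
    }


def mirrored(aces: set) -> set:
    """What the other peer must carry: same protocol, source and destination swapped."""
    return {(proto, dst, src) for proto, src, dst in aces}


def unmirrored(site_a: List[Ace], site_b: List[Ace]) -> Tuple[List[Ace], List[Ace]]:
    """ACEs on A with no mirror image on B, and ACEs on B with no mirror image on A."""
    a, b = normalize(site_a), normalize(site_b)
    return sorted(a - mirrored(b)), sorted(b - mirrored(a))


# Brian's example: UDP is interesting traffic only at Site A.
SITE_A = [
    ("tcp", "10.0.1.0/255.255.255.0", "10.0.2.0/255.255.255.0"),
    ("udp", "10.0.1.0/255.255.255.0", "10.0.2.0/255.255.255.0"),
]
SITE_B = [
    ("tcp", "10.0.2.0/255.255.255.0", "10.0.1.0/255.255.255.0"),
]

# Summary example: the /16 on both sides, which is fine...
SUMMARY_SITE_B = [("ip", "10.5.10.0/24", "10.10.0.0/16")]
SUMMARY_SITE_A = [("ip", "10.10.0.0/16", "10.5.10.0/24")]

# ...but a /16 on one side and the individual /24s on the other (constructed
# case) is not a mirror image: the phase 2 proxy identities will not match.
SPLIT_SITE_A = [("ip", "10.10.0.0/24", "10.5.10.0/24"),
                ("ip", "10.10.1.0/24", "10.5.10.0/24")]


def check_brian() -> Tuple[List[Ace], List[Ace]]:
    return unmirrored(SITE_A, SITE_B)


def check_summary() -> Tuple[List[Ace], List[Ace]]:
    return unmirrored(SUMMARY_SITE_A, SUMMARY_SITE_B)


def check_split() -> Tuple[List[Ace], List[Ace]]:
    return unmirrored(SPLIT_SITE_A, SUMMARY_SITE_B)


if __name__ == "__main__":
    for name, fn in (("brian", check_brian), ("summary", check_summary), ("split", check_split)):
        a_only, b_only = fn()
        print(f"{name}: missing on B = {a_only}; missing on A = {b_only}")
```

    An empty result on both sides is the condition Praveen's answer assumes; anything reported is an ACE whose traffic will be treated as interesting on one peer only, which is the usual source of a tunnel that comes up but passes traffic in one direction.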
