Cisco 2811 blocking remote desktop - help with map-policy statement?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Tamizpa

Thread Starter
Joined
Jun 5, 2007
Messages
30
I have an internal user that needs to remote desktop to an external internet server. I can traceroute and ping from his desktop to that server. I have a Cisco 2811 that is internet facing that I think is blocking the remote desktop. It does not have access lists, but has a map-policy which I am unfamiliar with, and I can't seem to find much when I google about doing remote desktop on a map-policy. Could someone look at this and let me know if you can add remote desktop as a policy, or if something else is blocking it, or do I need to build an access list? Let me know if you need the whole config.

class-map type inspect match-any internet-traffic-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ftp
 match protocol ftps
 match protocol ssh
 match protocol ntp
 match protocol telnet
 match protocol ica
 match protocol imap
!
!
policy-map type inspect internal-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
  drop
!
zone security internal (applied to Internal interface further in config)
 description internal network
zone security internet (applied to Internet facing interface further in config)
 description outside
zone-pair security internal-internet source internal destination internet
 service-policy type inspect internal-internet-policy
!
!
 

TerryNet

Terry
Moderator
Joined
Mar 23, 2005
Messages
81,619
Are you sure that the problem is not at the other end? If you knew my address you could ping me but Remote Desktop would fail because I have not port forwarded on my router (and because I don't have Remote Desktop enabled on my computer).

I have no clue about your actual question.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,772
Would you post the rest of your configuration?

I haven't played with the software firewalling capabilities of IOS but it looks sort of like you have CBAC enabled or maybe reflexive ACLs.
 

Tamizpa

Thread Starter
Joined
Jun 5, 2007
Messages
30
Thanks! Here is my config..

Current configuration : 4851 bytes
!
! Last configuration change at 20:30:37 EST Tue Mar 8 2011 by admin
! NVRAM config last updated at 20:31:07 EST Tue Mar 8 2011 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname InetRtr
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-24.T1.bin
boot-end-marker
!
logging message-counter syslog
logging console informational
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST -4
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name centralpenn.edu
ip multicast-routing
no ipv6 cef
ntp server 10.254.254.9
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
username admin privilege 15 password 7 XXXXXXXXX
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key secret address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set aes-crypto esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile tunnel_crypto
 set transform-set aes-crypto
!
!
archive
 log config
  hidekeys
!
!
ip scp server enable
!
track 10 ip sla 1 reachability
!
class-map type inspect match-any internet-traffic-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ftp
 match protocol ftps
 match protocol ssh
 match protocol ntp
 match protocol telnet
 match protocol ica
 match protocol imap
!
!
policy-map type inspect internal-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
  drop
!
zone security internal
 description internal network
zone security internet
 description outside
zone-pair security internal-internet source internal destination internet
 service-policy type inspect internal-internet-policy
!
!
!
!
interface Tunnel0
 bandwidth 2000
 bandwidth receive 8000
 ip address XXX.XXX.XXX.XXX 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim sparse-dense-mode
 ip nhrp authentication dmvpn!
 ip nhrp map multicast dynamic
 ip nhrp map 10.254.1.1 XXX.XXX.XXX.XXX
 ip nhrp map multicast XXX.XXX.XXX.XXX
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.254.1.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip nhrp redirect
 zone-member security internal
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 load-interval 30
 delay 5000
 qos pre-classify
 tunnel source FastEthernet0/0.254
 tunnel mode gre multipoint
 tunnel key 1000
 tunnel protection ipsec profile tunnel_crypto
!
interface FastEthernet0/0
 bandwidth 2000
 bandwidth receive 8000
 no ip address
 ip flow ingress
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/0.253
 description lancaster lan edge
 encapsulation dot1Q 253
 ip address XXX.XXX.XXX.XXX 255.255.255.248
 no ip redirects
 ip flow ingress
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 zone-member security internal
!
interface FastEthernet0/0.254
 description internet edge
 encapsulation dot1Q 254
 ip address XXX.XXX.XXX.XXX 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
!
interface FastEthernet0/1
 no ip address
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
!
router eigrp 100
 redistribute static route-map eigrp-default-only
 network 10.0.0.0
 distribute-list route-map eigrp-tag out
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX track 10
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 254
ip route XXX.XXX.XXX.XXX 255.255.255.0 Null0
no ip http server
no ip http secure-server
!
ip as-path access-list 10 permit ^$
!
ip nat inside source list outbound_nat interface FastEthernet0/0.254 overload
!
ip access-list standard outbound_nat
 permit 172.16.0.0 0.0.255.255
 permit 10.254.0.0 0.0.255.255
!
!
ip prefix-list default-only seq 5 permit 0.0.0.0/0
ip sla 1
 icmp-echo 68.86.209.6
 timeout 300
 frequency 30
ip sla schedule 1 life forever start-time now
!
!
!
!
route-map eigrp-default-only permit 10
 match ip address prefix-list default-only
 set metric 8000 100 255 1 1500
!
route-map dmvpn_networks permit 10
 set local-preference 90
!
route-map eigrp-tag permit 10
 set tag 10
!
!
!
control-plane
!
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 15 0
 password 7 xxxxxxxxxxxxx
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,772
So I had to do some digging. It looks like you're using a new feature of IOS called Zone-Based Policy Firewall. Here is a link to a Cisco document which talks about it: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

It appears that indeed the 2811 router is blocking RDP traffic based on the information I've read so far. Doing some more digging, you'll need to add these lines to make RDP work.

ip port-map RDP port tcp 3389

Then under your class map:

class-map type inspect match-any internet-traffic-class

Add this line:

match protocol RDP

This should get you going. I guess I'll have to do a little more playing around with this new feature.
 

Tamizpa

Thread Starter
Joined
Jun 5, 2007
Messages
30
Thanks! I'll have to try that. Meanwhile I got it working under the class map with:

match protocol tcp

I'll try your workaround to narrow it down to rdp only.
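Putting the two replies side by side, as an added example that is not from the thread, from Cisco, or from either poster: the blanket `match protocol tcp` that got things working, and the narrower change that admits only RDP through the zone-based firewall policy already on this router. The broad version lets every outbound TCP port from the internal zone be inspected and allowed, which is far more than the one server the user needs; the narrow version keeps `class-default` dropping everything else. Assumptions here: IOS requires user-defined port-map names to begin with `user-`, so the mapping is named `user-rdp` rather than `RDP`; the `show` commands at the end are standard IOS verification commands, and the zone-pair, policy-map and class-map names are the ones from the posted config.

```cisco
! Added example, not from the thread or from Cisco documentation.
! Both options are entered in global configuration mode on the 2811 and
! append to the existing class-map; the policy-map and zone-pair from the
! posted config are unchanged and shown only for context.
!
! --- Option A: what the thread starter did (works, but broad) ---
! In a match-any class, "match protocol tcp" admits every outbound TCP
! port from zone internal to zone internet, not just RDP on TCP/3389.
class-map type inspect match-any internet-traffic-class
 match protocol tcp
!
! --- Option B: narrower, RDP only ---
! Port-to-application mapping: name TCP/3389 so the inspect class can
! refer to it. User-defined names must start with "user-" (assumption
! stated in the lead-in); "RDP" on its own is not expected to be accepted.
ip port-map user-rdp port tcp 3389
!
class-map type inspect match-any internet-traffic-class
 match protocol user-rdp
!
! Unchanged from the posted config: the class is inspected internal -> internet,
! so the server's return traffic is allowed statefully, and anything that is
! not in the class is still dropped by class-default.
policy-map type inspect internal-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
  drop
!
zone-pair security internal-internet source internal destination internet
 service-policy type inspect internal-internet-policy
!
! Verification from privileged exec mode (standard IOS show commands):
!   show ip port-map user-rdp
!   show policy-map type inspect zone-pair internal-internet sessions
```

If Option A is already in place, remove it with `no match protocol tcp` under the class-map once Option B is confirmed working, otherwise the narrow match adds nothing because the broad one still admits all TCP. The second `show` command lists the sessions the inspect action has created, so an RDP connection from the user's desktop should appear there as a TCP/3389 session while it is open.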
 