Joaquim’s Problem – First Solution – RDP through NAT Static on a Cisco Router

Joaquim is a student of mine who brought a problem to the class. He needs to allow RDP access to a machine inside his network from one specific external address that belongs to a client. This must be done on a Cisco 1900 series router that he uses to connect to the Internet.

He asked me if it was possible to create a NAT rule that permits a specific external address to reach a specific internal address for one protocol only: RDP.

[Image: rdp1-1 – problem diagram]

We will simulate this topology using UNetLab (thank you guys, you are the best). So the external addresses will be private, and the Internet will be a router that also performs NAT towards the real Internet.

Initial Configuration
UNetLab Topology

[Image: rdp1.2.gif – UNetLab topology]

R-Joaquim
hostname R-Joaquim
!
interface Ethernet0/0
 description Joaquim's Local Lan
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
! PAT CONFIGURATION FOR INTERNET ACCESS
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
R-Client
hostname R-Client
!
ip dhcp excluded-address 172.16.0.254
!
! DHCP for the WIN-Client
ip dhcp pool LAN
 network 172.16.0.0 255.255.255.0
 dns-server 8.8.8.8 
 domain-name bsnetworking.bllog
 default-router 172.16.0.254 
 lease 2
!
interface Ethernet0/0
 description Client's Local Lan
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.6 255.255.255.252
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.5
!
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny   ip any any
Internet
hostname INTERNET
!
interface Ethernet0/0
 description Connects to R1
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Connects to R2
 ip address 10.0.0.5 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description Connects to Real Internet
 ip address dhcp
 ip nat outside
 no shutdown
!
interface Ethernet0/3
 description Connects to Internet Host
 ip address 10.0.0.9 255.255.255.252
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/2 overload
!
! Default route to my gateway
ip route 0.0.0.0 0.0.0.0 172.16.210.254
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.3 any
 permit ip 10.0.0.4 0.0.0.3 any
 permit ip 10.0.0.8 0.0.0.3 any
 deny   ip any any
WIN-Joaquim

Static IP Configuration in Win7

Add user and remote desktop configuration

WIN-Client

DHCP IP Configuration in Win7

R-Joaquim – Solution – NAT and ACL
! Static NAT (or port forward) from the external address to the
! remote desktop machine for protocol tcp port 3389 (rdp)
ip nat inside source static tcp 192.168.0.1 3389 10.0.0.1 3389
!
! ACL
ip access-list extended ALLOW-RDP-FROM-CLIENT
 ! Allow traffic from the client to the external address if it is RDP
 permit tcp host 10.0.0.6 host 10.0.0.1 eq 3389
 ! Block RDP from all other locations
 deny tcp any host 10.0.0.1 eq 3389
 ! In the example all other traffic is permitted, which is not the
 ! normal configuration (very insecure)
 permit ip any any
!
! Add the ACL to the external interface in the inbound direction
interface Ethernet0/1
 ip access-group ALLOW-RDP-FROM-CLIENT in
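The solution above depends on the order in which IOS processes a packet arriving on the outside interface: the inbound ACL is evaluated first, against the public (pre-NAT) destination 10.0.0.1, and only then does the static NAT entry rewrite the destination to 192.168.0.1. The following Python model of that policy is an added example, not IOS code or the author's; the 10.0.0.10 source address is a constructed sample standing in for any non-client host.

```python
import ipaddress

# Constructed model of the R-Joaquim policy from the post. The static NAT
# entry maps (proto, public address, public port) -> (inside address, port).
STATIC_NAT = {("tcp", "10.0.0.1", 3389): ("192.168.0.1", 3389)}

# ALLOW-RDP-FROM-CLIENT as (action, proto, src, dst, dst_port).
# "0.0.0.0/0" stands for "any"; a None port matches every port.
ALLOW_RDP_FROM_CLIENT = [
    ("permit", "tcp", "10.0.0.6/32", "10.0.0.1/32", 3389),
    ("deny",   "tcp", "0.0.0.0/0",   "10.0.0.1/32", 3389),
    ("permit", "ip",  "0.0.0.0/0",   "0.0.0.0/0",   None),
]


def acl_match(acl, proto, src, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(asrc):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(adst):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


def inbound_outside(proto, src, dst, dport):
    """Outside-to-inside order of operations: inbound ACL, then static NAT.

    Returns None when the ACL drops the packet, otherwise the (address, port)
    the packet is delivered to after translation (unchanged if no entry).
    """
    if acl_match(ALLOW_RDP_FROM_CLIENT, proto, src, dst, dport) == "deny":
        return None
    return STATIC_NAT.get((proto, dst, dport), (dst, dport))


if __name__ == "__main__":
    # RDP from the client's public address reaches WIN-Joaquim.
    print(inbound_outside("tcp", "10.0.0.6", "10.0.0.1", 3389))
    # RDP from anywhere else is dropped before NAT ever sees it.
    print(inbound_outside("tcp", "10.0.0.10", "10.0.0.1", 3389))
    # The deny line only covers TCP, so the permit ip any any still lets
    # everything else through, which is the "very insecure" part of the example.
    print(inbound_outside("udp", "10.0.0.10", "10.0.0.1", 3389))
```

Seen this way, the final permit ip any any is what a practitioner would replace with explicit permits for return traffic and a closing deny.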
Test
From WIN-Joaquim

[Image: rdp1-3 – RDP test from WIN-Joaquim]

[Image: rdp1-4 – RDP test from WIN-Joaquim]

From WIN-Internet

[Image: rdp1-5 – RDP test from WIN-Internet]

Just remember that RDP has several known attacks against it, so it is not safe to expose without additional security precautions. That will be the subject of the next post.

Until then, stay good


2 thoughts on “Joaquim’s Problem – First Solution – RDP through NAT Static on a Cisco Router”

  1. Nice post,

    Clean and easy to understand.
    For me it's a quick solution to allow a specific public IP to access our RDP.
    Maybe it is not the best solution, but for a controlled period of time, it works.
    I just need to enable and disable the static NAT when I need it, with no pain.

    Thanks, Joaquim
