Joaquim is a student of mine who brought a problem to the class. He needs to allow RDP access to a machine inside his network from a specific address that belongs to a client. This must be done on the Cisco 1900 series router that he uses to connect to the Internet.
He asked me if it was possible to create a NAT rule that permits a specific external address to access a specific internal address over one protocol: RDP.
We will simulate this topology using UnetLab (thank you guys, you are the best). The external addresses will therefore be private, and the Internet will be a router that also performs NAT to the real Internet.
hostname R-Joaquim
!
interface Ethernet0/0
 description Joaquim's Local Lan
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
! PAT CONFIGURATION FOR INTERNET ACCESS
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny ip any any

hostname R-Client
!
ip dhcp excluded-address 172.16.0.254
!
! DHCP for the WIN-Client
ip dhcp pool LAN
 network 172.16.0.0 255.255.255.0
 dns-server 220.127.116.11
 domain-name bsnetworking.bllog
 default-router 172.16.0.254
 lease 2
!
interface Ethernet0/0
 description Client's Local Lan
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.6 255.255.255.252
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.5
!
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any

hostname INTERNET
!
interface Ethernet0/0
 description Connects to R1
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Connects to R2
 ip address 10.0.0.5 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description Connects to Real Internet
 ip address dhcp
 ip nat outside
 no shutdown
!
interface Ethernet0/3
 description Connects to Internet Host
 ip address 10.0.0.9 255.255.255.252
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/2 overload
!
! Default route to my gateway
ip route 0.0.0.0 0.0.0.0 172.16.210.254
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.3 any
 permit ip 10.0.0.4 0.0.0.3 any
 permit ip 10.0.0.8 0.0.0.3 any
 deny ip any any
Static IP Configuration in Win7
Add user and remote desktop configuration
DHCP IP Configuration in Win7
R-Joaquim – Solution – NAT and ACL
! Static NAT (port forward) from the external address to the
! remote desktop machine for protocol tcp port 3389 (rdp)
ip nat inside source static tcp 192.168.0.1 3389 10.0.0.1 3389
!
! ACL
ip access-list extended ALLOW-RDP-FROM-CLIENT
 ! Allow traffic from the client to the external address if it is RDP
 permit tcp host 10.0.0.6 host 10.0.0.1 eq 3389
 ! Block RDP from all other locations
 deny tcp any host 10.0.0.1 eq 3389
 ! In the example all other traffic is permitted, which is not the
 ! normal configuration (very insecure)
 permit ip any any
!
! Add the ACL to the external interface in the inbound direction
interface Ethernet0/1
 ip access-group ALLOW-RDP-FROM-CLIENT in
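The ACL above matches the outside address 10.0.0.1 because an inbound ACL on the outside interface is checked before NAT rewrites the destination. The following Python sketch is an added example, not part of the original post: it replays the list's first-match logic over constructed packets and compares it with a constructed mistake that matches the inside address instead. The packet list and the Internet host address 10.0.0.10 are assumptions.

```python
import ipaddress

# ACL entries copied from the post's ALLOW-RDP-FROM-CLIENT list (comments omitted).
ACL = """
permit tcp host 10.0.0.6 host 10.0.0.1 eq 3389
deny tcp any host 10.0.0.1 eq 3389
permit ip any any
"""
# Constructed mistake: same list, but matching the inside address 192.168.0.1.
ACL_INSIDE_ADDR = ACL.replace("10.0.0.1 eq", "192.168.0.1 eq")

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):
            src, rest = _addr(tok[2:])
            dst, rest = _addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            rules.append((tok[0], tok[1], src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto in ("ip", proto) and s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed packets as seen inbound on Ethernet0/1, before NAT rewrites the destination.
    packets = [("tcp", "10.0.0.6", "10.0.0.1", 3389),   # client (PAT address of R-Client)
               ("tcp", "10.0.0.10", "10.0.0.1", 3389),  # assumed address of the Internet host
               ("tcp", "10.0.0.10", "10.0.0.1", 443)]   # non-RDP traffic
    for name, text in (("post", ACL), ("inside-addr", ACL_INSIDE_ADDR)):
        for p in packets:
            print(name, p, evaluate(parse(text), *p))
```

With the inside-address variant, neither RDP entry matches the pre-NAT packet, so every source falls through to `permit ip any any` and reaches port 3389.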
Just remember that RDP has several known hacks, and for that reason it is not safe to use without other security precautions. That will be in the next post.
Until then, stay good