RDP on SA520 Router
Hi Techies,
Pardon me because I am just new to Cisco.
Is it possible to configure RDP on the SA520 router? I did try once but no luck. Here is my configuration:
My objective is to log in to a server on the local network on VLAN 10 via RDP from home, connecting to this router.
I created a service called RDP Port 3389
Firewall rule:
Status: Enabled
From Zone: WAN
To Zone: LAN
Service: RDP
Action: ALLOW always
Source Hosts: Any
Destination Hosts: (blank)
Local Server: 192.168.1.102
Internet Destination: WAN1
Log: Never
On the router I have these VLANs:
VLAN1 192.168.10.100 (this is the device IP)
VLAN10 192.168.1.1 (this is the gateway of my LAN including servers, printers, desktops etc.)
VLAN20 192.168.2.1 (this is the gateway of our guest devices.)
At home, I launch RDP and input our WAN IP and no luck.
Any help will highly be appreciated.
Many Thanks.
AC
AC,
Yeah, you can forward any port internally to any private address. First thing, I would make sure you have the SA500 series router on the latest firmware (PLEASE MAKE SURE YOU READ THE RELEASE NOTES BEFORE UPGRADING IF THE DEVICE ISN'T ON 2.1.18).
The rule you have above should allow 3389 inbound traffic forwarded to 192.168.1.102.
If you are on the latest firmware and this is still a problem, call the Cisco SBSC @ 1-866-606-1866 and open a support case.
Thanks,
Jasbryan
Cisco Support Engineer
.:|:.:|:.
Similar Messages
-
Configure RDP on SR520 using CCA
I need instruction to configure RDP on
this router. I had it setup on the old linksys, but I can't
seem to get it to work on this new SR520 Router.
I know this is not a difficult task on other routers but the CCA is rather
difficult to work with as I see it.
Thanks in advance... this is the first time I have ever worked with the CCA or a Cisco router for that matter. So I am very green.
Thanks for all the help... I have it done.
-
Cisco Router Memory Utilization
Hi,
We have a Cisco SA520 Router (Firmware 2.1.18)
We are only using this for about 1 month now. The router seems OK, it's just that
I am worried about the memory utilization, which reaches 62% (144/234 MB).
Is this something to worry about?
How can I improve this by lowering the usage?
Pardon me, I am just new to Cisco devices.
Many Thanks.
AC
AC,
Please go ahead and upgrade to the latest firmware 2.1.51. Memory utilization shouldn't be a problem. After the upgrade please keep an eye on the memory and report back.
Thanks,
Jasbryan
Cisco Support Engineer
.:|:.:|:.
-
ACE: RDP loadbalancing connection problem
I have a problem setting up RDP loadbalancing.
My setup is a WS-C6509-E with IOS 12.2(33)SXI5 and a ACE20-MOD-K9 running
A2(3.3).
I have the ACE in two-arm-mode, I can connect to the real servers via RDP. The
real servers use a MS Terminal Server Session Broker with routing tokens.
The serverfarm is operational:
# show serverfarm FARM-TSFARM1 det
serverfarm : FARM-TSFARM1, type: HOST
total rservers : 4
active rservers: 4
description : srv-f1-tsX.mydomain.de
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: RS-SRV-F1-TS1
10.7.43.201:0 8 OPERATIONAL 0 1 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS2
10.7.43.202:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS3
10.7.43.203:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS4
10.7.43.204:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
The service policy is active, it shows an increasing hit count for the VIP
connections (47 as shown below), no drop-count, no dropped connections, but
zero bytes server packets and no hit counts for the L7 policy:
# show service-policy VIP-TSFARM1 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 44
service-policy: VIP-TSFARM1
class: VIP-TSFARM1-RDP
VIP Address: Protocol: Port:
10.7.44.106 tcp eq 3389
loadbalance:
L7 loadbalance policy: VIP-TSFARM1-RDP-l7slb
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 47
dropped conns : 0
client pkt count : 221 , client byte count: 10996
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-TSFARM1-RDP-l7slb
class/match : class-default
LB action: :
primary serverfarm: FARM-TSFARM1
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
I never get a "Built TCP connection" syslog message.
When I make a VIP with "policy-map type loadbalance generic" instead of
"policy-map type loadbalance rdp" everything works as expected, apart from the
fact that users cannot be redirected to the correct server if they have an
active session on one of them.
Here is the config of the rdp setup:
rserver host RS-SRV-F1-TS1
description srv-f1-ts1.mydomain.de
ip address 10.7.43.201
conn-limit max 500 min 500
rate-limit connection 10000
rate-limit bandwidth 12500000
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS2
description srv-f1-ts2.mydomain.de
ip address 10.7.43.202
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS3
description srv-f1-ts3.mydomain.de
ip address 10.7.43.203
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS4
description srv-f1-ts4.mydomain.de
ip address 10.7.43.204
conn-limit max 500 min 500
probe PING_PROBE
inservice
serverfarm host FARM-TSFARM1
description srv-f1-tsX.mydomain.de
rserver RS-SRV-F1-TS1
inservice
rserver RS-SRV-F1-TS2
inservice
rserver RS-SRV-F1-TS3
inservice
rserver RS-SRV-F1-TS4
inservice
class-map match-all VIP-TSFARM1-RDP
2 match virtual-address 10.7.44.106 tcp eq 3389
policy-map type loadbalance rdp first-match VIP-TSFARM1-RDP-l7slb
class class-default
serverfarm FARM-TSFARM1
policy-map multi-match VIP-TSFARM1
class VIP-TSFARM1-RDP
loadbalance vip inservice
loadbalance policy VIP-TSFARM1-RDP-l7slb
loadbalance vip icmp-reply active
loadbalance vip advertise active
interface vlan 44
service-policy input VIP-TSFARM1
Any ideas?
Ralf,
You are running into the following defect:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl63354
Workaround:
use a layer 4 loadbalance policy and configure source ip sticky.
Joel Lamousnery
Cisco TAC
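Added here as a triage helper, not code from the thread or from Cisco: the counters Ralf quotes form a recognisable pattern (VIP hit count climbing, client packets counted, zero server packets, zero hits on the L7 policy, no "Built TCP connection" syslog). This Python snippet parses that counter block from a constructed sample in the same format as the `show service-policy ... detail` output above and names the pattern, so the same output from another ACE can be checked quickly; it does not itself identify the defect.

```python
import re

# Constructed sample in the layout of "show service-policy VIP-TSFARM1 detail",
# cut down to the lines the check reads; the counter values are the ones from the post.
SAMPLE_OUTPUT = """\
Status : ACTIVE
Interface: vlan 44
  service-policy: VIP-TSFARM1
    class: VIP-TSFARM1-RDP
      VIP Address:    Protocol:  Port:
      10.7.44.106     tcp        eq    3389
      loadbalance:
        L7 loadbalance policy: VIP-TSFARM1-RDP-l7slb
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 47
        dropped conns    : 0
        client pkt count : 221       , client byte count: 10996
        server pkt count : 0         , server byte count: 0
      L7 Loadbalance policy : VIP-TSFARM1-RDP-l7slb
        class/match : class-default
          LB action: :
             primary serverfarm: FARM-TSFARM1
                    state: UP
             backup serverfarm : -
          hit count        : 0
          dropped conns    : 0
"""


def _counter(name, text):
    """Return the integer that follows 'name :' (fields are comma separated in ACE output)."""
    m = re.search(re.escape(name) + r"\s*:\s*(\d+)", text)
    if m is None:
        raise ValueError(f"counter not found: {name}")
    return int(m.group(1))


def parse_vip_counters(text):
    """Split at the L7 policy header so the VIP 'hit count' and the L7 'hit count' are kept apart."""
    head, sep, l7 = text.partition("L7 Loadbalance policy")
    if not sep:
        raise ValueError("no L7 loadbalance policy section in output")
    return {
        "vip_hits": _counter("hit count", head),
        "client_pkts": _counter("client pkt count", head),
        "server_pkts": _counter("server pkt count", head),
        "dropped": _counter("dropped conns", head),
        "l7_hits": _counter("hit count", l7),
    }


def diagnose(c):
    """Name the counter pattern; the first branch is the one seen in the post."""
    if c["vip_hits"] > 0 and c["client_pkts"] > 0 and c["server_pkts"] == 0 and c["l7_hits"] == 0:
        return "vip-accepts-but-l7-never-dispatches"
    if c["dropped"] > 0:
        return "connections-dropped"
    if c["server_pkts"] > 0:
        return "traffic-flowing"
    return "no-traffic-seen"


if __name__ == "__main__":
    counters = parse_vip_counters(SAMPLE_OUTPUT)
    print(counters, "->", diagnose(counters))
```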
-
Remote Desktop 'Connection Refused'
Modem/Router Model: GT704-WG-B
Firmware Version: 30.17.0 (Red background)
Operating System: Windows 7 Enterprise
Here is what I have set up to allow me access from outside my network via RDP.
Router config: Security > Applications "RDP" Rule Applied | Port 3389 Start/End/Port Map Start
UPnP is on
Modem/Router Firewall is OFF
Windows Firewall is ON with TCP 3389 allowed In/Out
Local PC has static IP address outside of DHCP range
Remote desktop (any version of RDP) allowed in Computer > Properties > Remote
I use Jaadu RDP iPhone application and have used it successfully for quite some time. When I first got Verizon service I set up RDP on the router and everything worked fine. I ran into an issue that caused a verizon tech to tell me to reset my modem/router to the factory defaults. Ever since, I have not been able to access my local PC via RDP. Every time I attempt to connect I get a connection refused message. I receive the same type of message when attempting to RDP in from another PC. I am able to RDP from within my LAN from both my iPhone and my other PC.
I have crossed my Ts and dotted my Is and am at a loss at this point. If anyone has experienced this issue and found a fix, I would appreciate some help.
Thanks
#1 In the router, turn off UPnP, since you will not be needing it.
#2 If that does not resolve it, or it happens again, please post...
-
Unable to log into SA540 as any user
This is the 2nd time that this has happened. I am unable to log in to my SA540 as any user, including the Admin, either through the SSL VPN portal or directly connected to the box. The fix is to reboot the device and it starts working, but as I am not on-site all the time, this is a problem. I recently upgraded the firmware to 1.1.65.
Has anyone else experienced this issue and if so, how can it be resolved?
Thanks
Hi Mark,
Could you please collect the log when this happens again.
To collect logs from the SA520 router, please log in to the SA520 router and
in the URL type, with the IP address, https://IP_address_of_SA520/scgi-bin/dbglog.cgi
Thanks
Wei
-
I purchased this router after a lot of research. I need to be able to log into this router from another location using RDP. RDP normally uses port 3389. Since my location blocks 3389 I have been using port 443 when signing in. My current router translates 443 to 3389 with no problems.
I put this new router in and thought it was going to be that easy. Just put in a route for 443 to 3389 and the IP of the computer to RDP to. It does not work. I need help with this configuration. Is there a problem with RDP on this router? I can't even get to my computer within my own network. As soon as I plug in my old router everything works perfectly.
I am completely lost on this one.
Hi! Are you trying to access the router settings only, or are you trying to access a device that is connected behind the router? If you just want to access the router settings, you just have to enable Remote Management via the Administration tab on the router.
Btw, are you using the Cloud firmware or the Classic?
-
Hi guys, please help. I am trying to run Remote Desktop from the internet. I have just been given a static IP address from my ISP and when I type it into the browser I get the router login page. I want to be able to use Remote Desktop. I can use RDP on the LAN and it works great, but not from external (internet). I don't know how to get the static IP address to open the Windows login page, or RDP to connect when I put the IP address into RDP. I have a Windows 2003 server running.
Check your router for free ports. You may use HTTP port number "80" to port forward the request to your server. In your firewall settings, create a new rule to allow incoming HTTP requests. Before that, enable NAT in your router for the LAN and assign a static IP address for the server machine. It would make port forwarding easier.
-
How do I do NAT on the ISA570, and does routing need to be enabled for that? I have a static IP configured and pinging at my office, and I want to access RDP from my home.
How did you export? Did you use H.264? An hour and a half is going to be a big file. For your customers' sake you might consider breaking it down into segments.
-
Question about setting up rdp using a cisco 800 series router
HI there,
I am currently in school for networking. One co-op placement I went to handed me a Cisco 800 series router to practice my routing skills on. I am trying to set up RDP so I can access my server from outside my internal network. I ran the following ACL command to do it.
ip nat inside source static tcp <server IP address> <port#> <cable modem IP> <port #> extendable
My question here is, my cable modem will occasionally hand out a different IP since it has DHCP. I cannot turn DHCP off in my cable modem. So is there a way I can set this up to use a dynamic IP from my modem so I always have access to it, or every time my modem changes the IP address do I have to go in and modify this ACL?
Configure DDNS (Dynamic DNS) on the router. For this you need to register with a DDNS provider. Go to
http://www.no-ip.com/ . They provide a free, reliable service.
With DDNS, once your router gets a DHCP address from your ISP, it will dynamically update the DNS name record. For example, if you register your router's name as "myrouter.no-ip.org", from there onwards, whatever IP your router gets, you can refer to it by this name.
So do as Paolo said regarding using the interface instead of the IP, and register with the DDNS and you are good to go.
Hope this helps
Please rate this post if helpful.
Thanks
Shamal
-
Setting up static routing in sa520. Im stuck.
Hello,
I finally got my Cisco router and, all excited about it, I tried to set it up. Everything went fine until I wanted a local machine to get its own IP address that is reachable from the outside.
Basically I used the static IP setting in the WAN/IPv4 menu. This worked great, with the router assigning DHCP to all computers.
Now all the local computers have an internet connection and they share one IP address on the outside.
As for where I'm stuck: I have an Xserve with 2 network cards. It runs an FTP server which we use locally, but we also have customers needing to reach it from the outside. The local FTP works but I'm having difficulties assigning an outside IP to it. Our ISP has provided 5 different IP addresses.
I have tried to do this in 2 different ways, where the second way is preferable.
First try:
Use the optional port as a second WAN. Give it the same settings as the first WAN got but another IP address.
Then connect the Xserve's outside network card directly to that WAN port and use DHCP. This did not work.
Second try:
Assign a static route from WAN2 (optional port) to the local IP address of the Xserve.
Can someone elaborate on how this should be done?
Thank you.
Edit:
Later today I will try this firewall rule.
http://bildr.no/view/580301
Basically I want to forward any connections from WAN2 to 192.168.1.33, which is my server. Does that look correct?
Thank you for your quick reply.
I'm using version 1.1.21.
I'm actually quite sure that it's a user problem rather than a firmware error. It's the first time I've ever touched a Cisco router and I haven't done that much networking.
I can show you how I did it on my Xserve. Maybe you can elaborate on how I can do it the same way.
redirect_port
  proto: tcp
  targetIP: 192.168.1.50
  targetPortRange: 80
  aliasIP: 77.40.XXX.220
  aliasPortRange: 8888
Basically it says: push whatever traffic comes in for IP 77.40.xxx.220 to 192.168.1.50 on the local network.
How can I do the same thing on my Cisco router? It's a NAT IP-forward rule.
Edit:
The screenshot shows what I have been trying.
I have chosen the optional WAN, which is set to use another external IP address, but this does not work. It would be so much easier if I could just type in the external IP address there and use the same gateway and DNS as the main WAN.
Added the config as well.
Thank you.
-
SA520: problem when trying to access HTTPS over custom port in a site-to-site vpn
We've set up a site-to-site VPN between our SA520 and our SmoothWall running at our data center. The tunnel is always connected, so that part runs fine.
What works fine:
- Client 192.168.11.1 is able to start an RDP session (on its default port 3389) to server 192.168.3.5
- Client 192.168.11.1 can open a web page which is hosted on server 192.168.3.5 (hosted on the default HTTP port 80)
What doesn't work:
- Client cannot open a web page which is hosted on server 192.168.3.1 at the following URL: https://192.168.3.1:441
- or, for that matter, any HTTPS service in the 192.168.3.x LAN which runs on a different port
To summarize:
From the 192.168.11.x subnet, accessing services running on default ports (i.e. 80, 3389, 21) in the 192.168.3.x subnet works fine. Doing the same for services running on custom ports (i.e. HTTPS over port 441), the connection to the web server times out.
Thanks in advance for any help you may provide.
Glen
Hi Luis,
Thank you for your reply. We've checked the SmoothWall configuration but couldn't discover anything which could cause this problem. We even tried replacing the SA520 with a DrayTek Vigor router to set up a LAN-to-LAN VPN with the SmoothWall. With the DrayTek in place we have no problems accessing the aforementioned servers, so it seems the issue is with the SA520.
What exactly do you mean by creating an ACL from the remote WAN to our LAN? I assumed you meant creating a firewall rule allowing traffic from the remote device's public IP to our LAN. However, in that case I need to enter an IP address of a device in our LAN, or else I cannot save this rule. As a test I entered the IP address of my machine as the destination address, but am still unable to access the aforementioned servers.
here's how i set up the rule:
from zone: UNSECURE (WAN/optional WAN)
to zone: LAN
service: ANY
action: ALLOW always
schedule: (not set)
source hosts: Single address
from: public ip of one of the aforementioned servers
source NAT settings > external IP address: WAN interface address (cannot change this setting)
source NAT settings >WAN interface: dedicated WAN (cannot change this setting)
destination NAT settings > internal ip address: 192.168.11.123 (ip address of my machine)
enable port forwarding: unchecked
translate port number: empty
external IP address: dedicated WAN
-
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall; it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end
Hi,
I didn't see anything marked with red in the above? (At least when I was reading.)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
There also seems to be a static NAT configured for the same internal host, so I am wondering why the static PAT (port forward) is used?
- Jouni
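As an added illustration of Jouni's point (this is not code from the thread and not a Cisco tool), here is a small Python model of the IOS order of operations for outside-to-inside traffic: the inbound ACL on the outside interface is evaluated while the packet still carries the public destination address, and only afterwards does NAT translate it to the inside address, so an entry that names 10.20.30.20 never matches an Internet-sourced packet. The WAN address 203.0.113.4 and the client 198.51.100.7 are constructed stand-ins for the redacted public addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One entry of a named extended ACL, e.g. 'permit tcp any host X eq 3389'."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # "any" or a host/network in CIDR form
    dst: str
    dport: Optional[int] = None


def _addr_matches(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(pkt.src, ace.src) or not _addr_matches(pkt.dst, ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_verdict(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


WAN_IP = "203.0.113.4"     # constructed stand-in (TEST-NET-3) for the FastEthernet4 address
SERVER = "10.20.30.20"     # the inside server from the posted config

# The static PAT from the posted config:
#   ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
STATIC_PAT = {("tcp", WAN_IP, 3389): (SERVER, 3389)}


def nat_outside_to_inside(pkt: Packet) -> Packet:
    """Global-to-local translation of the destination, which runs after the inbound ACL."""
    hit = STATIC_PAT.get((pkt.proto, pkt.dst, pkt.dport))
    if hit is None:
        return pkt
    inside_ip, inside_port = hit
    return Packet(pkt.proto, pkt.src, inside_ip, inside_port)


def inbound_path(acl: List[Ace], pkt: Packet) -> Tuple[str, Packet]:
    """Outside -> inside on IOS: ACL on the outside interface first, NAT second."""
    if acl_verdict(acl, pkt) == "deny":
        return "dropped by ACL", pkt
    return "forwarded", nat_outside_to_inside(pkt)


# Only the RDP-relevant entries are modelled; the other permits in INTERNET_IN and the
# reflexive 'evaluate INTERNET_REFLECTED' are left out.
ORIGINAL_INTERNET_IN = [
    Ace("permit", "tcp", "any", f"{SERVER}/32", 3389),   # names the inside address
    Ace("deny", "ip", "any", "any"),
]

# The entry has to name the address the packet still carries when the ACL runs, i.e. the
# FastEthernet4 (public) address. Sources can be narrowed the way the other entries in
# the posted ACL already are; 'any' is kept here only to mirror the original.
CORRECTED_INTERNET_IN = [
    Ace("permit", "tcp", "any", f"{WAN_IP}/32", 3389),
    Ace("deny", "ip", "any", "any"),
]


def rdp_from_internet(acl: List[Ace], client_ip: str = "198.51.100.7") -> Tuple[str, Packet]:
    """A constructed Internet client (TEST-NET-2) opening RDP to the router's public address."""
    return inbound_path(acl, Packet("tcp", client_ip, WAN_IP, 3389))


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_INTERNET_IN), ("corrected", CORRECTED_INTERNET_IN)):
        result, pkt = rdp_from_internet(acl)
        print(f"{name}: {result} -> {pkt.dst}:{pkt.dport}")
```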
-
I have inherited a network that was not put together so well... as it has 50 sites but 11 points of mutual redistribution between OSPF and BGP.
The result, not surprisingly, is some route paths that, although stable, are asymmetrical, and they cause issues for certain applications... like voice and RDP.
This evening I have a maintenance window to try to fix this.
I need to validate with ping and traceroute from many points (Cisco switches and routers) to many points in the network.
Can anyone point me to a TCL shell script that would serve as an example of how to accomplish this?
Please be advised that I am only nominally functional with the TCL shell scripting language.
Respectfully,
Duane Bodle
The first thing to do is:
regexp "match regexp = ([0-9]+)" $_cli_result match count
if $count eq 0
exit 0
end
The second is a bit more challenging. I think this will work:
cli command "show call active voice br"
foreach line $_cli_result "\n"
regexp "^([0-9a-zA-Z]+) : " $line match callid
if $_regexp_result eq 1
continue
end
regexp "^dur 1d" $line
if $_regexp_result eq 1
cli command "show call active voice br | section $callid"
syslog msg "$_cli_result"
end
end
-
Unable to connect to VM's in new cloud service via express route
We have changed our ExpressRoute setup. Initially we had an ExpressRoute via London, but we have added a second one via Amsterdam and removed the one via London. All existing and new VMs in the different VNets have a connection to our local datacenter, but as soon as we create VMs in a new cloud service the published routes don't seem to be picked up and the machines are only reachable in their local VNet on Azure.
Does anyone have an idea where to look? It looks like the route publishing does not work correctly, but it is strange that new VMs in existing cloud services do work correctly. BGP peering and VNets have been provided access via the ExpressRoute and all have status provisioned.
Hi Syed,
When I try to connect to a new VM via RDP or try to do a tracert to the machine (with the firewall turned off on the VM) I don't get a response (traffic is routed via the ExpressRoute correctly). If I do a tracert to an IP on the on-premise network from the VM in question, the trace is directed to the internet instead of to the on-premise network via the ExpressRoute.
The new cloud services were created in the same region as the working cloud services and the VMs are also in the same VNet/subnet as the working VMs. If I delete a VM (keeping the disks) from a new cloud service and redeploy it in an existing cloud service, I can reach it again via the internal IP.
We have checked the route publishing and the correct routes are published to the ExpressRoute/VNet.
When I check the provisioning of the VNets via get-azurededicatedcircuitlink, all the VNets in question are listed as provisioned.
I'll try to remove the BGP routing for the original ExpressRoute this evening to see if that helps.
Kind regards
Xander