Paweł
Ufnalewski
Infrastructure
Architect
Krzysztof
Kania
Inżynier systemowy
Cisco (CCNA R&S,
Voice, Security)
Paweł Ufnalewski:
Jednak nie mogę podpiąć się z komputera w 2.x do serwera w 1.x po RDP. Czy ktoś spotkał się z takim problemem i wie jak go rozwiązać?
Adam W. Technical Consultant
Paweł
Ufnalewski
Infrastructure
Architect
Building configuration...
Current configuration : 9853 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
no aaa new-model
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.151 192.168.1.254
ip dhcp pool dhcpool
import all
network 192.168.1.0 255.255.255.0
dns-server 194.204.159.1 194.204.152.34
default-router 192.168.1.1
ip cef
ip name-server 194.204.159.1
ip name-server 194.204.152.34
no ipv6 cef
multilink bundle-name authenticated
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <KEY> address <IP_REMOTE>
crypto isakmp key <KEY> address <IP_REMOTE>
crypto isakmp key <KEY> address <IP_REMOTE>
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
set peer <IP_REMOTE>
set transform-set ESP-3DES-SHA1
match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
set peer <IP_REMOTE>
set transform-set ESP-3DES-SHA2
match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
set peer <IP_REMOTE>
set transform-set ESP-3DES-SHA3
match address 107
archive
log config
hidekeys
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface FastEthernet0
description $ETH-WAN$
ip address <IP_ZEW_ROUTERA> 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface FastEthernet9
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <GATEWAY>
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.70 3389 <IP_ZEW_ROUTERA> 3389 extendable
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit <IP>
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit <IP> 0.0.0.31
access-list 2 permit <IP> 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host <IP_REMOTE> host <IP_ZEW_ROUTERA> eq non500-isakmp
access-list 100 permit udp host <IP_REMOTE> host <IP_ZEW_ROUTERA> eq isakmp
access-list 100 permit esp host <IP_REMOTE> host <IP_ZEW_ROUTERA>
access-list 100 permit ahp host <IP_REMOTE> host <IP_ZEW_ROUTERA>
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host <IP_REMOTE> host <IP_ZEW_ROUTERA> eq non500-isakmp
access-list 100 permit udp host <IP_REMOTE> host <IP_ZEW_ROUTERA> eq isakmp
access-list 100 permit esp host <IP_REMOTE> host <IP_ZEW_ROUTERA>
access-list 100 permit ahp host <IP_REMOTE> host <IP_ZEW_ROUTERA>
access-list 100 permit udp host <IP_REMOTE> host <IP_ZEW_ROUTERA> eq non500-isakmp
access-list 100 permit udp host <IP_REMOTE> host <IP_ZEW_ROUTERA> eq isakmp
access-list 100 permit esp host <IP_REMOTE> host <IP_ZEW_ROUTERA>
access-list 100 permit ahp host <IP_REMOTE> host <IP_ZEW_ROUTERA>
access-list 100 remark Auto generated by SDM for NTP (123) ntp.icm.edu.pl
access-list 100 permit udp host 193.0.71.133 eq ntp host <IP_ZEW_ROUTERA> eq ntp
access-list 100 remark RDP to server
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp host <IP> host <IP_ZEW_ROUTERA> eq 22
access-list 100 permit tcp <IP> 0.0.0.31 host <IP_ZEW_ROUTERA> eq 22
access-list 100 permit tcp <IP> 0.0.0.255 host <IP_ZEW_ROUTERA> eq 22
access-list 100 permit tcp host <IP> host <IP_ZEW_ROUTERA> eq www
access-list 100 permit tcp <IP> 0.0.0.31 host <IP_ZEW_ROUTERA> eq www
access-list 100 permit tcp <IP> 0.0.0.255 host <IP_ZEW_ROUTERA> eq www
access-list 100 permit tcp host <IP> host <IP_ZEW_ROUTERA> eq 443
access-list 100 permit tcp <IP> 0.0.0.31 host <IP_ZEW_ROUTERA> eq 443
access-list 100 permit tcp <IP> 0.0.0.255 host <IP_ZEW_ROUTERA> eq 443
access-list 100 permit tcp host <IP> host <IP_ZEW_ROUTERA> eq cmd
access-list 100 permit tcp <IP> 0.0.0.31 host <IP_ZEW_ROUTERA> eq cmd
access-list 100 permit tcp <IP> 0.0.0.255 host <IP_ZEW_ROUTERA> eq cmd
access-list 100 deny tcp any host <IP_ZEW_ROUTERA> eq telnet
access-list 100 deny tcp any host <IP_ZEW_ROUTERA> eq 22
access-list 100 deny tcp any host <IP_ZEW_ROUTERA> eq www
access-list 100 deny tcp any host <IP_ZEW_ROUTERA> eq 443
access-list 100 deny tcp any host <IP_ZEW_ROUTERA> eq cmd
access-list 100 deny udp any host <IP_ZEW_ROUTERA> eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip host <IP> any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip <IP> 0.0.0.31 any
access-list 101 permit ip <IP> 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 102 deny tcp any host 192.168.1.1 eq telnet
access-list 102 deny tcp any host 192.168.1.1 eq 22
access-list 102 deny tcp any host 192.168.1.1 eq www
access-list 102 deny tcp any host 192.168.1.1 eq 443
access-list 102 deny tcp any host 192.168.1.1 eq cmd
access-list 102 deny udp any host 192.168.1.1 eq snmp
access-list 102 permit ip any any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
match ip address 104
control-plane
line con 0
line aux 0
line vty 0 4
access-class 101 in
login local
transport input ssh
end
Paweł
Ufnalewski
Infrastructure
Architect
Adam W.:
jezeli usuga RDP jest uruchomiona na ww. maszynie, sprobuj przekierowac port RDP na brame routera (1.x), gdzie znajduje sie komp, do ktorego chcesz sie dostac. Ja mialem podobny problem, ale wlasnie przekierowanie portu na brame pomoglo
ps. o ile masz firewall'a, ACL'e na ww. routerach ;-)Adam W. edytował(a) ten post dnia 24.05.10 o godzinie 18:08
Adam W. Technical Consultant
Marcin
F.
Turn on, tune in,
drop out
Paweł Ufnalewski:
ip nat inside source static tcp 192.168.1.70 3389 <IP_ZEW_ROUTERA> 3389 extendable
ip nat inside source static tcp 192.168.1.70 3389 <IP_ZEW_ROUTERA> 52135 extendable
Adam W. Technical Consultant
Marcin F.:Moim skromnym zdaniem nie jest to dobre rozwiazanie (dotyczy przekierowania portu na zewnatrz). Skoro kolega laczy sie po vpn (konkretnie lacza sie ze soba routery) i biorac pod uwage fakt, ze kolega chce sie laczyc z RDP za posrednictwem tylko i wylacznie tego site'u, tyle z z innej podsieci i tak bedzie widzial siec lokalna. Wiec po co przekierowywac port na zewnatrz? Trasa dla pakietow RDP bedzie i tak przezroczysta wewnatrz tego site'u.
Paweł Ufnalewski:
Powodem tego problemu jest następujący wpis i statyczny NAT:
ip nat inside source static tcp 192.168.1.70 3389 <IP_ZEW_ROUTERA> 3389 extendable
I jak już musisz wystawić 3389 na świat to może zrób tak:
ip nat inside source static tcp 192.168.1.70 3389 <IP_ZEW_ROUTERA> 52135 extendable
lub jakiś inny i potem łącz się w taki sposób: mstsc /v:IP_ZEW_ROUTERA>:52135
3389 jest często skanowany.Marcin F. edytował(a) ten post dnia 24.05.10 o godzinie 20:12
Marcin
F.
Turn on, tune in,
drop out
Adam W.:
Moim skromnym zdaniem nie jest to dobre rozwiazanie (dotyczy przekierowania portu na zewnatrz). Skoro kolega laczy sie po vpn (konkretnie lacza sie ze soba routery) i biorac pod uwage fakt, ze kolega chce sie laczyc z RDP za posrednictwem tylko i wylacznie tego site'u, tyle z z innej podsieci i tak bedzie widzial siec lokalna. Wiec po co przekierowywac port na zewnatrz? Trasa dla pakietow RDP bedzie i tak przezroczysta wewnatrz tego site'u.
Moze cos zle rozumuje,ale tak to chyba dziala ;-)
Paweł
Ufnalewski
Infrastructure
Architect
Marcin
F.
Turn on, tune in,
drop out
Paweł Ufnalewski:
RDP na 3389 na zewnatrz jest wystawione na razie zebym mial dostep do serwera poki ruch nie bedzie lecial przez vpn. Klopot polega na tym ze fizycznie nie ma mnie w zadnym z sajtow, wiec musze kombinowac...
Zaraz sprobuje aclkami jak napisaliscie.
Adam W. Technical Consultant
Paweł Ufnalewski:cześć,
RDP na 3389 na zewnatrz jest wystawione na razie zebym mial dostep do serwera poki ruch nie bedzie lecial przez vpn. Klopot polega na tym ze fizycznie nie ma mnie w zadnym z sajtow, wiec musze kombinowac...
Zaraz sprobuje aclkami jak napisaliscie.
Następna dyskusja:
пропозиції роботи
