Thursday 7 April 2011

Network Blunders: ACL flub

Alright, this was the plan:
  1. Translate connections arriving from outside on TCP port 3392 to port 3389 (RDP) on one of the inside hosts
  2. Configure an access list on the WAN interface to allow this connection only from our office
It seemed simple enough; I had done something similar a week back for a different client and had no issues, but this time I broke something.

I went to paste the access list entries (ACEs) I had prepared in Notepad; each entry contained "line" followed by a number, but I realized the "line" keyword was unrecognized on this device. So I figured that since I wasn't able to use the line command, I would have to modify the ACL the old-fashioned way: remove the whole ACL with the "no access-list" command and paste my new ACL without the "line" keyword. This did not go as planned at all. When I pasted the ACL into the config terminal, it stopped right at the beginning. I thought "ooh...fudge." My PuTTY session just hung there and I could no longer ping or access the router.

I knew exactly what had happened: the ACL was still applied to the WAN interface, so the router immediately started denying any traffic that did not match the few lines I had pasted. I tried not to look panicked, but I was freaking out inside. I told my manager that I had lost connection with the site, and he gave me the OK to run like the wind and go onsite to fix the mess I had caused. I arrived at the site, relieved to find that nobody had noticed the impact; they could still access resources on the LAN and the internet. However, anyone connected remotely by VPN or Terminal Services definitely noticed it. So even though the impact was minimal, we still had to restore the router to its original configuration from before the changes, which meant rebooting it and causing a temporary outage.

We were given an outage window in the afternoon to redo the change onsite while everybody was at lunch. Before then, I spoke to one of our senior consultants and he told me what I did wrong. Apparently IOS does support line numbering, just not the same way as the ASAs do.

On Cisco IOS software, each entry carries a sequence number instead of a "line" keyword. This is how "show access-lists" displays them (the same numbers are typed in front of each entry when editing a named ACL):

1 permit 192.168.1.0, wildcard bits 0.0.0.255
2 permit 192.168.2.0, wildcard bits 0.0.0.255
3 permit 192.168.3.0, wildcard bits 0.0.0.255
4 permit 192.168.4.0, wildcard bits 0.0.0.255

On Cisco ASA software, the position is given with the "line" keyword:

access-list mylist line 1 extended permit tcp any any eq http
access-list mylist line 2 extended permit tcp any any eq ftp
access-list mylist line 3 extended permit tcp any any eq telnet
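Here is how the two-step change from the plan above (port translation plus a WAN access list restricted to the office) looks on IOS when done with sequence numbers and a safety net. This is an added example, not the configuration from the post; the interface names, the ACL name WAN-IN and every address (203.0.113.5 as the router's WAN address, 192.168.1.10 as the inside RDP host, 198.51.100.7 as the office's public address) are placeholders.

```cisco
! Added example with placeholder names and addresses, not the post's own config.
!
! Safety net: if the change locks us out, the router reboots into the last
! saved configuration. Save the known-good config first, cancel at the end.
write memory
reload in 10
!
! Step 1: static PAT, outside TCP 3392 -> inside host 192.168.1.10 TCP 3389.
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.1.10 3389 203.0.113.5 3392 extendable
!
! Step 2: a named extended ACL with explicit sequence numbers.
! An inbound ACL on the outside interface is checked before NAT, so it must
! match the public address and port 3392, not 192.168.1.10:3389.
! Note the implicit "deny ip any any" at the end: the moment the first entry
! exists, everything else is dropped, which is exactly what locked the post's
! author out (an interface bound to an ACL that does not exist yet permits all).
ip access-list extended WAN-IN
 10 permit tcp host 198.51.100.7 host 203.0.113.5 eq 3392
 20 permit tcp host 198.51.100.7 host 203.0.113.5 eq 22
 30 permit tcp any host 203.0.113.5 established
! (entries for VPN, DNS replies and anything else the site needs inbound go here,
!  before the ACL is bound to the interface)
interface FastEthernet0/0
 ip access-group WAN-IN in
!
! Later edits go in place by sequence number instead of "no access-list ..."
! followed by a re-paste: insert between existing entries or remove one entry.
ip access-list extended WAN-IN
 15 permit tcp host 198.51.100.8 host 203.0.113.5 eq 3392
 no 20
!
! Still connected? Then the change worked: keep it and disarm the safety net.
reload cancel
write memory
```

Two things worth checking before pressing Enter: that the entry permitting your own management session (here sequence 20 for SSH from the office) is present before the ACL is bound to the interface, and that return traffic for sessions the LAN starts is covered (the "established" entry only handles TCP; a stateful inspection feature is the better tool for that job).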

Using this newly acquired knowledge, I performed another ACL change for a client, and they remained up and running smoothly.
