
RDP help on a cisco 870 router

Status
Not open for further replies.

sjjustina (IS-IT--Management)
Apr 23, 2007
I'm trying to allow remote desktop connections from the internet on a Cisco 870 router without success. I set the access control list to wide open for UDP just to see if that's the problem, and I know I should secure it better, but that was just for testing. I've NATted port 3389 to the server's port, but it won't connect. Someone please help!

Thanks

show startup-config
Using 4299 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ciscorouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$SZvq$r9Lzo7zc..tUztxnXyYNT1
enable password 7 12090404011C03162E
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.3.1 192.168.3.99
!
ip dhcp pool Internal-net
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 216.115.6.*** 216.83.236.***
domain-name ciscor.com
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 216.115.6.*** 216.83.236.***
domain-name ciscor.com
lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name ciscor.com
!
!
crypto pki trustpoint TP-self-signed-784456476
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-784456476
revocation-check none
rsakeypair TP-self-signed-784456476
!
!
crypto pki certificate chain TP-self-signed-784456476
certificate self-signed 01 nvram:IOS-Self-Sig#3616.cer
username neworleansevent privilege 15 password 7 110A1706100012
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address 208.115.6.*** 255.255.255.252
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid GuestWLAN
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 12485744465E5A53727274
!
ssid event rental
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 03550958525A771B165049
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN - routed WLAN
encapsulation dot1Q 20
ip address 192.168.3.1 255.255.255.0
ip access-group Guest-ACL in
ip inspect MYFW out
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.115.6.169
!
ip http server
ip http secure-server
ip nat source static tcp 208.115.6.*** 3389 interface BVI1 3389
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.2.106 3389 208.115.6.*** 3389 extendable
ip nat inside source static udp 192.168.2.106 3389 208.115.6.*** 3389 extendable
!
ip access-list extended Guest-ACL
deny ip any 192.168.2.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
remark SDM_ACL Category=17
permit icmp any any echo
permit udp any any log
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
ip access-list extended internet-inbound-acl
permit tcp any any eq 3389
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
!
co
 
You mistyped your ACL, hence it isn't applied ...

ip access-list extended Internet-inbound-ACL
remark SDM_ACL Category=17
permit icmp any any echo
permit udp any any log
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
ip access-list extended internet-inbound-acl
permit tcp any any eq 3389
 
Thanks, I've added them to the correct ACL list but it's still not working. Any other ideas?

ip access-list extended Internet-inbound-ACL
remark SDM_ACL Category=17
permit icmp any any echo
permit tcp any eq ftp any log
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
remark 3389
permit udp any eq 3389 any log
permit esp any any
 
ip access-list extended Internet-inbound-ACL
permit icmp any any echo
permit icmp any host 208.115.6.*** echo-reply
permit icmp any any traceroute

remark VPN Traffic
permit esp any any
permit gre any any

REMARK Ftp and RDP Allow
permit tcp any any eq ftp log
permit tcp any any eq 3389 log


 
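An added example, not part of this thread and not Cisco tooling: a small Python checker for the two ACL mistakes the replies above point out. IOS named ACL names are case-sensitive, so the entries in `internet-inbound-acl` never took effect because `ip access-group` referenced `Internet-inbound-ACL`; and the second attempt matched port 3389 (and ftp) on the source side, whereas an inbound connection to a service is identified by its destination port. The script parses a show-run style dump into named ACLs, where each is applied, and the NAT-outside interface, then walks the inbound ACL in first-match order to decide whether a new TCP connection to port 3389 would be admitted. The config snippets are constructed from the posts (the masked public address is replaced with the documentation address 203.0.113.2); `diagnose`, `parse_config`, `parse_entry` and `inbound_permits` are names chosen for this example.

```python
# Added example, not from the thread or Cisco: checks a show-run style dump for the ACL mistakes discussed above.
import re
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "action proto src src_port dst dst_port options")

def _addr(t, i):
    # one address spec: any | host A.B.C.D | A.B.C.D wildcard-mask
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]} {t[i + 1]}", i + 2

def _port(t, i):
    # optional port operator: eq|gt|lt|neq PORT ("range" is not handled here)
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], t[i + 1]), i + 2
    return None, i

def parse_entry(line):
    # IOS field order: action proto SRC [src-port] DST [dst-port] [options]
    t = line.split()
    src, i = _addr(t, 2)
    src_port, i = _port(t, i)
    dst, i = _addr(t, i)
    dst_port, i = _port(t, i)
    return AclEntry(t[0], t[1], src, src_port, dst, dst_port, t[i:])

def parse_config(text):
    # named ACLs, the interface/direction each is applied on, and the NAT-outside interface
    cfg = {"acls": {}, "applied": {}, "nat_outside": None}
    acl = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            acl = cfg["acls"].setdefault(m.group(1), [])
        elif acl is not None and line.startswith(("permit ", "deny ", "remark")):
            if not line.startswith("remark"):
                acl.append(parse_entry(line))
        else:
            acl = None  # any other line ends the ACL body
            if m := re.match(r"interface (\S+)$", line):
                iface = m.group(1)
            elif line == "ip nat outside":
                cfg["nat_outside"] = iface
            elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
                cfg["applied"][(iface, m.group(2))] = m.group(1)
    return cfg

def inbound_permits(cfg, proto, port):
    # first-match walk of the inbound ACL on the NAT-outside interface for a new connection to proto/port from any source port (addresses not evaluated)
    name = cfg["applied"].get((cfg["nat_outside"], "in"))
    for e in cfg["acls"].get(name, []):
        if e.proto not in (proto, "ip") or e.src_port:
            continue
        if e.dst_port is None or e.dst_port == ("eq", port):
            return e.action == "permit"
    return False  # implicit deny at the end of every ACL

def diagnose(text, proto="tcp", port="3389"):
    cfg = parse_config(text)
    applied = set(cfg["applied"].values())
    return {
        # defined but never applied; names are case-sensitive, so a twin differing only in case is reported next to it
        "unapplied_acls": [(n, next((a for a in applied if a.lower() == n.lower()), None))
                           for n in cfg["acls"] if n not in applied],
        # entries constraining only the source port: the service port of an inbound connection is the destination port
        "source_port_rules": [(n, e.src_port[1]) for n, es in cfg["acls"].items()
                              for e in es if e.src_port and not e.dst_port],
        "inbound_permitted": inbound_permits(cfg, proto, port),
    }
# Constructed snippets modelled on the posts; 203.0.113.2 stands in for the masked public IP.
BASE = """\
interface FastEthernet4
 ip access-group Internet-inbound-ACL in
 ip nat outside
"""
ACL_ORIGINAL = """\
ip access-list extended Internet-inbound-ACL
 permit udp any any log
ip access-list extended internet-inbound-acl
 permit tcp any any eq 3389
"""
ACL_SECOND_TRY = """\
ip access-list extended Internet-inbound-ACL
 permit tcp any eq ftp any log
 remark 3389
 permit udp any eq 3389 any log
"""
ACL_FIXED = """\
ip access-list extended Internet-inbound-ACL
 permit icmp any host 203.0.113.2 echo-reply
 permit tcp any any eq ftp log
 permit tcp any any eq 3389 log
"""
if __name__ == "__main__":
    for label, acl in ("original", ACL_ORIGINAL), ("second try", ACL_SECOND_TRY), ("fixed", ACL_FIXED):
        print(label, diagnose(BASE + acl))
```

Run on the original snippet it reports the unapplied lower-case ACL and no inbound permit for TCP 3389; on the second attempt it flags both source-port entries; on the corrected ACL from the last reply the inbound walk reaches `permit tcp any any eq 3389 log` and returns true. The walk deliberately ignores address fields and `range` operators, so it is a first-pass review aid rather than a full ACL evaluator.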