Bit of a problem with a Cisco 800 router: I need to turn off INSPECT on TCP 3389 or, if doing it for a single port isn't possible, turn off INSPECT on all TCP.

I tried

router(config)# no ip inspect name DEFAULT100 tcp

And it then seemed to not allow any TCP traffic at all, quite the opposite of what I was hoping. This is a production router and downtime isn't an option, as it takes 2-3 minutes to reboot and reconnect. Any advice on how to do this?

squareborg

1 Answer

ip inspect name DEFAULT100 tcp is the IOS Firewall Context Based Access Control (CBAC) command for general TCP traffic -- there is likely one for UDP in your configuration as well, along with other protocols that aren't NAT and firewall friendly.

When a connection is initiated from the inside to the outside it is allowed if you have the necessary ACEs on your inside interface. However, on the outside interface -- a firewall is generally configured to drop all traffic not explicitly permitted -- generally with a deny ip any any on the end of the ACL.

TCP and UDP are firewall friendly, so the CBAC entries for TCP and UDP are instead present so that return traffic from inside-to-outside initiated connections doesn't get dropped on the outside interface, where it is not explicitly permitted. CBAC allows those TCP (and UDP and other defined protocols) sessions' return traffic to get through without explicitly permitting it in an ACL on the return interface.

It sounds as if you are trying to remove some access pertaining to RDP on TCP/3389, not remove the ability to send any TCP based traffic through the firewall.

Restricting TCP/3389 will generally be performed on an interface access-list. Whether you are trying to restrict inside users outbound, or outside users inbound will determine where you add the access control entry. The relevant ip nat entry can also be removed if static NAT or static PAT is involved.

Weaver