How do I set up an incoming static connection to a server on a different subnet?

If you can ping 192.168.5.26 from the PIX, then the static/acl as you have it should work just like it does with a local server. Client that is trying to connect to this server is outside the pix, host xx.xx.61.2, right?
You're not trying to test it first from an inside host?

Trace the default gateways from the 5.26 server. It points to its local router, that router points over the wan to your 2600, which has a default pointing to the PIX, PIX points out to Internet router outside...

Have you thought about enabling OSPF between your PIX and the 2600 WAN router?

Did you do a "clear xlate" after putting in your static?

-Eric

I can ping 5.26 from the Pix, I can also ping 1.1 from 5.26.
Yes, the remote client 61.2 is outside the Pix.
No, I am testing it from outside, through the Internet. If I use 192.168.1.25 as the target server, I have no problem connecting.

Coming from the server 5.26, it goes to the router at 5.1. This connects by T1 to the router at 192.168.1.2 which goes to the Pix at 1.1.

OSPF, no.


Yes, I did do clear xlate after entering the static command.

And you have verified that Terminal Services is running on 5.26?
Can you connect a term serv session from 1.x  to that server?

Yes, I do have term services running. I also have site to site VPN's working to the Pix and I can connect to the 5.26 server with Terminal Services through the VPN. I can also connect from my laptop to the server when I am in the 1.x location. Everything works fine on the inside and works through VPN's. Its just not working with opening the port.

Still looking for answers on this question. Does anyone have any comments?

The problem is 5.26 does not know how to reach the internet source Ip from where you are testing.

I assume that the other subnets are also terminated on this router( 192.168.1.2). In that case ensure that the default route for the other subnet routers is pointing to this router and 1.2 has a default route pointing to the pix.

Check the default gateway on the 5.26 box
Do a trace to the internet source IP from  5.26. It should hit your pix.

If your are using terminal services are you sure you opened up the right TCP port for the 5.26 NAT IP? (3389)

Thanks for replying, I was beginning to think no one was on-line anymore.  :-)
Here is a traceroute from the server at 5.26 to the Pix. The 255.9 is the serial IF of the router

Tracing route to 192.168.1.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.5.1
  2     4 ms     5 ms     4 ms  192.168.255.9
  3     4 ms     4 ms     4 ms  192.168.1.1

Trace complete.

The default gateway on 5.26 is 192.168.5.1

Yes, the acl shown above is cut and pasted right from the Pix. It is using 3389.

Yes, the other subnets are terminated on the router at 192.168.1.2

I am using EIGRP on all routers, so they all have the same route information.

Man, all I can tell you is that it works, as long as the routing is fine. If the pix can ping the host, it can create a static translation and port forward to it. It does not have to be a local host. I'd have to see your complete PIX config to make any more guesses as to why this does not work..

Thank you for replying. I do appreciate all assistance you and the others have given.
Here is the Pix config below. Please note the ip address of the static and the access-list name has changed since what I posted above. The static at xx.xx.232.204 works going to 192.168.1.25 using ssh. The other static for port 3389 has been changed to the 203 address and the acl is changed to bluebird, and it still times out

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password Ww0YZPh.iCQFGluP encrypted
passwd Ww0YZPh.iCQFGluP encrypted
hostname pix.133154-01
domain-name ewaldauto.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20
names
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.50.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.60.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.5.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.10.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list emiller permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.10.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.6.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.50.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list emiller permit ip 192.168.60.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list airport permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list airport permit ip 192.168.5.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list airport permit ip 192.168.10.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list racine permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list racine permit ip 192.168.5.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list racine permit ip 192.168.10.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list browndeer permit ip 192.168.1.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list browndeer permit ip 192.168.5.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list browndeer permit ip 192.168.10.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list bluebird permit tcp host xx.xx.255.8 host xx.xx.232.204 eq ssh
access-list bluebird permit tcp host xx.xx.61.2 host xx.xx.232.203 eq 3389
 
pager lines 24
interface ethernet0 100full
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside xx.xx.232.201 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool clients 192.168.200.100-192.168.200.119
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.232.202
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.232.204 192.168.1.25 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.232.203 192.168.5.26 netmask 255.255.255.255 0 0
access-group bluebird in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 xx.xx.232.193 1
route inside 10.138.88.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.50.0 255.255.255.0 192.168.1.2 1
route inside 192.168.60.0 255.255.255.0 192.168.1.2 1
route inside 192.168.100.0 255.255.255.0 192.168.1.10 1
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media

0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community black-hole
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map EAG 21 ipsec-isakmp
crypto map EAG 21 match address emiller
crypto map EAG 21 set peer xx.xx.255.8
crypto map EAG 21 set transform-set strong
crypto map EAG 22 ipsec-isakmp
crypto map EAG 22 match address racine
crypto map EAG 22 set peer xx.xx.116.70
crypto map EAG 22 set transform-set strong
crypto map EAG 23 ipsec-isakmp
crypto map EAG 23 match address airport
crypto map EAG 23 set peer xx.xx.116.154
crypto map EAG 23 set transform-set strong
crypto map EAG 24 ipsec-isakmp
crypto map EAG 24 match address browndeer
crypto map EAG 24 set peer xx.xx.116.176
crypto map EAG 24 set transform-set strong
crypto map EAG interface outside
isakmp enable outside
isakmp key ******** address xx.xx.255.8 netmask 255.255.255.255
isakmp key ******** address xx.xx.116.154 netmask 255.255.255.255
isakmp key ******** address xx.xx.116.70 netmask 255.255.255.255
isakmp key ******** address xx.xx.116.176 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh xx.xx.255.8 255.255.255.255 outside
ssh timeout 30
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto required
vpdn group 1 client configuration address local clients
vpdn group 1 client configuration dns 192.168.1.25
vpdn group 1 client configuration wins 192.168.1.25
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxxx password *********
vpdn username xxxxx password *********
vpdn enable outside
terminal width 80
Cryptochecksum:8a3aedba3712486570ff380bd171aa8e
: end

for lrmoore:
If this config looks vaguely familiar to you, its because you helped me with a VPN problem a couple of weeks ago. All of those crypto maps and VPN acl's are because of the assistance you gave me.

Thank You!

You need to have the following to allow inbound access from the internet

1. Route on your internet router for your public IPs pointing to the PIX outside interface.  -- To be confirmed. Check the subnet mask :-)

2. A static(inside,outside) for the inside IP of the resource being accessed.  -- Okay. Do a show local-h to confirm if it is being natted.

3. An acl outside to permit the inbound connection -- Okay
4. Route inside on the pix for the internal IP -- okay
5. Route outside on the pix for the internet IP -- Okay (Default route)

6. A route on the internal network for the internet IP pointing to the firewall. -- Do a trace from the 5.26 box to the internet IP, not the 192.168.1.1 IP. Check whether the default route is being distributed in your eigrp cloud.

Verify whether you are trying for the correct internet IP when testing. We have had situations where the nat ip was different from the IP we were testing from the internet. :-)

Thank you for your reply. I will have to check this out later this afternoon and get back to you. Got a busy day today.

One other issue to look at is that you have both conduit and acl
You can't have both. Suggest removing the conduit completely

     >access-group bluebird in interface outside
     >conduit permit icmp any any

> 1. Route on your internet router for your public IPs pointing to the PIX outside interface.  -- To be confirmed. Check the subnet mask :-)
Still attempting to confirm this.

2. A static(inside,outside) for the inside IP of the resource being accessed.  -- Okay. Do a show local-h to confirm if it is being natted.

local host: <192.168.5.26>, conn(s)/limit = 0/0, embryonic(s)/limit = 0/0
  AAA:
  Xlate(s):
    Global 69.11.232.203 Local 192.168.5.26
  Conn(s):

This appears to confirm the translation.

6. A route on the internal network for the internet IP pointing to the firewall. -- Do a trace from the 5.26 box to the internet IP, not the 192.168.1.1 IP. Check whether the default route is being distributed in your eigrp cloud.

By internet IP, do you mean the xx.xx.232.203 address? I'm not sure I understand this statement. Here is the result of:
sh ip route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

D EX 206.120.32.0/24 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
     xx.0.0.0/32 is subnetted, 1 subnets
S       xx.xx.232.203 [1/0] via 192.168.1.1
D    192.168.30.0/24 [90/2174976] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.60.0/24 [90/1766912] via 192.168.255.14, 5w2d, Serial1/1
S    192.168.8.0/24 [1/0] via 192.168.1.1
S    192.168.10.0/24 [1/0] via 192.168.1.10
     205.239.188.0/32 is subnetted, 1 subnets
D EX    205.239.188.11 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.4.0/24 [90/2172416] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.20.0/24 [90/1764352] via 192.168.255.2, 5w6d, Serial1/0
D    192.168.5.0/24 [90/2172416] via 192.168.255.10, 5w6d, Serial0/0
     198.208.187.0/32 is subnetted, 1 subnets
D EX    198.208.187.154 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
     10.0.0.0/24 is subnetted, 1 subnets
D       10.138.88.0 [90/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.6.0/24 [90/1764352] via 192.168.255.14, 5w2d, Serial1/1
     192.168.255.0/24 is variably subnetted, 5 subnets, 2 masks
C       192.168.255.4/30 is directly connected, Serial0/1.16
D       192.168.255.0/24
           [90/1766912] via 192.168.1.10, 04:37:56, FastEthernet0/0
C       192.168.255.0/30 is directly connected, Serial1/0
C       192.168.255.12/30 is directly connected, Serial1/1
C       192.168.255.8/30 is directly connected, Serial0/0
D    192.168.50.0/24 [90/2174976] via 192.168.255.10, 5w6d, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
D    192.168.2.0/24 [90/1764352] via 192.168.255.2, 5w6d, Serial1/0
     207.37.182.0/32 is subnetted, 4 subnets
D EX    207.37.182.30 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D EX    207.37.182.12 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D EX    207.37.182.11 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D EX    207.37.182.36 [170/2198016] via 192.168.255.6, 5w6d, Serial0/1.16
D    192.168.100.0/24 [90/2174976] via 192.168.1.10, 04:37:51, FastEthernet0
D    192.168.3.0/24 [90/2172416] via 192.168.255.6, 5w6d, Serial0/1.16
S*   0.0.0.0/0 [1/0] via 192.168.1.1

If I understand this process correctly, when a packet comes into the Pix outside interface (source xx.xx.255.8, dst xx.xx.232.203) the pix strips off the destination address and replaces it with the translated internal address, 192.168.5.26 and sends it to the internal router at 1.2. This router knows to send it to the network at 5.0. When the packet is sent back by 5.26 to xx.xx.255.8, is it again translated, or does it even matter if dst is xx.xx.255.8 and src is 192.168.5.26? Or is it translated to the outside interface xx.xx.232.201?

This stuff gives me a headache   :-)

lrmoore:

I removed the conduit statement, but it hasn't made any difference. It was put in there by the original vendor, I have no idea why it was included. I have notice it, but it didn't seem to be doing any harm, so I left it alone.

to fullerms:

I forgot to mention I tried to put in a static route for the 232.203 address. It didn't make any difference, so I removed it. But you will see it above in the ip route table.

>D    192.168.5.0/24 [90/2172416] via 192.168.255.10, 5w6d, Serial0/0

Can you provide sho ip route from that router that connects directly to the server in question
Can you provide C:\>route print  from the server itself?

This is from the router at 192.168.5.1:

Gateway of last resort is 192.168.255.9 to network 0.0.0.0

D EX 206.120.32.0/24 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.30.0/24 [90/2686976] via 192.168.255.9, 5w6d, Serial0
D    192.168.60.0/24 [90/2686976] via 192.168.255.9, 5w2d, Serial0
D EX 192.168.8.0/24 [170/2172416] via 192.168.255.9, 3w4d, Serial0
D EX 192.168.10.0/24 [170/2172416] via 192.168.255.9, 5w6d, Serial0
     205.239.188.0/32 is subnetted, 1 subnets
D EX    205.239.188.11 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.4.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
D    192.168.20.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
C    192.168.5.0/24 is directly connected, FastEthernet0
     198.208.187.0/32 is subnetted, 1 subnets
D EX    198.208.187.154 [170/2710016] via 192.168.255.9, 5w6d, Serial0
     10.0.0.0/24 is subnetted, 1 subnets
D       10.138.88.0 [90/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.6.0/24 [90/2684416] via 192.168.255.9, 5w2d, Serial0
     192.168.255.0/24 is variably subnetted, 5 subnets, 2 masks
D       192.168.255.4/30 [90/2681856] via 192.168.255.9, 5w6d, Serial0
D       192.168.255.0/24 [90/2686976] via 192.168.255.9, 13:44:38, Serial0
D       192.168.255.0/30 [90/2681856] via 192.168.255.9, 5w6d, Serial0
D       192.168.255.12/30 [90/2681856] via 192.168.255.9, 5w2d, Serial0
C       192.168.255.8/30 is directly connected, Serial0
D    192.168.50.0/24 [90/30720] via 192.168.5.10, 7w0d, FastEthernet0
D    192.168.1.0/24 [90/2172416] via 192.168.255.9, 5w6d, Serial0
D    192.168.2.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
     207.37.182.0/32 is subnetted, 4 subnets
D EX    207.37.182.30 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D EX    207.37.182.12 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D EX    207.37.182.11 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D EX    207.37.182.36 [170/2710016] via 192.168.255.9, 5w6d, Serial0
D    192.168.100.0/24 [90/2686976] via 192.168.255.9, 13:44:33, Serial0
D    192.168.3.0/24 [90/2684416] via 192.168.255.9, 5w6d, Serial0
S*   0.0.0.0/0 [1/0] via 192.168.255.9

And here is route print from the server at 192.168.5.26:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 02 b3 ea 6b 17 ...... Intel(R) PRO/1000 MT Network Connection
0x10004 ...00 02 b3 ea 6a d0 ...... Intel(R) PRO/100 Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.5.1     192.168.5.26     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.5.0    255.255.255.0     192.168.5.26     192.168.5.26     20
     192.168.5.26  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.5.255  255.255.255.255     192.168.5.26     192.168.5.26     20
        224.0.0.0        240.0.0.0     192.168.5.26     192.168.5.26     20
  255.255.255.255  255.255.255.255     192.168.5.26            10003      1
  255.255.255.255  255.255.255.255     192.168.5.26     192.168.5.26      1
Default Gateway:       192.168.5.1
===========================================================================
Persistent Routes:
  None

Dagnabbit....
Looks like all the pieces of the puzzle are in place.

>access-list bluebird permit tcp host xx.xx.61.2 host xx.xx.232.203 eq 3389
You have validated again the source IP in this ACL?

Hav you tried:
access-list bluebird permit tcp any host xx.xx.232.203 eq 3389
Then re-apply the acl
  access-group bluebird in interface outside

Hav you tried:
access-list bluebird permit tcp any host xx.xx.232.203 eq 3389
Then re-apply the acl
  access-group bluebird in interface outside

Just tried that, still get the same result. I removed the entire ACL and just used your example.


You have validated again the source IP in this ACL?
The vendor has assured me this is the correct ip. However, that is not an issue yet. I am testing this from my home network, so substitute xx.xx.255.8 for the other ip. I also set up the other static from 255.8 to a different server at 1.25 using ssh. This one works, so I know the statements are right.

access-list bluebird permit tcp host xx.xx.255.8 host xx.xx.232.204 eq ssh
access-list bluebird permit tcp host xx.xx.255.8 host xx.xx.232.203 eq 3389

I've been coming to the same conclusions myself. I suggested to the vendor we do a site to site VPN (I've got the hang of those things now!). If they are still reluctant to do that, I may have to consider upgrading the Pix. This is not something I am going to be able to do right away. I will have to wait until Monday to try the hard reboot, I will post the results of that and then close the question.

Thank you and fullerms for all of your assistance, it is appreciated.

I will try that later this afternoon and post the results.

Thanks

I've seem to have found a new problem.I am not able to ping an outside IP address from 5.26 or any other internal address. That did work last week. I shouldn't have to have anything in place to allow outgoing pings, but they don't seem to be getting out of the Pix.

Here is the trace to the 232.203 address. I added an icmp statement to the acl to allow this.

C:\>tracert xx.xx.232.203

Tracing route to 203.xxxxxxx.com [xx.xx.232.203]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.8.1
  2    11 ms    10 ms    11 ms  10.50.192.1
  3    10 ms     9 ms     9 ms  pos0-0.milwwignfl-rtr1.wi.rr.com [24.160.225.101]
  4    12 ms    11 ms    11 ms  so0-1-0.chcgilL3-rtr1.kc.rr.com [24.94.160.21]
  5    10 ms     9 ms    17 ms  pop1-chi-P7-0.atdn.net [66.185.136.109]
  6    12 ms    20 ms    11 ms  Sprint.atdn.net [66.185.150.218]
  7    12 ms    12 ms    11 ms  sl-bb22-chi-5-0.sprintlink.net [144.232.20.90]
  8    12 ms    28 ms    13 ms  sl-gw33-chi-9-0.sprintlink.net [144.232.26.22]
  9    15 ms    15 ms    15 ms  sl-tdste-3-0.sprintlink.net [160.81.225.142]
 10    69 ms    66 ms    75 ms  mdtnwialcor52-gi4-7.network.tds.net [64.50.226.221]
 11    64 ms    66 ms    66 ms  mdtnwialhed54-gi0-1.network.tds.net [64.50.226.206]
 12    66 ms    66 ms    69 ms  nwblwiedg02-a1-0-70090.network.tds.net [204.246.0.34]
 13    76 ms    70 ms    68 ms  nwblwiedg01-fa4-0.network.tds.net [xx.xx.239.4]
 14    86 ms    72 ms    71 ms  h69-11-233-18.69-11.unk.tds.net [xx.xx.233.18]
 15    77 ms    72 ms    72 ms  q.gmtcom.com [xx.xx.232.29]
 16   107 ms   113 ms    96 ms  gw.xxxxx.com [xx.xx.232.146]
 17    84 ms    76 ms    76 ms  203.xxxxx.com [xx.xx.232.203]
 18    82 ms    86 ms    81 ms  203.xxxxx.com [xx.xx.232.203]
 19    94 ms    82 ms    92 ms  203.xxxxx.com [xx.xx.232.203]

Trace complete.

Even though I can now ping the 203 address, Remote Desktop still does not work.

Fixed ping problem. Since adding the acl to support these static translations, icmp stopped working. I added appropriate statements to the acl to allow ping.

I can successfully ping and traceroute to any internet address from the 5.26 server

The vendor and I have decided to give up on resolving this issue. We set up a site to site VPN this morning and everything is working fine. Thanks to both of you for your assistance. I decided to split the points equally between you for all of the responses you provided me.