Cannot connect to Terminal Services with Cisco 1721 Router
manthax asked:
Hello experts!
I cannot connect to any of 3 Windows Terminal Servers. However, unfortunately I am not familiar with Cisco routers.
I do have the passwords and I can log in; after some research I figured out how to show the router configuration. The router was installed and configured by our ISP. I have not made any changes to the configuration. Can someone help me figure it out? I have used a.b.c.d for the external IP address. Sorry for the long post!
Thanks,
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++++ +++++
frame-relay interface-dlci 16
!
ip nat pool a.b.c.d a.b.c.d netmask 255.255.255.248
ip nat inside source list 1 pool overload
ip nat inside source static 172.16.1.3 a.b.c.d extendable
ip nat inside source static 172.16.1.7 a.b.c.d extendable
ip nat inside source static 172.16.1.11 a.b.c.d extendable
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.d
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq telnet
access-list 100 permit gre any any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any
access-list 100 permit tcp any any eq 8025
access-list 100 permit udp any any eq 3389
access-list 100 permit udp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 80
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 deny tcp any any eq 139
access-list 102 deny tcp any any eq finger
access-list 102 remark block all netbios to the internet
access-list 102 permit ip any any
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++++ +++++
It depends on what terminal program you are using to do this with. If you are connected with a serial port cable, you are probably using HyperTerminal and you can just highlight the above, click Edit and Copy, then click Edit and Paste in HyperTerminal. If you are using a terminal command through a DOS window, copy the above like before, then just right-click in the terminal window. You may want to look into getting a better program though, like PuTTY (for telnet) or TeraTerm (telnet and serial port).
Good luck
ASKER
Hi:
So far I have tried the first two options:
access-list 100 permit tcp any host 172.16.1.3 eq 3389, and access-list 100 permit tcp any any eq 3389, but I still cannot connect...
I noticed under IP NAT pool that there are two external IPs. However, none of them are mapped to either terminal server. For example:
ip nat pool SBC a.b.c.97 a.b.c.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable
Could that be the problem?
Also, I was using telnet and tried to copy and paste (3rd option) like you suggested, and I lost the connection to the router, that's why I asked if there was a proper way of copy-paste. I don't know what I am doing!
So I drove down to the office (15 minutes from home) and checked it out. Everything seems to be alright (I am writing this post from work!)... But I cannot connect to any TS :-(
Anything else I should try?
Thanks for all your help and time! I appreciate it.
JC
Hello,
For starters, you already have the terminal services entries in your configuration. Are you able to terminal services to the servers locally? I do not see any reason to believe the router is causing the problem from the little bit of information provided.
Please post the access-group line and the interfaces they are applied to.
Thanks,
Dan
ASKER
Hi Dan,
I am able to connect to the terminal servers from within the LAN. I was able to connect to them before we switched to the Cisco router.
Is information missing from the access-list I posted in my original post?
Please advise.
Thanks,
JC
What are the internal IP addresses of your servers.
If they are not
172.16.1.3
172.16.1.7
or 172.16.1.11
then yes, you are right about the external IP address mapping. Since it was not listed, I kind of assumed that those were their internal servers.
Let me know...
Thanks,
Daniel
ASKER
Daniel,
You are right, those are the IP's of the terminal servers. I am sorry for the confusion.
Thank you for your patience!
The earlier suggestion to remove specific lines from your access list was incorrect. With a numbered access list, if you say no access-list 100 blah blah, then the router removes the ENTIRE access list. Then when you added the new lines, your access list consisted of ONLY the new lines, with an implicit deny all at the end. So as soon as you added the first line, you automatically denied telnet in and you lost your connection.
You need to do the following:
1. copy your entire access list into notepad and edit it how you want it.
2. On the interface, type
no ip access-group 100 in
This will make sure it isn't being used.
3. now type
no access-list 100
4. now paste in the new access list
5. Now go back to the interface and type
ip access-group 100 in
I would suggest that if you didn't save the changes you made, that you reboot the router to put it back how it was originally. You probably have people complaining about their internet access.
Now that said, the lines
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any
are useless because this is an inbound list (I think- as earlier stated, you need to show us your interface config so we can see how it was applied). Those lines are allowing OUTSIDE servers with those private addresses into your network. This line
access-list 100 permit tcp any any eq 3389
should be all you need.
The above last comment is incorrect. You did not delete your entire access list. If you type:
no access-list 100 - It will erase all of the entries, but if you type:
no access-list 100 permit tcp host 172.16.1.3 eq 3389 any - It will only delete that line of the access list.
I wanted to make sure you understand that if you are going to learn anything about Cisco, because that becomes very important. If it was not that way, every time you needed to change an access-list you would have to recreate the whole thing, and you don't have to recreate the whole thing all the time.
I agree with mikebernhardt that all I would use is the access-list 100 permit tcp any any eq 3389. Can you post the rest of your config for us like he said?
Looking it over further, you need to change the inside commands to outside. It should read:
ip nat outside source static a.b.c.100 172.16.1.3
That command tells it to translate anything hitting that external IP address to the internal IP address stated. The way you have it now, whenever those servers send information to the internet, the router masks their IP address as the specified IP address in the NAT... So 1.3 always goes to the internet as c.100....
Good luck
ASKER
Guys,
Thank you so much for all your help in this matter. When you asked me to post the rest of the configuration, how do I do that? I thought that "sh run" was all I needed? I am sorry for the dumb question, but I just want to make sure I send you the right information the first time, so that I don't waste your time.
Thanks,
John C
No problem.
Show run is what you need, but we want to get some other parts that do not seem to be listed. Are you saying that the config you listed is everything? Try what I told you about the changing of the nat command.
ASKER
The config that I've listed is everything (as far as "sh run" goes!), but if there are any other commands that I should use, please let me know.
I will try to change the NAT command as you suggested. Do you think it would be easier if I post the real IP addresses?
Thanks Again,
What we need is the configuration before
frame-relay interface-dlci 16
ASKER
OK. Here it is. Thanks!
++++++++++++++++++++++++++ ++++++++++ +++++++++
Building configuration...
Current configuration : 4281 bytes
!
! Last configuration change at 22:15:15 UTC Sat Oct 2 2004
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password 7 05180B0C1E4940081B0912
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip inspect dns-timeout 30
ip inspect name myfw cuseeme
ip inspect name myfw rcmd
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw tftp
ip inspect name myfw smtp
ip inspect name myfw realaudio
ip inspect name myfw h323
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
!
ip audit notify log
ip audit po max-events 100
ip name-server a.b.c.179
ip name-server a.b.c.198
no ftp-server write-enable
!
!
!
interface FastEthernet0
description << Local Lan Network >>
ip address 172.16.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
speed auto
no cdp enable
!
interface Serial0
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
description << Link to SBCIS ckt HCGM 003125 T1 >>
ip address a.b.c.50 255.255.255.252
ip access-group 100 in
ip nat outside
ip inspect myfw out
frame-relay interface-dlci 16
!
ip nat pool SBC a.b.c.97 a.b.c.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.49
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq telnet
access-list 100 permit gre any any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp a.b.c.0 0.0.0.255 any eq telnet
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any
access-list 100 permit tcp any any eq 8025
access-list 100 permit udp any any eq 3389
access-list 100 permit udp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 80
access-list 100 permit tcp any host 172.16.1.3 eq 3389
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 deny tcp any any eq 139
access-list 102 deny tcp any any eq finger
access-list 102 remark block all netbios to the internet
access-list 102 permit ip any any
!
line con 0
line aux 0
line vty 0 4
password 7 0832414D360D001B1C0E18
login
!
ntp clock-period 17179844
ntp server 207.55.146.54
ntp server 128.10.252.10
!
end
++++++++++++++++++++++++++ ++++++++++ +++++++++
Just checking: Your config has this
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable
This means that to get to terminal services, you have to go to a.b.c.100, a.b.c.99 or a.b.c.101. Is that what you're trying to do? If you go to a.b.c.50 it won't work.
ASKER
GreatWhiteOne,
Config t
ip nat outside source static a.b.c.100 172.16.1.3. As soon as I did this, I received the following error message on my workstation: "The system detected an address conflict for IP address 172.16.1.3 with the system having network hardware address 00.0E:84B7:48:F8. Network operations on this system may be disrupted as a result." The MAC address (00.0E:84B7:48:F8) is the MAC address of the Cisco router!
I went back to the Cisco config t and reloaded without saving any changes. I don't understand. It must be something I did wrong!
It's because that IP address is "used" by the NAT translation entry in my last post.
ASKER
mikebernhardt,
Yes, that is exactly what I am trying to do. I have tried .100, .99 and .101. I had the feeling that using .50 would not work, but I tried it anyway. If I ping those addresses, I get a reply. However, no cigar!
Thank you for your time.
JC
Static translation works both ways. What you had initially was correct. You are translating your inside private address to an outside public address, not the other way. And I'm sorry, but GreatWhiteOne is wrong about access lists. A NAMED access list works as he said. A NUMBERED access list, which you are using, works as I said.
A correction to my last post. The reason it is used is because although you changed your translation statement, the router still cached the old one. You need to "clear ip nat translation" after the change.
Try the following as an experiment:
interface Serial0.1 point-to-point
no ip inspect myfw out
Then see if it works. Also, add the following line
access-list 100 permit tcp any any established
ASKER
Hi mikebernhardt,
The first statement
"interface Serial0.1 point-to-point
no ip inspect myfw out"
I have to do this at the interface level? config t > interface Serial0.1 point-to-point? Is that correct?
Thanks,
Yes. I'm wondering if the ip inspect is causing your problem. You stated that you can ping the outside address of your server. This indicates that NAT is working, so something must be blocking the terminal services traffic.
Actually, you don't need to type
interface Serial0.1 point-to-point
no ip inspect myfw out
You can type
interface Serial0.1
no ip inspect myfw out
I'm pretty convinced at this point that this is your problem. Let me know. I think you would need to make it " ip inspect myfw in."
ASKER
Hi:
This is what I did:
config t
interface Serial0.1
no ip inspect myfw out
^Z
All the workstations and servers on the LAN lost Internet connection. I had to reload once again, without saving changes. Internet connection is back to normal. We do have a software proxy (this is a product that we are testing) on the network with an IP address of 172.16.1.2. There are 36 workstations that receive their IP address from a W2K DHCP server that assigns the default gateways in the following order: 172.16.1.2 (Proxy), and 172.16.1.1 (Cisco Router).
The terminal servers have static IPs and their default gateway is the Cisco Router. Which I prefer, over the software proxy. Do you think this setup may be the problem?
Thanks,
JC
I read up more on CBAC (the IP inspect stuff) and I no longer think that's the problem.
Try changing this
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable
to this
ip nat inside source static tcp 172.16.1.3 3389 a.b.c.100 3389
ip nat inside source static tcp 172.16.1.7 3389 a.b.c.99 3389
ip nat inside source static tcp 172.16.1.11 3389 a.b.c.101 3389
Then type "clear ip nat translation" after you've left config mode. Note that this will limit those servers' NAT, so that only port 3389 will be available on those outside IP addresses. You won't be able to access them on other ports from the outside. This shouldn't help, but maybe it will. I can't see that anything else is wrong.
If that doesn't help, I have to wonder if you've hit a software bug or something. Please give us the output of "show version" so we can see what version of software the router is running. Also, try the following:
1. Try to access TS from wherever you usually do it.
2. Immediately after it fails, type "show access-list 100" on the router and post the output here.
By the way, your access list 100 is permitting a lot of traffic to come into your network that you probably don't want. For example, anyone can telnet to your router and into your network. Anyone can access any web servers you may have. And anyone using a source address of 172.16.1.x can get in- and those could only be spoofed addresses if they're coming from outside. Several lines are redundant and unnecessary. You may want to tighten that up for security's sake, though it has nothing to do with your TS problem. But that's a whole other question.
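To make the access-list points above concrete, here is an added example (written for this page, not code from the thread or from Cisco): a small first-match evaluator for IOS numbered extended ACLs, run against an excerpt of the posted access-list 100 and against a tightened replacement. It shows that `permit ip 172.16.1.0 0.0.0.255 any` admits a packet with a spoofed LAN source, that Internet telnet is permitted, and that the `host 172.16.1.x eq 3389` source entries and the trailing `permit tcp any host 172.16.1.3 eq 3389` entry never match legitimate inbound RDP, because the inbound list on Serial0.1 is evaluated before NAT and the packet still carries the public destination. Assumptions: 198.51.100.0/24 stands in for the ISP's a.b.c prefix, 203.0.113.5 is a hypothetical remote admin workstation, the test packets are constructed, and only contiguous wildcard masks are modelled.

```python
# Added example (not from the thread): first-match evaluator for Cisco IOS numbered
# extended ACLs. 198.51.100.x stands in for a.b.c.x; 203.0.113.5 is a hypothetical admin host.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53, "pop3": 110, "ntp": 123}

@dataclass(frozen=True)
class Packet:
    proto: str                 # tcp, udp, icmp, gre, ipinip, ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # echo, echo-reply, unreachable, ...
    established: bool = False  # ACK or RST set, which is what 'established' tests

def _network(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (IPv4Network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF   # wildcard -> netmask
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard %s is not modelled" % tok[i + 1])
    return ipaddress.ip_network("%s/%d" % (tok[i], prefix), strict=False), i + 2

def _port(tok, i):
    """Optional 'eq PORT' qualifier (keyword or number); return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Entries in listed order; blank lines and 'remark' entries are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _network(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _network(tok, i)
        dport, i = _port(tok, i)
        aces.append({"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "extras": tok[i:], "text": raw.strip()})
    return aces

def _matches(a, p):
    if a["proto"] not in ("ip", p.proto):
        return False
    if ipaddress.ip_address(p.src) not in a["src"] or ipaddress.ip_address(p.dst) not in a["dst"]:
        return False
    if a["sport"] not in (None, p.sport) or a["dport"] not in (None, p.dport):
        return False
    for flag in a["extras"]:                  # trailing qualifiers
        if flag == "established" and not p.established:
            return False
        if a["proto"] == "icmp" and flag != p.icmp_type:
            return False                      # ICMP type keyword such as 'echo'
    return True

def evaluate(acl_text, p):
    """First matching entry wins; anything unmatched falls to the implicit deny."""
    for ace in parse_acl(acl_text):
        if _matches(ace, p):
            return ace["action"], ace["text"]
    return "deny", "<implicit deny>"

# Excerpt of access-list 100 as posted, order preserved, applied 'in' on Serial0.1.
# IOS evaluates this list before NAT, so inbound packets still carry the public destination.
ACL_100_AS_POSTED = """
access-list 100 permit icmp any any echo
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq telnet
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any host 172.16.1.3 eq 3389
"""

# Tightened replacement (added here, not from the thread): anti-spoofing first, RDP only
# from the admin host to the three translated public addresses, everything else implicit deny.
ACL_100_TIGHTENED = """
access-list 100 deny ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp host 203.0.113.5 host 198.51.100.100 eq 3389
access-list 100 permit tcp host 203.0.113.5 host 198.51.100.99 eq 3389
access-list 100 permit tcp host 203.0.113.5 host 198.51.100.101 eq 3389
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
"""

# Constructed packets as they arrive on the outside interface
RDP_FROM_ADMIN = Packet("tcp", "203.0.113.5", "198.51.100.100", 50123, 3389)
RDP_FROM_STRANGER = Packet("tcp", "203.0.113.77", "198.51.100.100", 40001, 3389)
SPOOFED_LAN_SOURCE = Packet("udp", "172.16.1.50", "198.51.100.100", 4444, 5000)
TELNET_TO_ROUTER = Packet("tcp", "203.0.113.77", "198.51.100.50", 40000, 23)
```

Run `evaluate(ACL_100_AS_POSTED, SPOOFED_LAN_SOURCE)` and the posted list returns the `permit ip 172.16.1.0 0.0.0.255 any` entry; the tightened list denies it on its first line while still admitting the admin's RDP session. Return traffic for sessions the LAN opens outbound is admitted by the `ip inspect myfw out` entries on the same interface (CBAC creates temporary openings in the inbound list for inspected sessions), so the tightened list needs no broad `permit tcp any any established`; the evaluator models only the static entries, not those dynamic openings.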
Try changing this
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable
to this
ip nat inside source static tcp 172.16.1.3 3389 a.b.c.100 3389
ip nat inside source static tcp 172.16.1.7 3389 a.b.c.99 3389
ip nat inside source static tcp 172.16.1.11 3389 a.b.c.101 3389
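An added example (not from the thread, and not mikebernhardt's code) that turns the access-list review above into a repeatable check: a small Python audit of "show access-list" output that flags the points raised, namely telnet and web open from any source, a private source network on the inbound list (only spoofed packets can carry it from outside), and entries made redundant by an earlier broader permit. It assumes the list is applied inbound on the outside interface and uses 203.0.113.x in place of the masked a.b.c prefix.

```python
"""Audit an IOS extended ACL from "show access-list" output.

Added example, not from the thread: parses the numbered (configured) entries, skips the
dynamic ip-inspect entries that carry no sequence number, and reports the issues raised
above for an ACL applied inbound on the outside interface.
"""
import re
from ipaddress import ip_network

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53, "smtp": 25, "pop3": 110, "ntp": 123}
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    mask = ".".join(str(255 - int(o)) for o in tok[i + 1].split("."))  # wildcard -> netmask
    return ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional 'eq <port>' qualifier; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else p), i + 2
    return None, i


def parse_entry(line):
    """Return a dict for one access-list entry, or None for any other line."""
    tok = re.sub(r"\s*\(\d+ matches\)\s*$", "", line).split()
    seq = None
    if tok and tok[0].isdigit():
        seq, tok = int(tok[0]), tok[1:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return {"seq": seq, "action": tok[0], "proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in tok[i:]}


def covers(a, b):
    """True if entry a matches every packet entry b matches, so b is redundant."""
    return (a["action"] == b["action"] and a["proto"] in ("ip", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["sport"] in (None, b["sport"]) and a["dport"] in (None, b["dport"])
            and not a["established"])


def audit(acl_text):
    """Return (seq, finding) pairs for the configured entries of the ACL."""
    entries = [e for e in map(parse_entry, acl_text.splitlines()) if e and e["seq"] is not None]
    findings = []
    for n, e in enumerate(entries):
        if e["action"] != "permit":
            continue
        if e["proto"] == "tcp" and e["src"] == ANY and e["dport"] == 23:
            findings.append((e["seq"], "telnet reachable from any source"))
        if e["proto"] == "tcp" and e["src"] == ANY and e["dport"] == 80:
            findings.append((e["seq"], "web reachable from any source"))
        if any(e["src"].subnet_of(p) for p in RFC1918):
            findings.append((e["seq"], "private source on inbound ACL is spoofable"))
        for prev in entries[:n]:                       # first broader earlier permit wins
            if covers(prev, e):
                findings.append((e["seq"], f"shadowed by entry {prev['seq']}"))
                break
    return findings


# Constructed sample from the thread's list, 203.0.113.x replacing the masked a.b.c prefix.
SAMPLE_ACL = """\
Extended IP access list 100
    permit tcp host 203.0.113.139 eq www host 203.0.113.98 eq 1830 (50 matches)
    10 permit ipinip any any
    20 permit icmp any any echo (31878 matches)
    90 permit tcp any any eq www (2348 matches)
    110 permit tcp any any eq smtp (20538 matches)
    150 permit tcp any any eq telnet (2538 matches)
    170 permit ip 172.16.1.0 0.0.0.255 any
    180 permit tcp 203.0.113.0 0.0.0.255 any eq telnet
    190 permit tcp host 172.16.1.3 eq 3389 any
    200 permit tcp host 172.16.1.7 eq 3389 any
    250 permit tcp any any eq 3389 (51 matches)
    260 permit udp any any eq 80
    270 permit tcp any any established (40630 matches)
"""

if __name__ == "__main__":
    for seq, finding in audit(SAMPLE_ACL):
        print(f"entry {seq}: {finding}")
```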
ASKER
Hi mikebernhardt,
I added the statements as you suggested. I noticed that the new statements were appended to the bottom of the list. Is that how it is supposed to be?
After I left config mode (back to #) I typed "clear ip nat translation" and received an "Incomplete command". I know it must be something I did!...
I would like to tighten the security on the router. We are a small shop, and do not have any web or email servers in our LAN (everything is hosted by third party providers). However, I find it very scary that anyone using a source address of 172.16.1 can get in, but like you said, "that's a whole other question". I am going to try and connect to TS, and I will let you know the results.
I am also pasting the router version for your review (I sound like a Cisco expert ;-)). Thanks a million for all your help!
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 25-Nov-03 11:18 by kellythw
Image text-base: 0x80008120, data-base: 0x80F7CAF4
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
Router uptime is 19 hours, 53 minutes
System returned to ROM by reload at 21:45:44 UTC Mon Oct 4 2004
System restarted at 21:47:39 UTC Mon Oct 4 2004
System image file is "flash:c1700-advsecurityk9-mz.123-5a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 1721 (MPC860P) processor (revision 0x300) with 56945K/8591K bytes of memory.
Processor board ID FOC08021416 (2859757696), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++
ASKER
mikebernhardt,
I just tried it. and it did not work. Do you think it would be easier if I sent you the access-list 100 to your email? I am not sure if I should post the real outside IPs on this forum. Please let me know.
Thanks,
JC
Sorry, my bad. Type "clear ip nat translation *" and then try again.
So here's what I'm looking for in the access list... If you compare the configured access list 100 with the output of "show access-list 100" you should see a lot of extra stuff in the latter after the last configured line. This is placed there dynamically by the ip inspect function. What I want to see specifically is anything placed there that relates to your terminal services. So anything that has "3389" in it, after the configured stuff. You may have a lot to sort through, I don't know. You can mask the outside IPs for the lines you post here.
ASKER
I just tried that command "clear ip nat translation *", and received this message:
Router>clear ip nat translation *
^
% Invalid input detected at '^' marker. ?? It must be me!...
Also, this is the access-list 100. I've decided to go ahead and give you the whole list. I did not see a lot of references to "3389" except for the part at the bottom that reads:
"250 permit tcp any any eq 3389 (51 matches)"
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++
Extended IP access list 100
permit tcp host a.b.c.139 eq www host a.b.c.98 eq 1830 (50 matches)
permit tcp host a.b.c.139 eq www host a.b.c.98 eq 1829 (41 matches)
permit udp host a.b.c.179 eq domain host a.b.c.100 eq 1101 (21 matches)
permit tcp host a.b.c.209 eq www host a.b.c.98 eq 2163 (64 matches)
permit tcp host a.b.c.209 eq www host a.b.c.98 eq 2162 (79 matches)
permit tcp host a.b.c.51 eq 1863 host a.b.c.98 eq 1313 (18 matches)
permit tcp host a.b.c.94 eq www host a.b.c.98 eq 1323 (8 matches)
permit tcp host a.b.c.39 eq 1863 host a.b.c.98 eq 3998 (141 matches)
permit tcp host a.b.c.170 eq www host a.b.c.98 eq 1899 (117 matches)
permit tcp host a.b.c.170 eq www host a.b.c.98 eq 1898 (121 matches)
permit tcp host a.b.c.139 eq 1494 host a.b.c.98 eq 2643 (16892 matches)
permit tcp host a.b.c.118 eq www host a.b.c.98 eq 1322 (6 matches)
permit tcp host a.b.c.45 eq www host a.b.c.98 eq 2099 (21 matches)
permit tcp host a.b.c.54 eq www host a.b.c.98 eq 1321 (5 matches)
permit tcp host a.b.c.178 eq www host a.b.c.98 eq 1343 (4 matches)
permit tcp host a.b.c.175 eq www host a.b.c.98 eq 1901 (5 matches)
permit tcp host a.b.c.206 eq www host a.b.c.98 eq 1331 (10 matches)
permit tcp host a.b.c.206 eq www host a.b.c.98 eq 1327 (78 matches)
permit tcp host a.b.c.6 eq 443 host a.b.c.98 eq 1347 (31 matches)
permit tcp host a.b.c.6 eq 443 host a.b.c.98 eq 1337 (81 matches)
permit tcp host a.b.c.98 eq 443 host a.b.c.98 eq 4008 (12 matches)
permit tcp host a.b.c.32 eq 6350 host a.b.c.98 eq 1839 (10121 matches)
10 permit ipinip any any
20 permit icmp any any echo (31878 matches)
30 permit icmp any any echo-reply
40 permit icmp any any packet-too-big
50 permit icmp any any time-exceeded (9616 matches)
60 permit icmp any any traceroute
70 permit icmp any any unreachable
80 permit udp any any eq ntp (1578 matches)
90 permit tcp any any eq www (2348 matches)
100 permit udp any any eq domain (63 matches)
110 permit tcp any any eq smtp (20538 matches)
120 permit tcp any any eq pop3
130 permit tcp any any eq 7070
140 permit tcp any any eq 443 (8446 matches)
150 permit tcp any any eq telnet (2538 matches)
160 permit gre any any
170 permit ip 172.16.1.0 0.0.0.255 any
180 permit tcp a.b.c.0 0.0.0.255 any eq telnet
190 permit tcp host 172.16.1.3 eq 3389 any
200 permit tcp host 172.16.1.7 eq 3389 any
210 permit tcp host 172.16.1.9 eq 3389 any
220 permit tcp any any eq 8025
230 permit udp any any eq 3389
240 permit udp any any eq 25
250 permit tcp any any eq 3389 (51 matches)
260 permit udp any any eq 80
270 permit tcp any any established (40630 matches)
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++
Thank you!
You can't clear the translations because you're not in enable mode. Did you try using Terminal Services just before typing "show access-list 100?"
ASKER
That's what I thought!.. Yes, I did try using Terminal Services before typing "show access-list".
ASKER
FYI:
I went to the router and executed the command "clear ip nat translation *", and this time the router did not bark at me with an error message.
I've also tried again to TS, but no luck yet...
I have two silly questions for you, but I am stretching because I cannot think of much else...
Where are you trying to connect to the terminal servers from?
Can you verify that your TS have the router as their default Gateway, and that there are NO other gateways configured. Use the command prompt...
ipconfig /all
Please post the output.
ASKER
I am trying to connect to those servers from my home. I am connected to a cable modem, and I am using a Cisco Soho 91 router. I have a terminal server at home and I can connect to it from this office!.
At the office we have a T1 and we also have a DSL line that is not being used for anything right now, except for me to troubleshoot this problem!
All the servers are hard coded; their IPs are:
172.16.1.3, 172.16.1.7, 172.16.1.11 subnet mask 255.255.255.0, and their default gateway is the Cisco router 172.16.1.1.
I was able to TS to those servers before we switched to the Cisco router, the only difference is that now we are using a private block of IPs instead of public IPs....
CMD Output:
++++++++++++++++++++++++++ ++++++++
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : DC1
Primary DNS Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . .
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-4D-F6-97
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :172.16.1.1
DNS Servers . . . . . . . . . . . : 172.16.1.5
172.16.1.3
++++++++++++++++++++++++++ ++++++++
Thanks,
JC
OK. In the access list you posted, we are seeing that traffic is coming in to port 3389. You can see that 51 packets came in on the line preceded by "250". The next step is to see if NAT is working correctly. So in config mode, type
access-list 25 permit host [your host address]
access-list 25 permit host [the TS public address]
access-list 25 permit host [the TS private address]
debug ip nat 25 detailed
Also type
terminal monitor
If your terminal software supports it, dump the session to a text file. Now, try to TS into one of the servers. Then type "u all" to turn off debug. It will probably lag for a little bit. Now go through and look for every line that references either the inside or outside address of the TS server, and post the output here. I want to see if NAT is working correctly both ways.
Then, in config mode again, type
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any eq 3389 any
in enable mode, type
debug ip packet 111 detail
Again, capture the data to a text file and try to use TS. Post the output here. when this is all done you can just delete the access lists with
no access-list 25
no access-list 111
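An added example, not from the thread and not mikebernhardt's code, of the "working correctly both ways" check described above: it parses "debug ip nat detailed" output of the format shown in this thread and verifies that packets arriving for the TS public address on 3389 are mapped to the private address and that the server's replies are mapped back to the public address. The sample log is constructed from the thread's output with 203.0.113.x standing in for the masked a.b.c prefix.

```python
"""Check "debug ip nat detailed" output for a static 3389 mapping working both ways.

Added example, not from the thread. Each packet line ("NAT: o: tcp (src, port) ->
(dst, port) [id]") is paired with the translation line carrying the same IP id
("NAT: s=..., d=global->inside [id]"); "o:" is outside-to-inside, "i:" inside-to-outside.
"""
import re
from collections import namedtuple

PKT = re.compile(r"NAT\*?: ([io]): (\w+) \(([\d.]+), (\d+)\) -> \(([\d.]+), (\d+)\) \[(\d+)\]")
XLATE = re.compile(r"NAT\*?: s=([\d.]+)(?:->([\d.]+))?, d=([\d.]+)(?:->([\d.]+))? \[(\d+)\]")
ALLOC = re.compile(r"Allocated Port for ([\d.]+) -> ([\d.]+): wanted (\d+) got (\d+)")

Flow = namedtuple("Flow", "direction proto src sport dst dport s_from s_to d_from d_to")


def parse_nat_debug(text):
    """Return (flows, port allocations); a flow is a packet line joined with its translation."""
    pending, flows, allocs = {}, [], []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            pending[m.group(7)] = m.groups()[:6]   # keyed on the IP identification field
            continue
        m = XLATE.search(line)
        if m and m.group(5) in pending:
            d, proto, src, sport, dst, dport = pending.pop(m.group(5))
            flows.append(Flow(d, proto, src, int(sport), dst, int(dport), *m.groups()[:4]))
            continue
        m = ALLOC.search(line)
        if m:
            allocs.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return flows, allocs


def check_static_nat(text, inside, global_addr, port):
    """Count inbound packets mapped global->inside and replies mapped inside->global."""
    flows, allocs = parse_nat_debug(text)
    inbound = outbound = 0
    errors = []
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.direction == "o" and f.dst == global_addr and f.dport == port:
            if (f.d_from, f.d_to) == (global_addr, inside):
                inbound += 1
            else:
                errors.append(f"packet to {f.dst}:{f.dport} translated to {f.d_to}")
        elif f.direction == "i" and f.src == inside and f.sport == port:
            if (f.s_from, f.s_to) == (inside, global_addr):
                outbound += 1
            else:
                errors.append(f"reply from {f.src}:{f.sport} translated to {f.s_to}")
    for local, glob, wanted, got in allocs:     # a port rewrite means the mapping is not 1:1
        if local == inside and glob == global_addr and wanted != got:
            errors.append(f"port {wanted} rewritten to {got} for {local}")
    return {"inbound": inbound, "outbound": outbound, "errors": errors,
            "both_ways": inbound > 0 and outbound > 0 and not errors}


# Constructed sample in the thread's format, 203.0.113.x replacing the masked a.b.c prefix.
NAT_DEBUG_LOG = """\
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (203.0.113.179, 53) [27392]
1d22h: NAT: s=172.16.1.3->203.0.113.100, d=203.0.113.179 [27392]
1d22h: NAT: o: udp (203.0.113.179, 53) -> (203.0.113.100, 1101) [34278]
1d22h: NAT: s=203.0.113.179, d=203.0.113.100->172.16.1.3 [34278]
1d22h: NAT: creating portlist proto 6 globaladdr 203.0.113.100
1d22h: NAT: Allocated Port for 172.16.1.3 -> 203.0.113.100: wanted 3389 got 3389
1d22h: NAT: o: tcp (203.0.113.219, 1249) -> (203.0.113.100, 3389) [4415]
1d22h: NAT: s=203.0.113.219, d=203.0.113.100->172.16.1.3 [4415]
1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (203.0.113.219, 1249) [28818]
1d22h: NAT: s=172.16.1.3->203.0.113.100, d=203.0.113.219 [28818]
1d22h: NAT: o: tcp (203.0.113.219, 1249) -> (203.0.113.100, 3389) [4416]
1d22h: NAT: s=203.0.113.219, d=203.0.113.100->172.16.1.3 [4416]
1d22h: NAT*: i: tcp (172.16.1.3, 3389) -> (203.0.113.219, 1249) [28918]
1d22h: NAT*: s=172.16.1.3->203.0.113.100, d=203.0.113.219 [28918]
"""

if __name__ == "__main__":
    print(check_static_nat(NAT_DEBUG_LOG, "172.16.1.3", "203.0.113.100", 3389))
```

A result with both counts above zero and no errors shows the router translating the 3389 exchange correctly in both directions, which moves the search for the fault away from NAT.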
ASKER
Hi:
I am sorry, but I am confused about this:
access-list 25 permit host [your host address] I am not sure about what goes here?
access-list 25 permit host [the TS public address] a.b.c.100
access-list 25 permit host [the TS private address] 172.16.1.3
May be the fact that I am on my first cup of coffee...
Please advise. Thanks
Ah, sorry. [your host address] should be the public address that you are using when you are trying to access the TS from outside.
ASKER
OK. So it should look like this?
access-list 25 permit host [the TS public address] a.b.c.100
access-list 25 permit host [the TS private address] 172.16.1.3
Instead of:
access-list 25 permit host a.b.c.100
access-list 25 permit host [the TS public address] a.b.c.100
access-list 25 permit host [the TS private address] 172.16.1.3
So, it should be two statements instead of three?
Pardon my ignorance.
No, it should be all three. I want to watch NAT traffic that is going to your outside address, going to the TS private address, and the TS public address.
ASKER
OK. I think I've got it. However, because I don't know what I am doing, I am afraid that if I just look for the references that point to the address of the TS, I may delete information that you may need. Should I just post the whole thing?
Problem is, one of my servers just crashed due to hard drive failure. So I need to work on that server for the rest of the afternoon, and no it's not one of the terminal servers ;-)
Please let me know. I can't believe that you actually trust me to do these things!
Even if this thing does not work, I feel that I am learning a great deal.
Thanks again.
John C.
ASKER
Ok. I think this is it.
debug ip nat 25 detailed and debug ip packet 111 detail:
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27392]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27392]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [34278]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [34278]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27394]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27394]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [34528]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [34528]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27400]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27400]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35191]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35191]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27402]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27402]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35251]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35251]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27404]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27404]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35435]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35435]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27406]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27406]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35467]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35467]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27408]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27408]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35500]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35500]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27410]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27410]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35525]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35525]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27412]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27412]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35549]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35549]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27414]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27414]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35584]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35584]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27416]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27416]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35807]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35807]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27434]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27434]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36179]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36179]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27436]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27436]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36199]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36199]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27549]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27549]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36699]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36699]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27557]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27557]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36911]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36911]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27559]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27559]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36957]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36957]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27561]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27561]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37062]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37062]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27564]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27564]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37384]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37384]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27566]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27566]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37567]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37567]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27569]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27569]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37854]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37854]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27571]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27571]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [38095]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [38095]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27617]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27617]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [41927]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [41927]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27619]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27619]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42070]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42070]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27622]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27622]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42192]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42192]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27658]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27658]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27661]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27661]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42346]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42346]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42350]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42350]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [28558]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [28558]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [56314]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [56314]
1d22h: NAT: creating portlist proto 6 globaladdr a.b.c.100
1d22h: NAT: Allocated Port for 172.16.1.3 -> a.b.c.100: wanted 3389 got 3389
1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4415]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4415]
1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28818]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28818]
1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4416]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4416]
1d22h: NAT*: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28918]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28918]
1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28919]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28919]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29029]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29029]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15867]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15867]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29031]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29031]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15917]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15917]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29033]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29033]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15981]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15981]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29036]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29036]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16080]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16080]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29040]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29040]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16188]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16188]
1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4417]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4417]
1d22h: NAT*: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [29042]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29042]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29045]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29045]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16429]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16429]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29046]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29046]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16435]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16435]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29049]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29049]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16519]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16519]
1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [29061]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29061]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29395]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29395]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19342]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19342]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29421]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29421]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19426]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19426]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29423]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29423]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19503]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19503]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29437]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29437]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19599]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19599]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29496]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29496]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19776]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19776]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29645]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29645]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19876]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19876]
1d22h: NAT: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4444]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4444]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29664]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29664]
1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4450]
1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4450]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29671]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29671]
1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4452]
1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4452]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29673]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29673]
1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4454]
1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4454]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29682]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29682]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29779]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29779]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24206]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24206]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29781]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29781]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24250]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24250]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29783]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29783]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24333]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24333]
1d22h: NAT: expiring a.b.c.100 (172.16.1.3) tcp 3389 (3389)
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30151]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30151]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31728]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31728]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30153]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30153]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31779]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31779]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30155]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30155]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31900]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31900]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30171]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30171]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31992]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31992]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30209]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30209]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [32331]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [32331]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30211]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30211]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [32621]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [32621]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30217]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30217]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [33272]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [33272]
1d22h: NAT: expiring a.b.c.100 (172.16.1.3) icmp 512 (512)
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30452]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30452]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [46761]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [46761]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30468]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30468]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [47116]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [47116]
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++++ +++++
debug ip packet 111 detail
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++++ +++++
Router#debug ip packet 111 detail
IP packet debugging is on (detailed) for access list 111
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++++++++ ++++++++++ +++++
I wonder why the input of this one is much smaller than debug ip nat 25 detailed?
The NAT debug was a lot more inclusive; that's why it's shorter. We also see your problem in the ip packet debug, though. Note the lines that say "dropped by inspect." So the IP inspect function is indeed the problem. I think the problem has to do with the combination of NAT and that. The packets are being dropped because with NAT, the outbound packets have a different source address than the destination address of the inbound ones. Since they don't match, IP inspect drops the outbound ones. What I don't yet understand is why, since the packets are being dropped outbound even though you don't have an outbound access list.
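An added example, not part of the thread and not code from either participant: a short Python script that reads the `debug ip packet 111 detail` output posted above the way the answer reads it. It pairs every `IP:` line with the `TCP` line the `detail` keyword prints after it, groups SYNs and SYN-ACKs into handshakes by client address and port, and reports each handshake whose reply was not forwarded, together with the address the SYN was delivered to and the source the router logged on the dropped reply. The sample input is the posted output copied verbatim (with the thread's anonymised `a.b.c` prefix); the function and field names are the example's own.

```python
"""Correlate Cisco 'debug ip packet <acl> detail' output and report TCP
handshakes where the client's SYN was forwarded but the server's SYN-ACK
was not (here: 'dropped by inspect')."""
import re

# Constructed sample: the three SYN / SYN-ACK pairs from the debug output
# posted above, copied verbatim ("a.b.c" is the thread's anonymised prefix).
SAMPLE = """\
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
"""

# 'IP:' line: addresses, interfaces, length and the router's verdict
# ("forward", "dropped by inspect", ...). The optional "g=<gateway>" field
# between d= and len is skipped by the lazy '.*?'.
IP_RE = re.compile(
    r"IP: s=(?P<src>\S+) \((?P<in_if>[^)]*)\), d=(?P<dst>\S+) \((?P<out_if>[^)]*)\)"
    r".*?len (?P<len>\d+), (?P<verdict>.+?)\s*$"
)
# 'TCP' line printed by the 'detail' keyword right after its IP line.
TCP_RE = re.compile(
    r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=(?P<seq>\d+), ack=(?P<ack>\d+),"
    r" win=\d+ (?P<flags>.+?)\s*$"
)


def parse_debug(text):
    """Pair each 'IP:' line with the 'TCP' line that follows it.

    Returns a list of dicts. UDP/ICMP packets have no TCP line and are
    dropped; their pending IP line is overwritten by the next one."""
    packets, pending = [], None
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = TCP_RE.search(line)
        if m and pending is not None:
            pkt = dict(pending, **m.groupdict())
            for k in ("sport", "dport", "seq", "ack", "len"):
                pkt[k] = int(pkt[k])
            pkt["flags"] = set(pkt["flags"].split())
            packets.append(pkt)
            pending = None
    return packets


def find_broken_handshakes(text):
    """Group SYNs and SYN-ACKs by (client ip, client port, server port) and
    return every handshake whose last reply was not forwarded."""
    flows = {}
    for p in parse_debug(text):
        if p["flags"] == {"SYN"}:                      # client -> server
            key = (p["src"], p["sport"], p["dport"])
            flows.setdefault(key, {"syns": [], "synack": None})["syns"].append(p)
        elif {"SYN", "ACK"} <= p["flags"]:             # server -> client
            key = (p["dst"], p["dport"], p["sport"])
            flows.setdefault(key, {"syns": [], "synack": None})["synack"] = p
    broken = []
    for (cip, cport, sport), f in flows.items():
        reply = f["synack"]
        if not f["syns"] or reply is None or reply["verdict"] == "forward":
            continue
        syn = f["syns"][-1]
        broken.append({
            "client": (cip, cport),
            "server_port": sport,
            "syn_count": len(f["syns"]),               # retransmissions seen
            "syn_delivered_to": syn["dst"],            # address the SYN left toward
            "reply_seen_from": reply["src"],           # source logged on the reply
            "reply_verdict": reply["verdict"],
            # both halves of one handshake are logged under different server
            # addresses: the mismatch the answer above describes
            "address_mismatch": syn["dst"] != reply["src"],
            # the reply really answers this SYN (ack == seq + 1)
            "ack_matches_syn": reply["ack"] == syn["seq"] + 1,
        })
    return broken


if __name__ == "__main__":
    for b in find_broken_handshakes(SAMPLE):
        print(f"{b['client'][0]}:{b['client'][1]} -> port {b['server_port']}: "
              f"{b['syn_count']} SYN(s) delivered to {b['syn_delivered_to']}, "
              f"reply from {b['reply_seen_from']} {b['reply_verdict']}")
```

Run it against a longer capture (`debug ip packet <acl> detail` with an ACL that matches both directions of the flow, as ACL 111 does here) and every flow whose reply is dropped comes out with the two addresses it was logged under; a handshake whose SYN-ACK is forwarded is not reported.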
ASKER
mikebernhardt,
Thank you for all the information.
I've also found this:
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++
sh ip nat translation
Pro Inside global     Inside local       Outside local       Outside global
tcp a.b.c.98:2346     172.16.1.62:2346   a.b.c.250:80        a.b.c.250:80
tcp a.b.c.98:4179     172.16.1.36:4179   81.52.250.104:80    81.52.250.104:80
tcp a.b.c.98:4174     172.16.1.36:4174   81.52.250.111:80    81.52.250.111:80
tcp a.b.c.98:4175     172.16.1.36:4175   81.52.250.111:80    81.52.250.111:80
tcp a.b.c.98:4176     172.16.1.36:4176   81.52.250.111:80    81.52.250.111:80
tcp a.b.c.98:4177     172.16.1.36:4177   81.52.250.111:80    81.52.250.111:80
udp a.b.c.100:1101    172.16.1.3:1101    a.b.c.179:53        a.b.c.179:53
tcp a.b.c.98:3277     172.16.1.25:3277   a.b.c.247:443       a.b.c.247:443
tcp a.b.c.99:3389     172.16.1.7:3389    ---                 ---
tcp a.b.c.100:3389    172.16.1.3:3389    ---                 ---
tcp a.b.c.101:3389    172.16.1.11:3389   ---                 ---
tcp a.b.c.98:2683     172.16.1.26:2683   a.b.c.69:8670       a.b.c.69:8670
tcp a.b.c.98:4489     172.16.1.39:4489   a.b.c.236:80        a.b.c.236:80
tcp a.b.c.98:1252     172.16.1.49:1252   a.b.c.195:80        a.b.c.195:80
tcp a.b.c.98:1123     172.16.1.69:1123   a.b.c.5:21          a.b.c.5:21
tcp a.b.c.98:1458     172.16.1.62:1458   a.b.c.125:80        a.b.c.125:80
tcp a.b.c.98:4223     172.16.1.39:4223   a.b.c.35:443        a.b.c.35:443
tcp a.b.c.98:4172     172.16.1.36:4172   a.b.c.207:80        a.b.c.207:80
tcp a.b.c.98:4563     172.16.1.26:4563   a.b.c.33:80         a.b.c.33:80
tcp a.b.c.98:1290     172.16.1.49:1290   a.b.c.195:443       a.b.c.195:443
tcp a.b.c.98:3555     172.16.1.23:3555   a.b.c.125:80        a.b.c.125:80
--- a.b.c.99          172.16.1.7         ---                 ---
--- a.b.c.100         172.16.1.3         ---                 ---
--- a.b.c.101         172.16.1.11        ---                 ---
++++++++++++++++++++++++++ ++++++++++ ++++++++++ ++++
How come there are no "Outside Local\Global" references for the TS Servers?
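An added example, not part of the thread and not the accepted answer: a Python parser for the `sh ip nat translation` table posted above. A mapping created with `ip nat inside source static` is not bound to any outside host, so IOS prints `---` in both outside columns for the whole-address rows (`--- a.b.c.100 172.16.1.3 --- ---`) and for the port rows the NAT debug shows being allocated on them (`Allocated Port for 172.16.1.3 -> a.b.c.100: wanted 3389 got 3389`); only an entry created for one specific conversation, such as the DNS exchange from 172.16.1.3 or the PAT sessions on a.b.c.98, records an outside peer. The script sorts each row into one of those three kinds, groups rows by inside-global address, and picks out the address shared by more than one inside host as the overload address. The sample input is a subset of the posted table copied verbatim; the function names and the three category labels are the example's own.

```python
"""Parse 'show ip nat translations' output and sort the rows into the three
kinds IOS prints: whole-address static mappings, port entries with no
outside peer, and per-conversation entries that record the outside host."""

# Constructed sample: a subset of the table posted above, copied verbatim
# ("a.b.c" is the thread's anonymised public prefix).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp a.b.c.98:2346      172.16.1.62:2346   a.b.c.250:80       a.b.c.250:80
udp a.b.c.100:1101     172.16.1.3:1101    a.b.c.179:53       a.b.c.179:53
tcp a.b.c.99:3389      172.16.1.7:3389    ---                ---
tcp a.b.c.100:3389     172.16.1.3:3389    ---                ---
tcp a.b.c.101:3389     172.16.1.11:3389   ---                ---
tcp a.b.c.98:1123      172.16.1.69:1123   a.b.c.5:21         a.b.c.5:21
--- a.b.c.99           172.16.1.7         ---                ---
--- a.b.c.100          172.16.1.3         ---                ---
--- a.b.c.101          172.16.1.11        ---                ---
"""


def split_endpoint(token):
    """'host:port' -> (host, port); 'host' -> (host, None); '---' -> None."""
    if token == "---":
        return None
    host, sep, port = token.rpartition(":")
    if not sep:                       # whole-address entry, no port
        return (token, None)
    return (host, int(port))


def parse_translations(text):
    """One dict per data row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": None if proto == "---" else proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return rows


def classify(row):
    """static: whole-address mapping ('--- a.b.c.100 172.16.1.3 --- ---');
    port_only: a port entry with no outside peer recorded;
    session: an entry created for one conversation, outside host present."""
    if row["proto"] is None:
        return "static"
    if row["outside_global"] is None:
        return "port_only"
    return "session"


def summarize(text):
    """Group rows by inside-global address."""
    out = {}
    for row in parse_translations(text):
        ig = row["inside_global"][0]
        s = out.setdefault(ig, {"inside_local": set(), "static": 0,
                                "port_only": 0, "sessions": []})
        s["inside_local"].add(row["inside_local"][0])
        kind = classify(row)
        if kind == "session":
            s["sessions"].append((row["proto"], row["inside_local"],
                                  row["outside_global"]))
        else:
            s[kind] += 1
    return out


def overload_addresses(summary):
    """Inside-global addresses shared by more than one inside host: the PAT
    (overload) address, as opposed to the one-to-one statics."""
    return sorted(ig for ig, s in summary.items() if len(s["inside_local"]) > 1)


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for ig in sorted(s):
        print(ig, sorted(s[ig]["inside_local"]),
              "static=%d port_only=%d sessions=%d"
              % (s[ig]["static"], s[ig]["port_only"], len(s[ig]["sessions"])))
    print("overload:", overload_addresses(s))
```

On the posted table this separates the three terminal-server addresses (one static row and one port row each, plus the single DNS session on a.b.c.100) from a.b.c.98, which carries every browsing session for the rest of the LAN and is the address handed out by `ip nat inside source list 1 pool overload`.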
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the info and keeping me updated.
Have a great weekend.
ASKER
Hello mikebernhardt,
First of all, Happy Holidays!!.
I am still not able to TS. However, I was wondering about this setup:
1- Cisco SOHO 91 router connected to a DSL line that we have at the office.
2- Configure the Cisco SOHO 91 router to allow RDP protocol only.
3- Install a second NIC on one Terminal server, and connect that NIC to the Cisco SOHO 91 router.
4- Plug the other NIC on the Terminal server to the LAN, so that I can TS with the rest of the servers...?
Will this set up work?
Will it be secure?
Thanks,
JC
ASKER
I found the solution https://www.experts-exchange.com/questions/21348891/Help-with-CBAC-Config.html
I want to thank GreatWhiteOne and mikebernhardt for their help. I learned a great deal so, I am splitting points. I hope this is fair!
ASKER
Thanks again.