manthax

Cannot connect to Terminal Services with Cisco 1721 Router

Hello experts!

I cannot connect to any of 3 Windows Terminal Servers. However, unfortunately I am not familiar with Cisco routers.
I do have the passwords and I can log in; after some research I figured out how to show the router configuration.  The router was installed and configured by our ISP. I have not made any changes to the configuration.  Can someone help me figure it out? I have used a.b.c.d for the external IP address. Sorry for the long post!
Thanks,
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 frame-relay interface-dlci 16
!
ip nat pool   a.b.c.d a.b.c.d netmask 255.255.255.248
ip nat inside source list 1 pool overload
ip nat inside source static 172.16.1.3 a.b.c.d extendable
ip nat inside source static 172.16.1.7 a.b.c.d extendable
ip nat inside source static 172.16.1.11 a.b.c.d extendable
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.d
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq telnet
access-list 100 permit gre any any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any
access-list 100 permit tcp any any eq 8025
access-list 100 permit udp any any eq 3389
access-list 100 permit udp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 80
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   tcp any any eq finger
access-list 102 remark block all netbios to the internet
access-list 102 permit ip any any
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SOLUTION
GreatWhiteOne

manthax

ASKER

Thank you for your answer.  Could you guide me on how to copy and paste the configuration file?
Thanks again.
It depends on what terminal program you are using to do this with.  If you are connected with a serial port cable, you are probably using HyperTerminal and you can just highlight the above, click Edit and Copy, then click Edit and Paste in HyperTerminal.  If you are using a terminal command through a DOS window, copy the above like before, then just right-click in the terminal window.  You may want to look into getting a better program though, like PuTTY (for telnet) or Tera Term (telnet and serial port).

Good luck
manthax

ASKER

Hi:
So far I have tried the first two options:
access-list 100 permit tcp any host 172.16.1.3 eq 3389, and access-list 100 permit tcp any any eq 3389, but I still cannot connect...

I noticed under IP Nat Pool that there are two external IPs. However, none of them are mapped to either of the Terminal servers. For example:
ip nat pool SBC a.b.c.97 a.b.c.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static 172.16.1.3  a.b.c.100 extendable
ip nat inside source static 172.16.1.7  a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable

Could that be the problem?

Also, I was using telnet and tried to copy and paste (3rd option) like you suggested, and I lost the connection to the router, that's why I asked if there was a proper way of copy-paste. I don't know what I am doing!
So I drove down to the office (15 minutes from home) and checked it out.  Everything seems to be alright (I am writing this post from work!)... But I cannot connect to any TS :-(

Anything else I should try?

Thanks for all your help and time!  I appreciate it.
JC
Hello,

For starters you already have the terminal services entries in your configuration.  Are you able to terminal services to the servers locally?  I do not see any reason to believe the router is causing the problem from the little bit of information provided.

Please post the access-group line and the interfaces they are applied to.

Thanks,

Dan
manthax

ASKER

Hi Dan,

I am able to connect to the terminal servers from within the LAN.  I was able to connect to them before we switched to the Cisco router.
Is information missing from the access-list I posted in my original post?

Please advise.
Thanks,
JC
What are the internal IP addresses of your servers?

If they are not
172.16.1.3
172.16.1.7
or 172.16.1.11

then yes you are right about the external ip address mapping.  Since it was not listed, I kind of assumed that those were their internal servers.

Let me know...
Thanks,
Daniel
manthax

ASKER

Daniel,

You are right, those are the IP's of the terminal servers.  I am sorry for the confusion.

Thank you for your  patience!
The earlier suggestion to remove specific lines from your access list was incorrect. With a numbered access list, if you say no access-list 100 blah blah, then the router removes the ENTIRE access list. Then when you added the new lines, your access list consisted of ONLY the new lines, with an implicit deny all at the end. So as soon as you added the first line, you automatically denied telnet in and you lost your connection.

You need to do the following:
1. copy your entire access list into notepad and edit it how you want it.
2. On the interface, type
    no ip access-group 100 in
    This will make sure it isn't being used.
3. now type
    no access-list 100
4. now paste in the new access list
5. Now go back to the interface and type
    ip access-group 100 in

I would suggest that if you didn't save the changes you made, that you reboot the router to put it back how it was originally. You probably have people complaining about their internet access.

Now that said, the lines
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any

are useless because this is an inbound list (I think- as earlier stated, you need to show us your interface config so we can see how it was applied). Those lines are allowing OUTSIDE servers with those private addresses into your network. This line
access-list 100 permit tcp any any eq 3389

should be all you need.
The above last comment is incorrect.  You did not delete your entire access list.  If you type:
no access-list 100  - It will erase all of the entries, but if you type:
no access-list 100 permit tcp host 172.16.1.3 eq 3389 any - It will only delete that line of the access list.
I wanted to make sure you understand that if you are going to learn anything about Cisco, because that becomes very important.  If it was not that way, every time you needed to change an access-list then you would have to recreate the whole thing, and you don't have to recreate the whole thing all the time.

I agree with mikebernhardt that all I would use is the access-list 100 permit tcp any any eq 3389.  Can you post the rest of your config for us like he said?

Looking it over further, you need to change the inside commands to outside.  It should read:
ip nat outside source static a.b.c.100 172.16.1.3

That command tells it to translate anything hitting that external IP address to the internal ip address stated.  The way you have it now, whenever those servers send information to the internet, the router masks their IP address as the specified IP address in the nat...  So 1.3 always goes to the internet as c.100....

Good luck
manthax

ASKER

Guys,
Thank you so much for all your help in this matter. When you asked to post the rest of the configuration. How do I do that?  I thought that "sh run" was all I needed? I am sorry for the dumb question, but I just want to make sure I sent you the right information the first time, so that I don't waste your time.
Thanks,

John C
No problem.  
Show run is what you need, but we want to get some other parts that do not seem to be listed.  Are you saying that the config you listed is everything?  Try what I told you about the changing of the nat command.
manthax

ASKER

The config that I've listed is everything (as far as "sh run" goes!), but if there are any other commands that I should use, please let me know.
I will try to change the nat command as you suggested. Do you think it would be easier if I post the real IP addresses?

Thanks Again,
What we need is the configuration before
frame-relay interface-dlci 16
manthax

ASKER

OK. Here it is.  Thanks!
+++++++++++++++++++++++++++++++++++++++++++++
Building configuration...

Current configuration : 4281 bytes
!
! Last configuration change at 22:15:15 UTC Sat Oct 2 2004
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password 7 05180B0C1E4940081B0912
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip inspect dns-timeout 30
ip inspect name myfw cuseeme
ip inspect name myfw rcmd
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw tftp
ip inspect name myfw smtp
ip inspect name myfw realaudio
ip inspect name myfw h323
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
!
ip audit notify log
ip audit po max-events 100
ip name-server a.b.c.179
ip name-server a.b.c.198
no ftp-server write-enable
!
!
!
interface FastEthernet0
 description << Local Lan Network >>
 ip address 172.16.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description << Link to SBCIS ckt HCGM 003125 T1 >>
 ip address a.b.c.50 255.255.255.252
 ip access-group 100 in
 ip nat outside
 ip inspect myfw out
 frame-relay interface-dlci 16
!
ip nat pool SBC a.b.c.97 a.b.c.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.49
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq telnet
access-list 100 permit gre any any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp a.b.c.0 0.0.0.255 any eq telnet
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any
access-list 100 permit tcp any any eq 8025
access-list 100 permit udp any any eq 3389
access-list 100 permit udp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 80
access-list 100 permit tcp any host 172.16.1.3 eq 3389
access-list 102 deny   tcp any any eq 137
access-list 102 deny   tcp any any eq 138
access-list 102 deny   tcp any any eq 139
access-list 102 deny   tcp any any eq finger
access-list 102 remark block all netbios to the internet
access-list 102 permit ip any any

!
line con 0
line aux 0
line vty 0 4
 password 7 0832414D360D001B1C0E18
 login
!
ntp clock-period 17179844
ntp server 207.55.146.54
ntp server 128.10.252.10
!
end
+++++++++++++++++++++++++++++++++++++++++++++
Just checking: Your config has this
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable

This means that to get to terminal services, you have to go to a.b.c.100, a.b.c.99 or a.b.c.101. Is that what you're trying to do? If you go to a.b.c.50 it won't work.
manthax

ASKER

GreatWhiteOne,
Config t
ip nat outside source static a.b.c.100 172.16.1.3.  As soon as I did this, I received the following error message in my workstation "The system detected and address conflict for IP address 172.16.1.3 with the system having network hardware address 00.0E:84B7:48:F8.  Network operations on this system may be disrupted as a result"  The MAC address (00.0E:84B7:48:F8) is the MAC address of the Cisco router!

I went back to the Cisco config t and reloaded without saving any changes. I don't understand. It must be something I did wrong!
It's because that IP address is "used" by the NAT translation entry in my last post.
manthax

ASKER

mikebernhardt,

Yes, that is exactly what I am trying to do. I have tried .100 .99 .101. I had the feeling that using .50 would not work, but I tried it anyway.  If I ping those addresses, I get a reply. However, no cigar!
Thank you for your time.

JC
Static translation works both ways. What you had initially was correct. You are translating your inside private address to an outside public address, not the other way. And I'm sorry, but GreatWhiteOne is wrong about access lists. A NAMED access list works as he said. A NUMBERED access list, which you are using, works as I said.

A correction to my last post. The reason it is used is because although you changed your translation statement, the router still cached the old one. You need to "clear ip nat translation" after the change.
Try the following as an experiment:
interface Serial0.1 point-to-point
no ip inspect myfw out

Then see if it works. Also, add the following line

access-list 100 permit tcp any any established
manthax

ASKER

Hi mikebernhardt,
The first statement
 "interface Serial0.1 point-to-point
no ip inspect myfw out"
 I have to do this at the interface level? config t > interface Serial0.1 point-to-point? Is that correct?

Thanks,
Yes. I'm wondering if the ip inspect is causing your problem. You stated that you can ping the outside address of your server. This indicates that NAT is working, so something must be blocking the terminal services traffic.
Actually, you don't need to type
interface Serial0.1 point-to-point
 no ip inspect myfw out


You can type
interface Serial0.1
 no ip inspect myfw out

I'm pretty convinced at this point that this is your problem. Let me know. I think you would need to make it " ip inspect myfw in."
manthax

ASKER

Hi:

This is what I did:
config t
interface Serial0.1
 no ip inspect myfw out
^Z
All the workstations and servers on the LAN lost Internet connection.  I had to reload once again, without saving changes. Internet connection is back to normal.  We do have a software proxy (this is a product that we are testing) on the network with an IP address of 172.16.1.2.  There are 36 workstations that receive their IP address from a W2K DHCP server that assigns the default gateways in the following order: 172.16.1.2 (Proxy), and 172.16.1.1 (Cisco Router).
The terminal servers have static IPs and their default gateway is the Cisco Router. Which I prefer, over the software proxy. Do you think this setup may be the problem?
Thanks,
JC

I read up more on CBAC (the IP inspect stuff) and I no longer think that's the problem.

Try changing this
ip nat inside source static 172.16.1.3 a.b.c.100 extendable
ip nat inside source static 172.16.1.7 a.b.c.99 extendable
ip nat inside source static 172.16.1.11 a.b.c.101 extendable


to this

ip nat inside source static tcp 172.16.1.3 3389 a.b.c.100 3389
ip nat inside source static tcp 172.16.1.7 3389 a.b.c.99 3389
ip nat inside source static tcp 172.16.1.11 3389 a.b.c.101 3389

Then type "clear ip nat translation" after you've left config mode. Note that this will limit those servers NAT, so that only port 3389 will be available on those outside IP addresses. You won't be able to access them on other ports from the outside. This shouldn't help, but maybe it will. I can't see that anything else is wrong.

If that doesn't help, I have to wonder if you've hit a software bug or something. Please give us the output of "show version" so we can see what version of software the router is running. Also, try the following:
1. Try to access TS from wherever you usually do it.
2. Immediately after it fails, type "show access-list 100" on the router and post the output here.

By the way, your access list 100 is permitting a lot of traffic to come into your network that you probably don't want. For example, anyone can telnet to your router and into your network. Anyone can access any web servers you may have. And anyone using a source address of 172.16.1.x can get in- and those could only be spoofed addresses if they're coming from outside. Several lines are redundant and unnecessary. You may want to tighten that up for security's sake, though it has nothing to do with your TS problem. But that's a whole other question.
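The three observations in the post above (telnet open to anyone, private 172.16.1.x sources permitted on an Internet-facing inbound list, redundant lines) can be checked mechanically. The script below is an added example, not part of the original thread; its function names and finding tags are made up for illustration, and the sample is a subset of the access-list 100 lines posted earlier.

```python
"""Audit an inbound, Internet-facing Cisco numbered extended ACL (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the access-list 100 lines posted in this thread.
SAMPLE_ACL = """\
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq telnet
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any host 172.16.1.3 eq 3389
"""

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "pop3": 110, "domain": 53, "ntp": 123}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")
LINE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    text: str


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a Cisco-style wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def _take_port(tokens):
    """Consume an optional 'eq PORT' and return the port number, else None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return None


def parse_acl(config, number="100"):
    """Parse the permit/deny lines of one numbered extended ACL, in order."""
    entries = []
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != number:
            continue
        tokens = m.group(3).split()
        proto = tokens.pop(0)
        has_ports = proto in ("tcp", "udp")
        src = _take_addr(tokens)
        sport = _take_port(tokens) if has_ports else None
        dst = _take_addr(tokens)
        dport = _take_port(tokens) if has_ports else None
        entries.append(Entry(m.group(2), proto, src, sport, dst, dport,
                             "established" in tokens, line.strip()))
    return entries


def covers(a, b):
    """True when every packet matched by b is already matched by earlier entry a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport in (None, b.sport) and a.dport in (None, b.dport)
            and (not a.established or b.established))


def audit(entries):
    """Return (entry position, finding) pairs for the three issues named in the post."""
    findings = []
    for i, e in enumerate(entries, start=1):
        if e.action == "permit":
            if e.proto == "tcp" and e.dport == 23 and e.src == ANY:
                findings.append((i, "telnet-open-to-any"))
            # A private source arriving on the outside interface can only be spoofed.
            if any(e.src.subnet_of(n) for n in RFC1918):
                findings.append((i, "private-source-inbound"))
        for j, earlier in enumerate(entries[:i - 1], start=1):
            if covers(earlier, e):
                findings.append((i, f"shadowed-by-{j}"))
                break
    return findings


if __name__ == "__main__":
    parsed = parse_acl(SAMPLE_ACL)
    for pos, tag in audit(parsed):
        print(f"{pos:>2}  {tag:<24} {parsed[pos - 1].text}")
```

The fourth sample line is flagged twice: it permits a private source, and it can never match because the broader 172.16.1.0 line above it already does.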
manthax

ASKER

Hi mikebernhardt,

I added the statements as you suggested.  I noticed that the new statements were appended to the bottom of the list.  Is that how it is supposed to be?
After I left config mode (back to #) I typed "clear ip nat translation" and received an "Incomplete command".  I know it must be something I did!...
I would like to tighten the security on the router.  We are a small shop, and do not have any web or email servers in our LAN (everything is hosted by third party providers). However, I find it very scary that anyone using a source address of 172.16.1 can get in, but like you said, "that's a whole other question." I am going to try and connect to TS, and I will let you know the results.

I am also pasting the Router version for your review ( I sound like a Cisco expert ;-)).  Thanks a million for all your help!.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 25-Nov-03 11:18 by kellythw
Image text-base: 0x80008120, data-base: 0x80F7CAF4

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

Router uptime is 19 hours, 53 minutes
System returned to ROM by reload at 21:45:44 UTC Mon Oct 4 2004
System restarted at 21:47:39 UTC Mon Oct 4 2004
System image file is "flash:c1700-advsecurityk9-mz.123-5a.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 1721 (MPC860P) processor (revision 0x300) with 56945K/8591K bytes of memory.
Processor board ID FOC08021416 (2859757696), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
manthax

ASKER

mikebernhardt,

I just tried it. and it did not work. Do you think it would be easier if I sent you the access-list 100 to your email? I am not sure if I should post the real outside IPs on this forum.  Please let me know.
Thanks,
JC
Sorry, my bad. Type "clear ip nat translation *" and then try again.

So here's what I'm looking for in the access list... If you compare the configured access list 100 with the output of "show access-list 100" you should see a lot of extra stuff in the latter after the last configured line. This is placed there dynamically by the ip inspect function. What I want to see specifically is anything placed there that relates to your terminal services. So anything that has "3389" in it, after the configured stuff. You may have a lot to sort through, I don't know. You can mask the outside IPs for the lines you post here.
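The comparison asked for in the post above can be scripted once the "show access-list" output has been captured to text. This is an added example, not part of the original thread: the function names are made up, the sample output is constructed with documentation addresses, and it assumes that entries printed without a sequence number are the ones ip inspect added dynamically.

```python
"""Split 'show access-list' output into dynamic and configured entries (added example)."""
import re

# Constructed sample modelled on the "show access-list 100" output format;
# the public addresses are documentation ranges, not real hosts.
SAMPLE_SHOW = """\
Extended IP access list 100
     permit tcp host 198.51.100.139 eq www host 203.0.113.98 eq 1830 (50 matches)
     permit udp host 198.51.100.179 eq domain host 203.0.113.100 eq 1101 (21 matches)
    150 permit tcp any any eq telnet (2538 matches)
    190 permit tcp host 172.16.1.3 eq 3389 any
    230 permit udp any any eq 3389
    250 permit tcp any any eq 3389 (51 matches)
    270 permit tcp any any established (40630 matches)
"""

# Optional sequence number, the rule text, and an optional "(N matches)" hit counter.
ENTRY_RE = re.compile(
    r"^\s*(?:(\d+)\s+)?((?:permit|deny)\s.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_show_acl(output):
    """Return one dict per ACL entry; entries with no sequence number are marked dynamic."""
    rows = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line such as "Extended IP access list 100"
        seq, rule, hits = m.groups()
        rows.append({
            "seq": int(seq) if seq else None,
            "dynamic": seq is None,
            "rule": rule,
            "hits": int(hits) if hits else 0,  # no counter printed means zero matches
        })
    return rows


def port_report(rows, port):
    """Group the entries that mention 'eq <port>' into dynamic and configured lists."""
    pattern = re.compile(rf"\beq {port}\b")
    report = {"dynamic": [], "configured": []}
    for r in rows:
        if pattern.search(r["rule"]):
            key = "dynamic" if r["dynamic"] else "configured"
            report[key].append((r["seq"], r["rule"], r["hits"]))
    return report


if __name__ == "__main__":
    result = port_report(parse_show_acl(SAMPLE_SHOW), 3389)
    for kind, items in result.items():
        print(kind)
        for seq, rule, hits in items:
            print(f"  {seq or '-':>4}  hits={hits:<6} {rule}")
```

On the sample, port 3389 appears only in configured entries, and only sequence 250 has a non-zero counter.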
manthax

ASKER

I just tried that command "clear ip nat translation *", and received this message:
Router>clear ip nat translation *
                   ^
 % Invalid input detected at '^' marker.?? It must be me!...

Also this is the Access-list 100.  I've decided to go ahead and give you the whole list.  I did not see a lot of references to "3389" except for the part at the bottom that reads:
"250 permit tcp any any eq 3389 (51 matches)"

++++++++++++++++++++++++++++++++++++++++++++++++++
Extended IP access list 100
     permit tcp host a.b.c.139 eq www host a.b.c.98 eq 1830 (50 matches)
     permit tcp host a.b.c.139 eq www host a.b.c.98 eq 1829 (41 matches)
     permit udp host a.b.c.179 eq domain host a.b.c.100 eq 1101 (21 matches)
     permit tcp host a.b.c.209 eq www host a.b.c.98 eq 2163 (64 matches)
     permit tcp host a.b.c.209 eq www host a.b.c.98 eq 2162 (79 matches)
     permit tcp host a.b.c.51 eq 1863 host a.b.c.98 eq 1313 (18 matches)
     permit tcp host a.b.c.94 eq www host a.b.c.98 eq 1323 (8 matches)
     permit tcp host a.b.c.39 eq 1863 host a.b.c.98 eq 3998 (141 matches)
     permit tcp host a.b.c.170 eq www host a.b.c.98 eq 1899 (117 matches)
     permit tcp host a.b.c.170 eq www host a.b.c.98 eq 1898 (121 matches)
     permit tcp host a.b.c.139 eq 1494 host a.b.c.98 eq 2643 (16892 matches)
     permit tcp host a.b.c.118 eq www host a.b.c.98 eq 1322 (6 matches)
     permit tcp host a.b.c.45 eq www host a.b.c.98 eq 2099 (21 matches)
     permit tcp host a.b.c.54 eq www host a.b.c.98 eq 1321 (5 matches)
     permit tcp host a.b.c.178 eq www host a.b.c.98 eq 1343 (4 matches)
     permit tcp host a.b.c.175 eq www host a.b.c.98 eq 1901 (5 matches)
     permit tcp host a.b.c.206 eq www host a.b.c.98 eq 1331 (10 matches)
     permit tcp host a.b.c.206 eq www host a.b.c.98 eq 1327 (78 matches)
     permit tcp host a.b.c.6 eq 443 host a.b.c.98 eq 1347 (31 matches)
     permit tcp host a.b.c.6 eq 443 host a.b.c.98 eq 1337 (81 matches)
     permit tcp host a.b.c.98 eq 443 host a.b.c.98 eq 4008 (12 matches)
     permit tcp host a.b.c.32 eq 6350 host a.b.c.98 eq 1839 (10121 matches)
    10 permit ipinip any any
    20 permit icmp any any echo (31878 matches)
    30 permit icmp any any echo-reply
    40 permit icmp any any packet-too-big
    50 permit icmp any any time-exceeded (9616 matches)
    60 permit icmp any any traceroute
    70 permit icmp any any unreachable
    80 permit udp any any eq ntp (1578 matches)
    90 permit tcp any any eq www (2348 matches)
    100 permit udp any any eq domain (63 matches)
    110 permit tcp any any eq smtp (20538 matches)
    120 permit tcp any any eq pop3
    130 permit tcp any any eq 7070
    140 permit tcp any any eq 443 (8446 matches)
    150 permit tcp any any eq telnet (2538 matches)
    160 permit gre any any
    170 permit ip 172.16.1.0 0.0.0.255 any
    180 permit tcp a.b.c.0 0.0.0.255 any eq telnet
    190 permit tcp host 172.16.1.3 eq 3389 any
    200 permit tcp host 172.16.1.7 eq 3389 any
    210 permit tcp host 172.16.1.9 eq 3389 any
    220 permit tcp any any eq 8025
    230 permit udp any any eq 3389
    240 permit udp any any eq 25
    250 permit tcp any any eq 3389 (51 matches)
    260 permit udp any any eq 80
    270 permit tcp any any established (40630 matches)
++++++++++++++++++++++++++++++++++++++++++++++++++

Thank you!
You can't clear the translations because you're not in enable mode. Did you try using Terminal Services just before typing "show access-list 100?"
manthax

ASKER

That's what I thought!.. Yes, I did try using Terminal Services before typing show access-list.
manthax

ASKER

FYI:
I went to the router and executed the command "clear ip nat translation *", and this time the router did not bark at me with an error message.
I've also tried again to TS, but no luck yet...
I have two silly questions for you, but I am stretching because I cannot think of much else...

Where are you trying to connect to the terminal servers from?

Can you verify that your TS have the router as their default Gateway, and that there are NO other gateways configured.  Use the command prompt...
ipconfig /all
Please post the output.
manthax

ASKER

I am trying to connect to those servers from my home. I am connected to a cable modem, and I am using a Cisco Soho 91 router. I have a terminal server at home and I can connect to it from this office!.
At the office we have a T1 and we also have a DSL line that is not being used for anything right now, except for me to troubleshoot this problem!

All the servers are hard coded; their IPs are:
172.16.1.3, 172.16.1.7, 172.16.1.11 subnet mask 255.255.255.0, and their default gateway is the Cisco router 172.16.1.1.

I was able to TS to those servers before we switched to the Cisco router, the only difference is that now we are using a private block of IPs instead of public IPs....

CMD Output:
++++++++++++++++++++++++++++++++++
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : DC1
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . .

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
        Physical Address. . . . . . . . . : 00-0B-CD-4D-F6-97
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . :  172.16.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :172.16.1.1
        DNS Servers . . . . . . . . . . . : 172.16.1.5
                                                   172.16.1.3
++++++++++++++++++++++++++++++++++

Thanks,
JC
OK. In the access list you posted, we are seeing that traffic is coming in to port 3389. You can see that 51 packets came in in the line preceded by "250.". The next step is to see if NAT is working correctly. So in config mode, type

access-list 25 permit host [your host address]
access-list 25 permit host [the TS public address]
access-list 25 permit host [the TS private address]

debug ip nat 25 detailed

Also type
terminal monitor

If your terminal software supports it, dump the session to a text file. Now, try to TS into one of the servers. Then type "u all" to turn off debug. It will probably lag for a little bit. Now go through and look for every line that references either the inside or outside address of the TS server, and post the output here. I want to see if NAT is working correctly both ways.

Then, in config mode again, type
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any eq 3389 any

in enable mode, type
debug ip packet 111 detail

Again, capture the data to a text file and try to use TS. Post the output here. when this is all done you can just delete the access lists with
no access-list 25
no access-list 111
manthax

ASKER

Hi:
I am sorry, but I am confused about this:

access-list 25 permit host [your host address]  I am not sure about what goes here?  
access-list 25 permit host [the TS public address]  a.b.c.100
access-list 25 permit host [the TS private address] 172.16.1.3

Maybe it's the fact that I am on my first cup of coffee...
Please advise.  Thanks
Ah, sorry. [your host address] should be the public address that you are using when you are trying to access the TS from outside.
manthax

ASKER

OK. So it should look like this?

access-list 25 permit host [the TS public address]  a.b.c.100
access-list 25 permit host [the TS private address] 172.16.1.3

Instead of:

access-list 25 permit host a.b.c.100  
access-list 25 permit host [the TS public address]  a.b.c.100
access-list 25 permit host [the TS private address] 172.16.1.3

So, it should be two statements instead of three?

Pardon my ignorance.

No, it should be all three. I want to watch NAT traffic that is going to your outside address, going to the TS private address, and the TS public address.
manthax

ASKER

OK.  I think I've got it. However, because I don't know what I am doing, I am afraid that if I just look for the references that point to the address of the TS, I may delete information that you may need.  Should I just post the whole thing?

Problem is, one of my servers just crashed due to hard drive failure.  So I need to work on that server for the rest of the afternoon, and no it's not one of the terminal servers ;-)

Please let me know. I can't believe that you actually trust me to do these things!
Even if this thing does not work, I feel that I am learning a great deal.
Thanks again.

John C.
manthax

ASKER

Ok. I think this is it.  

debug ip nat 25 detailed and debug ip packet 111 detail:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27392]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27392]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [34278]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [34278]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27394]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27394]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [34528]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [34528]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27400]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27400]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35191]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35191]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27402]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27402]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35251]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35251]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27404]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27404]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35435]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35435]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27406]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27406]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35467]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35467]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27408]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27408]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35500]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35500]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27410]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27410]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35525]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35525]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27412]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27412]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35549]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35549]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27414]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27414]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35584]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35584]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27416]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27416]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35807]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35807]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27434]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27434]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36179]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36179]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27436]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27436]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36199]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36199]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27549]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27549]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36699]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36699]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27557]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27557]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36911]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36911]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27559]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27559]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36957]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36957]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27561]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27561]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37062]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37062]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27564]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27564]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37384]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37384]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27566]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27566]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37567]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37567]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27569]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27569]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37854]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37854]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27571]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27571]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [38095]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [38095]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27617]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27617]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [41927]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [41927]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27619]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27619]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42070]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42070]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27622]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27622]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42192]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42192]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27658]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27658]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27661]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27661]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42346]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42346]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42350]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42350]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [28558]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [28558]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [56314]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [56314]
1d22h: NAT: creating portlist proto 6 globaladdr a.b.c.100
1d22h: NAT: Allocated Port for 172.16.1.3 -> a.b.c.100: wanted 3389 got 3389
1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4415]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4415]
1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28818]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28818]
1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4416]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4416]
1d22h: NAT*: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28918]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28918]
1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28919]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28919]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29029]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29029]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15867]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15867]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29031]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29031]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15917]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15917]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29033]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29033]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15981]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15981]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29036]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29036]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16080]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16080]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29040]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29040]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16188]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16188]
1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4417]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4417]
1d22h: NAT*: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [29042]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29042]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29045]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29045]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16429]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16429]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29046]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29046]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16435]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16435]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29049]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29049]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16519]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16519]
1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [29061]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29061]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29395]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29395]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19342]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19342]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29421]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29421]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19426]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19426]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29423]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29423]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19503]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19503]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29437]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29437]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19599]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19599]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29496]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29496]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19776]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19776]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29645]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29645]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19876]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19876]
1d22h: NAT: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4444]
1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4444]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29664]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29664]
1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4450]
1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4450]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29671]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29671]
1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4452]
1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4452]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29673]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29673]
1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4454]
1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4454]
1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29682]
1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29682]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29779]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29779]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24206]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24206]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29781]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29781]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24250]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24250]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29783]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29783]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24333]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24333]
1d22h: NAT: expiring a.b.c.100 (172.16.1.3) tcp 3389 (3389)
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30151]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30151]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31728]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31728]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30153]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30153]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31779]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31779]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30155]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30155]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31900]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31900]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30171]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30171]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31992]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31992]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30209]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30209]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [32331]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [32331]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30211]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30211]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [32621]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [32621]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30217]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30217]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [33272]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [33272]
1d22h: NAT: expiring a.b.c.100 (172.16.1.3) icmp 512 (512)
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30452]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30452]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [46761]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [46761]
1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30468]
1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30468]
1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [47116]
1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [47116]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

debug ip packet 111 detail
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Router#debug ip packet 111 detail
IP packet debugging is on (detailed) for access list 111
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h:     TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h:     TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h:     TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h:     TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h:     TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h:     TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I wonder why the input of this one is much smaller than debug ip nat 25 detailed?

The NAT debug was a lot more inclusive, that's why it's shorter. We also see your problem in the ip packet debug though. Note the lines that say "dropped by inspect." So the IP inspect function is indeed the problem. I think the problem has to do with the combination of NAT and that. The packets are being dropped because with NAT, the outbound packets have a different source address than the destination address of the inbound ones. Since they don't match, IP inspect drops the outbound ones. What I don't yet understand is why, since the packets are being dropped outbound even though you don't have an outbound access list.
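As an added example (not part of the original post, and not Cisco tooling): a small Python parser for the `debug ip packet 111 detail` output above that matches each forwarded SYN to its SYN-ACK by ports and sequence numbers, since NAT makes the addresses differ, and reports the replies the router dropped. The function names are hypothetical; the sample lines are copied from the output posted in this thread.

```python
import re

# Sample input: one SYN / SYN-ACK pair copied from the thread's debug output,
# repeated three times as it appears there (the client retransmits the SYN).
PAIR = (
    "1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward\n"
    "1d22h:     TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN\n"
    "1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect\n"
    "1d22h:     TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN\n"
)
SAMPLE = PAIR * 3

IP_RE = re.compile(r"IP: s=(?P<src>\S+) \([^)]+\), d=(?P<dst>\S+) \([^)]+\),"
                   r".*?len \d+, (?P<action>.+)$")
TCP_RE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=(?P<seq>\d+), "
                    r"ack=(?P<ack>\d+), win=\d+ (?P<flags>[A-Z ]+)$")

def parse_packets(text):
    """Pair each 'IP:' header line with the 'TCP' detail line that follows it."""
    packets, pending = [], None
    for line in text.splitlines():
        line = line.rstrip()
        ip = IP_RE.search(line)
        if ip:
            pending = ip.groupdict()
            continue
        tcp = TCP_RE.search(line)
        if tcp and pending:
            pkt = {**pending, **tcp.groupdict()}
            pkt["flags"] = set(pkt["flags"].split())
            for key in ("sport", "dport", "seq", "ack"):
                pkt[key] = int(pkt[key])
            packets.append(pkt)
            pending = None
    return packets

def dropped_handshakes(packets):
    """Report forwarded SYNs whose SYN-ACK reply was dropped by the router."""
    syns, findings = {}, {}
    for p in packets:
        if p["flags"] == {"SYN"} and p["action"] == "forward":
            syns[(p["sport"], p["dport"], p["seq"])] = p
        elif p["flags"] == {"SYN", "ACK"} and p["action"].startswith("dropped"):
            # The reply acknowledges seq+1 and has the ports swapped. Addresses
            # are not compared: NAT has already rewritten the reply's source.
            key = (p["dport"], p["sport"], p["ack"] - 1)
            syn = syns.get(key)
            if syn is None:
                continue
            finding = findings.setdefault(key, {
                "client": syn["src"], "server_port": p["sport"],
                "syn_dst": syn["dst"], "synack_src": p["src"],
                "reason": p["action"], "attempts": 0})
            finding["attempts"] += 1
    return list(findings.values())

if __name__ == "__main__":
    for f in dropped_handshakes(parse_packets(SAMPLE)):
        print(f"{f['client']} -> port {f['server_port']}: SYN sent to {f['syn_dst']}, "
              f"SYN-ACK from {f['synack_src']} {f['reason']} x{f['attempts']}")
```
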
Avatar of manthax

ASKER

mikebernhardt ,

Thank you for all the information.

I've also found this:
++++++++++++++++++++++++++++++++++++++++++++++++++
sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp a.b.c.98:2346  172.16.1.62:2346   a.b.c.250:80   a.b.c.250:80
tcp a.b.c.98:4179  172.16.1.36:4179   81.52.250.104:80   81.52.250.104:80
tcp a.b.c.98:4174  172.16.1.36:4174   81.52.250.111:80   81.52.250.111:80
tcp a.b.c.98:4175  172.16.1.36:4175   81.52.250.111:80   81.52.250.111:80
tcp a.b.c.98:4176  172.16.1.36:4176   81.52.250.111:80   81.52.250.111:80
tcp a.b.c.98:4177  172.16.1.36:4177   81.52.250.111:80   81.52.250.111:80
udp a.b.c.100:1101 172.16.1.3:1101    a.b.c.179:53  a.b.c.179:53
tcp a.b.c.98:3277  172.16.1.25:3277   a.b.c.247:443 a.b.c.247:443
tcp a.b.c.99:3389  172.16.1.7:3389    ---               ---
tcp a.b.c.100:3389 172.16.1.3:3389    ---                ---
tcp a.b.c.101:3389 172.16.1.11:3389   ---                ---
tcp a.b.c.98:2683  172.16.1.26:2683   a.b.c.69:8670 a.b.c.69:8670
tcp a.b.c.98:4489  172.16.1.39:4489   a.b.c.236:80  a.b.c.236:80
tcp a.b.c.98:1252  172.16.1.49:1252   a.b.c.195:80    a.b.c.195:80
tcp a.b.c.98:1123  172.16.1.69:1123   a.b.c.5:21     a.b.c..5:21
tcp a.b.c.98:1458  172.16.1.62:1458   a.b.c.125:80  a.b.c.125:80
tcp a.b.c.98:4223  172.16.1.39:4223   a.b.c.35:443 a.b.c.35:443
tcp a.b.c.98:4172  172.16.1.36:4172   a.b.c.207:80 a.b.c.207:80
tcp a.b.c.98:4563  172.16.1.26:4563   a.b.c.33:80     a.b.c.33:80
tcp a.b.c.98:1290  172.16.1.49:1290   a.b.c.195:443   a.b.c.195:443
tcp a.b.c.98:3555  172.16.1.23:3555   a.b.c.125:80  a.b.c.125:80
--- a.b.c.99       172.16.1.7         ---              ---
--- a.b.c.100      172.16.1.3         ---              ---
--- a.b.c.101      172.16.1.11        ---             ---
++++++++++++++++++++++++++++++++++++++++++++++++++
 How come there are no "Outside Local\Global" references for the TS Servers?
ASKER CERTIFIED SOLUTION
Avatar of manthax

ASKER

Thanks for the info and keeping me updated.
Have a great weekend.
Avatar of manthax

ASKER

Hello mikebernhardt,

First of all, Happy Holidays!!

I am still not able to TS. However, I was wondering about this setup:

1- Cisco SOHO 91 router connected to a DSL line that we have at the office.
2- Configure the Cisco SOHO 91 router to allow RDP protocol only.
3- Install a second NIC on one Terminal server, and connect that NIC to the Cisco SOHO 91 router.
4- Plug the other NIC on the Terminal server to the LAN, so that I can TS with the rest of the servers...?

Will this set up work?
Will it be secure?

Thanks,
JC
Avatar of manthax

ASKER

I found the solution https://www.experts-exchange.com/questions/21348891/Help-with-CBAC-Config.html
I want to thank GreatWhiteOne and mikebernhardt for their help. I learned a great deal, so I am splitting points. I hope this is fair!