Hello experts!

I cannot connect to any of 3 Windows Terminal Servers. However, unfortunately I am not familiar with Cisco routers.

I do have the passwords and I can log in. After some research I figured out how to show the router configuration. The router was installed and configured by our ISP. I have not made any changes to the configuration. Can someone help me figure it out? I have used a.b.c.d for the external IP address. Sorry for the long post!

Thanks,

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

frame-relay interface-dlci 16

!

ip nat pool a.b.c.d a.b.c.d netmask 255.255.255.248

ip nat inside source list 1 pool overload

ip nat inside source static 172.16.1.3 a.b.c.d extendable

ip nat inside source static 172.16.1.7 a.b.c.d extendable

ip nat inside source static 172.16.1.11 a.b.c.d extendable

ip classless

ip route 0.0.0.0 0.0.0.0 a.b.c.d

no ip http server

no ip http secure-server

!

access-list 1 permit 172.16.1.0 0.0.0.255

access-list 100 permit ipinip any any

access-list 100 permit icmp any any echo

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any traceroute

access-list 100 permit icmp any any unreachable

access-list 100 permit udp any any eq ntp

access-list 100 permit tcp any any eq www

access-list 100 permit udp any any eq domain

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-list 100 permit tcp any any eq 7070

access-list 100 permit tcp any any eq 443

access-list 100 permit tcp any any eq telnet

access-list 100 permit gre any any

access-list 100 permit ip 172.16.1.0 0.0.0.255 any

access-list 100 permit tcp host 172.16.1.3 eq 3389 any

access-list 100 permit tcp host 172.16.1.7 eq 3389 any

access-list 100 permit tcp host 172.16.1.9 eq 3389 any

access-list 100 permit tcp any any eq 8025

access-list 100 permit udp any any eq 3389

access-list 100 permit udp any any eq 25

access-list 100 permit tcp any any eq 3389

access-list 100 permit udp any any eq 80

access-list 102 deny tcp any any eq 137

access-list 102 deny tcp any any eq 138

access-list 102 deny tcp any any eq 139

access-list 102 deny tcp any any eq finger

access-list 102 remark block all netbios to the internet

access-list 102 permit ip any any

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

access-list 100 permit tcp host 172.16.1.3 eq 3389 any

should be

access-list 100 permit tcp any host 172.16.1.3 eq 3389

You can just use this too...

access-list 100 permit tcp any any eq 3389

That will allow traffic to any host that is rdp related.

Or you can copy then paste the following into your terminal window.

no access-list 100 permit tcp host 172.16.1.3 eq 3389 any

no access-list 100 permit tcp host 172.16.1.7 eq 3389 any

no access-list 100 permit tcp host 172.16.1.9 eq 3389 any

access-list 100 permit tcp any host 172.16.1.3 eq 3389

access-list 100 permit tcp any host 172.16.1.7 eq 3389

access-list 100 permit tcp any host 172.16.1.9 eq 3389

if this works, don't forget to type "write mem" afterwards.

If it does not work, then you can reload the router and you will be back where you started.

Good luck

Thanks again

Good luck

So far I have tried the first two options:

access-list 100 permit tcp any host 172.16.1.3 eq 3389, and access-list 100 permit tcp any any eq 3389, but I still cannot connect...

I noticed under IP Nat Pool that there are two external IPs. However, none of them are mapped to either Terminal servers. For example:

ip nat pool SBC a.b.c.97 a.b.c.98 netmask 255.255.255.248

ip nat inside source list 1 pool SBC overload

ip nat inside source static 172.16.1.3 a.b.c.100 extendable

ip nat inside source static 172.16.1.7 a.b.c.99 extendable

ip nat inside source static 172.16.1.11 a.b.c.101 extendable

Could that be the problem?

Also, I was using telnet and tried to copy and paste (3rd option) like you suggested, and I lost the connection to the router, that's why I asked if there was a proper way of copy-paste. I don't know what I am doing!

So I drove down to the office (15 minutes from home) and checked it out. Everything seems to be alright (I am writing this post from work!)... But I cannot connect to any TS :-(

Anything else I should try?

Thanks for all your help and time! I appreciate it.

JC

For starters, you already have the terminal services entries in your configuration. Are you able to terminal services to the servers locally? I do not see any reason to believe the router is causing the problem from the little bit of information provided.

Please post the access-group line and the interfaces they are applied to.

Thanks,

Dan

I am able to connect to the terminal servers from within the LAN. I was able to connect to them before we switched to the Cisco router.

Is information missing from the access-list I posted in my original post?

Please advise.

Thanks,

JC

If they are not

172.16.1.3

172.16.1.7

or 172.16.1.11

then yes, you are right about the external IP address mapping. Since it was not listed, I kind of assumed that those were their internal servers.

Let me know...

Thanks,

Daniel

You are right, those are the IP's of the terminal servers. I am sorry for the confusion.

Thank you for your patience!

You need to do the following:

1. copy your entire access list into notepad and edit it how you want it.

2. On the interface, type

no ip access-group 100 in

This will make sure it isn't being used.

3. now type

no access-list 100

4. now paste in the new access list

5. Now go back to the interface and type

ip access-group 100 in

I would suggest that if you didn't save the changes you made, that you reboot the router to put it back how it was originally. You probably have people complaining about their internet access.

Now that said, the lines

access-list 100 permit tcp host 172.16.1.3 eq 3389 any

access-list 100 permit tcp host 172.16.1.7 eq 3389 any

access-list 100 permit tcp host 172.16.1.9 eq 3389 any

are useless because this is an inbound list (I think- as earlier stated, you need to show us your interface config so we can see how it was applied). Those lines are allowing OUTSIDE servers with those private addresses into your network. This line

access-list 100 permit tcp any any eq 3389

should be all you need.

no access-list 100 - It will erase all of the entries, but if you type:

no access-list 100 permit tcp host 172.16.1.3 eq 3389 any - It will only delete that line of the access list.

I wanted to make sure you understand that if you are going to learn anything about Cisco, because that becomes very important. If it was not that way, every time you needed to change an access-list then you would have to recreate the whole thing, and you don't have to recreate the whole thing all the time.

I agree with mikebernhardt that all I would use is the access-list 100 permit tcp any any eq 3389. Can you post the rest of your config for us like he said?

Looking it over further, you need to change the inside commands to outside. It should read:

ip nat outside source static a.b.c.100 172.16.1.3

That command tells it to translate anything hitting that external IP address to the internal IP address stated. The way you have it now, whenever those servers send information to the internet, the router masks their IP address as the specified IP address in the NAT... So 1.3 always goes to the internet as c.100....

Good luck

Thank you so much for all your help in this matter. When you asked to post the rest of the configuration. How do I do that? I thought that "sh run" was all I needed? I am sorry for the dumb question, but I just want to make sure I sent you the right information the first time, so that I don't waste your time.

Thanks,

John C

Show run is what you need, but we want to get some other parts that do not seem to be listed. Are you saying that the config you listed is everything? Try what I told you about the changing of the nat command.

I will try to change the nat command as you suggested. Do you think it would be easier if I post the real IP addresses?

Thanks Again,

++++++++++++++++++++++++++

Building configuration...

Current configuration : 4281 bytes

!

! Last configuration change at 22:15:15 UTC Sat Oct 2 2004

!

version 12.3

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging buffered 4096 debugging

enable password 7 05180B0C1E4940081B0912

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

ip cef

!

!

ip inspect dns-timeout 30

ip inspect name myfw cuseeme

ip inspect name myfw rcmd

ip inspect name myfw udp

ip inspect name myfw tcp

ip inspect name myfw tftp

ip inspect name myfw smtp

ip inspect name myfw realaudio

ip inspect name myfw h323

ip inspect name myfw ftp

ip inspect name myfw http

ip inspect name myfw streamworks

ip inspect name myfw vdolive

ip inspect name myfw sqlnet

!

ip audit notify log

ip audit po max-events 100

ip name-server a.b.c.179

ip name-server a.b.c.198

no ftp-server write-enable

!

!

!

interface FastEthernet0

description << Local Lan Network >>

ip address 172.16.1.1 255.255.255.0

ip access-group 102 in

ip nat inside

speed auto

no cdp enable

!

interface Serial0

no ip address

encapsulation frame-relay IETF

no fair-queue

service-module t1 timeslots 1-24

frame-relay lmi-type ansi

!

interface Serial0.1 point-to-point

description << Link to SBCIS ckt HCGM 003125 T1 >>

ip address a.b.c.50 255.255.255.252

ip access-group 100 in

ip nat outside

ip inspect myfw out

frame-relay interface-dlci 16

!

ip nat pool SBC a.b.c.97 a.b.c.98 netmask 255.255.255.248

ip nat inside source list 1 pool SBC overload

ip nat inside source static 172.16.1.3 a.b.c.100 extendable

ip nat inside source static 172.16.1.7 a.b.c.99 extendable

ip nat inside source static 172.16.1.11 a.b.c.101 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 a.b.c.49

no ip http server

no ip http secure-server

!

access-list 1 permit 172.16.1.0 0.0.0.255

access-list 100 permit ipinip any any

access-list 100 permit icmp any any echo

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any traceroute

access-list 100 permit icmp any any unreachable

access-list 100 permit udp any any eq ntp

access-list 100 permit tcp any any eq www

access-list 100 permit udp any any eq domain

access-list 100 permit tcp any any eq smtp

access-list 100 permit tcp any any eq pop3

access-list 100 permit tcp any any eq 7070

access-list 100 permit tcp any any eq 443

access-list 100 permit tcp any any eq telnet

access-list 100 permit gre any any

access-list 100 permit ip 172.16.1.0 0.0.0.255 any

access-list 100 permit tcp a.b.c.0 0.0.0.255 any eq telnet

access-list 100 permit tcp host 172.16.1.3 eq 3389 any

access-list 100 permit tcp host 172.16.1.7 eq 3389 any

access-list 100 permit tcp host 172.16.1.9 eq 3389 any

access-list 100 permit tcp any any eq 8025

access-list 100 permit udp any any eq 3389

access-list 100 permit udp any any eq 25

access-list 100 permit tcp any any eq 3389

access-list 100 permit udp any any eq 80

access-list 100 permit tcp any host 172.16.1.3 eq 3389

access-list 102 deny tcp any any eq 137

access-list 102 deny tcp any any eq 138

access-list 102 deny tcp any any eq 139

access-list 102 deny tcp any any eq finger

access-list 102 remark block all netbios to the internet

access-list 102 permit ip any any

!

line con 0

line aux 0

line vty 0 4

password 7 0832414D360D001B1C0E18

login

!

ntp clock-period 17179844

ntp server 207.55.146.54

ntp server 128.10.252.10

!

end

++++++++++++++++++++++++++

ip nat inside source static 172.16.1.3 a.b.c.100 extendable

ip nat inside source static 172.16.1.7 a.b.c.99 extendable

ip nat inside source static 172.16.1.11 a.b.c.101 extendable

This means that to get to terminal services, you have to go to a.b.c.100, a.b.c.99 or a.b.c.101. Is that what you're trying to do? If you go to a.b.c.50 it won't work.

Config t

ip nat outside source static a.b.c.100 172.16.1.3. As soon as I did this, I received the following error message on my workstation: "The system detected and address conflict for IP address 172.16.1.3 with the system having network hardware address 00.0E:84B7:48:F8. Network operations on this system may be disrupted as a result". The MAC address (00.0E:84B7:48:F8) is the MAC address of the Cisco router!

I went back to the Cisco config t and reloaded without saving any changes. I don't understand. It must be something I did wrong!

Yes, that is exactly what I am trying to do. I have tried .100, .99 and .101. I had the feeling that using .50 would not work, but I tried it anyway. If I ping those addresses, I get a reply. However, no cigar!

Thank you for your time.

JC

A correction to my last post. The reason it is used is because although you changed your translation statement, the router still cached the old one. You need to "clear ip nat translation" after the change.

interface Serial0.1 point-to-point

no ip inspect myfw out

Then see if it works. Also, add the following line

access-list 100 permit tcp any any established

The first statement

"interface Serial0.1 point-to-point

no ip inspect myfw out"

I have to do this at the interface level? config t > interface Serial0.1 point-to-point? Is that correct?

Thanks,

interface Serial0.1 point-to-point

no ip inspect myfw out

You can type

interface Serial0.1

no ip inspect myfw out

I'm pretty convinced at this point that this is your problem. Let me know. I think you would need to make it " ip inspect myfw in."

This is what I did:

config t

interface Serial0.1

no ip inspect myfw out

^Z

All the workstations and servers on the LAN lost Internet connection. I had to reload once again, without saving changes. Internet connection is back to normal. We do have a software proxy (this is a product that we are testing) on the network with an IP address of 172.16.1.2. There are 36 workstations that receive their IP address from a W2K DHCP server that assigns the default gateways in the following order: 172.16.1.2 (Proxy), and 172.16.1.1 (Cisco Router).

The terminal servers have static IPs and their default gateway is the Cisco Router. Which I prefer, over the software proxy. Do you think this setup may be the problem?

Thanks,

JC

Try changing this

ip nat inside source static 172.16.1.3 a.b.c.100 extendable

ip nat inside source static 172.16.1.7 a.b.c.99 extendable

ip nat inside source static 172.16.1.11 a.b.c.101 extendable

to this

ip nat inside source static tcp 172.16.1.3 3389 a.b.c.100 3389

ip nat inside source static tcp 172.16.1.7 3389 a.b.c.99 3389

ip nat inside source static tcp 172.16.1.11 3389 a.b.c.101 3389

Then type "clear ip nat translation" after you've left config mode. Note that this will limit those servers NAT, so that only port 3389 will be available on those outside IP addresses. You won't be able to access them on other ports from the outside. This shouldn't help, but maybe it will. I can't see that anything else is wrong.

If that doesn't help, I have to wonder if you've hit a software bug or something. Please give us the output of "show version" so we can see what version of software the router is running. Also, try the following:

1. Try to access TS from wherever you usually do it.

2. Immediately after it fails, type "show access-list 100" on the router and post the output here.

By the way, your access list 100 is permitting a lot of traffic to come into your network that you probably don't want. For example, anyone can telnet to your router and into your network. Anyone can access any web servers you may have. And anyone using a source address of 172.16.1.x can get in- and those could only be spoofed addresses if they're coming from outside. Several lines are redundant and unnecessary. You may want to tighten that up for security's sake, though it has nothing to do with your TS problem. But that's a whole other question.
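The problems the replies above point out in ACL 100 (a port matched on the source side, private source addresses permitted on the outside interface, telnet open to any source) can be checked mechanically. This is an added example, not code from the thread: a Python check run over a constructed subset of the posted entries. The function names and finding labels are assumptions of this example, and the private-destination check relies on IOS evaluating an inbound ACL before outside-to-inside NAT, so the packet still carries the public address at that point.

```python
import ipaddress

# Constructed sample: a subset of the ACL 100 entries posted in the thread.
# ACL 100 is applied inbound on the outside interface (Serial0.1).
ACL_100 = """\
access-list 100 permit icmp any any echo
access-list 100 permit tcp any any eq telnet
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp a.b.c.0 0.0.0.255 any eq telnet
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any host 172.16.1.3 eq 3389
access-list 100 permit tcp any any established
"""

# Port operators and the number of port arguments each one takes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _endpoint(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    _wildcard = tokens[i + 1]  # raises IndexError if the mask is missing
    return tokens[i], i + 2


def _port(tokens, i, proto):
    """Parse an optional TCP/UDP port match such as 'eq 3389'."""
    if proto in ("tcp", "udp") and i < len(tokens) and tokens[i] in PORT_OPS:
        end = i + 1 + PORT_OPS[tokens[i]]
        return " ".join(tokens[i:end]), end
    return None, i


def parse_ace(line):
    """Split one numbered extended ACL entry into fields, or return None."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None  # remarks, standard ACL entries, blank lines
    ace = {"line": line.strip(), "action": t[2], "proto": t[3]}
    try:
        ace["src"], i = _endpoint(t, 4)
        ace["src_port"], i = _port(t, i, ace["proto"])
        ace["dst"], i = _endpoint(t, i)
        ace["dst_port"], i = _port(t, i, ace["proto"])
    except IndexError:
        return None  # truncated entry
    ace["options"] = t[i:]  # e.g. 'established' or an ICMP type
    return ace


def _is_private(addr):
    """True for RFC 1918 addresses; masked text such as 'a.b.c.0' is unknown."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def audit_inbound_outside(acl_text):
    """Return (finding, line) pairs for permits in an inbound outside ACL."""
    findings = []
    for raw in acl_text.splitlines():
        ace = parse_ace(raw)
        if ace is None or ace["action"] != "permit":
            continue
        # A private source arriving from the Internet can only be spoofed.
        if _is_private(ace["src"]):
            findings.append(("private-source", ace["line"]))
        # 'host X eq 3389 any' matches the SOURCE port, not the service port.
        if ace["src_port"] and not ace["dst_port"]:
            findings.append(("port-on-source", ace["line"]))
        # Before NAT the destination is still the public address.
        if _is_private(ace["dst"]):
            findings.append(("private-destination", ace["line"]))
        # Management access open to every source address.
        if ace["src"] == "any" and ace["dst_port"] in ("eq telnet", "eq 23"):
            findings.append(("telnet-from-any", ace["line"]))
    return findings


if __name__ == "__main__":
    for kind, line in audit_inbound_outside(ACL_100):
        print(f"{kind:20} {line}")
```

Entries whose addresses are masked (a.b.c.0) are parsed but cannot be classified as private or public, so they produce no address finding.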

I added the statements as you suggested. I noticed that the new statements were appended to the bottom of the list. Is that how it is supposed to be?

After I left config mode (back to #) I typed "clear ip nat translation" and received an "Incomplete command". I know it must be something I did!...

I would like to tighten the security on the router. We are a small shop, and do not have any web or email servers in our LAN (everything is hosted by third party providers). However, I find it very scary that anyone using a source address of 172.16.1 can get in, but like you said, "that's a whole other question". I am going to try and connect to TS, and I will let you know the results.

I am also pasting the Router version for your review ( I sound like a Cisco expert ;-)). Thanks a million for all your help!.

++++++++++++++++++++++++++

Router#show version

Cisco Internetwork Operating System Software

IOS (tm) C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2003 by cisco Systems, Inc.

Compiled Tue 25-Nov-03 11:18 by kellythw

Image text-base: 0x80008120, data-base: 0x80F7CAF4

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

Router uptime is 19 hours, 53 minutes

System returned to ROM by reload at 21:45:44 UTC Mon Oct 4 2004

System restarted at 21:47:39 UTC Mon Oct 4 2004

System image file is "flash:c1700-advsecurityk9

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

cisco 1721 (MPC860P) processor (revision 0x300) with 56945K/8591K bytes of memory.

Processor board ID FOC08021416 (2859757696), with hardware revision 0000

MPC860P processor: part number 5, mask 2

Bridging software.

X.25 software, Version 3.0.0.

1 FastEthernet/IEEE 802.3 interface(s)

1 Serial network interface(s)

WIC T1-DSU

32K bytes of non-volatile configuration memory.

32768K bytes of processor board System flash (Read/Write)

++++++++++++++++++++++++++

I just tried it, and it did not work. Do you think it would be easier if I sent you the access-list 100 to your email? I am not sure if I should post the real outside IPs on this forum. Please let me know.

Thanks,

JC

So here's what I'm looking for in the access list... If you compare the configured access list 100 with the output of "show access-list 100" you should see a lot of extra stuff in the latter after the last configured line. This is placed there dynamically by the ip inspect function. What I want to see specifically is anything placed there that relates to your terminal services. So anything that has "3389" in it, after the configured stuff. You may have a lot to sort through, I don't know. You can mask the outside IPs for the lines you post here.

Router>clear ip nat translation *

^

% Invalid input detected at '^' marker.?? It must be me!...

Also, this is the Access-list 100. I've decided to go ahead and give you the whole list. I did not see a lot of references to "3389" except for the part at the bottom that reads:

"250 permit tcp any any eq 3389 (51 matches)"

++++++++++++++++++++++++++

Extended IP access list 100

permit tcp host a.b.c.139 eq www host a.b.c.98 eq 1830 (50 matches)

permit tcp host a.b.c.139 eq www host a.b.c.98 eq 1829 (41 matches)

permit udp host a.b.c.179 eq domain host a.b.c.100 eq 1101 (21 matches)

permit tcp host a.b.c.209 eq www host a.b.c.98 eq 2163 (64 matches)

permit tcp host a.b.c.209 eq www host a.b.c.98 eq 2162 (79 matches)

permit tcp host a.b.c.51 eq 1863 host a.b.c.98 eq 1313 (18 matches)

permit tcp host a.b.c.94 eq www host a.b.c.98 eq 1323 (8 matches)

permit tcp host a.b.c.39 eq 1863 host a.b.c.98 eq 3998 (141 matches)

permit tcp host a.b.c.170 eq www host a.b.c.98 eq 1899 (117 matches)

permit tcp host a.b.c.170 eq www host a.b.c.98 eq 1898 (121 matches)

permit tcp host a.b.c.139 eq 1494 host a.b.c.98 eq 2643 (16892 matches)

permit tcp host a.b.c.118 eq www host a.b.c.98 eq 1322 (6 matches)

permit tcp host a.b.c.45 eq www host a.b.c.98 eq 2099 (21 matches)

permit tcp host a.b.c.54 eq www host a.b.c.98 eq 1321 (5 matches)

permit tcp host a.b.c.178 eq www host a.b.c.98 eq 1343 (4 matches)

permit tcp host a.b.c.175 eq www host a.b.c.98 eq 1901 (5 matches)

permit tcp host a.b.c.206 eq www host a.b.c.98 eq 1331 (10 matches)

permit tcp host a.b.c.206 eq www host a.b.c.98 eq 1327 (78 matches)

permit tcp host a.b.c.6 eq 443 host a.b.c.98 eq 1347 (31 matches)

permit tcp host a.b.c.6 eq 443 host a.b.c.98 eq 1337 (81 matches)

permit tcp host a.b.c.98 eq 443 host a.b.c.98 eq 4008 (12 matches)

permit tcp host a.b.c.32 eq 6350 host a.b.c.98 eq 1839 (10121 matches)

10 permit ipinip any any

20 permit icmp any any echo (31878 matches)

30 permit icmp any any echo-reply

40 permit icmp any any packet-too-big

50 permit icmp any any time-exceeded (9616 matches)

60 permit icmp any any traceroute

70 permit icmp any any unreachable

80 permit udp any any eq ntp (1578 matches)

90 permit tcp any any eq www (2348 matches)

100 permit udp any any eq domain (63 matches)

110 permit tcp any any eq smtp (20538 matches)

120 permit tcp any any eq pop3

130 permit tcp any any eq 7070

140 permit tcp any any eq 443 (8446 matches)

150 permit tcp any any eq telnet (2538 matches)

160 permit gre any any

170 permit ip 172.16.1.0 0.0.0.255 any

180 permit tcp a.b.c.0 0.0.0.255 any eq telnet

190 permit tcp host 172.16.1.3 eq 3389 any

200 permit tcp host 172.16.1.7 eq 3389 any

210 permit tcp host 172.16.1.9 eq 3389 any

220 permit tcp any any eq 8025

230 permit udp any any eq 3389

240 permit udp any any eq 25

250 permit tcp any any eq 3389 (51 matches)

260 permit udp any any eq 80

270 permit tcp any any established (40630 matches)

++++++++++++++++++++++++++

Thank you!

I went to the router and executed the command "clear ip nat translation *", and this time the router did not bark at me with an error message.

I've also tried again to TS, but no luck yet...

Where are you trying to connect to the terminal servers from?

Can you verify that your TS have the router as their default Gateway, and that there are NO other gateways configured. Use the command prompt...

ipconfig /all

Please post the output.

At the office we have a T1 and we also have a DSL line that is not being used for anything right now, except for me to troubleshoot this problem!

All the servers are hard coded; their IPs are:

172.16.1.3, 172.16.1.7, 172.16.1.11 subnet mask 255.255.255.0, and their default gateway is the Cisco router 172.16.1.1.

I was able to TS to those servers before we switched to the Cisco router, the only difference is that now we are using a private block of IPs instead of public IPs....

CMD Output:

++++++++++++++++++++++++++

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : DC1

Primary DNS Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . .

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter

Physical Address. . . . . . . . . : 00-0B-CD-4D-F6-97

DHCP Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 172.16.1.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :172.16.1.1

DNS Servers . . . . . . . . . . . : 172.16.1.5

172.16.1.3

++++++++++++++++++++++++++

Thanks,

JC

access-list 25 permit host [your host address]

access-list 25 permit host [the TS public address]

access-list 25 permit host [the TS private address]

debug ip nat 25 detailed

Also type

terminal monitor

If your terminal software supports it, dump the session to a text file. Now, try to TS into one of the servers. Then type "u all" to turn off debug. It will probably lag for a little bit. Now go through and look for every line that references either the inside or outside address of the TS server, and post the output here. I want to see if NAT is working correctly both ways.

Then, in config mode again, type

access-list 111 permit tcp any any eq 3389

access-list 111 permit tcp any eq 3389 any

in enable mode, type

debug ip packet 111 detail

Again, capture the data to a text file and try to use TS. Post the output here. when this is all done you can just delete the access lists with

no access-list 25

no access-list 111

I am sorry, but I am confused about this:

access-list 25 permit host [your host address] I am not sure about what goes here?

access-list 25 permit host [the TS public address] a.b.c.100

access-list 25 permit host [the TS private address] 172.16.1.3

Maybe it is the fact that I am on my first cup of coffee...

Please advise. Thanks

access-list 25 permit host [the TS public address] a.b.c.100

access-list 25 permit host [the TS private address] 172.16.1.3

Instead of:

access-list 25 permit host a.b.c.100

access-list 25 permit host [the TS public address] a.b.c.100

access-list 25 permit host [the TS private address] 172.16.1.3

So, it should be two statements instead of three?

Pardon my ignorance.

Problem is, one of my servers just crashed due to hard drive failure. So I need to work on that server for the rest of the afternoon, and no it's not one of the terminal servers ;-)

Please let me know. I can't believe that you actually trust me to do these things!

Even if this thing does not work, I feel that I am learning a great deal.

Thanks again.

John C.

debug ip nat 25 detailed and debug ip packet 111 detail:

++++++++++++++++++++++++++

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27392]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27392]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [34278]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [34278]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27394]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27394]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [34528]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [34528]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27400]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27400]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35191]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35191]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27402]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27402]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35251]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35251]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27404]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27404]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35435]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35435]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27406]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27406]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35467]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35467]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27408]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27408]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35500]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35500]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27410]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27410]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35525]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35525]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27412]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27412]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35549]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35549]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27414]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27414]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35584]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35584]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27416]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27416]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [35807]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [35807]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27434]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27434]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36179]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36179]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27436]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27436]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36199]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36199]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27549]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27549]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36699]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36699]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27557]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27557]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36911]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36911]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27559]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27559]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [36957]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [36957]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27561]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27561]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37062]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37062]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27564]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27564]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37384]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37384]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27566]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27566]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37567]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37567]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27569]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27569]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [37854]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [37854]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27571]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27571]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [38095]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [38095]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27617]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27617]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [41927]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [41927]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27619]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27619]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42070]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42070]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27622]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27622]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42192]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42192]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27658]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27658]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [27661]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [27661]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42346]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42346]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [42350]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [42350]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [28558]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [28558]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [56314]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [56314]

1d22h: NAT: creating portlist proto 6 globaladdr a.b.c.100

1d22h: NAT: Allocated Port for 172.16.1.3 -> a.b.c.100: wanted 3389 got 3389

1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4415]

1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4415]

1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28818]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28818]

1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4416]

1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4416]

1d22h: NAT*: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28918]

1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28918]

1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [28919]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [28919]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29029]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29029]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15867]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15867]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29031]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29031]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15917]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15917]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29033]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29033]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [15981]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [15981]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29036]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29036]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16080]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16080]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29040]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29040]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16188]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16188]

1d22h: NAT: o: tcp (a.b.c.219, 1249) -> (a.b.c.100, 3389) [4417]

1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4417]

1d22h: NAT*: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [29042]

1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29042]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29045]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29045]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16429]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16429]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29046]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29046]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16435]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16435]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29049]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29049]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [16519]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [16519]

1d22h: NAT: i: tcp (172.16.1.3, 3389) -> (a.b.c.219, 1249) [29061]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29061]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29395]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29395]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19342]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19342]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29421]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29421]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19426]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19426]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29423]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29423]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19503]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19503]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29437]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29437]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19599]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19599]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29496]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29496]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19776]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19776]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29645]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29645]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [19876]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [19876]

1d22h: NAT: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4444]

1d22h: NAT: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4444]

1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29664]

1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29664]

1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4450]

1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4450]

1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29671]

1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29671]

1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4452]

1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4452]

1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29673]

1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29673]

1d22h: NAT*: o: icmp (a.b.c.219, 512) -> (a.b.c.100, 512) [4454]

1d22h: NAT*: s=a.b.c.219, d=a.b.c.100->172.16.1.3 [4454]

1d22h: NAT*: i: icmp (172.16.1.3, 512) -> (a.b.c.219, 512) [29682]

1d22h: NAT*: s=172.16.1.3->a.b.c.100, d=a.b.c.219 [29682]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29779]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29779]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24206]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24206]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29781]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29781]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24250]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24250]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [29783]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [29783]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [24333]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [24333]

1d22h: NAT: expiring a.b.c.100 (172.16.1.3) tcp 3389 (3389)

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30151]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30151]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31728]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31728]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30153]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30153]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31779]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31779]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30155]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30155]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31900]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31900]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30171]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30171]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [31992]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [31992]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30209]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30209]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [32331]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [32331]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30211]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30211]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [32621]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [32621]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30217]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30217]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [33272]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [33272]

1d22h: NAT: expiring a.b.c.100 (172.16.1.3) icmp 512 (512)

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30452]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30452]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [46761]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [46761]

1d22h: NAT: i: udp (172.16.1.3, 1101) -> (a.b.c.179, 53) [30468]

1d22h: NAT: s=172.16.1.3->a.b.c.100, d=a.b.c.179 [30468]

1d22h: NAT: o: udp (a.b.c.179, 53) -> (a.b.c.100, 1101) [47116]

1d22h: NAT: s=a.b.c.179, d=a.b.c.100->172.16.1.3 [47116]

++++++++++++++++++++++++++

debug ip packet 111 detail

++++++++++++++++++++++++++

Router#debug ip packet 111 detail

IP packet debugging is on (detailed) for access list 111

1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward

1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN

1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect

1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN

1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward

1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN

1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect

1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN

1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward

1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN

1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect

1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN

++++++++++++++++++++++++++

I wonder why the input of this one is much smaller than debug ip nat 25 detailed?
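The `debug ip packet 111 detail` capture above can also be read programmatically. The following is an added example, not part of the original post: it pairs each IP line with its TCP detail line and reports handshakes where the SYN was forwarded but the matching SYN-ACK was not. The first four sample lines come from the capture, the last four are a constructed contrast flow, and the function names are this example's own.

```python
import re

# Lines 1-4 are from the debug output quoted above; lines 5-8 are a constructed
# flow (documentation addresses) whose reply is forwarded, for contrast.
SAMPLE = """\
1d22h: IP: s=a.b.c.219 (Serial0.1), d=172.16.1.3 (FastEthernet0), g=172.16.1.3, len 48, forward
1d22h: TCP src=1251, dst=3389, seq=423673827, ack=0, win=65535 SYN
1d22h: IP: s=a.b.c.100 (FastEthernet0), d=a.b.c.219 (Serial0.1), len 48, dropped by inspect
1d22h: TCP src=3389, dst=1251, seq=3697422952, ack=423673828, win=65535 ACK SYN
1d22h: IP: s=192.0.2.10 (Serial0.1), d=172.16.1.62 (FastEthernet0), g=172.16.1.62, len 48, forward
1d22h: TCP src=4000, dst=80, seq=1000, ack=0, win=65535 SYN
1d22h: IP: s=192.0.2.98 (FastEthernet0), d=192.0.2.10 (Serial0.1), g=192.0.2.1, len 48, forward
1d22h: TCP src=80, dst=4000, seq=5000, ack=1001, win=65535 ACK SYN
"""

IP_RE = re.compile(r"IP: s=(?P<src>\S+) \([^)]+\), d=(?P<dst>\S+) \([^)]+\),"
                   r".*?len \d+, (?P<verdict>.+?)\s*$")
TCP_RE = re.compile(r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=(?P<seq>\d+), "
                    r"ack=(?P<ack>\d+), win=\d+ (?P<flags>[A-Z ]+?)\s*$")


def parse(text):
    """Pair each 'IP:' line with the 'TCP' detail line that follows it."""
    packets, pending = [], None
    for line in text.splitlines():
        ip, tcp = IP_RE.search(line), TCP_RE.search(line)
        if ip:
            pending = ip.groupdict()
        elif tcp and pending:
            pkt = dict(pending, **tcp.groupdict())
            for key in ("sport", "dport", "seq", "ack"):
                pkt[key] = int(pkt[key])
            pkt["flags"] = frozenset(pkt["flags"].split())
            packets.append(pkt)
            pending = None
    return packets


def blocked_replies(packets):
    """Return (syn, reply) pairs: SYN forwarded, matching SYN-ACK not forwarded."""
    # NAT gives the server a different address in each direction, so match on
    # the outside peer, the swapped ports and ack == seq + 1, not the server IP.
    syns = [p for p in packets if p["flags"] == {"SYN"} and p["verdict"] == "forward"]
    hits = []
    for r in packets:
        if r["flags"] != {"SYN", "ACK"} or r["verdict"] == "forward":
            continue
        for s in syns:
            if (r["dst"], r["dport"], r["sport"], r["ack"]) == (
                    s["src"], s["sport"], s["dport"], s["seq"] + 1):
                hits.append((s, r))
                break
    return hits
```

Calling `blocked_replies(parse(SAMPLE))` returns the one RDP handshake whose reply carries the verdict `dropped by inspect`; the constructed port 80 flow is not reported.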

Thank you for all the information.

I've also found this:

++++++++++++++++++++++++++

sh ip nat translation

Pro Inside global Inside local Outside local Outside global

tcp a.b.c.98:2346 172.16.1.62:2346 a.b.c.250:80 a.b.c.250:80

tcp a.b.c.98:4179 172.16.1.36:4179 81.52.250.104:80 81.52.250.104:80

tcp a.b.c.98:4174 172.16.1.36:4174 81.52.250.111:80 81.52.250.111:80

tcp a.b.c.98:4175 172.16.1.36:4175 81.52.250.111:80 81.52.250.111:80

tcp a.b.c.98:4176 172.16.1.36:4176 81.52.250.111:80 81.52.250.111:80

tcp a.b.c.98:4177 172.16.1.36:4177 81.52.250.111:80 81.52.250.111:80

udp a.b.c.100:1101 172.16.1.3:1101 a.b.c.179:53 a.b.c.179:53

tcp a.b.c.98:3277 172.16.1.25:3277 a.b.c.247:443 a.b.c.247:443

tcp a.b.c.99:3389 172.16.1.7:3389 --- ---

tcp a.b.c.100:3389 172.16.1.3:3389 --- ---

tcp a.b.c.101:3389 172.16.1.11:3389 --- ---

tcp a.b.c.98:2683 172.16.1.26:2683 a.b.c.69:8670 a.b.c.69:8670

tcp a.b.c.98:4489 172.16.1.39:4489 a.b.c.236:80 a.b.c.236:80

tcp a.b.c.98:1252 172.16.1.49:1252 a.b.c.195:80 a.b.c.195:80

tcp a.b.c.98:1123 172.16.1.69:1123 a.b.c.5:21 a.b.c..5:21

tcp a.b.c.98:1458 172.16.1.62:1458 a.b.c.125:80 a.b.c.125:80

tcp a.b.c.98:4223 172.16.1.39:4223 a.b.c.35:443 a.b.c.35:443

tcp a.b.c.98:4172 172.16.1.36:4172 a.b.c.207:80 a.b.c.207:80

tcp a.b.c.98:4563 172.16.1.26:4563 a.b.c.33:80 a.b.c.33:80

tcp a.b.c.98:1290 172.16.1.49:1290 a.b.c.195:443 a.b.c.195:443

tcp a.b.c.98:3555 172.16.1.23:3555 a.b.c.125:80 a.b.c.125:80

--- a.b.c.99 172.16.1.7 --- ---

--- a.b.c.100 172.16.1.3 --- ---

--- a.b.c.101 172.16.1.11 --- ---

++++++++++++++++++++++++++

How come there are no "Outside Local\Global" references for the TS Servers?

First of all, Happy Holidays!!

I am still not able to TS. However, I was wondering about this setup:

1- Cisco SOHO 91 router connected to a DSL line that we have at the office.

2- Configure the Cisco SOHO 91 router to allow RDP protocol only.

3- Install a second NIC on one Terminal server, and connect that NIC to the Cisco SOHO 91 router.

4- Plug the other NIC on the Terminal server to the LAN, so that I can TS with the rest of the servers...?

Will this set up work?

Will it be secure?

Thanks,

JC

I want to thank GreatWhiteOne and mikebernhardt for their help. I learned a great deal, so I am splitting points. I hope this is fair!

Question has a verified solution.


I've been very busy the last few days and haven't been able to look into your problem any further. Today is no better :-(