Enable Port 3389 on Cisco 1700 series router

I have a Windows 2003 Server with Terminal Services running on it. I worked with my firewall vendor to allow outside access from port 3389. They now tell me I need to open up port 3389 on my Cisco router. Can you tell me which commands I need to enter to accomplish this?



shermetaAuthor Commented:
If I make my question worth more points will it get answered quicker?

The port is already open unless you have an access list.  Otherwise it's:

access-list <number of ACL> permit 3389 any any <---- this makes everything open to that port
access-list <number of ACL> permit 3389 <ip address coming from> <inverse subnet of source> host <server IP>

The second statement is much more secure as it only allows the traffic from one subnet to a specific host rather than opening it up for everything.  For troubleshooting, you may want to use the first one at first then fine-tune it.  However, if you have no ACL applied to the interface, this port is probably already open.
shermetaAuthor Commented:
Forgive me, as I'm really not a Cisco guy.

So I should just go into enable mode and type in
"access-list" 1 permit 3389 any any - or do I need to be in config t?

This will allow anyone from the Internet to reach my Terminal Server?


shermetaAuthor Commented:
Okay, I went into enable mode, then I entered config t mode.
Here's the command I typed and where I had problems.

access-list 1 permit 3389 any <ip of server>
I don't think it liked the 3389 value, because after the permit I hit ? and "any" was on the list of available choices, not a port number. Maybe port 3389 is not already configured.

Hopefully you understand what I'm saying here. Let me know if you need more info.

You can't use a standard access-list (1-99), as it does not support destination addresses and ports. Also, the syntax is wrong; it should be:

access-list 100 permit tcp any any eq 3389

If you are running NAT on your router, you will also need to forward port 3389 to your internal server running RDP.

ip nat inside source static tcp <internal IP address> 3389 <outside interface or IP address> 3389
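The two answers above give the extended ACL and the static port forward as single lines. The following is an added IOS configuration example, not posted by anyone in this thread, that puts them together the way a practitioner would deploy them: the ACL is narrowed to one source network (the point made in the first answer) instead of "any", the NAT roles are set on the interfaces, and the ACL is actually applied, since an access-list that is not bound to an interface with ip access-group filters nothing. All addresses (192.168.10.25, 203.0.113.50, 198.51.100.0/24) and the interface names are placeholder assumptions; the real outside address on this router may live on a Serial0 subinterface.

```cisco
! Added example, not from the thread. Placeholder addresses are assumed:
!   192.168.10.25   = inside (private) address of the Terminal Server
!   203.0.113.50    = public address on the router's outside interface
!   198.51.100.0/24 = the one remote network that should be allowed to use RDP
!
! 1. Extended ACL (100-199): only the listed source may reach the server's
!    public address on TCP/3389. Standard ACLs (1-99) cannot match ports.
!    Inbound ACLs on the outside interface are checked before NAT, so the
!    destination is the public address, not the inside one.
access-list 100 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.50 eq 3389
! Return traffic for sessions started from inside would otherwise be dropped
! by the implicit "deny ip any any" at the end of the list.
access-list 100 permit tcp any any established
!
! 2. Static port forward, only needed if the router (not the firewall) does NAT.
ip nat inside source static tcp 192.168.10.25 3389 203.0.113.50 3389 extendable
!
! 3. NAT needs inside/outside roles on the interfaces, and the ACL only
!    takes effect once it is bound to an interface in a direction.
interface FastEthernet0
 ip nat inside
interface Serial0
 ip nat outside
 ip access-group 100 in
!
! 4. Verification (exec mode, not config mode):
!   show ip nat translations          - the static entry appears even without traffic
!   show ip nat statistics            - confirms which interfaces are inside/outside
!   show ip access-lists 100          - per-entry hit counters after a test connection
!   show running-config | include nat|access
```

The "permit ... any any eq 3389" form from the thread will work, but it exposes RDP to every address on the Internet; replacing "any" with the source network that genuinely needs access is the single cheapest hardening step, and the hit counters from show ip access-lists make it easy to confirm the narrowed entry is the one being matched.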

shermetaAuthor Commented:
I do not believe I am running NAT on my router because I think my firewall handles that, but I could be wrong.

I typed the first command as you stated
access-list 100 permit tcp any any eq 3389
The command was accepted; however, outsiders still cannot ping the address of my servers (public NIC).

How do I look for NAT on my router? Or am I missing something else?

Also, in the <internal IP address>, is that the IP of my firewall or my server? Either way, is it the private IP address or the public IP address? I set up some sort of NAT with my firewall people linking the IP of my server to the IP of the firewall.

Should I post my config here to make it easier to figure out what I need?  My goal is to allow anyone from the Internet to log on to my terminal server.

If you are running NAT on the firewall, you probably don't have an access-list applied to the router at all.  You can post the config of the router for us to verify.  Sounds like all the changes to be made need to be set on the Firewall, not the router.
shermetaAuthor Commented:

I typed in the 2nd half of what you suggested per NAT. Now I'm getting a bit of a different response. I think maybe it's working somewhat...

If someone from the outside pings the public address of my terminal server, they used to get fails across the board. Now they get a reply from another address stating the destination was unreachable; however, the success rate is 100%, so I believe we are getting somewhere. I am going to call my firewall people next to see if they can tell me more. I'll post my config shortly.


shermetaAuthor Commented:
Here is my config.

Also, if you could tell me why I cannot access my router using HyperTerminal over the network, that would be a huge bonus. The only way I can access it now is through a COM port. Maybe I'm trying to connect to the wrong IP. It tells me bad password even though I have tried all 3 that I know. However, this is much less of a concern.

Current configuration : 1113 bytes
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname INET0.1
enable secret 5 $1$W55t$iBaFynKYgCKmCgPgFs1iL/
memory-size iomem 25
ip subnet-zero
ip name-server
ip name-server
interface Serial0
 description Circuit HCFS 377610 DS1XXXXFE74564
 no ip address
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
interface FastEthernet0
 ip address
 speed auto
ip nat inside source static tcp 3389 3389 extendable
ip classless
ip route
no ip http server
access-list 100 permit tcp any any eq 3389
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
line con 0
line aux 0
line vty 0 4
no scheduler allocate
shermetaAuthor Commented:
Okay it's working.

So they say. Thanks for all the help, JFrederick29.
