Enable Port 3389 on Cisco 1700 series router

Posted on 2004-11-05
Last Modified: 2013-11-29
I have a Windows 2003 Server with Terminal Services running on it.  I worked with my firewall vendor to allow outside access from port 3389.  They now tell me I need to open up port 3389 on my Cisco router.  Can you tell me which commands I need to enter to accomplish this?


Question by:shermeta

    Author Comment

    If I make my question worth more points will it get answered quicker?


    Expert Comment

    The port is already open unless you have an access list.  Otherwise it's:

    access-list <number of ACL> permit 3389 any any <---- this makes everything open to that port
    access-list <number of ACL> permit 3389 <ip address coming from> <inverse subnet of source> host <server IP>

    The second statement is much more secure as it only allows the traffic from one subnet to a specific host rather than opening it up for everything.  For troubleshooting, you may want to use the first one at first then fine-tune it.  However, if you have no ACL applied to the interface, this port is probably already open.

    Author Comment

    forgive me as I'm really not a Cisco guy.

    So I should just go into enable mode and type in
                 "access-list" 1 permit 3389 any any    -  or do I need to be in config t?

       This will allow anyone from the Internet to reach my Terminal Server?


    Author Comment

    Okay, I went into enable mode, then I entered config t mode.
       Here's the command I typed and where I had problems.

    access-list 1 permit 3389 any <ip of server>
    I don't think it liked the 3389 value because after the permit I hit ? and any was on the list of available choices, not a port number.  Maybe port 3389 is not already configured.

    Hopefully you understand what I'm saying here.  Let me know if you need more info.


    Accepted Solution

    You can't use a standard access-list (1-99) as it does not support destination addresses and ports.  Also, syntax is wrong, should be:

    access-list 100 permit tcp any any eq 3389

    If you are running NAT on your router, you will also need to forward port 3389 to your internal server running RDP.

    ip nat inside source static tcp <internal IP address> 3389 <outside interface or IP address> 3389
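    As an added example that is not part of this thread, here is how the pieces discussed above fit together on an IOS router that does its own NAT: the tighter, source-restricted ACL the first expert described, the extended-ACL syntax from the accepted solution, and the static port translation. It also adds the two things the thread never shows and that a practitioner needs: the ACL is only enforced once it is applied to an interface with ip access-group, and once applied it ends in an implicit deny, so return traffic for sessions the LAN opens has to be permitted too. Note that the accepted solution's `permit tcp any any eq 3389` publishes RDP to the entire Internet; restricting the source subnet (or putting RDP behind a VPN) is the safer shape. All addresses are RFC 5737 documentation ranges and the interface names, DLCI and subnet sizes are assumptions; substitute your own.

```cisco
! Added example, not the poster's configuration. Addresses are RFC 5737
! documentation ranges; interface names and subnets are assumptions.
!
! Outside (Internet-facing) interface. The Frame Relay circuit details of
! the poster's Serial0 are omitted here.
interface Serial0.1 point-to-point
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip access-group 100 in
!
! Inside interface; the terminal server sits on 10.0.0.0/24.
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! Publish only TCP/3389: outside 192.0.2.1:3389 -> inside 10.0.0.10:3389.
! "extendable" lets the interface address carry other static mappings too.
ip nat inside source static tcp 10.0.0.10 3389 192.0.2.1 3389 extendable
!
! Extended ACL (100-199). A standard ACL (1-99) matches on source address
! only and has no protocol or port fields, which is why
! "access-list 1 permit 3389 ..." was rejected by the parser.
!
! Inbound traffic on the outside interface is matched by the ACL before NAT
! rewrites it, so the destination here is the public address, not 10.0.0.10.
! The wildcard (inverse) mask 0.0.0.255 covers 203.0.113.0/24, the one remote
! subnet allowed to reach RDP.
access-list 100 remark RDP to the terminal server from the partner subnet only
access-list 100 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.1 eq 3389
!
! Replies to TCP sessions opened from the inside. Without this line an
! inbound ACL silently drops the return traffic for everything the LAN starts.
access-list 100 permit tcp any any established
!
! Every ACL ends with an implicit "deny ip any any"; stating it with "log"
! makes the drops visible in "show logging" while you troubleshoot.
access-list 100 deny ip any any log
```

    To confirm the result, `show ip interface Serial0.1 | include access list` reports which ACL is bound inbound, `show ip access-lists 100` shows per-line match counters (a remote RDP connect should increment the first permit line, a blocked one the deny line), and `show ip nat translations` lists the static entry. If the firewall rather than the router performs NAT, as turned out to be the case in this thread, the static translation belongs on the firewall and the router needs no ACL at all for this port.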

    Author Comment

    I do not believe I am running NAT on my router because I think my firewall handles that, but I could be wrong.

    I typed the first command as you stated
    access-list 100 permit tcp any any eq 3389
      The command was accepted; however, outsiders still cannot ping the address of my server (public NIC).

    How do I look for NAT on my router?  Or am I missing something else?

    Also, in the <internal IP address>, is that the IP of my firewall or my server?  Either way, is it the private IP address or the public IP address?  I set up some sort of NAT with my firewall people linking the IP of my server to the IP of the firewall.

    Should I post my config here to make it easier to figure out what I need?  My goal is to allow anyone from the Internet to log on to my terminal server.


    Expert Comment

    If you are running NAT on the firewall, you probably don't have an access-list applied to the router at all.  You can post the config of the router for us to verify.  Sounds like all the changes to be made need to be set on the Firewall, not the router.

    Author Comment


    I typed in the 2nd half of what you suggested for NAT.  Now I'm getting a bit of a different response.  I think maybe it's working somewhat...

    If someone from the outside pings the public address of my terminal server, they used to get fails across the board.  Now they get a reply from another address stating the destination was unreachable.  However, the success rate is 100%, so I believe we are getting somewhere.  I am going to call my firewall people next to see if they can tell me more.  I'll post my config shortly.



    Author Comment

    Here is my config.

    Also, if you could tell me why I cannot access my router using HyperTerminal over the network, that would be a huge bonus.  The only way I can access it now is through a COM port.  Maybe I'm trying to connect to the wrong IP.  It tells me bad password even though I have tried all 3 that I know.  However, this is much less of a concern.

    Current configuration : 1113 bytes
    version 12.1
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname INET0.1
    enable secret 5 $1$W55t$iBaFynKYgCKmCgPgFs1iL/
    memory-size iomem 25
    ip subnet-zero
    ip name-server
    ip name-server
    interface Serial0
     description Circuit HCFS 377610 DS1XXXXFE74564
     no ip address
     encapsulation frame-relay IETF
     service-module t1 timeslots 1-24
     frame-relay lmi-type ansi
    interface FastEthernet0
     ip address
     speed auto
    ip nat inside source static tcp 3389 3389 extendable
    ip classless
    ip route
    no ip http server
    access-list 100 permit tcp any any eq 3389
    dialer-list 1 protocol ip permit
    dialer-list 1 protocol ipx permit
    line con 0
    line aux 0
    line vty 0 4
    no scheduler allocate

    Author Comment

    Okay, it's working.

    So they say.  Thanks for all the help, JFrederick29.

