
Enable Port 3389 on Cisco 1700 series router

I have a Windows 2003 Server with Terminal Services running on it. I worked with my firewall vendor to allow outside access on port 3389. They now tell me I need to open up port 3389 on my Cisco router. Can you tell me which commands I need to enter to accomplish this?


1 Solution
shermetaAuthor Commented:
If I make my question worth more points will it get answered quicker?

The port is already open unless you have an access list.  Otherwise it's:

access-list <number of ACL> permit 3389 any any <---- this makes everything open to that port
access-list <number of ACL> permit 3389 <ip address coming from> <inverse subnet of source> host <server IP>

The second statement is much more secure as it only allows the traffic from one subnet to a specific host rather than opening it up for everything.  For troubleshooting, you may want to use the first one at first then fine-tune it.  However, if you have no ACL applied to the interface, this port is probably already open.
shermetaAuthor Commented:
Forgive me, as I'm really not a Cisco guy.

So I should just go into enable mode and type in
"access-list" 1 permit 3389 any any - or do I need to be in config t?

This will allow anyone from the Internet to reach my Terminal Server?


shermetaAuthor Commented:
Okay, I went into enable mode, then I entered config t mode. Here's the command I typed and where I had problems.

access-list 1 permit 3389 any <ip of server>
I don't think it liked the 3389 value, because after the permit I hit ? and any was on the list of available choices, not a port number. Maybe port 3389 is not already configured.

Hopefully you understand what I'm saying here.  Let me know if you need more info.

You can't use a standard access-list (1-99), as it does not support destination addresses and ports. Also, the syntax is wrong; it should be:

access-list 100 permit tcp any any eq 3389

If you are running NAT on your router, you will also need to forward port 3389 to your internal server running RDP.

ip nat inside source static tcp <internal IP address> 3389 <outside interface or IP address> 3389
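The following is an added example, not part of the original thread or the poster's config. It ties together the two answers above: the extended ACL form that the first answer recommends (permit only one source range to the one server rather than `any any`), the `access-list 100 ... eq 3389` syntax from the second answer, the interface binding that neither answer spells out (an ACL does nothing until it is applied with `ip access-group`), and the static NAT entry together with the `ip nat inside`/`ip nat outside` interface roles it depends on. All addresses (RFC 5737 documentation ranges), the interface names and the ACL number are constructed placeholders.

```cisco
! Constructed example; replace the documentation addresses with real ones.
! 203.0.113.0/24 = remote site allowed to use RDP (source)
! 198.51.100.1   = router's public address on the outside interface
! 192.168.1.10   = Terminal Server on the inside interface (private)
configure terminal
!
! Extended ACL (100-199) is required: a standard ACL (1-99) matches
! source addresses only and cannot express a destination port.
! 0.0.0.255 is the wildcard (inverse mask) of a /24.
! Inbound on the outside interface the ACL is evaluated before NAT,
! so the destination is the public address, not the server's.
access-list 100 remark RDP to the Terminal Server from the remote site only
access-list 100 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.1 eq 3389
! Let replies to connections opened from inside back in.
access-list 100 permit tcp any any established
! Add permits for any other published services here, then make the
! otherwise-implicit deny explicit and logged so probes are visible.
access-list 100 deny ip any any log
!
interface Serial0
 ip nat outside
 ip access-group 100 in
!
interface FastEthernet0
 ip nat inside
!
! Static port forward, only if this router (not the firewall) does NAT:
! public 198.51.100.1:3389 -> 192.168.1.10:3389
ip nat inside source static tcp 192.168.1.10 3389 198.51.100.1 3389 extendable
end
!
! Verification: hit counters per ACL line, and the NAT mapping
show access-lists 100
show ip nat translations
```

Two points from the thread are worth checking against this. First, as the later reply notes, if the firewall already performs NAT then the static NAT line (and usually the RDP filtering) belongs on the firewall, and the router may not need an ACL at all. Second, `deny ip any any log` is the only difference in effect from leaving the implicit deny in place; it makes failed attempts to reach 3389 show up in `show logging`, which is how you see whether the rule is doing anything.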
shermetaAuthor Commented:
I do not believe I am running NAT on my router, because I think my firewall handles that, but I could be wrong.

I typed the first command as you stated:
access-list 100 permit tcp any any eq 3389
The command was accepted; however, outsiders still cannot ping the address of my servers (public NIC).

How do I look for NAT on my router? Or am I missing something else?

Also, in the <internal IP address>, is that the IP of my firewall or my server? Either way, is it the private IP address or the public IP address? I set up some sort of NAT with my firewall people linking the IP of my server to the IP of the firewall.

Should I post my config here to make it easier to figure out what I need? My goal is to allow anyone from the Internet to log on to my terminal server.

If you are running NAT on the firewall, you probably don't have an access-list applied to the router at all.  You can post the config of the router for us to verify.  Sounds like all the changes to be made need to be set on the Firewall, not the router.
shermetaAuthor Commented:

I typed in the 2nd half of what you suggested for NAT. Now I'm getting a bit of a different response. I think maybe it's working somewhat...

If someone from the outside pings the public address of my terminal server, they used to get fails across the board. Now they get a reply from another address stating the destination was unreachable; however, the success rate is 100%, so I believe we are getting somewhere. I am going to call my firewall people next to see if they can tell me more. I'll post my config shortly.


shermetaAuthor Commented:
Here is my config.

Also, if you could tell me why I cannot access my router using HyperTerminal over the network, that would be a huge bonus. The only way I can access it now is through a COM port. Maybe I'm trying to connect to the wrong IP. It tells me bad password even though I have tried all 3 that I know. However, this is much less of a concern.

Current configuration : 1113 bytes
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname INET0.1
enable secret 5 $1$W55t$iBaFynKYgCKmCgPgFs1iL/
memory-size iomem 25
ip subnet-zero
ip name-server
ip name-server
interface Serial0
 description Circuit HCFS 377610 DS1XXXXFE74564
 no ip address
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
interface FastEthernet0
 ip address
 speed auto
ip nat inside source static tcp 3389 3389 extendable
ip classless
ip route
no ip http server
access-list 100 permit tcp any any eq 3389
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
line con 0
line aux 0
line vty 0 4
no scheduler allocate
shermetaAuthor Commented:
Okay, it's working.

So they say. Thanks for all the help, JFrederick29.

