shermeta

asked on

Enable Port 3389 on Cisco 1700 series router

I have a Windows 2003 Server with Terminal Services running on it.  I worked with my firewall vendor to allow outside access from port 3389.  They now tell me I need to open up port 3389 on my Cisco router.  Can you tell me which commands I need to enter to accomplish this?

Thanks

Ron
shermeta

ASKER

If I make my question worth more points will it get answered quicker?

The port is already open unless you have an access list.  Otherwise it's:

access-list <number of ACL> permit 3389 any any <---- this makes everything open to that port
access-list <number of ACL> permit 3389 <ip address coming from> <inverse subnet of source> host <server IP>

The second statement is much more secure as it only allows the traffic from one subnet to a specific host rather than opening it up for everything.  For troubleshooting, you may want to use the first one at first and then fine-tune it.  However, if you have no ACL applied to the interface, this port is probably already open.
Forgive me, as I'm really not a Cisco guy.

So I should just go into enable mode and type in
             "access-list" 1 permit 3389 any any    -  or do I need to be in config t?


   This will allow anyone from the internet to reach my Terminal Server?

Okay, I went into enable mode, then I entered config t mode.
 
   Here's the command I typed and where I had problems.

access-list 1 permit 3389 any <ip of server>
 
I don't think it liked the 3389 value, because after the permit I hit ? and "any" was on the list of available choices, not a port number.  Maybe port 3389 is not already configured.

Hopefully you understand what I'm saying here.  Let me know if you need more info.

ASKER CERTIFIED SOLUTION
JFrederick29

This solution is only available to members.

I do not believe I am running NAT on my router because I think my firewall handles that, but I could be wrong.

I typed the first command as you stated:
access-list 100 permit tcp any any eq 3389
  The command was accepted; however, outsiders still cannot ping the address of my servers (public NIC).

How do I look for NAT on my router?  Or am I missing something else?

Also, in the <internal IP address>, is that the IP of my firewall or my server?  Either way, is it the private IP address or the public IP address?  I set up some sort of NAT with my firewall people linking the IP of my server to the IP of the firewall.

Should I post my config here to make it easier to figure out what I need?  My goal is to allow anyone from the Internet to log on to my terminal server.

If you are running NAT on the firewall, you probably don't have an access-list applied to the router at all.  You can post the config of the router for us to verify.  Sounds like all the changes to be made need to be set on the Firewall, not the router.
Okay,

I typed in the 2nd half of what you suggested per NAT.  Now I'm getting a bit of a different response.  I think maybe it's working somewhat...

If someone from the outside pings the public address of my terminal server, they used to get fails across the board.  Now they get a reply from another address stating the destination was unreachable.  However, the success rate is 100%, so I believe we are getting somewhere.  I am going to call my firewall people next to see if they can tell me more.  I'll post my config shortly.

Thanks


Here is my config.

Also, if you could tell me why I cannot access my router using HyperTerminal over the network, that would be a huge bonus.  The only way I can access it now is through a COM port.  Maybe I'm trying to connect to the wrong IP.  It tells me bad password even though I have tried all 3 that I know.  However, this is much less of a concern.


Current configuration : 1113 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname INET
!
enable secret 5 $1$W55t$iBaFynKYgCKmCgPgFs1iL/
!
memory-size iomem 25
ip subnet-zero
ip name-server 209.156.0.54
ip name-server 209.156.22.28
!
!
!
!
interface Serial0
 description Circuit HCFS 377610 DS1XXXXFE74564
 no ip address
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface FastEthernet0
 ip address 64.198.41.177 255.255.255.248
 speed auto
!
ip nat inside source static tcp 10.10.1.103 3389 64.198.41.179 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 64.198.181.57
no ip http server
!
access-list 100 permit tcp any any eq 3389
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
no scheduler allocate
end
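Editor's added example (not the poster's router and not JFrederick29's members-only answer). It pulls together the two things the thread turned on: the extended ACL form the first reply described (open to any source, versus one source subnet to one host written with a wildcard mask) and the static NAT line that shows up in the posted config. Two things the posted config makes visible: access-list 100 exists, but no interface stanza as posted carries an "ip access-group", so the ACL is not filtering anything; and the NAT line is a TCP/3389-only forward, so pinging the public address from outside exercises neither the translation nor the ACL line. Assumptions, all repeated in the comments: FastEthernet0 faces the firewall, whose outer address is taken to be 64.198.41.178 and which fronts the 10.10.1.0/24 LAN; Serial0 is the Internet side and is given the address 64.198.181.58/30 (the posted default route points at 64.198.181.57); 198.51.100.0/24 is a placeholder client range; ACL 10 and the vty password are placeholders.

```cisco
! Added example (editor's). Not the poster's router and not the members-only
! accepted answer. Assumed topology, inferred from the posted config:
! FastEthernet0 (64.198.41.177/29) faces the firewall, whose outer address is
! assumed to be 64.198.41.178 and which fronts the 10.10.1.0/24 LAN; Serial0
! is the Internet side, given an assumed address 64.198.181.58/30 (the posted
! default route points at 64.198.181.57).
!
service password-encryption
!
! Static port forward: translates TCP/3389 only. ICMP to 64.198.41.179 is not
! covered by this rule, so test with a TCP connection to port 3389, not ping.
ip nat inside source static tcp 10.10.1.103 3389 64.198.41.179 3389 extendable
!
! The router needs a route to the inside local address (assumed, via the
! firewall's outer address).
ip route 10.10.1.0 255.255.255.0 64.198.41.178
ip route 0.0.0.0 0.0.0.0 64.198.181.57
!
! "ip nat inside source" does nothing until interfaces are marked inside/outside.
interface FastEthernet0
 ip address 64.198.41.177 255.255.255.248
 ip nat inside
!
interface Serial0
 ip address 64.198.181.58 255.255.255.252
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
 ip nat outside
 ip access-group 100 in
!
! Extended ACL, inbound on the Internet side. An inbound ACL on the outside
! interface sees the packet before NAT rewrites it, so the destination is the
! public address, not 10.10.1.103. Every applied ACL ends in an implicit deny,
! so replies to sessions started from inside must be permitted explicitly;
! the firewall already does this statefully, which is why the thread's second
! reply says the router may not need an ACL at all.
no access-list 100
! Open form, as the thread asked for: any Internet source to the forwarded host.
access-list 100 permit tcp any host 64.198.41.179 eq 3389
! Restricted form from the first reply: one source subnet to one host, with the
! wildcard (inverse) mask. 198.51.100.0/24 is a placeholder; swap this in for
! the "any" line once the client network is known.
! access-list 100 permit tcp 198.51.100.0 0.0.0.255 host 64.198.41.179 eq 3389
! Return traffic. "established" only checks ACK/RST bits; it is not stateful.
access-list 100 permit tcp any any established
! Replies from the two name servers the posted config points at.
access-list 100 permit udp host 209.156.0.54 eq domain any
access-list 100 permit udp host 209.156.22.28 eq domain any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 deny ip any any log
!
! Management: limit the vty lines to the inside networks instead of the whole
! Internet. ACL 10 and the password placeholder are assumptions.
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 10 permit 64.198.41.176 0.0.0.7
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 password <vty-password>
 login
!
! Verification from the router after applying this:
!   show ip nat translations    lists the static tcp 64.198.41.179:3389 -> 10.10.1.103:3389 entry
!   show ip interface Serial0   reports "Inbound access list is 100"
!   show access-lists 100       the 3389 line's match count grows as clients connect
! From outside, open a TCP connection to 64.198.41.179 port 3389; a ping of
! that address exercises neither the NAT rule nor the ACL line.
```

The lines can be pasted in config mode (the "!" lines are ignored). "no access-list 100" comes first because entries added to a numbered ACL are appended to whatever already exists, so without it the posted "permit tcp any any eq 3389" line would stay at the top of the list.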
Okay, it's working.  So they say.  Thanks for all the help, JFrederick29.