Solved

Routing RDP (MS-Terminal Services 3389) over multiple routers

Posted on 2004-11-10
Last Modified: 2010-05-18
I have a client that needs to connect to their terminal services server (W2k3) in their office from remote locations. Here is the configuration


                                (Main Office)                                                                     (Branch Office)
[Remote Client] - - {WWW} - - > [Cisco ADSL Router] - - {LAN} - - > [Xyplex Routerunner] - - {dedicated T1} - - > [Xyplex Routerrunner] - - - > [Server]
                                192.168.1.1                         192.168.1.101                                 192.168.2.101                192.168.2.2

The current configuration is two offices connected via dedicated T1 with a DSL connection at the main office to provide internet connectivity for both offices. We have a static route on the Cisco router defined as "ip route 192.168.2.0 255.255.255.0 192.168.1.101 2 permanent". Every internal client at the main office can connect to Terminal Services on the server. This is a requirement. The clients at the branch office can connect to the internet without any problem.

This is where the problem is: How do I route an external RDP request to the terminal server? I have opened the firewall to allow port 3389 access. I am port forwarding TCP port 3389 to 192.168.2.2. However, any requests from the outside do not complete. I believe that the packet gets in, but does not know how to get back out.

I am open to suggestions.


Thanks.

 
Question by:ramborabbit
 

Expert Comment

by:JFrederick29
ID: 12548778
From the outside, you are connecting to the public IP address on the interface facing your ISP, right? Not 192.168.2.2. Can you post your configuration on the Main office Cisco ADSL router? Edit out any passwords or sensitive information.
 

Author Comment

by:ramborabbit
ID: 12548941
Yes, I am connecting to the public IP.

Here is the Cisco config.

!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.2
no parser cache
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MainOffice
!
logging queue-limit 100
logging buffered 52000 debugging
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool sdm-pool1
   network 192.168.1.0 255.255.255.0
   dns-server 205.152.0.5 205.152.160.20
   default-router 192.168.1.1
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip access-group 1 out
 ip verify unicast reverse-path
 ip nat inside
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.2 point-to-point
 description Static IP 65.xx.xx.xxx
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 104 in
 ip access-group 102 out
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxx
 ppp chap password 0 xxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
router rip
 network 192.168.2.0
 no auto-summary
!
ip nat inside source list 1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.0 255.255.255.0 192.168.1.101 2 permanent
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark Inbound Access from internet
access-list 101 remark SDM_ACL Category=1
access-list 101 remark MS Terminal Services
access-list 101 permit tcp any eq 3389 host 192.168.2.2 eq 3389
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip any any
access-list 102 remark Outbound to internet
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Outbound to Internet
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp any eq 3389 any eq 3389 log
access-list 104 permit udp any eq 3389 any eq 3389 log
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
banner login ^CThis is a secured router. Any unauthorized access
is considered trespassing.

^C
!
line con 0
 exec-timeout 120 0
 login
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 15
 exec-timeout 0 0
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
 

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 12549019
You are missing your PAT statement, you mentioned you setup port forwarding, where was that done?

On the router, you need the command:

ip nat inside source static tcp 192.168.2.2 3389 interface dialer1 3389

Also, the access-list statements in access-list 104 for port 3389 are incorrect.  The source port should be any, destination port should be 3389:

access-list 104 permit tcp any any eq 3389

(NOT access-list 104 permit tcp any eq 3389 any eq 3389 log, also access-list 104 permit udp any eq 3389 any eq 3389 log is unnecessary).

You will probably want to remove "no ip access-group 104 in" from the dialer1 interface, copy the access-list 104 and paste it in notepad.  Make your changes there (remove the 3389 statements and add the one I specified at the top of the list), then copy and paste back into the router and add "ip access-group 104 in" back to your dialer1 interface.
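The accepted answer makes two points that are easy to check mechanically: an extended ACL entry with "eq 3389" on the source side never matches a real RDP client (which uses an ephemeral source port), and inbound traffic needs a static PAT entry to reach 192.168.2.2. The following is an added example, not code from the thread or from Cisco; it parses the posted access-list 104 with a small evaluator for the IOS syntax the thread uses (permit/deny, ip/tcp/udp/icmp, any, host, wildcard masks, numeric "eq" ports), runs a sample inbound RDP packet through the original and the corrected list, and models the static PAT line. The remote client 198.51.100.7 and the public address 203.0.113.5 are constructed placeholders, since the page masks the real dialer address.

```python
"""Added example, not code from the thread: evaluate IOS-style extended ACL lines
against a sample packet to show why the posted access-list 104 drops inbound RDP and
why the corrected entry admits it, then model the accepted answer's static PAT line.
Parses only the syntax used in the thread (permit/deny, ip/tcp/udp/icmp, any,
host X, X wildcard, numeric 'eq port'). 198.51.100.7 and 203.0.113.5 are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))

def _addr(toks, i):
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # an IOS wildcard is a host mask, which ipaddress accepts after the slash
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2

def _port(toks, i):                      # no 'eq' clause means any port
    return (int(toks[i + 1]), i + 2) if i < len(toks) and toks[i] == "eq" else (None, i)

def parse_extended_acl(text: str) -> list:
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] not in ("ip", "tcp", "udp", "icmp"):
            continue                     # remarks, standard ACLs, blank lines
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        entries.append(Entry(t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, pkt):
    """First match wins; no match falls to the implicit deny at the end."""
    for idx, e in enumerate(entries):
        if e.matches(pkt):
            return e.action, idx
    return "deny", None

# access-list 104 as posted (remark lines omitted here; the parser skips them anyway)
ORIGINAL_ACL_104 = """
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp any eq 3389 any eq 3389 log
access-list 104 permit udp any eq 3389 any eq 3389 log
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
"""
# after the accepted answer's edit: both 'eq 3389 ... eq 3389' lines removed, fix at the top
FIXED_ACL_104 = "access-list 104 permit tcp any any eq 3389\n" + "\n".join(
    l for l in ORIGINAL_ACL_104.splitlines() if "eq 3389" not in l)

PUBLIC_IP = "203.0.113.5"   # constructed stand-in for the masked 65.xx.xx.xxx dialer address
TS_SERVER = "192.168.2.2"

def static_pat_inbound(pkt: Packet) -> Packet:
    """Model of 'ip nat inside source static tcp 192.168.2.2 3389 interface dialer1 3389'.
    IOS evaluates the inbound ACL on the outside interface before this translation."""
    if pkt.proto == "tcp" and pkt.dst == PUBLIC_IP and pkt.dport == 3389:
        return Packet(pkt.proto, pkt.src, pkt.sport, TS_SERVER, pkt.dport)
    return pkt

def inbound_rdp_destination(acl_text: str, pkt: Packet) -> Optional[str]:
    """None when the ACL drops the packet, else its post-NAT destination address."""
    action, _ = evaluate(parse_extended_acl(acl_text), pkt)
    return static_pat_inbound(pkt).dst if action == "permit" else None

# a remote RDP client uses an ephemeral source port, so 'eq 3389' on the source never matches
RDP_FROM_INTERNET = Packet("tcp", "198.51.100.7", 51234, PUBLIC_IP, 3389)
```

Running `evaluate` over the two lists shows the original dropping the sample packet at the final "deny ip any any log" line and the corrected list permitting it on its first entry, after which the static PAT model rewrites the destination to 192.168.2.2. Because the inbound ACL on Dialer1 is checked before translation, it sees the public address as the destination, which is why the answer's "any any eq 3389" form works without knowing that address. One ordering point worth checking with the same evaluator: with the permit placed at the very top, a tcp/3389 packet carrying a private source address is accepted before the RFC 1918 deny lines are reached, whereas placing the permit just after those deny lines keeps the anti-spoofing filter in front of the RDP exposure.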
 

Author Comment

by:ramborabbit
ID: 12568919
I will make these changes and let you know what happens.

I used the Cisco SDM to configure the router. It apparently did not put in everything necessary.

