Windows XP pro remote desktop over Cisco router?

Hello, my husband and I have a small business with about 6 computers, and they are all networked with a basic peer-to-peer setup and Windows XP. I have a Cisco 831 router and I do have a VPN connection on it, but it's only to connect to a remote computer which is a customer of ours, and we pull down information from their computer for our business. This was written down for me by a friend of ours and that's how I was able to set all this stuff up; we know nothing about routers or how to program them. We both wanted to be able to connect to our main computer at work that acts as the server when we are on the road. I have Windows XP Pro on the work computer and found an article about using the remote desktop feature on Windows XP Pro. It really explains it well, but the only part we are having trouble with is what do I type in on the router to forward port 3389, which is what the article says we need for this to work. I believe we need a static IP set on the computer that acts as the server, so I'm trying to work on that today, and then we will need our IP address to forward to the server. Sorry for the long message, I appreciate any help on this, thank you.
abaseballfan_1 Asked:
-Leo- Commented:
You need to translate the internal IP address of your work server to an outside address.
Answer is here: http://www.experts-exchange.com/Networking/Q_21195883.html
wirthr Commented:
If you have a public IP on the router, to forward port 3389:

en (into enable mode)
conf t (configure from terminal)
ip nat inside source static tcp 192.168.0.4 3389 interface ATM0/0.1 3389

where 192.168.0.4 is the internal ip of the server, and ATM0/0.1 is the router interface connected to the internet.
abaseballfan_1 (Author) Commented:
okay here is my configuration so this may help you understand what I have already, if you can walk me through what I need to type in that would be great, I have 192.168.1.125 as the static ip for the server that I need to access remotely, thank you.


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$nAgz$QxuezlmewypCB4.5m8T7Y/
!
username ************** privilege 15 password 0 **********
username ******* privilege 15 secret 5 $1$1ci0$/YuodNmEn..AH1lZsnNiL0
username *********** password 0 ***********
username *********** privilege 15 secret 5 $1$HRIL$8Shq3NaTnaoFp5d/JNsFW1
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
!
ip dhcp pool pool-dhcp
   network 192.168.1.0 255.255.255.0
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
   lease infinite
!
ip dhcp pool POOL-DHCP
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
!
!
ip domain name yourdomain.com
ip name-server 151.164.14.201
ip name-server 151.164.1.8
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 18
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key !*********! address **********!
!
crypto ipsec transform-set Alternative esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
 set peer ***********
 set transform-set Alternative
 set pfs group2
 match address 148
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address *************** ****************
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *******************
 ppp chap password 0 ******************
 ppp pap sent-username ************ password 0 *********
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any established
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any gt 1023 any eq ftp-data
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 69
access-list 120 permit tcp any any eq finger
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 161
access-list 120 permit tcp any any eq 144
access-list 120 permit tcp any any eq 115
access-list 120 permit tcp any any eq ident
access-list 120 permit icmp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit esp any any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 1521
access-list 120 permit tcp any any eq 15000
access-list 120 permit tcp any any eq 139
access-list 120 permit tcp any any eq 812
access-list 120 permit tcp any any eq 813
access-list 120 permit tcp any any eq 814
access-list 120 permit tcp any any eq 815
access-list 120 permit tcp any any eq 816
access-list 120 permit tcp any any eq 817
access-list 120 permit tcp any any eq 818
access-list 120 permit tcp any any eq 819
access-list 120 permit tcp any any eq 820
access-list 120 permit tcp any any eq 821
access-list 120 permit tcp any any eq 1701
access-list 120 permit tcp any any eq 1702
access-list 120 permit tcp any any eq 1703
access-list 120 permit tcp any any eq 1704
access-list 120 permit tcp any any eq 1705
access-list 120 permit tcp any any eq 1706
access-list 120 permit tcp any any eq 1707
access-list 120 permit tcp any any eq 32771
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq 9443
access-list 120 permit tcp any any eq 563
access-list 120 permit tcp any any eq 448
access-list 120 permit udp any any eq snmp
access-list 120 permit tcp any any eq 30
access-list 120 permit tcp any any eq 5900
access-list 120 permit tcp any any eq 5800
access-list 129 permit ip 192.168.1.0 0.0.0.255 any
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
route-map nonat permit 10
 match ip address 129
wirthr Commented:
that should all be cool

so, you want to be in config t

type

ip nat inside source static tcp 192.168.1.125 3389 interface dialer1 3389

Then, add an entry to your access lists, like

ip access-list extended 120
permit tcp any host 192.168.1.125 eq 3389

I think that should do it
wirthr Commented:
so, once in

enable
conf t
ip nat inside source static tcp 192.168.1.125 3389 interface dialer1 3389
ip access-list extended 120
permit tcp any host 192.168.1.125 eq 3389
abaseballfan_1 (Author) Commented:
Thanks, I just put all that in, still no luck trying to access this computer from home though, I'm able to telnet into my router at work so I typed all that in but maybe I'm not going about it the right way here to access it, I opened up remote desktop and then put my IP address in and :3389, is that right? Thanks for the help.
wirthr Commented:
no
you don't have to put the :3389

rdp runs on 3389 anyway, try it without the 3389
wirthr Commented:
and what IP address did you put in?
wirthr Commented:
sorry, don't post the IP, but are you trying the 192.168.1.125? because that's a private address, you should be using the public address of the router
abaseballfan_1 (Author) Commented:
Hi, umm, yeah, I put the IP address that's on the dialer1? Is that right? It's the same one I can telnet into the router with? But going to try now without the 3389, thanks.
wirthr Commented:
yep, that's right, give it a shot
abaseballfan_1 (Author) Commented:
shoot, still no luck, I typed the exact IP of dialer1 into the remote desktop and still can't connect, hmmm.
wirthr Commented:
try adding this in the router

ip access-list extended 120
permit tcp host 192.168.1.125 any eq 3389
wirthr Commented:
try rdp, if it doesn't work, post your config again, just double check it took.
abaseballfan_1 (Author) Commented:
I know it's set up on remote desktop at work because I can get on someones computer there and just type 192.168.1.125 in remote desktop and it takes me right to my computer so that part is good, but no luck putting the dialer1 ip in from home.
abaseballfan_1 (Author) Commented:
User Access Verification

Password:
router#show run
Building configuration...

Current configuration : 6512 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$2MxW$mMX9MSshPja4IU8dr9nq2/
!
username
username
username
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
!
ip dhcp pool pool-dhcp
   network 192.168.1.0 255.255.255.0
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
   lease infinite
!
ip dhcp pool POOL-DHCP
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
!
!
ip domain name yourdomain.com
ip name-server 151.164.14.201
ip name-server 151.164.1.8
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 18
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key  address
!
!
crypto ipsec transform-set Alternative esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
 set peer
 set transform-set Alternative
 set pfs group2
 match address 148
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 0
 ppp pap sent-username
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.1.125 3389 interface Dialer1 3389
ip nat inside source route-map nonat interface Dialer1 overload
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any established
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any gt 1023 any eq ftp-data
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 69
access-list 120 permit tcp any any eq finger
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 161
access-list 120 permit tcp any any eq 144
access-list 120 permit tcp any any eq 115
access-list 120 permit tcp any any eq ident
access-list 120 permit icmp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit esp any any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 1521
access-list 120 permit tcp any any eq 15000
access-list 120 permit tcp any any eq 139
access-list 120 permit tcp any any eq 812
access-list 120 permit tcp any any eq 813
access-list 120 permit tcp any any eq 814
access-list 120 permit tcp any any eq 815
access-list 120 permit tcp any any eq 816
access-list 120 permit tcp any any eq 817
access-list 120 permit tcp any any eq 818
access-list 120 permit tcp any any eq 819
access-list 120 permit tcp any any eq 820
access-list 120 permit tcp any any eq 821
access-list 120 permit tcp any any eq 1701
access-list 120 permit tcp any any eq 1702
access-list 120 permit tcp any any eq 1703
access-list 120 permit tcp any any eq 1704
access-list 120 permit tcp any any eq 1705
access-list 120 permit tcp any any eq 1706
access-list 120 permit tcp any any eq 1707
access-list 120 permit tcp any any eq 32771
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq 9443
access-list 120 permit tcp any any eq 563
access-list 120 permit tcp any any eq 448
access-list 120 permit udp any any eq snmp
access-list 120 permit tcp any any eq 30
access-list 120 permit tcp any host 192.168.1.125 eq 3389
access-list 129 permit ip 192.168.1.0 0.0.0.255 any
access-list 148 permit ip host
access-list 148 permit ip host
access-list 148 permit ip host
access-list 148 permit ip host
access-list 148 permit ip host
route-map nonat permit 10
 match ip address 129
!
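To check which entry of access-list 120 actually admits the forwarded RDP connection, here is an added example (not code from the thread or from Cisco) that does first-match evaluation over an excerpt of the posted list. It relies on IOS applying the inbound ACL on the outside interface before NAT rewrites the destination; 203.0.113.10 stands in for the masked Dialer1 address, and the source address and packet are constructed.

```python
# Added example: first-match evaluation of an excerpt of access-list 120.
# Excerpt lines are copied from the posted config, in their original order.
ACL_120 = """\
access-list 120 permit tcp any any established
access-list 120 permit tcp any gt 1023 any eq ftp-data
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any host 192.168.1.125 eq 3389
"""
NAMED = {"ftp-data": 20, "telnet": 23, "www": 80}  # only names used in the excerpt

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]                      # drop "access-list 120"
        ace = {"text": line, "action": tok[0], "proto": tok[1]}
        i = 2
        for side in ("src", "dst"):
            if tok[i] == "any":
                ace[side], i = None, i + 1
            else:                                   # "host A.B.C.D"
                ace[side], i = tok[i + 1], i + 2
            ace[side + "_port"] = None
            if i < len(tok) and tok[i] in ("eq", "gt"):
                name = tok[i + 1]
                ace[side + "_port"] = (tok[i], NAMED[name] if name in NAMED else int(name))
                i += 2
        ace["established"] = "established" in tok[i:]
        aces.append(ace)
    return aces

def port_ok(rule, port):
    if rule is None:
        return True
    op, value = rule
    return port == value if op == "eq" else port > value

def first_match(aces, pkt):
    """Return (entry number, action, entry text) for the first matching entry."""
    for n, ace in enumerate(aces, 1):
        if ace["proto"] != pkt["proto"]:
            continue
        if ace["established"] and not pkt["flags"] & {"ACK", "RST"}:
            continue
        if ace["src"] not in (None, pkt["src"]) or ace["dst"] not in (None, pkt["dst"]):
            continue
        if port_ok(ace["src_port"], pkt["sport"]) and port_ok(ace["dst_port"], pkt["dport"]):
            return n, ace["action"], ace["text"]
    return None, "deny", "implicit deny"

# Constructed packet: first SYN of an RDP session arriving on Dialer1, pre-NAT.
RDP_SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 50000,
           "dst": "203.0.113.10", "dport": 3389, "flags": {"SYN"}}
```

With the excerpt as posted, `first_match(parse_acl(ACL_120), RDP_SYN)` returns entry 3, `permit tcp any any gt 1023`, which admits inbound TCP to every port above 1023 and not just RDP. With that entry filtered out, the same packet falls through to the implicit deny, because the `host 192.168.1.125` entry is compared against the public destination address.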
abaseballfan_1 (Author) Commented:
I don't know if this helps but I just did the telnet from home and read about this command to show what IP addresses you have on your LAN to just make sure it's up but I know from the office I can type that 125 IP into another computer and the remote desktop works fine into the server, thanks again.

router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.108           2   00c0.a891.8d4a  ARPA   Ethernet0
Internet  192.168.1.103          10   0007.e9b8.9ddc  ARPA   Ethernet0
Internet  192.168.1.125          13   0007.e9b8.9e34  ARPA   Ethernet0
Internet  192.168.1.115         178   0008.a110.446b  ARPA   Ethernet0
Internet  192.168.1.1             -   0012.807b.14e2  ARPA   Ethernet0
abaseballfan_1 (Author) Commented:
Thank you for the help, my husband just put the IP address in from home and it worked fine, I must have been putting the wrong IP in or something, but what you told me worked, thank you very much.
abaseballfan_1 (Author) Commented:
One more question, is it possible to forward to more than one IP address? Or would that work? Like right now it's going to our main computer we use as the server, but if I set a static IP on this computer I'm on now, can I remote access to either of the computers? Or can it just be set up for one? Thanks again.
wirthr Commented:
well, you can set it up for others. You have 2 options, if you have more static IPs you can do a static NAT translation.

If not, you could assign different ports to different computers.  If you decide to do that, set up a question for it and I'll walk you through it, but basically you would do the same thing, but instead of 3389, use a different port, like 3390, and then change the default listening port in the registry of the machine you want to rdp into.

good luck, and thanks for the points.