abaseballfan_1

asked on

Windows XP pro remote desktop over Cisco router?

Hello, my husband and I have a small business with about 6 computers and they are all networked with a basic peer to peer and Windows XP, I have a Cisco 831 router and I do have a VPN connection on it but it's only to connect to a remote computer which is a customer of ours and we pull down information from their computer for our business, this was written down for me by a friend of ours and that's how I was able to set all this stuff up, we know nothing about routers or how to program them. We both wanted to be able to connect to our main computer at work that acts as the server when we are on the road, I have Windows XP pro on the work computer and found an article about using the remote desktop feature on Windows XP pro, it really explains it well but the only part we are having trouble with is what do I type in on the router to forward port 3389 which is what the article says we need for this to work, I believe we need a static ip set on the computer that acts as the server so I'm trying to work on that today, and then we will need our ip address to forward to the server, sorry for the long message, I appreciate any help on this, thank you.
-Leo-

You need to translate the internal IP address of your work server to an outside address.
Answer is here: https://www.experts-exchange.com/questions/21195883/Enable-Port-3389-on-Cisco-1700-series-router.html
if you have a public ip on the router, to forward port 3389

en (into enable mode)
conf t (configure from terminal)
ip nat inside source static tcp 192.168.0.4 3389 interface ATM0/0.1 3389

where 192.168.0.4 is the internal ip of the server, and ATM0/0.1 is the router interface connected to the internet.

ASKER

okay here is my configuration so this may help you understand what I have already, if you can walk me through what I need to type in that would be great, I have 192.168.1.125 as the static ip for the server that I need to access remotely, thank you.


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$nAgz$QxuezlmewypCB4.5m8T7Y/
!
username ************** privilege 15 password 0 **********
username ******* privilege 15 secret 5 $1$1ci0$/YuodNmEn..AH1lZsnNiL0
username *********** password 0 ***********
username *********** privilege 15 secret 5 $1$HRIL$8Shq3NaTnaoFp5d/JNsFW1
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
!
ip dhcp pool pool-dhcp
   network 192.168.1.0 255.255.255.0
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
   lease infinite
!
ip dhcp pool POOL-DHCP
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
!
!
ip domain name yourdomain.com
ip name-server 151.164.14.201
ip name-server 151.164.1.8
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 18
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key !*********! address **********!
!
crypto ipsec transform-set Alternative esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
 set peer ***********
 set transform-set Alternative
 set pfs group2
 match address 148
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address *************** ****************
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *******************
 ppp chap password 0 ******************
 ppp pap sent-username ************ password 0 *********
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any established
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any gt 1023 any eq ftp-data
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 69
access-list 120 permit tcp any any eq finger
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 161
access-list 120 permit tcp any any eq 144
access-list 120 permit tcp any any eq 115
access-list 120 permit tcp any any eq ident
access-list 120 permit icmp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit esp any any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 1521
access-list 120 permit tcp any any eq 15000
access-list 120 permit tcp any any eq 139
access-list 120 permit tcp any any eq 812
access-list 120 permit tcp any any eq 813
access-list 120 permit tcp any any eq 814
access-list 120 permit tcp any any eq 815
access-list 120 permit tcp any any eq 816
access-list 120 permit tcp any any eq 817
access-list 120 permit tcp any any eq 818
access-list 120 permit tcp any any eq 819
access-list 120 permit tcp any any eq 820
access-list 120 permit tcp any any eq 821
access-list 120 permit tcp any any eq 1701
access-list 120 permit tcp any any eq 1702
access-list 120 permit tcp any any eq 1703
access-list 120 permit tcp any any eq 1704
access-list 120 permit tcp any any eq 1705
access-list 120 permit tcp any any eq 1706
access-list 120 permit tcp any any eq 1707
access-list 120 permit tcp any any eq 32771
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq 9443
access-list 120 permit tcp any any eq 563
access-list 120 permit tcp any any eq 448
access-list 120 permit udp any any eq snmp
access-list 120 permit tcp any any eq 30
access-list 120 permit tcp any any eq 5900
access-list 120 permit tcp any any eq 5800
access-list 129 permit ip 192.168.1.0 0.0.0.255 any
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
access-list 148 permit ip host ***************
route-map nonat permit 10
 match ip address 129

that should all be cool

so, you want to be in config t

type

ip nat inside source static tcp 192.168.1.125 3389 interface dialer1 3389

Then, add an entry to your access lists, like

ip access-list extended 120
permit tcp any host 192.168.1.125 eq 3389

I think that should do it
so, once in

enable
conf t
ip nat inside source static tcp 192.168.1.125 3389 interface dialer1 3389
ip access-list extended 120
permit tcp any host 192.168.1.125 eq 3389

Thanks, I just put all that in, still no luck trying to access this computer from home though, I'm able to telnet into my router at work so I typed all that in but maybe I'm not going about it the right way here to access it, I opened up remote desktop and then put my IP address in and :3389, is that right? Thanks for the help.

no
you don't have to put the :3389

rdp runs on 3389 anyway, try it without the 3389
and what ip address did you put in?
sorry, don't post the ip, but are you trying the 192.168.1.125? because that's a private address, you should be using the public address of the router

Hi, umm yeah I put the ip address that's on the dialer1? is that right? it's the same one I can telnet into the router with? but going to try now without the 3389, thanks.

yep, that's right, give it a shot

shoot still no luck, I typed the exact ip of dialer1 into the remote desktop and still can't connect, hmmm.

try adding this in the router

ip access-list extended 120
permit tcp host 192.168.1.125 any eq 3389
ASKER CERTIFIED SOLUTION
wirthr

This solution is only available to members.

I know it's set up on remote desktop at work because I can get on someone's computer there and just type 192.168.1.125 in remote desktop and it takes me right to my computer so that part is good, but no luck putting the dialer1 ip in from home.
User Access Verification

Password:
router#show run
Building configuration...

Current configuration : 6512 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$2MxW$mMX9MSshPja4IU8dr9nq2/
!
username
username
username
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
!
ip dhcp pool pool-dhcp
   network 192.168.1.0 255.255.255.0
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
   lease infinite
!
ip dhcp pool POOL-DHCP
   dns-server 151.164.14.201 151.164.1.8
   default-router 192.168.1.1
!
!
ip domain name yourdomain.com
ip name-server 151.164.14.201
ip name-server 151.164.1.8
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 18
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key  address
!
!
crypto ipsec transform-set Alternative esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
 set peer
 set transform-set Alternative
 set pfs group2
 match address 148
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Ethernet1
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 0
 ppp pap sent-username
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.1.125 3389 interface Dialer1 3389
ip nat inside source route-map nonat interface Dialer1 overload
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any established
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any gt 1023 any eq ftp-data
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 69
access-list 120 permit tcp any any eq finger
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq 161
access-list 120 permit tcp any any eq 144
access-list 120 permit tcp any any eq 115
access-list 120 permit tcp any any eq ident
access-list 120 permit icmp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit udp any any eq non500-isakmp
access-list 120 permit esp any any
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 1521
access-list 120 permit tcp any any eq 15000
access-list 120 permit tcp any any eq 139
access-list 120 permit tcp any any eq 812
access-list 120 permit tcp any any eq 813
access-list 120 permit tcp any any eq 814
access-list 120 permit tcp any any eq 815
access-list 120 permit tcp any any eq 816
access-list 120 permit tcp any any eq 817
access-list 120 permit tcp any any eq 818
access-list 120 permit tcp any any eq 819
access-list 120 permit tcp any any eq 820
access-list 120 permit tcp any any eq 821
access-list 120 permit tcp any any eq 1701
access-list 120 permit tcp any any eq 1702
access-list 120 permit tcp any any eq 1703
access-list 120 permit tcp any any eq 1704
access-list 120 permit tcp any any eq 1705
access-list 120 permit tcp any any eq 1706
access-list 120 permit tcp any any eq 1707
access-list 120 permit tcp any any eq 32771
access-list 120 permit tcp any any eq ftp-data
access-list 120 permit tcp any any eq 9443
access-list 120 permit tcp any any eq 563
access-list 120 permit tcp any any eq 448
access-list 120 permit udp any any eq snmp
access-list 120 permit tcp any any eq 30
access-list 120 permit tcp any host 192.168.1.125 eq 3389
access-list 129 permit ip 192.168.1.0 0.0.0.255 any
access-list 148 permit ip host
access-list 148 permit ip host
access-list 148 permit ip host
access-list 148 permit ip host
access-list 148 permit ip host
route-map nonat permit 10
 match ip address 129
!
I don't know if this helps but I just did the telnet from home and read about this command to show what IP addresses you have on your LAN to just make sure it's up but I know from the office I can type that 125 IP into another computer and the remote desktop works fine into the server, thanks again.

router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.108           2   00c0.a891.8d4a  ARPA   Ethernet0
Internet  192.168.1.103          10   0007.e9b8.9ddc  ARPA   Ethernet0
Internet  192.168.1.125          13   0007.e9b8.9e34  ARPA   Ethernet0
Internet  192.168.1.115         178   0008.a110.446b  ARPA   Ethernet0
Internet  192.168.1.1             -   0012.807b.14e2  ARPA   Ethernet0

Thank you for the help, my husband just put the ip address in from home and it worked fine, I must have been putting the wrong ip in or something, but what you told me worked, thank you very much.

one more question, is it possible to forward to more than one ip address? or would that work? like right now it's going to our main computer we use as the server, but if I set a static ip on this computer I'm on now can I remote access to either of the computers? or can it just be set up for one? Thanks again.

well, you can set it up for others. You have 2 options, if you have more static IPs you can do a static nat translation.

If not, you could assign different ports to different computers.  If you decide to do that, set up a question for it and I'll walk you through it, but basically you would do the same thing, but instead of 3389, use a different port, like 3390, and then change the default listening port in the registry of the machine you want to rdp into.

good luck, and thanks for the points.
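
An added example, not part of the original thread: a short Python audit of the access-list 120 entries shown in the second show run, listing which entries let any internet source reach a given TCP port through Dialer1. The sample lines are a constructed subset of the thread's ACL, and `rules_for_port` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: a subset of the access-list 120 lines from the thread's
# second "show run" (ACL 120 is applied inbound on Dialer1, the NAT outside side).
SAMPLE_ACL = """\
access-list 120 permit tcp any any established
access-list 120 permit tcp any any gt 1023
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any host 192.168.1.125 eq 3389
"""

# IOS port keywords used in the thread's ACL (not the full IOS keyword list).
NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
               "finger": 79, "www": 80, "pop3": 110, "ident": 113}

RULE = re.compile(r"access-list (\d+) permit tcp any (any|host (\S+)) (eq|gt|lt) (\S+)$")


def port_matches(op, rule_port, port):
    """Apply the ACL port operator to the destination port being audited."""
    return {"eq": port == rule_port, "gt": port > rule_port, "lt": port < rule_port}[op]


def rules_for_port(config, acl, port):
    """Return (line, effective) for each 'permit tcp any ...' entry covering `port`.

    `effective` is False when the destination is a private host address: an
    inbound ACL on the outside interface is evaluated before NAT, so packets
    from the internet still carry the router's public address at that point.
    """
    hits = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(1) != str(acl):
            continue
        token = m.group(5)
        rule_port = NAMED_PORTS.get(token) or (int(token) if token.isdigit() else None)
        if rule_port is None or not port_matches(m.group(4), rule_port, port):
            continue
        host = m.group(3)
        effective = host is None or not ipaddress.ip_address(host).is_private
        hits.append((line.strip(), effective))
    return hits


if __name__ == "__main__":
    for line, effective in rules_for_port(SAMPLE_ACL, 120, 3389):
        print("matches" if effective else "never matches (pre-NAT)", "|", line)
```

On the thread's configuration the `gt 1023` entry is the one that admits inbound TCP 3389 from any source. Reducing that exposure means narrowing that entry and restricting the permitted source addresses rather than adding more permits.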