Status: Solved
Getting 3389 (Terminal Services) through a CISCO2600 router from the outside in

Hi,

I can't seem to get my CISCO 2600 to allow RDP (3389) to a specific machine on the network (a terminal server)

I changed the outside IP references to xxx.xxx.xxx to protect the innocent! :)
The internal, private IP of the Terminal Server is: 10.16.4.17 where 3389 should go
There is no other firewall besides this Cisco 2600, but there is a WAN connection on the serial port.

Here's my 2600 config:
-------------------
!
ip inspect name fw cuseeme timeout 3600
ip inspect name fw http java-list 51 timeout 3600
ip inspect name fw rcmd timeout 3600
ip inspect name fw realaudio timeout 3600
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 15
ip inspect name fw tcp timeout 3600
ip inspect name fw ftp timeout 3600
ip inspect name fw h323
ip inspect name fw vdolive
ip inspect name fw netshow
ip inspect name fw rtsp
ip inspect name fw sqlnet
ip inspect name fw streamworks
ip inspect name fw1 smtp
ip inspect name fw1 tcp
ip inspect name fw1 http
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0/0
 description Main ethernet segment
 ip address 10.16.4.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.40 point-to-point
 description << Connection to CTC >>
 ip address xxx.xxx.xxx.193 255.255.255.248
 ip access-group 102 in
 no ip directed-broadcast
 ip nat outside
 ip inspect fw1 in
 ip inspect fw out
 frame-relay interface-dlci 40
!
interface Ethernet0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0/1
 description << T1 connection to Sumner Ave >>
 bandwidth 1544
 ip address 10.10.0.154 255.255.255.252
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/2
 no ip address
 no ip directed-broadcast
 ip nat inside
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0/2.1 point-to-point
 description << Connecting to Hartford, CT >>
 bandwidth 768
 ip address 10.10.0.150 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay class 768cir
 frame-relay interface-dlci 75 IETF
!
router eigrp 1
 network 10.0.0.0
!
ip nat inside source list 1 interface Serial0/0.40 overload
ip nat inside source static tcp 10.16.4.17 3389 interface Ethernet0/0 3389
ip nat inside source static 10.16.4.2 xxx.xxx.xxx.194
ip nat inside source static 10.16.4.3 xxx.xxx.xxx.195
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.40 permanent
no ip http server
!
!
map-class frame-relay 768cir
 no frame-relay adaptive-shaping
 frame-relay cir 768000
 frame-relay mincir 768000
access-list 1 permit any
access-list 51 permit any
access-list 101 permit tcp 10.16.0.0 0.0.255.255 any
access-list 101 permit udp 10.16.0.0 0.0.255.255 any
access-list 101 permit icmp 10.16.0.0 0.0.255.255 any
access-list 101 deny   ip any any
access-list 102 deny   ip host xxx.xxx.xxx.193 any
access-list 102 permit icmp any host xxx.xxx.xxx.193 administratively-prohibited
access-list 102 permit icmp any host xxx.xxx.xxx.193 echo
access-list 102 permit icmp any host xxx.xxx.xxx.193 echo-reply
access-list 102 permit icmp any host xxx.xxx.xxx.193 packet-too-big
access-list 102 permit icmp any host xxx.xxx.xxx.193 time-exceeded
access-list 102 permit icmp any host xxx.xxx.xxx.193 traceroute
access-list 102 permit icmp any host xxx.xxx.xxx.193 unreachable
access-list 102 permit tcp 204.87.181.0 0.0.0.255 host xxx.xxx.xxx.193
access-list 102 permit tcp any host xxx.xxx.xxx.194 eq pop3
access-list 102 permit tcp any host xxx.xxx.xxx.194 eq www
access-list 102 permit tcp any host xxx.xxx.xxx.194 eq smtp
access-list 102 permit tcp any host xxx.xxx.xxx.195 eq 1494
access-list 102 permit icmp any host xxx.xxx.xxx.194
access-list 102 permit udp any host xxx.xxx.xxx.195 eq 1604
access-list 102 permit tcp any any eq 3389
access-list 102 permit udp any any eq 3389
snmp-server engineID local 00000009020000D0588DB400
snmp-server community goodwill RO
banner motd ^CGoodwill Industries
Dorset Street
Springfield, MA
^C
!
line con 0
 transport input none
line aux 0
line vty 0 4
 access-class 3 in
 password 7 13131E001F190526
 login
!
end
0
Asked by: paul_lcs
1 Solution
 
lrmooreCommented:
>ip nat inside source static tcp 10.16.4.17 3389 interface Ethernet0/0 3389
This is where you're going wrong... this should point to the serial with the public IP, not the local Ethernet port
 
  no ip nat inside source static tcp 10.16.4.17 3389 interface Ethernet0/0 3389
  ip nat inside source static tcp 10.16.4.17 3389 interface Serial0/0.40 3389

0
 
paul_lcsAuthor Commented:
Sure!  Thank you.
0
 
paul_lcsAuthor Commented:
Ahh, that makes sense lrmoore. Thank you. Which address will be accessed from the outside? The .194 or the .193?

Thanks again,

Paul
0
 
lrmooreCommented:
Question edited to remove redundant posts.

From outside, you would access .193 - the same IP assigned to serial0/0.40 as referenced in the static nat command
0
 
paul_lcsAuthor Commented:
You are a router god! Thank you. I will try this at the customer site next week and get back
0
 
paul_lcsAuthor Commented:
Hi lrmoore,

I'm here at the client site trying to make this change and when I do this command:
  no ip nat inside source static tcp 10.16.4.17 3389 interface Ethernet0/0 3389

It tells me:
%static entry not found.

It took the add command fine and I know I'm typing it right. When I type the NO command though. I'll attach an output for you to see.

Thank you,

Paul
0
 
paul_lcsAuthor Commented:
Here's the router.txt capture file:

no ip nat inside source static tcp 10.16.4.17 3389 Eth   interfac$nside source static tcp 10.16.4.17 3389 interface          Ethernetce static tcp 10.16.4.17 3389 interface Ethernet0         /0 3389
%Static entry not found
gw-Dorset(config)#

Not sure why all the garbage is in there.

0
 
lrmooreCommented:
If you put this one in first >
ip nat inside source static tcp 10.16.4.17 3389 interface Serial0/0.40 3389

Then it just overwrote the other existing static. That's why it is complaining that it can't find that one to delete it.
Use "sho config" and make sure that only the correct entry is there.
0
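The two things lrmoore diagnoses above (a static port-forward tied to the inside Ethernet interface instead of the `ip nat outside` serial sub-interface, and a second static entry for the same inside address/port that replaces the first so the original `no` form reports "Static entry not found") are both visible in the config text itself. The script below is an added example, not from the thread or from Cisco: a small linter for IOS running-config text that flags static NAT entries whose interface is not marked `ip nat outside`, static entries that overlap on the same inside address/port, and access-list lines that permit a given port from `any` source, which is what `access-list 102 permit tcp any any eq 3389` in the question does and what a reviewer of this config would want to scope to known source addresses. The embedded config is a constructed, trimmed version of the one in the question with 192.0.2.x standing in for the masked public addresses; the function names are my own.

```python
"""Added example: lint Cisco IOS config text for the NAT/ACL issues discussed in the thread."""
import re
from collections import defaultdict

# Constructed sample: trimmed from the question's config, 192.0.2.x replaces xxx.xxx.xxx.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 10.16.4.1 255.255.255.0
 ip nat inside
!
interface Serial0/0.40 point-to-point
 ip address 192.0.2.193 255.255.255.248
 ip access-group 102 in
 ip nat outside
!
ip nat inside source list 1 interface Serial0/0.40 overload
ip nat inside source static tcp 10.16.4.17 3389 interface Ethernet0/0 3389
ip nat inside source static tcp 10.16.4.17 3389 interface Serial0/0.40 3389
access-list 102 permit tcp any host 192.0.2.194 eq www
access-list 102 permit tcp any any eq 3389
access-list 102 permit udp any any eq 3389
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
)
ACL_ANY_SRC_RE = re.compile(
    r"^access-list (\d+) permit (tcp|udp) any (any|host \S+) eq (\S+)"
)


def parse_interfaces(config):
    """Return {interface_name: {"inside": bool, "outside": bool}} from interface stanzas."""
    ifaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"inside": False, "outside": False}
        elif current and line.startswith(" "):  # indented sub-command of the stanza
            cmd = line.strip()
            if cmd == "ip nat inside":
                ifaces[current]["inside"] = True
            elif cmd == "ip nat outside":
                ifaces[current]["outside"] = True
        else:  # "!" or any other top-level line ends the stanza
            current = None
    return ifaces


def parse_static_port_nats(config):
    """Return [(proto, inside_ip, inside_port, interface, outside_port), ...]."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, ip, iport, iface, oport = m.groups()
            entries.append((proto, ip, int(iport), iface, int(oport)))
    return entries


def find_static_nat_on_inside_interface(config):
    """Static entries bound to an interface that is not 'ip nat outside' (the thread's bug)."""
    ifaces = parse_interfaces(config)
    bad = []
    for proto, ip, iport, iface, oport in parse_static_port_nats(config):
        flags = ifaces.get(iface)
        if flags is None or not flags["outside"]:
            bad.append(f"{proto} {ip}:{iport} -> interface {iface}:{oport}")
    return bad


def find_overlapping_static_nats(config):
    """Inside proto/address/port keys that appear in more than one static entry."""
    seen = defaultdict(list)
    for proto, ip, iport, iface, _oport in parse_static_port_nats(config):
        seen[(proto, ip, iport)].append(iface)
    return {key: ifaces for key, ifaces in seen.items() if len(ifaces) > 1}


def find_any_source_permits(config, port):
    """Extended-ACL permits for the given port whose source is 'any'."""
    hits = []
    for line in config.splitlines():
        m = ACL_ANY_SRC_RE.match(line.strip())
        if m and m.group(4) == str(port):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for issue in find_static_nat_on_inside_interface(SAMPLE_CONFIG):
        print("static NAT on non-outside interface:", issue)
    for key, ifaces in find_overlapping_static_nats(SAMPLE_CONFIG).items():
        print("conflicting static NAT for", key, "on", ifaces)
    for acl in find_any_source_permits(SAMPLE_CONFIG, 3389):
        print("port 3389 permitted from any source:", acl)
```

Run against a saved `show running-config`, the first check reproduces the answer's diagnosis (the entry on Ethernet0/0), the second shows why the `no` command had nothing left to delete once the Serial0/0.40 entry was added, and the third lists the two 3389 permits that accept connections from anywhere.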
 
paul_lcsAuthor Commented:
Ok, that replaced it. I guess I don't understand why I couldn't delete the Ethernet one though. What if I decided I didn't want any 3389 open, how would I be able to remove it?

I'll try accessing it in a few minutes and post back.


Thanks,

Paul
0
 
paul_lcsAuthor Commented:
It works! Thanks so much, I now have remote access through 3389!

Best regards,

Paul
0
