gooberpea
asked on
871 Port Forwarding
I have a Cisco 871 and I am trying to gain access to a second RD server. The first one is on port 3389 and I need the second one on port 3390. I can access the server from an internal address, but not an external address. I am kind of sure I have the NAT set up OK. I am not sure, but I think my issue is in the firewall settings. I am having the same trouble getting port 8000 open to the phone box from a specific IP. I am an extreme novice and know nothing, so be gentle with me and do the step by step. Anyway, I have included the config (I hope I have taken out the passwords but left the juicy parts in). Thanks
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ***
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3367467111
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3367467111
revocation-check none
rsakeypair TP-self-signed-3367467111
!
!
crypto pki certificate chain TP-self-signed-3367467111
certificate self-signed 01
********
quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool wireless
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.1 24.25.5.60
lease 0 2
!
!
ip port-map user-protocol--1 port tcp 3389
ip inspect log drop-pkt
no ip bootp server
no ip domain lookup
ip domain name zsr.org
!
!
!
username Mark privilege 15 secret 5 ****.
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 106
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 103
match protocol smtp
class-map type inspect match-any PhoneTech
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
match class-map PhoneTech
match access-group 108
class-map type inspect match-any PhoneTech1
match class-map PhoneTech
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-2
match class-map PhoneTech1
match access-group 107
class-map type inspect match-all sdm-nat-isakmp-1
match access-group 104
match protocol isakmp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 105
match protocol pptp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-isakmp-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
pass
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
policy-map type inspect ccp-permit
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 24.199.175.222 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.7 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
description wireless guest
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.199.175.221
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 25 interface FastEthernet4 25
ip nat inside source static udp 192.168.1.5 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.1.235 8000 24.199.175.222 8000 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.199.175.220 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.5
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.5
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.5
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.5
access-list 107 remark CCP_ACL Category=128
access-list 107 permit ip host 68.143.170.9 host 192.168.1.235
access-list 108 remark CCP_ACL Category=128
access-list 108 permit ip host 68.143.170.9 host 192.168.1.235
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
You redirect port 3390 to 3390; the default RDP port is 3389, so you must redirect outside 3390 to 3389 on the inside.
Or change the default rdp port on the server: http://support.microsoft.com/kb/306759
ASKER
Here is some more info. I have one RD server in place on IP 192.168.1.5. It is being replaced by the new server on 192.168.1.10. Until the new server is fully tested I need to have both servers up and running. I have set the new server to listen on port 3390 and it does work internally. The old server is listening on port 3389 and works well. So directing traffic using port 3389 would not get me to the new server. So the new server is listening on 3390, and when I attempt to remote in I use IP:3390. fredvr666, I may not fully understand what you are telling me, but I should be able to request traffic on port 3390 to pass through from the outside to an inside computer.
Have you allowed port 3390 inbound through the firewall?
ASKER
The firewall on the test server is off. I can connect using RDC on the local network through port 3390. I cannot connect from outside the local network.
Sorry, I meant on the router.
ASKER
I do not think that I have it passing through the router's firewall, and this is what I think the problem is. How do I get it through the firewall? I am a novice and do not know what to put where to get it through the firewall. Do I need access-list commands? Do I need class-map commands? Do I need additional ip port-map lines? Do I need more Rum and Coke-a-Cola? If so, what are the commands and where do I need to insert them? Inquiring minds need to know! Thanks
I’m not sure but:
access-list 104 permit ip any host 192.168.1.5
give you access to server 1.5
I'm not seeing
access-list 109 permit ip any host 192.168.1.10
ASKER
I have added the command and still no joy.
RDP to 192.168.1.10 then regedit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
Change the PortNumber to 3390.
Reboot your server.
You should be able to RDP externally.
Also, for you to RDP into the server with port 3390 you will need to enter externalIP:3390.
ASKER
Thanks for the reply, Goraek; it was the first thing I did, and I do use externalIP:3390 in RDC. No joy.
Anyone know how I can look at a log or something when I make the attempt to remote in, to see what is going on?
Use Cisco Config Professional to create a security rule to allow everything from outside to get to the server's internal IP on port 3390.
ASKER
In CCP, where to create the security rule. I have gone into the Security>Firewall and attempted to create a rule for new traffic, but do not know what to use as service name or what to select. So please guide me.
thanks
Have a look at this - it'll explain way better than I can :)
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b5a105.shtml
Post your ip nat config and we will see what you have done. And also your internal and external IP if you like.
ASKER
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 25 interface FastEthernet4 25
ip nat inside source static udp 192.168.1.5 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.1.235 8000 24.199.175.222 8000 extendable
trying to get
outside 24.199.175.222
inside 192.168.1.10
port 3390
I think the nat is ok, I think it is the firewall
ASKER
I think outside should be any as I am trying to allow RDC on port 3390 (server already listening on 3390)
ASKER
ACL
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.199.175.220 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.5
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.5
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.5
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.5
ASKER
Class-map
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 106
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 103
match protocol smtp
class-map type inspect match-all sdm-nat-isakmp-1
match access-group 104
match protocol isakmp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 105
match protocol pptp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
Try this
Remove this
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390
And add this
ip nat inside source static tcp 192.168.1.10 3390 24.199.175.222 3390
You have another firewall?
ASKER
I think I need to have an access-list command(s) and maybe a class-map command(s). What I will need is the exact command syntax to enter to get the job done. The Job is to allow RDC through port 3390 from any to 192.168.1.10.
Here is another line I found about port 3389, we currently have RDC to a TSS on port 3389 which we need to continue to maintain.
ip port-map user-protocol--1 port tcp 3389
Do I need to put in a command line like
ip port-map user-protocol--2 port tcp 3390
Thanks
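The point the thread keeps circling is that on this router the `ip nat inside source static` line only creates the translation; whether the translated packet is then let in is decided by the zone-pair sdm-zp-NATOutsideToInside-1 and its policy sdm-pol-NATOutsideToInside-1. Every class in that policy is match-all on a protocol (a built-in name, or one defined with `ip port-map`) and an ACL naming the inside host, and class-default drops whatever nothing matched. That is why 3389 works (user-protocol--1 is tcp 3389 and ACL 106 names 192.168.1.5), why 3390 is dropped, and why adding ACL 109 by itself changed nothing: no class-map references it. Note also that the CCP-generated ACLs 101 to 108 are written against inside addresses, i.e. the firewall classifies on the post-NAT destination. The script below is an added example, not a post from this thread and not Cisco's tooling: it parses a copy of the posted config trimmed to the relevant lines, reports which class and action each port-forward gets, then re-runs with the three additions that open tcp/3390. ACL 109 and user-protocol--2 are the names suggested in the thread; the class-map name sdm-nat-user-protocol--2-1 is my assumption, chosen to follow CCP's naming pattern. The parser understands only what this config uses (any/host ACL entries, match-all/match-any, nested class-maps, the listed built-in protocol names) and ignores the source address unless src_ip is given.

```python
"""Added example: audit an IOS zone-based-firewall config and report which class of the
outside->inside inspect policy handles each static port-forward. Sample trimmed from the thread."""
import re
BUILTIN = {"http": ("tcp", 80), "tcp": ("tcp", None), "udp": ("udp", None)}  # ZBF name -> (l4, port)

SAMPLE_CONFIG = """\
ip port-map user-protocol--1 port tcp 3389
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 106
 match protocol user-protocol--1
class-map type inspect match-any PhoneTech
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-2
 match class-map PhoneTech
 match access-group 107
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
  pass
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.1.235 8000 24.199.175.222 8000 extendable
access-list 106 permit ip any host 192.168.1.5
access-list 107 permit ip host 68.143.170.9 host 192.168.1.235
access-list 109 permit ip any host 192.168.1.10
"""
# What admits tcp/3390 to 192.168.1.10. ACL 109 and user-protocol--2 appear in the
# thread; the class-map name is an assumption that follows CCP's naming pattern.
ZBF_FIX = """\
ip port-map user-protocol--2 port tcp 3390
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 109
 match protocol user-protocol--2
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--2-1
  inspect
"""

def _addr(tok):  # one ACL address, 'any' or 'host X' -> (matcher, remaining tokens)
    if tok[0] == "host":
        return (lambda ip, h=tok[1]: ip == h), tok[2:]
    return (lambda ip: True), tok[1:]

def parse_config(text):
    cfg, sect = {"nat": [], "portmap": {}, "acl": {}, "classmap": {}, "policymap": {}}, None
    for line in (l.strip() for l in text.splitlines() if l.strip(" !")):
        if m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) "
                         r"(?:interface \S+|\S+) (\d+)", line):
            cfg["nat"].append((m[1], m[2], int(m[3]), int(m[4])))
        elif m := re.match(r"ip port-map (\S+) port (tcp|udp) (\d+)", line):
            cfg["portmap"][m[1]] = (m[2], int(m[3]))
        elif m := re.match(r"access-list (\d+) permit ip (.+)", line):  # permit entries only
            src, rest = _addr(m[2].split())
            cfg["acl"].setdefault(m[1], []).append((src, _addr(rest)[0]))
        elif m := re.match(r"class-map type inspect (match-\w+) (\S+)", line):
            cfg["classmap"][m[2]] = {"mode": m[1], "match": []}
            sect = ("cm", m[2])
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            cfg["policymap"].setdefault(m[1], [])  # re-entering a policy appends classes
            sect = ("pm", m[1])
        elif sect and sect[0] == "cm" and line.startswith("match "):
            cfg["classmap"][sect[1]]["match"].append(tuple(line.split()[1:3]))
        elif sect and sect[0] == "pm" and line.startswith("class "):
            cfg["policymap"][sect[1]].append([line.split()[-1], None])
        elif sect and sect[0] == "pm" and line.split()[0] in ("inspect", "pass", "drop"):
            cfg["policymap"][sect[1]][-1][1] = line.split()[0]
        else:
            sect = None  # an unrecognised command ends the current block
    return cfg

def _hit(cfg, name, l4, port, src_ip, dst_ip):  # does class-map `name` match this flow?
    cm, hits = cfg["classmap"][name], []
    for kind, val in cm["match"]:
        if kind == "access-group":
            hits.append(any((src_ip is None or s(src_ip)) and d(dst_ip)
                            for s, d in cfg["acl"].get(val, [])))
        elif kind == "protocol":
            p = cfg["portmap"].get(val) or BUILTIN.get(val)
            hits.append(bool(p) and p[0] == l4 and p[1] in (None, port))
        else:  # nested "match class-map"
            hits.append(_hit(cfg, val, l4, port, src_ip, dst_ip))
    return all(hits) if cm["mode"] == "match-all" else any(hits)

def audit(cfg, policy="sdm-pol-NATOutsideToInside-1", src_ip=None):
    """(class, action) for each port-forward; src_ip=None means 'from any outside source'."""
    classes = sorted(cfg["policymap"][policy], key=lambda c: c[0] == "class-default")
    return {f"{l4}/{oport}->{ip}:{iport}": next(   # ZBF classifies on the post-NAT inside address
                ((c, a or "drop") for c, a in classes
                 if c == "class-default" or _hit(cfg, c, l4, iport, src_ip, ip)),
                ("class-default", "drop"))         # nothing listed: ZBF's implicit drop
            for l4, ip, iport, oport in cfg["nat"]}

if __name__ == "__main__":  # before/after: the tcp/3390 forward flips from drop to inspect
    for label, text in (("as posted", SAMPLE_CONFIG), ("with fix", SAMPLE_CONFIG + ZBF_FIX)):
        print(label, audit(parse_config(text)))
```

The seven lines in ZBF_FIX are entered under configure terminal exactly as shown (the leading spaces are cosmetic). Once a client connects, `show policy-map type inspect zone-pair sessions` lists the inspected RDP session, and because the posted config already has `ip inspect log drop-pkt`, attempts that fall through to class-default show up in `show logging`, which answers the "how do I see what is going on" question above. One caveat a practitioner would add: ACL 109 as suggested in the thread exposes the new terminal server's RDP to every source on the Internet, so once it is known to work, narrow the source to the addresses you actually connect from, the way ACL 107 restricts the phone box on 8000 to a single host.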
Did ya try the command I listed?
Did you change the registry entry to 3390??
ASKER
Hey goraek, thanks for replying. I have done as you asked, removing the one line and adding the other. Still no joy. I have made the setting changes in the server's registry to listen on port 3390 and I can RDC to it inside the network. I still cannot connect to it from outside.
new nat and acl
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 25 interface FastEthernet4 25
ip nat inside source static udp 192.168.1.5 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 24.199.175.222 3390 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.199.175.220 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.5
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.5
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.5
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.5
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.1.10
Ok, now that you have made changes to the server registry entry, for it to take effect, you will need to reboot that server.
Once this is rebooted, you should be able to connect.
Try that and let us know.
I have just tested - it appears to be working.
Do you want to see if you can RDP to 24.199.175.222:3390?
ASKER CERTIFIED SOLUTION
ASKER
I have chosen this post as the solution so that others with this same issue can see all of the commands needed to get the job done. I do want to thank all of the folks that replied.
Are you able to remote to it now?
ASKER
Yes I can remote in. Thanks for all of your replies