Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Cisco 1721 router and Terminal Services

Locked

Hi all!

I cannot connect to any of 3 Windows Terminal Servers. However, unfortunately I am not familiar with Cisco routers.
The router was installed and configured by our ISP. Can someone help me figure it out? I have used a.b.c.d for the external IP address. Sorry for the long post!
Thanks,
!
ip nat pool a.b.c.d a.b.c.d netmask 255.255.255.248
ip nat inside source list 1 pool overload
ip nat inside source static 172.16.1.3 a.b.c.d extendable
ip nat inside source static 172.16.1.7 a.b.c.d extendable
ip nat inside source static 172.16.1.11 a.b.c.d extendable
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.d
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq telnet
access-list 100 permit gre any any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any
access-list 100 permit udp any any eq 3389
access-list 100 permit udp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 80
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 deny tcp any any eq 139
access-list 102 deny tcp any any eq finge

Topic

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

FYI: If I start a terminal session from within the LAN I can connect to the Terminal servers, but not from the outside.
I was able to connect to them from the outside before we purchased the Cisco router. The only difference is that we were using public IPs when the old router was in service.
Thanks.

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

If you only have one static IP for the outside interface of your router, you will only be able to term serv into one internal server…you need to setup an ACL on your outside interface that will allow outside traffic destined for port 3389 inside your network.

in your access-list 102, applied to your outside interface, you need to have:

access-list 102 permit tcp 0.0.0.0 0.0.0.0 172.16.1.3 eq 3389

This will let any outside IP connect to your internal server 172.16.1.3 via Terminal services…just change the 0.0.0.0 0.0.0.0 to the IP of the host/network you want to allow internal access to your terminal server.

Again, with one external/public IP, you can only connect to one internal IP…unless you specify a different external host/network in the acl rule, and point it at the other internal server IPs

Hope this helps.

Mike

Reply To: Cisco 1721 router and Terminal Services

In reply to Reply To: Cisco 1721 router and Terminal Services

first, do this : x is a hidden value to me

ip nat inside source static tcp 172.16.1.3 3389 69.x.x.100 3389 extendible

ip nat inside source static tcp 172.16.1.7 3389 69.x.x.99 3389 extendible

ip nat inside source static tcp 172.16.1.11 3389 69.x.x.101 extendable

If you are the only one that will be accessing the Terminal servers, change 0.0.0.0 0.0.0.0 to an external/public IP range or host.

If your home IP was 1.1.1.1 the acl should read as follows:

access-list 102 permit tcp host 1.1.1.1 172.16.1.3 eq 3389

access-list 102 permit tcp host 1.1.1.1 172.16.1.7 eq 3389

access-list 102 permit tcp host 1.1.1.1 172.16.1.111 eq 3389

sorry this is so long winded…

Mike

Reply To: Cisco 1721 router and Terminal Services

In reply to Reply To: Cisco 1721 router and Terminal Services

is the 102 Access-list applied to the external interface?

do a show interface command and make sure the 102 access list is displayed under your external interface.

Reply To: Cisco 1721 router and Terminal Services

In reply to Reply To: Cisco 1721 router and Terminal Services

there is an implicit deny any any at the end of all ACLs.

create and apply this to your internal interface

access-list 105 deny tcp any any eq 137
access-list 105 deny tcp any any eq 138
access-list 105 deny tcp any any eq 139
access-list 105 permit ip any any
access-list 105 permit icmp any any echo
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
access-list 105 permit udp any any eq ntp
access-list 105 permit tcp any any eq www
access-list 105 permit udp any any eq domain
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq 7070
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq telnet
access-list 105 permit gre any any

create and apply this to your external interface
(1.1.1.1 = your home public IP address)

access-list 111 permit tcp host 1.1.1.1 172.16.1.3 eq 3389
access-list 111 permit tcp host 1.1.1.1 172.16.1.7 eq 3389
access-list 111 permit tcp host 1.1.1.1 172.16.1.111 eq 3389

Reply To: Cisco 1721 router and Terminal Services

In reply to Reply To: Cisco 1721 router and Terminal Services

Poster rated this answer.

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

Hi Mikel~T,
I just went into the router configuration and noticed the following entries:
============================================================
ip nat inside source static 172.16.1.3 69.x.x.100 extendable
ip nat inside source static 172.16.1.7 69.x.x.99 extendable
ip nat inside source static 172.16.1.11 69.x.X.101 extendable

============================================================
So it seems to me that I have more than one public IP?
You also said that I need to create an ACL
access-list 102 permit tcp 0.0.0.0 0.0.0.0 172.16.1.3 eq 3389
Do I need to change the 0.0.0.0.0.0.0 to a public IP, an internal IP or my home-router IP?

Pardon my ignorance and thank you for your time!

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

Hi MIke~T!

Could you please provide me with a step-by-step to configure my external interface and access-list 102?

I am so afraid of breaking a production router!

Thanks again for your time and happy holidays!

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

Hi Mike~T,
I just went into config mode and executed the command, and it returned the following error message:

Router1(config)#access-list 102 permit tcp host 69.x.x.101 172.16.1.11 eq 3389
^
Invalid input detected at ‘^’ marker.

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

The marker is between e and q

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

It seems that I was able to modify the access-list 102 after all, but I’m still not able to connect. I used these 3 entries in the access-list:
“access-list 102 permit tcp host 172.16.1.11 eq 3389 any
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp host 69.x.x.102 eq 3389”

Once again I don’t know what I’m doing, I just added those lines ’cause of frustration. It will probably be easier if I enable the web interface on the router and try to set up NAT from there…
I will do this tomorrow morning and let you know how it goes.
Thanks

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

Hello again,

The access-list 102 is applied to the internal interface. Access-list 100 is applied to the external interface. Could it be that they are reversed?
Thanks!

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

Hi Mike,
I just realized two things:

The router configuration reads”

1-“ip nat inside source list 1 pool SBC overload”.
The access-list applied to the outside interface is “100” not “1”. I am very sure that you would have noticed, but I am running out of options here.
2- How come I don’t see a “Deny ip any any” statement?

We are small shop. We do not have any web/email servers in house. I noticed that there are some ports open that I may not need. Could you help me secure my router?
Thanks,
JC

Reply To: Cisco 1721 router and Terminal Services

In reply to Cisco 1721 router and Terminal Services

This question was closed by the author

[Author]

Replies