Cisco 1721 router and Terminal Services

By Manthax
Hi all!

I cannot connect to any of 3 Windows Terminal Servers. However, unfortunately I am not familiar with Cisco routers.
The router was installed and configured by our ISP. Can someone help me figure it out? I have used a.b.c.d for the external IP address. Sorry for the long post!
Thanks,
!
ip nat pool a.b.c.d a.b.c.d netmask 255.255.255.248
ip nat inside source list 1 pool overload
ip nat inside source static 172.16.1.3 a.b.c.d extendable
ip nat inside source static 172.16.1.7 a.b.c.d extendable
ip nat inside source static 172.16.1.11 a.b.c.d extendable
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.d
no ip http server
no ip http secure-server
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit tcp any any eq www
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq 7070
access-list 100 permit tcp any any eq 443
access-list 100 permit tcp any any eq telnet
access-list 100 permit gre any any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit tcp host 172.16.1.3 eq 3389 any
access-list 100 permit tcp host 172.16.1.7 eq 3389 any
access-list 100 permit tcp host 172.16.1.9 eq 3389 any
access-list 100 permit udp any any eq 3389
access-list 100 permit udp any any eq 25
access-list 100 permit tcp any any eq 3389
access-list 100 permit udp any any eq 80
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 deny tcp any any eq 139
access-list 102 deny tcp any any eq finge

by Manthax In reply to Cisco 1721 router and Ter ...

FYI: If I start a terminal session from within the LAN I can connect to the Terminal servers, but not from the outside.
I was able to connect to them from the outside before we purchased the Cisco router. The only difference is that we were using public IPs when the old router was in service.
Thanks.

by Mikel~T In reply to Cisco 1721 router and Ter ...

If you only have one static IP for the outside interface of your router, you will only be able to term serv into one internal server...you need to set up an ACL on your outside interface that will allow outside traffic destined for port 3389 inside your network.

in your access-list 102, applied to your outside interface, you need to have:

access-list 102 permit tcp 0.0.0.0 0.0.0.0 host 172.16.1.3 eq 3389

This will let any outside IP connect to your internal server 172.16.1.3 via Terminal services...just change the 0.0.0.0 0.0.0.0 to the IP of the host/network you want to allow internal access to your terminal server.

Again, with one external/public IP, you can only connect to one internal IP...unless you specify a different external host/network in the acl rule, and point it at the other internal server IPs

Hope this helps.

Mike

by Mikel~T In reply to

First, do this (x is a hidden value to me):

ip nat inside source static tcp 172.16.1.3 3389 69.x.x.100 3389 extendable

ip nat inside source static tcp 172.16.1.7 3389 69.x.x.99 3389 extendable

ip nat inside source static tcp 172.16.1.11 3389 69.x.x.101 3389 extendable

If you are the only one that will be accessing the Terminal servers, change 0.0.0.0 0.0.0.0 to an external/public IP range or host.

If your home IP was 1.1.1.1 the acl should read as follows:

access-list 102 permit tcp host 1.1.1.1 host 172.16.1.3 eq 3389

access-list 102 permit tcp host 1.1.1.1 host 172.16.1.7 eq 3389

access-list 102 permit tcp host 1.1.1.1 host 172.16.1.11 eq 3389

Sorry this is so long-winded...

Mike

by Mikel~T In reply to

Is the 102 access-list applied to the external interface?

Do a show interface command and make sure the 102 access list is displayed under your external interface.

by Mikel~T In reply to

There is an implicit deny any any at the end of all ACLs.

Create and apply this to your internal interface:

access-list 105 deny tcp any any eq 137
access-list 105 deny tcp any any eq 138
access-list 105 deny tcp any any eq 139
access-list 105 permit ip any any
access-list 105 permit icmp any any echo
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
access-list 105 permit udp any any eq ntp
access-list 105 permit tcp any any eq www
access-list 105 permit udp any any eq domain
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq 7070
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq telnet
access-list 105 permit gre any any


Create and apply this to your external interface
(1.1.1.1 = your home public IP address):

access-list 111 permit tcp host 1.1.1.1 host 172.16.1.3 eq 3389
access-list 111 permit tcp host 1.1.1.1 host 172.16.1.7 eq 3389
access-list 111 permit tcp host 1.1.1.1 host 172.16.1.11 eq 3389
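A small Python model, added here as an example and not from any poster in this thread, of the two things that decide whether the ACLs above let RDP in: IOS wildcard-mask matching with the implicit deny, and the inbound order of operations on the outside interface, where the ACL is evaluated before static NAT rewrites the public address to the inside one, so an entry whose destination is 172.16.1.3 never matches. The 203.0.113.x addresses are constructed stand-ins for the hidden 69.x.x.x public IPs, and parse_acl, evaluate and inbound_rdp are hypothetical helpers, not IOS commands.

```python
import ipaddress

# Constructed stand-ins for the thread's static NAT entries (203.0.113.x for the hidden 69.x.x.x).
STATIC_NAT = {"203.0.113.100": "172.16.1.3", "203.0.113.99": "172.16.1.7",
              "203.0.113.101": "172.16.1.11"}

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: 0 bits must match exactly, 1 bits are ignored.
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _addr_spec(tok, i):
    # Consume "any", "host A" or "A WILDCARD" at tok[i]; return (base, wildcard, next index).
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    ipaddress.IPv4Address(tok[i + 1])  # "172.16.1.3 eq" has no mask: ValueError, as on the router
    return tok[i], tok[i + 1], i + 2

def parse_acl(lines):
    # Parse "access-list N permit|deny PROTO SRC DST [eq PORT]" lines into entries.
    acl = []
    for line in lines:
        tok = line.split()
        s_base, s_wc, i = _addr_spec(tok, 4)
        d_base, d_wc, i = _addr_spec(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        acl.append((tok[2], tok[3], (s_base, s_wc), (d_base, d_wc), port))
    return acl

def evaluate(acl, proto, src, dst, dport):
    # First matching entry wins; no match falls through to the implicit "deny any any".
    for action, p, (sb, sw), (db, dw), port in acl:
        if p in (proto, "ip") and wildcard_match(src, sb, sw) \
                and wildcard_match(dst, db, dw) and port in (None, dport):
            return action
    return "deny"

def inbound_rdp(acl, src, public_dst):
    # IOS checks the inbound ACL on the outside interface before static NAT translates
    # global->local, so the ACL sees the public address. Returns the inside server or None.
    if evaluate(acl, "tcp", src, public_dst, 3389) != "permit":
        return None
    return STATIC_NAT.get(public_dst)

# Inside address as destination (with "host", which the router accepts) never matches a packet sent to the public IP:
INSIDE_ACL = parse_acl(["access-list 111 permit tcp host 1.1.1.1 host 172.16.1.3 eq 3389"])
# Matching on the public address the packet actually carries does:
PUBLIC_ACL = parse_acl(["access-list 111 permit tcp host 1.1.1.1 host 203.0.113.100 eq 3389"])
```

The model also shows that a source of 0.0.0.0 0.0.0.0 matches only the address 0.0.0.0 (the keyword for any source is any), and that a destination written without host or a wildcard mask is rejected at parse time, which is the "Invalid input" the router reports later in this thread.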

by Manthax In reply to

Poster rated this answer.

by Manthax In reply to Cisco 1721 router and Ter ...

Hi Mikel~T,
I just went into the router configuration and noticed the following entries:
============================================================
ip nat inside source static 172.16.1.3 69.x.x.100 extendable
ip nat inside source static 172.16.1.7 69.x.x.99 extendable
ip nat inside source static 172.16.1.11 69.x.X.101 extendable

============================================================
So it seems to me that I have more than one public IP?
You also said that I need to create an ACL
access-list 102 permit tcp 0.0.0.0 0.0.0.0 172.16.1.3 eq 3389
Do I need to change the 0.0.0.0 0.0.0.0 to a public IP, an internal IP or my home-router IP?

Pardon my ignorance and thank you for your time!

by Manthax In reply to Cisco 1721 router and Ter ...

Hi Mike~T!

Could you please provide me with a step-by-step to configure my external interface and access-list 102?

I am so afraid of breaking a production router!

Thanks again for your time and happy holidays!

by Manthax In reply to Cisco 1721 router and Ter ...

Hi Mike~T,
I just went into config mode and executed the command, and it returned the following error message:

Router1(config)#access-list 102 permit tcp host 69.x.x.101 172.16.1.11 eq 3389
^
Invalid input detected at '^' marker.

by Manthax In reply to Cisco 1721 router and Ter ...

The marker is between the e and the q.
