  • #2291067

    Cisco 1721 router and Terminal Services

    by manthax ·

    Hi all!

    I cannot connect to any of the 3 Windows Terminal Servers. Unfortunately, I am not familiar with Cisco routers.
    The router was installed and configured by our ISP. Can someone help me figure it out? I have used a.b.c.d for the external IP address. Sorry for the long post!
    Thanks,
    !
    ip nat pool a.b.c.d a.b.c.d netmask 255.255.255.248
    ip nat inside source list 1 pool overload
    ip nat inside source static 172.16.1.3 a.b.c.d extendable
    ip nat inside source static 172.16.1.7 a.b.c.d extendable
    ip nat inside source static 172.16.1.11 a.b.c.d extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 a.b.c.d
    no ip http server
    no ip http secure-server
    !
    access-list 1 permit 172.16.1.0 0.0.0.255
    access-list 100 permit ipinip any any
    access-list 100 permit icmp any any echo
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any packet-too-big
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any traceroute
    access-list 100 permit icmp any any unreachable
    access-list 100 permit udp any any eq ntp
    access-list 100 permit tcp any any eq www
    access-list 100 permit udp any any eq domain
    access-list 100 permit tcp any any eq smtp
    access-list 100 permit tcp any any eq pop3
    access-list 100 permit tcp any any eq 7070
    access-list 100 permit tcp any any eq 443
    access-list 100 permit tcp any any eq telnet
    access-list 100 permit gre any any
    access-list 100 permit ip 172.16.1.0 0.0.0.255 any
    access-list 100 permit tcp host 172.16.1.3 eq 3389 any
    access-list 100 permit tcp host 172.16.1.7 eq 3389 any
    access-list 100 permit tcp host 172.16.1.9 eq 3389 any
    access-list 100 permit udp any any eq 3389
    access-list 100 permit udp any any eq 25
    access-list 100 permit tcp any any eq 3389
    access-list 100 permit udp any any eq 80
    access-list 102 deny tcp any any eq 137
    access-list 102 deny tcp any any eq 138
    access-list 102 deny tcp any any eq 139
    access-list 102 deny tcp any any eq finge

All Comments

    • #3291168

      Reply To: Cisco 1721 router and Terminal Services

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      FYI: If I start a terminal session from within the LAN I can connect to the Terminal servers, but not from the outside.
      I was able to connect to them from the outside before we purchased the Cisco router. The only difference is that we were using public IPs when the old router was in service.
      Thanks.

    • #3291150

      by mikel~t ·

      In reply to Cisco 1721 router and Terminal Services

      If you only have one static IP for the outside interface of your router, you will only be able to term serv into one internal server…you need to set up an ACL on your outside interface that will allow outside traffic destined for port 3389 inside your network.

      In your access-list 102, applied to your outside interface, you need to have:

      access-list 102 permit tcp 0.0.0.0 0.0.0.0 172.16.1.3 eq 3389

      This will let any outside IP connect to your internal server 172.16.1.3 via Terminal services…just change the 0.0.0.0 0.0.0.0 to the IP of the host/network you want to allow internal access to your terminal server.

      Again, with one external/public IP, you can only connect to one internal IP…unless you specify a different external host/network in the acl rule, and point it at the other internal server IPs

      Hope this helps.

      Mike

      • #3290956

        by mikel~t ·

        In reply to Reply To: Cisco 1721 router and Terminal Services

        First, do this (x is a value hidden from me):

        ip nat inside source static tcp 172.16.1.3 3389 69.x.x.100 3389 extendable

        ip nat inside source static tcp 172.16.1.7 3389 69.x.x.99 3389 extendable

        ip nat inside source static tcp 172.16.1.11 3389 69.x.x.101 3389 extendable

        If you are the only one that will be accessing the Terminal servers, change 0.0.0.0 0.0.0.0 to an external/public IP range or host.

        If your home IP was 1.1.1.1 the acl should read as follows:

        access-list 102 permit tcp host 1.1.1.1 172.16.1.3 eq 3389

        access-list 102 permit tcp host 1.1.1.1 172.16.1.7 eq 3389

        access-list 102 permit tcp host 1.1.1.1 172.16.1.111 eq 3389

        Sorry this is so long-winded…

        Mike

      • #3314993

        by mikel~t ·

        In reply to Reply To: Cisco 1721 router and Terminal Services

        Is the 102 access-list applied to the external interface?

        Do a show interface command and make sure the 102 access list is displayed under your external interface.

      • #3315173

        by mikel~t ·

        In reply to Reply To: Cisco 1721 router and Terminal Services

        There is an implicit deny any any at the end of all ACLs.

        Create and apply this to your internal interface:

        access-list 105 deny tcp any any eq 137
        access-list 105 deny tcp any any eq 138
        access-list 105 deny tcp any any eq 139
        access-list 105 permit ip any any
        access-list 105 permit icmp any any echo
        access-list 105 permit icmp any any echo-reply
        access-list 105 permit icmp any any packet-too-big
        access-list 105 permit icmp any any time-exceeded
        access-list 105 permit icmp any any traceroute
        access-list 105 permit icmp any any unreachable
        access-list 105 permit udp any any eq ntp
        access-list 105 permit tcp any any eq www
        access-list 105 permit udp any any eq domain
        access-list 105 permit tcp any any eq smtp
        access-list 105 permit tcp any any eq pop3
        access-list 105 permit tcp any any eq 7070
        access-list 105 permit tcp any any eq 443
        access-list 105 permit tcp any any eq telnet
        access-list 105 permit gre any any

        Create and apply this to your external interface:
        (1.1.1.1 = your home public IP address)

        access-list 111 permit tcp host 1.1.1.1 172.16.1.3 eq 3389
        access-list 111 permit tcp host 1.1.1.1 172.16.1.7 eq 3389
        access-list 111 permit tcp host 1.1.1.1 172.16.1.111 eq 3389
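Added example, not code from anyone in the thread: a small Python evaluator for the extended-ACL syntax used above, showing that `permit tcp host 172.16.1.11 eq 3389 any` matches only the server's replies (the port sits on the source side), that an entry with the port on the destination side is what permits an incoming connection, and that anything unmatched falls to the implicit deny. The three sample entries are constructed; 203.0.113.10 stands in for the administrator's home address.

```python
import ipaddress

# IOS port keywords that appear in the thread's ACLs, mapped to port numbers.
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53, "pop3": 110, "ntp": 123}

# Constructed sample (not the poster's config); 203.0.113.10 stands in for the admin's home address.
ACL_102 = """
access-list 102 deny tcp any any eq 137
access-list 102 permit tcp host 172.16.1.11 eq 3389 any
access-list 102 permit tcp host 203.0.113.10 host 172.16.1.11 eq 3389
"""

def _addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # An IOS wildcard is an inverted mask; ipaddress accepts it as a host mask.
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; None means any port."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Return the entries as (action, proto, src_net, src_port, dst_net, dst_port), in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # not an extended ACL entry
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry wins; no match is the implicit deny at the end of every IOS ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and src in rsrc and dst in rdst
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"
```

Note that IOS needs `host` or a wildcard mask in front of the destination address, so the bare `172.16.1.3 eq 3389` form given above is rejected with the "Invalid input" error reported later in the thread. Also, an inbound ACL on the outside interface is evaluated before outside-to-inside NAT translation, so an entry applied there has to name the server's public address rather than its 172.16.1.x address.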

    • #3291130

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      Hi Mikel~T,
      I just went into the router configuration and noticed the following entries:
      ============================================================
      ip nat inside source static 172.16.1.3 69.x.x.100 extendable
      ip nat inside source static 172.16.1.7 69.x.x.99 extendable
      ip nat inside source static 172.16.1.11 69.x.X.101 extendable

      ============================================================
      So it seems to me that I have more than one public IP?
      You also said that I need to create an ACL
      access-list 102 permit tcp 0.0.0.0 0.0.0.0 172.16.1.3 eq 3389
      Do I need to change the 0.0.0.0 0.0.0.0 to a public IP, an internal IP or my home-router IP?

      Pardon my ignorance and thank you for your time!

    • #3311169

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      Hi Mike~T!

      Could you please provide me with a step-by-step to configure my external interface and access-list 102?

      I am so afraid of breaking a production router!

      Thanks again for your time and happy holidays!

    • #3311010

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      Hi Mike~T,
      I just went into config mode and executed the command, and it returned the following error message:

      Router1(config)#access-list 102 permit tcp host 69.x.x.101 172.16.1.11 eq 3389
      ^
      Invalid input detected at ‘^’ marker.

    • #3311008

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      The marker is between e and q

    • #3310997

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      It seems that I was able to modify the access-list 102 after all, but I’m still not able to connect. I used these 3 entries in the access-list:
      “access-list 102 permit tcp host 172.16.1.11 eq 3389 any
      access-list 102 permit tcp any any eq 3389
      access-list 102 permit tcp host 69.x.x.102 eq 3389”

      Once again I don’t know what I’m doing, I just added those lines ’cause of frustration. It will probably be easier if I enable the web interface on the router and try to set up NAT from there…
      I will do this tomorrow morning and let you know how it goes.
      Thanks

    • #3314862

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      Hello again,

      The access-list 102 is applied to the internal interface. Access-list 100 is applied to the external interface. Could it be that they are reversed?
      Thanks!

    • #3315694

      by manthax ·

      In reply to Cisco 1721 router and Terminal Services

      Hi Mike,
      I just realized two things:

      The router configuration reads:

      1. “ip nat inside source list 1 pool SBC overload”.
      The access-list applied to the outside interface is “100”, not “1”. I am very sure that you would have noticed, but I am running out of options here.
      2. How come I don’t see a “Deny ip any any” statement?

      We are a small shop. We do not have any web/email servers in house. I noticed that there are some ports open that I may not need. Could you help me secure my router?
      Thanks,
      JC
