Cisco 1721 router and Terminal Services

Windows

Collapse -

by Manthax · 16 years ago In reply to Cisco 1721 router and Ter ...

FYI: If I start a terminal session from within the LAN I can connect to the Terminal servers, but not from the outside.
I was able to connect to them from the outside before we purchased the Cisco router. The only difference is that we were using public IPs when the old router was in service.
Thanks.

Collapse -

by Mikel~T · 16 years ago In reply to Cisco 1721 router and Ter ...

If you only have one static IP for the outside interface of your router, you will only be able to term serv into one internal server...you need to setup an ACL on your outside interface that will allow outside traffic destined for port 3389 inside your network.

in your access-list 102, applied to your outside interface, you need to have:

access-list 102 permit tcp 0.0.0.0 0.0.0.0 172.16.1.3 eq 3389

This will let any outside IP connect to your internal server 172.16.1.3 via Terminal services...just change the 0.0.0.0 0.0.0.0 to the IP of the host/network you want to allow internal access to your terminal server.

Again, with one external/public IP, you can only connect to one internal IP...unless you specify a different external host/network in the acl rule, and point it at the other internal server IPs

Hope this helps.

Mike

Collapse -

by Mikel~T · 16 years ago In reply to

first, do this : x is a hidden value to me

ip nat inside source static tcp 172.16.1.3 3389 69.x.x.100 3389 extendible

ip nat inside source static tcp 172.16.1.7 3389 69.x.x.99 3389 extendible

ip nat inside source static tcp 172.16.1.11 3389 69.x.x.101 extendable

If you are the only one that will be accessing the Terminal servers, change 0.0.0.0 0.0.0.0 to an external/public IP range or host.

If your home IP was 1.1.1.1 the acl should read as follows:

access-list 102 permit tcp host 1.1.1.1 172.16.1.3 eq 3389

access-list 102 permit tcp host 1.1.1.1 172.16.1.7 eq 3389

access-list 102 permit tcp host 1.1.1.1 172.16.1.111 eq 3389

sorry this is so long winded...

Mike

Collapse -

by Mikel~T · 16 years ago In reply to

is the 102 Access-list applied to the external interface?

do a show interface command and make sure the 102 access list is displayed under your external interface.

Collapse -

by Mikel~T · 16 years ago In reply to

there is an implicit deny any any at the end of all ACLs.

create and apply this to your internal interface

access-list 105 deny tcp any any eq 137
access-list 105 deny tcp any any eq 138
access-list 105 deny tcp any any eq 139
access-list 105 permit ip any any
access-list 105 permit icmp any any echo
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable
access-list 105 permit udp any any eq ntp
access-list 105 permit tcp any any eq www
access-list 105 permit udp any any eq domain
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq 7070
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq telnet
access-list 105 permit gre any any

create and apply this to your external interface
(1.1.1.1 = your home public IP address)

access-list 111 permit tcp host 1.1.1.1 172.16.1.3 eq 3389
access-list 111 permit tcp host 1.1.1.1 172.16.1.7 eq 3389
access-list 111 permit tcp host 1.1.1.1 172.16.1.111 eq 3389

Collapse -

by Manthax · 16 years ago In reply to

Poster rated this answer.

Collapse -

by Manthax · 16 years ago In reply to Cisco 1721 router and Ter ...

Hi Mikel~T,
I just went into the router configuration and noticed the following entries:
============================================================
ip nat inside source static 172.16.1.3 69.x.x.100 extendable
ip nat inside source static 172.16.1.7 69.x.x.99 extendable
ip nat inside source static 172.16.1.11 69.x.X.101 extendable

============================================================
So it seems to me that I have more than one public IP?
You also said that I need to create an ACL
access-list 102 permit tcp 0.0.0.0 0.0.0.0 172.16.1.3 eq 3389
Do I need to change the 0.0.0.0.0.0.0 to a public IP, an internal IP or my home-router IP?

Pardon my ignorance and thank you for your time!

Collapse -

by Manthax · 16 years ago In reply to Cisco 1721 router and Ter ...

Hi MIke~T!

Could you please provide me with a step-by-step to configure my external interface and access-list 102?

I am so afraid of breaking a production router!

Thanks again for your time and happy holidays!

Collapse -

by Manthax · 16 years ago In reply to Cisco 1721 router and Ter ...

Hi Mike~T,
I just went into config mode and executed the command, and it returned the following error message:

Router1(config)#access-list 102 permit tcp host 69.x.x.101 172.16.1.11 eq 3389
^
Invalid input detected at '^' marker.

Collapse -

by Manthax · 16 years ago In reply to Cisco 1721 router and Ter ...

The marker is between e and q

Windows

General discussion

Cisco 1721 router and Terminal Services

All Comments

Start or search

Create a new discussion

Post type

Subject title

Topic Tags

Message Body

Track this discussion and email me when there are updates

Related Discussions

You can still get a free Windows 10 upgrade

Top Windows 10 questions

How to perform a total system reset in Windows 10

Avoid Windows 10 crapware

Windows 10 setup and configuration tips

Related Forums