Help with CBAC-Config !

By Manthax
Hi all!

I cannot connect remotely to any Windows 2000 Terminal Servers. However, unfortunately I am not familiar with Cisco routers.
The router was installed and configured by our ISP.

When I remove the "Ip inspect" command I am able to connect to the Terminal servers from the outside. However, workstations and servers on the LAN lose Internet access!

Thanks,
!
!
version 12.3

!
ip inspect dns-timeout 30
ip inspect name myfw cuseeme
ip inspect name myfw rcmd
ip inspect name myfw udp
ip inspect name myfw tcp
ip inspect name myfw tftp
ip inspect name myfw smtp
ip inspect name myfw realaudio
ip inspect name myfw h323
ip inspect name myfw ftp
ip inspect name myfw http
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
!
interface FastEthernet0
ip address 172.16.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
speed auto
no cdp enable

interface Serial0.1 point-to-point
ip address 65.x.x.50 255.255.255.252
ip access-group 100 in
ip nat outside
ip inspect myfw out
frame-relay interface-dlci 16
!
ip nat pool SBC 69.x.x.97 69.x.x.98 netmask 255.255.255.248
ip nat inside source list 1 pool SBC overload
ip nat inside source static tcp 172.16.1.3 3389 69.x.x.100 3389
ip nat inside source static tcp 172.16.1.7 3389 69.x.x.99 3389
ip classless
ip route 0.0.0.0 0.0.0.0 69.x.x.49
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit tcp any any eq 3389
access-list 100 permit ipinip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any any eq ntp
access-list 100 permit udp any any eq domain
access-list 100 permit gre any any
access-list 102 deny tcp any any eq 137
access-list 102 deny tcp any any eq 138
access-list 102 permit ip any any

All Comments

by joker64 In reply to Help with CBAC-Config !

Your ISP may have a software program you can run to access the config of the router... If not, you can try running your network wizard and set up a port to port IP... If your server is running a static IP, just get that IP and the port address it accesses... and set it up that way.

by Manthax In reply to

All the ports for the terminal servers are open and functional at the firewall. The router's web interface has been disabled, and frankly I like the CLI better.

by CG IT In reply to Help with CBAC-Config !

First rule of thumb in troubleshooting Cisco routers with access lists: disable the access lists, then try. If you can connect, the problem is somewhere in the access list. This is because there is an implicit deny at the end of the access list [meaning that at the end of an access list there is a deny statement even if you don't see it, so that everything not specified as allowed in the list is denied]. If you don't have traffic and are using an access list, the implicit deny usually is the problem [which is why the first thing to do is disable the access list and see if that clears up the problem].
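
The first-match and implicit-deny behaviour described in this reply, applied to access-list 100 from the question, as an added example that is not part of the original thread. It is a simplified model rather than IOS itself: the packet addresses are constructed, and `check_inbound` and `inspect_outbound` are hypothetical helper names. It shows why reply traffic for LAN-initiated sessions is dropped on Serial0.1 when `ip inspect` is removed.

```python
from collections import namedtuple

# For ICMP the dport field carries the ICMP type name instead of a port.
Packet = namedtuple("Packet", "proto src sport dst dport")

# access-list 100 as posted; every line is "any any", so only the protocol and
# the destination port (or ICMP type) are kept. None means no qualifier.
ACL_100 = [
    ("permit", "tcp", 3389), ("permit", "ipinip", None),
    ("permit", "icmp", "echo"), ("permit", "icmp", "echo-reply"),
    ("permit", "icmp", "time-exceeded"), ("permit", "icmp", "traceroute"),
    ("permit", "icmp", "unreachable"),
    ("permit", "udp", 123),  # ntp
    ("permit", "udp", 53),   # domain
    ("permit", "gre", None),
]
MYFW = {"tcp", "udp"}  # the generic tcp/udp lines of "ip inspect name myfw"

def inspect_outbound(pkt, rule, sessions):
    """Model of 'ip inspect myfw out': remember flows leaving Serial0.1."""
    if pkt.proto in rule:
        sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return sessions

def check_inbound(pkt, acl, sessions=frozenset()):
    """Model of 'ip access-group 100 in': first match wins, else implicit deny."""
    # Return traffic is a recorded flow with source and destination swapped.
    if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in sessions:
        return "permit", "temporary entry from ip inspect"
    for line, (action, proto, qualifier) in enumerate(acl, 1):
        if proto == pkt.proto and qualifier in (None, pkt.dport):
            return action, f"line {line}"
    return "deny", "implicit deny"

# Constructed packets; addresses are documentation ranges, not from the thread.
RDP_IN = Packet("tcp", "192.0.2.50", 50000, "203.0.113.100", 3389)
WEB_OUT = Packet("tcp", "203.0.113.97", 40000, "198.51.100.10", 80)  # after NAT
WEB_REPLY = Packet("tcp", "198.51.100.10", 80, "203.0.113.97", 40000)

if __name__ == "__main__":
    print(check_inbound(RDP_IN, ACL_100))     # matched by an explicit permit
    print(check_inbound(WEB_REPLY, ACL_100))  # no inspect: falls to implicit deny
    tracked = inspect_outbound(WEB_OUT, MYFW, set())
    print(check_inbound(WEB_REPLY, ACL_100, tracked))  # inspect opens the return path
```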

by CG IT In reply to

BTW is this a 1721 or a PIX or ???

by Manthax In reply to

Hello CG IT!
I found the problem was the IP inspect statement was not working properly. The problem is no longer an issue.
Thanks!

by Manthax In reply to Help with CBAC-Config !

The router is a Cisco 1721 router.
I've removed both access lists, but I'm still unable to connect.
Thanks,

by Manthax In reply to Help with CBAC-Config !

Hello CG IT,
This is a Cisco 1721 router. I've removed the access-lists, but that did not work!
Thanks,

by Manthax In reply to Help with CBAC-Config !

This question was closed by the author
