Access List Issue with port 3389

[ski12]

I need help with setting up Access List on a Cisco 1720 router. I need to forward any traffic to the router on port 3389, Microsoft Terminal Service, to the computer running Terminal Services on an inside IP.

Any help would be great!

version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$cM1r$IjoFQfTjJRC5WUel9MvDF0
enable password 7 1436473B5F2A
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
description connected to Internet
ip address xxx.xxx.xxx.234 255.255.255.252
ip nat outside
service-module t1 data-coding inverted
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.1.249 255.255.255.0
ip nat inside
speed auto
!
router eigrp 1
network 192.168.0.0
auto-summary
no eigrp log-neighbor-changes
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static tcp 192.168.1.10 3389 interface Serial0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.233
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
exec-timeout 0 0
password 7 123850274125
login
line aux 0
line vty 0 4
password 7 0800197E5A37
login
!
no scheduler allocate
end

 

[rburke]

That looks like it should work. Whati s happening when you try to TS from the outside?

Burke

 

[ski12]

The client could not connect to the Terinal server. The server may be too busy. Please try connecting later.

 

[rburke]

From that router can you ping the sever (192.168.1.10)?

 

[SF18C]

You may have a problem with your T.Server. Microsoft not Cisco!!!! I have seen this same error message when the number of established connections where already made with the TermServer. Is it set up for admin or client access?

As rburke states try to ping that IP or better yet attepmt a telnet to the server on that port. My gut feeling is that if you are getting the M$ error message you may be able to connect to the Server just to many connections are in use. Oh BTW...with M$ Term Server, if you close out of the window your connection can stay established until a Terminal Services Admin goes in and disconnects those unused connections.

SF18C
CCNA, MCSE, A+, N+ & HPCC

"Tis better to die on your feet than live on your knees!"

 

[ski12]

Yes I can ping the terminal server and open a telnet connection on port 3389. The server is set in application mode for clients.

 

[rburke]

I'm not sure if TS uses UDP too, but I would try forwarding UDP port 3389 as well...

The one thing you do know is that it is forwarding to the server correctly or else you would never get that error message.

Burke

 

[ski12]

New Config - still does not work

Help !!!


version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname name
!
enable secret 5 $1$cM1r$IjoFQfTjJRC5WUel9MvDF0
enable password 7 1436473B5F2A
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
description connected to Internet
ip address 0.0.0.234 255.255.255.252
ip nat outside
service-module t1 data-coding inverted
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.1.249 255.255.255.0
ip nat inside
speed auto
!
router eigrp 1
network 192.168.0.0
auto-summary
no eigrp log-neighbor-changes
!
ip nat pool lan 0.0.0.234 0.0.0.234 netmask 255.255.255.252
ip nat inside source list 1 pool lan overload
ip nat inside source static tcp 192.168.1.10 3389 0.0.0.234 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 0.0.0.233
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any established
!
line con 0
exec-timeout 0 0
password 7 123850274125
login
line aux 0
line vty 0 4
password 7 0800197E5A37
login
!
no scheduler allocate
end

 

[ChrisAC]

Log your access list to make sure that the request is being passed. This is from my config ..

ip nat translation timeout 3600
ip nat inside source list 5 interface ATM0.1 overload
ip nat inside source static tcp 192.168.3.2 3389 interface ATM0.1 3389
!
access-list 105 permit tcp host <my_work_address> any eq 3389 log
access-list 105 deny tcp any any eq 3389 log

I agree with SF18C that the problem is most likely not with the router config. If you can open a telnet session to port 3389 then the router is translating the address and port correctly and passing the session to the server on the LAN. Either way, log the access list and then check the logs and also check the translation (sh ip nat trans).

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************