
Access List Issue with port 3389

Status
Not open for further replies.

ski12

IS-IT--Management
Apr 9, 2003
4
US
I need help with setting up Access List on a Cisco 1720 router. I need to forward any traffic to the router on port 3389, Microsoft Terminal Service, to the computer running Terminal Services on an inside IP.

Any help would be great!

version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$cM1r$IjoFQfTjJRC5WUel9MvDF0
enable password 7 1436473B5F2A
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
description connected to Internet
ip address xxx.xxx.xxx.234 255.255.255.252
ip nat outside
service-module t1 data-coding inverted
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.1.249 255.255.255.0
ip nat inside
speed auto
!
router eigrp 1
network 192.168.0.0
auto-summary
no eigrp log-neighbor-changes
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static tcp 192.168.1.10 3389 interface Serial0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.233
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
exec-timeout 0 0
password 7 123850274125
login
line aux 0
line vty 0 4
password 7 0800197E5A37
login
!
no scheduler allocate
end
 
That looks like it should work. What is happening when you try to TS from the outside?

Burke
 
The client could not connect to the Terminal server. The server may be too busy. Please try connecting later.
 
From that router can you ping the server (192.168.1.10)?
 
You may have a problem with your T.Server. Microsoft not Cisco!!!! I have seen this same error message when the number of established connections were already made with the TermServer. Is it set up for admin or client access?

As rburke states try to ping that IP or better yet attempt a telnet to the server on that port. My gut feeling is that if you are getting the M$ error message you may be able to connect to the Server, just too many connections are in use. Oh BTW...with M$ Term Server, if you close out of the window your connection can stay established until a Terminal Services Admin goes in and disconnects those unused connections.

SF18C
CCNA, MCSE, A+, N+ & HPCC

"Tis better to die on your feet than live on your knees!"
 
Yes I can ping the terminal server and open a telnet connection on port 3389. The server is set in application mode for clients.
 
I'm not sure if TS uses UDP too, but I would try forwarding UDP port 3389 as well...

The one thing you do know is that it is forwarding to the server correctly or else you would never get that error message.

Burke
 
New Config - still does not work

Help !!!


version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname name
!
enable secret 5 $1$cM1r$IjoFQfTjJRC5WUel9MvDF0
enable password 7 1436473B5F2A
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
!
!
!
interface Serial0
description connected to Internet
ip address 0.0.0.234 255.255.255.252
ip nat outside
service-module t1 data-coding inverted
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.1.249 255.255.255.0
ip nat inside
speed auto
!
router eigrp 1
network 192.168.0.0
auto-summary
no eigrp log-neighbor-changes
!
ip nat pool lan 0.0.0.234 0.0.0.234 netmask 255.255.255.252
ip nat inside source list 1 pool lan overload
ip nat inside source static tcp 192.168.1.10 3389 0.0.0.234 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 0.0.0.233
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any established
!
line con 0
exec-timeout 0 0
password 7 123850274125
login
line aux 0
line vty 0 4
password 7 0800197E5A37
login
!
no scheduler allocate
end
 
Log your access list to make sure that the request is being passed. This is from my config ..

ip nat translation timeout 3600
ip nat inside source list 5 interface ATM0.1 overload
ip nat inside source static tcp 192.168.3.2 3389 interface ATM0.1 3389
!
access-list 105 permit tcp host <my_work_address> any eq 3389 log
access-list 105 deny tcp any any eq 3389 log

I agree with SF18C that the problem is most likely not with the router config. If you can open a telnet session to port 3389 then the router is translating the address and port correctly and passing the session to the server on the LAN. Either way, log the access list and then check the logs and also check the translation (sh ip nat trans).

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
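One thing worth checking in the second config above, independent of the Terminal Server question: access-list 110 is defined, but no ip access-group command binds it to Serial0, so it never filters anything, and the static NAT entry exposes tcp/3389 on the Internet side to any source. The script below is an added example (not code from any post in this thread, and not a Cisco tool) that reads IOS config text and reports exactly those two conditions: port forwards that reach an "ip nat outside" interface with no inbound ACL (or an ACL that permits any source to the forwarded port), and ACLs that are defined but unreferenced. It assumes the plain numbered access-list and "ip nat inside source static" syntax shown in the posted configs. The sample input is an excerpt of the second posted config; the hardened variant applies the ACL inbound on Serial0 and restricts 3389 to one admin address in the shape of Chris's access-list 105, with 203.0.113.5 as a constructed placeholder for that address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Interface:
    name: str
    nat_outside: bool = False
    acl_in: Optional[str] = None  # ACL bound with "ip access-group <n> in"


@dataclass
class Forward:
    proto: str
    inside_ip: str
    inside_port: int
    outside: str  # interface name or public IP, exactly as written
    public_port: int


def parse_config(text: str):
    """Collect interfaces, static port forwards, ACL rules and referenced ACL numbers."""
    interfaces: Dict[str, Interface] = {}
    forwards: List[Forward] = []
    acls: Dict[str, List[List[str]]] = {}
    referenced: Set[str] = set()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":  # IOS prints '!' between config sections
            current = None
            continue
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            current = interfaces.setdefault(t[1], Interface(t[1]))
            continue
        if current is not None:  # lines belonging to the open interface section
            if line == "ip nat outside":
                current.nat_outside = True
            elif t[:2] == ["ip", "access-group"] and t[-1] == "in":
                current.acl_in = t[2]
                referenced.add(t[2])
            continue
        if t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp"):
            if t[8] == "interface":  # ... 3389 interface Serial0 3389
                outside, pub = t[9], int(t[10])
            else:  # ... 3389 0.0.0.234 3389 extendable
                outside, pub = t[8], int(t[9])
            forwards.append(Forward(t[5], t[6], int(t[7]), outside, pub))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            referenced.add(t[5])  # ACL selecting traffic for PAT counts as applied
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
    return interfaces, forwards, acls, referenced


def rule_permits_any_to(rule: List[str], proto: str, port: int) -> bool:
    """True when an extended rule lets any source reach proto/port.
    'established' only matches return traffic, so it never opens a port; a port
    clause is taken to be the destination's (the usual 'any any eq N' form)."""
    if rule[0] != "permit" or rule[1] not in (proto, "ip") or rule[2] != "any":
        return False
    if "established" in rule:
        return False
    if "eq" in rule:
        return rule[rule.index("eq") + 1] == str(port)
    return True  # no port clause at all


def audit(text: str) -> List[str]:
    """Return findings; an empty list means every forward is filtered by an applied ACL."""
    interfaces, forwards, acls, referenced = parse_config(text)
    findings: List[str] = []
    nat_outside = [i for i in interfaces.values() if i.nat_outside]
    for f in forwards:
        # "interface X" lands on X; a bare public IP is taken to land on every nat-outside interface
        targets = [interfaces[f.outside]] if f.outside in interfaces else nat_outside
        for iface in targets:
            if iface.acl_in is None:
                findings.append(f"{iface.name}: {f.proto}/{f.public_port} -> {f.inside_ip}:{f.inside_port} "
                                "reachable from any source, no inbound ACL")
            elif any(rule_permits_any_to(r, f.proto, f.public_port) for r in acls.get(iface.acl_in, [])):
                findings.append(f"{iface.name}: ACL {iface.acl_in} permits any source to {f.proto}/{f.public_port}")
    for n in sorted(acls):
        if n not in referenced:
            findings.append(f"access-list {n} is defined but never applied, so it filters nothing")
    return findings


# Constructed sample input: excerpt of the second config posted in this thread.
POSTED_CONFIG = """\
interface Serial0
 description connected to Internet
 ip address 0.0.0.234 255.255.255.252
 ip nat outside
!
interface FastEthernet0
 ip address 192.168.1.249 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 pool lan overload
ip nat inside source static tcp 192.168.1.10 3389 0.0.0.234 3389 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit tcp any any eq 3389
access-list 110 permit tcp any any established
!
"""

# Same config with ACL 110 bound inbound on Serial0 and RDP limited to one admin
# address (203.0.113.5 is a constructed placeholder), logging denies as Chris suggests.
HARDENED_CONFIG = POSTED_CONFIG.replace(
    " ip nat outside\n", " ip nat outside\n ip access-group 110 in\n"
).replace(
    "access-list 110 permit tcp any any eq 3389",
    "access-list 110 permit tcp host 203.0.113.5 any eq 3389 log\n"
    "access-list 110 deny tcp any any eq 3389 log",
)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against a saved "show running-config"; the posted excerpt yields two findings (the unfiltered forward on Serial0 and the unapplied ACL 110) and the hardened variant none. The parser deliberately treats an ACL used only by "ip nat inside source list" as applied, since that is what ACL 1 does in both posted configs.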
 