Velocity Reviews > Newsgroups > Computing > Cisco > Re: Why can't I get Terminal Services through this ACL?
Re: Why can't I get Terminal Services through this ACL?

 
 
Cakeholes
Guest
Posts: n/a
 
      02-23-2005
Hi Rob,

Thanks again...unfortunately I can't monkey with the dynamic NAT that gives
my internal users access to the Internet or there will be a lot of screaming.
I'm not sure if you got my last post or if I even get myself to be quite
honest ...let me attempt a diagram:

Vast Expanse of the Internet-----------MyISPNextHop(a.b.27.1)------MyRouterExternalPort(a.b.27.2)--------A whole bunch of magic(to me)-------MyInternalVLAN(192.168.0.0/24)----Internal Users

so conversely my internal users go like:

192.168.0.x------->192.168.0.254(gateway)------->GlobalIPNo.1------>Internet

So where does the external interface come in?

My understanding with this model at least is that you need to have an
internal VLAN and the only way to NAT it to the outside IP is use an address
pool (in this case a pool of 1). So internally my users go through
192.168.0.254 as their gateway and are NATd to one of my assigned IPs using
a NAT pool.

I guess this is where my understanding of it all breaks down....they get to
my assigned IP but how does that get through to the external interface IP
which is hopped on to the ISP?

I think I am hopelessly lost on this whole thing.....I have to go now but I
will be back online in a few hours....

Thanks

Kevin


 
 
 
 
 
RobO
Guest
Posts: n/a
 
      02-23-2005
Hi Kevin,

Users hey!!!...
If you can, get some possible downtime and redo the NAT statements.
This is only my suggestion and my understanding of it so hope it
helps...

-The internal network is overloading ie sharing the NAT pool of your
global ips.
/
ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
ip nat inside source list 7 pool INTERNET overload
access-list 7 remark SDM_ACL Category=16
access-list 7 permit 192.168.0.0 0.0.0.255 log
/
You'll most likely find that there is an overlap.
So!
-As it stands now (you have to excuse me coz it's late here).
-You don't even need to use the extra global IPs but you can for many
other purposes.
-Your external interface is already a global IP which can be used to
perform PAT port address translation.
/
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$Internet
ip address a.b.c.d 255.255.255.252
/

-The NAT statement would have to be changed to PAT port address
translation.
-"ip nat inside source list 110 interface FastEthernet0 overload"
-"access-list 110 permit ip 192.168.0.0 0.0.0.255 any"
-The changes aren't that severe as to disrupt the screaming, it's just a
case of a reload and putting the old info back in if it doesn't work.
-You might not even need some downtime when perhaps only a reload is
necessary if done correctly.
-You can use the other 5 global IPs for some other purpose but for
now...
-All that's happening now is everyone on the internal network will be port
address translated to a single external IP ie the address of
FastEthernet0.
-Change the nat statement to reflect the new external IP
"ip nat inside source static tcp 192.168.0.x 3389 FastEthernet_IP 3389
extendable"

This way I believe.. will narrow it down for you and maybe I'm off the
beaten track but nevertheless its worth a shot...
Hope it makes sense.

Regards,

Rob

 
 
 
 
 
Cakeholes
Guest
Posts: n/a
 
      02-23-2005
Good morning Rob,

Thanks for the reply again....I had a brief look last night but now that I'm
back at work its a little more clear..

So based on your last post....there is really nothing wrong with the way my
outbound overloading is setup, correct?

> ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
> ip nat inside source list 7 pool INTERNET overload
> access-list 7 remark SDM_ACL Category=16
> access-list 7 permit 192.168.0.0 0.0.0.255 log


The above is all already in my config.......the pool is only a pool of 1 of
my assigned IPs

So the real issue is in how I get the Terminal Services traffic in. That
being said you said:

> -The NAT statement would have to be changed to PAT port address
> translation.


What exactly would the statement below be replacing? I only have my overload
NAT statement for outbound Internet access and a NAT statement attempting to
allow 3389 traffic in? Is this a new NAT statement?

> -"ip nat inside source list 110 interface FastEthernet0 overload"
> -"access-list 110 permit ip 192.168.0.0 0.0.0.255 any"


Does this have to be Natted to the External Interface or can it be one of my
other assigned IPs (thus allowing me to add a DNS alias for my external
users).
Also is 110 a new ACL? Could this ACL be refined to only allow the internal
TS server (192.168.0.50)?

I think I'm kind of starting to get things (maybe)! Am I even close?

Kevin






 
 
RobO
Guest
Posts: n/a
 
      02-23-2005
Hi Kevin!

This is what I believe is happening in respect of your NAT
translations.
Hope this makes more sense....as it was quite late last night so please
excuse me.
This is your NAT setup.
> ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
> ip nat inside source list 7 pool INTERNET overload
> access-list 7 remark SDM_ACL Category=16
> access-list 7 permit 192.168.0.0 0.0.0.255 log


According to the above:
-You have a NAT POOL called INTERNET associated with the external IPs.
-All clients ie (192.168.0.0 0.0.0.255) are translating to the NAT POOL
(INTERNET) hence the keyword "overload"
Your static statement for TS is being overlapped because of the NAT
statements above.
Make sense?
What you have is dynamic-NAT translation and PAT together.....
I think the quick solution would be to just PAT your existing external
IP as below:
//
ip nat inside source list 110 interface FastEthernet0 overload
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
//

You will have to create this ACL 110 to bind to the PAT statement.
//
ip nat inside source list 110 interface FastEthernet0 overload
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
//
All this is doing is translating any device on the 192.168.0.0 network
to the external fastethernet IP address.
This will replace the NAT POOL that you have assigned currently and use
the existing external IP of interface FastEthernet0 for all your
translations.

I am fairly certain that if you do this you will get your access to TS
but you will have to remove the existing NAT statements.
Touch Wood....only kidding!
Copy the current config to tftp so you have a backup..
Then the translation for TS:
//
ip nat inside source static tcp 192.168.0.50 3389 fastethernet_ip 3389
extendable
//
This way you simplify the config and make it more scalable.
Remember you can always put back the original statements if it doesn't
work.
Once you are certain that translations are happening correctly and
everyone is browsing away happily(no screaming) then you could start to
use the global IPs for your own purposes on subinterfaces or as
secondary ip addresses.

Please tell me if you think this is silly I might not be explaining
this clearly but that's just how I would approach it.

Regards,

Rob

 
 
Cakeholes
Guest
Posts: n/a
 
      02-23-2005
Thanks so much Rob it makes much more sense to me now. But of course I still
have some questions .

I now understand what you meant by replacing my NAT that uses the NAT
pool....and replace it with NAT using the External Interface. My only
concern being what the ISP would have to say about that.

As for my Terminal Services NAT, if I use the External Interface IP I would
not be able to use one of my IPs to create a DNS alias.....aka
myterminalservices.mycompany.com.....which would be nice but not
essential.....the external TS users would just end up using the interface
IP. I guess the question becomes why do I have these IPs if I end up doing
everything through the IP of the router interface? I know they can be used
in conjunction with the additional ports on the back of the router for DMZ
etc.

So for further clarification here (I must seem quite obtuse) any request to
one of my IPs is directed (via DNS from my ISP) to the router's external
interface IP?

I think I will experiment with your suggestion.....what about security
inbound.....this change shouldn't affect anything since the inbound rules
apply to the interface itself correct?

Man you must be sick of me!

Thanks again (broken record)

Kevin





 
 
RobO
Guest
Posts: n/a
 
      02-23-2005
Kevin,

No worries at all just glad to have helped if at all!....
If you have a domain name you could get your domain hosts to setup a
record of your choice for TS using the external IP address however you
will still have to put the port number(if you change the default) at
the end of the domain name when you run TSclient ie
-"ts.mycompanyname.com:portnumber"

In respect of security its all still the same, as the access-lists do
their stuff before NAT takes place anyway.
Obviously there is only one level of authentication concerning TS being
the login screen so if you have to stick to TS change the listening
port on the server or just map a high external port number to the
internal(3389) port.

All I can say concerning the ISP is give PAT a go(sounds dodgy) and see
if you can browse the web from inside and connect to the terminal
server from the outside.

You will find use for the other IPs that you have and it would have
been better if you could assign one of those global IPs to your
external interface instead of the current one.
That you would have to check with your ISP though.
Subnet the current block to a 255.255.255.252 mask effectively
splitting it up into 2 networks with 2 IP addresses each giving you 4
usable IP addresses as opposed to the 6 you currently have, thus giving
you more flexibility in respect of DMZs and security.

Hope this has helped and good luck....
Keep me posted.

Rob

 
 
Cakeholes
Guest
Posts: n/a
 
      02-23-2005
Hi Rob,

I was successful switching to the new NAT using the FE0 address rather than
the pool....no screaming...yayyy!!

However....I added the TS forwarding on 3389 and it still can't get
through.....now keep in mind that I have the SDM and have been using the Web
based tools to watch things....

List 101 is still dropping my attempts.....I can see the IP of the
residential ADSL setup I am using to simulate an external request. ACL 101
is denying requests on 3389. Now we never did get into the ACL 101 inbound
and how it deals with incoming 3389 requests....however I have considered it
and attempted a few things.

My understanding is that any request is processed by the inbound ACL 101
before any translation or other action is taken, therefore it would seem as
though the only thing preventing access is the ACL...I have tried
adding a rule to the top of the ACL 101:

permit tcp any host External_IP eq 3389 log

This seems to make the most sense to me but it still seems to drop 3389
requests..

The part that really burns me is that the residential ADSL sits behind a
D-link retail router and I can open up 3389 to the host and it works like
that.....but I also realize security is not nearly as strong on that router.

Here is the running config as it stands now minus the sensitive stuff and
the boring parts:

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ###############
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 ############################
!
username ###### privilege 15 password ###############
clock summer-time America/Los_Angeles date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
no ip bootp server
ip cef
ip inspect tcp max-incomplete host 200 block-time 0
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$Internet
ip address a.b.c.2 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
description CUSTOMER LAN (192.168.0.0)
no ip address
no cdp enable
!
interface FastEthernet2
description FUTURE
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
no ip address
no cdp enable
!
interface Vlan1
description $FW_INSIDE$Config Port
ip address 192.168.0.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect DEFAULT100 in
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.1 2 permanent
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.50 3389 a.b.c.2 3389 extendable
!
!
!
ip access-list extended FE1
remark SDM_ACL Category=2
permit ip host 192.168.0.254 any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255 log
access-list 2 deny any
access-list 7 remark SDM_ACL Category=16
access-list 7 permit 192.168.0.0 0.0.0.255 log
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip a.b.c.0 0.0.0.3 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host a.b.c.2 eq 3389 log   <-- ***** added this to see if it would work
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 permit icmp any host a.b.c.2 echo-reply
access-list 101 permit icmp any host a.b.c.2 time-exceeded
access-list 101 permit icmp any host a.b.c.2 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark Outbound Rule
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
access-list 110 remark Test
access-list 110 remark SDM_ACL Category=3
access-list 110 permit ip 192.168.0.0 0.0.0.255 any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180038
!
end


 
 
RobO
Guest
Posts: n/a
 
      02-23-2005
Kevin,

Excellent!
Just looking at your NAT statement and it doesn't reflect the changes...
//
"ip nat inside source static tcp 192.168.0.50 3389 (fastethernet0_ip)
3389 extendable"
//
That's your PAT interface(fastethernet0), every host initiating
connections whether inbound or outbound are port address translated
with that IP(fastethernet0) instead of 1-to-1 translations or
6-to-many.

Also the ACL 101 must reflect that IP where global IPs were used.
Are you able to log on to the router via console or telnet maybe setup
syslog and see what IP address is getting hit on the logs.

If you want... again for testing put an entry at the beginning of ACL
101:
//
"access-list 101 permit tcp any any eq 3389 log"
"access-list 101 permit tcp any host 192.168.0.50 eq 3389 log"
"access-list 101 permit tcp any host (fastethernet_ip) eq 3389 log"
//
If you are able to view the logs you will see which one is passing
access so to speak.
Let me know how you get on.

Rob

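As an added illustration, not something posted in the thread, the script below models the order of operations Rob is relying on: on an `ip nat outside` interface the inbound access-group is evaluated against the packet as it arrives, with the destination still being the outside global address, and only then does the static NAT entry rewrite it to the inside local host. It parses a constructed config fragment mirroring Kevin's posted one (a.b.c.2 replaced by the placeholder 198.51.100.2, and 203.0.113.7 standing in for the residential ADSL test client), sends a simulated Terminal Services SYN through ACL 101 and the static translation, and then checks each of the three test lines Rob suggested to show which of them can ever match such a packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring the thread's running config; "a.b.c.2" is
# replaced by the documentation-range placeholder 198.51.100.2.
OUTSIDE_IP = "198.51.100.2"
SAMPLE_CONFIG = f"""
ip nat inside source list 110 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.0.50 3389 {OUTSIDE_IP} 3389 extendable
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit tcp any host {OUTSIDE_IP} eq 3389 log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 permit icmp any host {OUTSIDE_IP} echo-reply
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip any any log
"""

@dataclass
class ACE:                      # one access-control entry of a numbered extended ACL
    action: str
    proto: str
    src: tuple                  # (network as int, wildcard as int)
    dst: tuple
    dport: Optional[int]
    text: str

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr_spec(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _matches(addr: str, spec) -> bool:
    net, wild = spec
    return (_ip(addr) & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def parse_acl(config: str, number: int):
    """Collect the ACEs of 'access-list <number> ...' in configured order."""
    entries = []
    for line in config.splitlines():
        toks = line.split()
        if toks[:2] != ["access-list", str(number)] or toks[2] == "remark":
            continue
        src, i = _addr_spec(toks, 4)
        dst, i = _addr_spec(toks, i)
        dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
        entries.append(ACE(toks[2], toks[3], src, dst, dport, line.strip()))
    return entries

def parse_static_nat(config: str):
    """Return (proto, inside_local, local_port, inside_global, global_port) tuples."""
    statics = []
    for line in config.splitlines():
        toks = line.split()
        if toks[:5] == ["ip", "nat", "inside", "source", "static"] and toks[5] in ("tcp", "udp"):
            statics.append((toks[5], toks[6], int(toks[7]), toks[8], int(toks[9])))
    return statics

def evaluate_acl(entries, pkt):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(pkt.src, e.src) and _matches(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny"

def inbound_on_outside(pkt, acl, statics):
    """Outside-to-inside order: inbound ACL on the pre-NAT packet (destination is
    the global address), then the static entry rewrites it to the inside host."""
    action, hit = evaluate_acl(acl, pkt)
    if action != "permit":
        return {"verdict": "dropped", "ace": hit, "delivered_to": None}
    for proto, local, lport, glob, gport in statics:
        if (proto, glob, gport) == (pkt.proto, pkt.dst, pkt.dport):
            return {"verdict": "permitted", "ace": hit, "delivered_to": f"{local}:{lport}"}
    return {"verdict": "permitted", "ace": hit, "delivered_to": f"{pkt.dst}:{pkt.dport}"}

# Constructed inbound Terminal Services SYN from the external test client.
TS_SYN = Packet(src="203.0.113.7", dst=OUTSIDE_IP, proto="tcp", dport=3389)

def which_test_lines_match(config: str = SAMPLE_CONFIG):
    """Try each candidate ACE from the thread as the only permit ahead of
    'deny ip any any' and report whether the TS SYN gets through."""
    candidates = [
        "access-list 101 permit tcp any any eq 3389 log",
        "access-list 101 permit tcp any host 192.168.0.50 eq 3389 log",
        f"access-list 101 permit tcp any host {OUTSIDE_IP} eq 3389 log",
    ]
    statics = parse_static_nat(config)
    return {c: inbound_on_outside(TS_SYN, parse_acl(c + "\naccess-list 101 deny ip any any log", 101),
                                  statics)["verdict"] == "permitted" for c in candidates}

if __name__ == "__main__":
    print(inbound_on_outside(TS_SYN, parse_acl(SAMPLE_CONFIG, 101), parse_static_nat(SAMPLE_CONFIG)))
    for line, ok in which_test_lines_match().items():
        print("PASS" if ok else "DROP", line)
```

Because the ACL sees the packet before translation, the entry permitting `host 192.168.0.50` can never match inbound traffic on FastEthernet0; only the `any any` form and the one naming the interface's own global address pass the SYN, and the logged `%SEC-6-IPACCESSLOGP` style hits on a real router show the same pre-NAT destination.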
 
 
Cakeholes
Guest
Posts: n/a
 
      02-24-2005
Me again Rob...

I think you've lost me on the last post....I thought I did what you said to
the tee.

> Just looking at your NAT statement and it doesnt reflect the changes...
> //
> "ip nat inside source static tcp 192.168.0.50 3389 (fastethernet0_ip)
> 3389 extendable"
> //
> Thats your PAT interface(fastethernet0), every host initiating
> connections whether inbound or outbound are port address translated
> with that IP(fastethernet0) instead of 1-to-1 translations or
> 6-to-many.


Was this not the way to get 3389 through?
I guess I got lost on this again so....

ip nat inside source list 110 a.b.c.2 overload

in combination with...

access-list 110 permit tcp 192.168.0.0 0.0.0.255 any

gets my users out to the net correct? I guess it must since it's working

and

ip nat inside source static tcp 192.168.0.50 3389 a.b.c.2 3389 extendable

is the NAT required to get requests to my server

and

> //
> "access-list 101 permit tcp any any eq 3389 log"
> "access-list 101 permit tcp any host 192.168.0.50 eq 3389 log"
> "access-list 101 permit tcp any host (fastethernet_ip) eq 3389 log"
> //


As for this did you mean to add all 3 at once and see what gets past what?

I am pretty much using the SDM web interface exclusively as I am pretty new
to the command line....I have logging and firewall status that I can view
but all I can see is that my attempts are denied by ACL 101....even if I
have all 3 above...or should I try each one at a time to see if any of the 3
will let my requests through?

Thanks again and if you get sick of banging your head against the wall
please tell me and I can always harass someone else

Kevin

 
 
RobO
Guest
Posts: n/a
 
      02-24-2005
Hi Kevin,

No don't worry, I am not banging my head against the wall at all, I am
happy to help unless you feel that I am sending you on a wild goose
chase....but that's not the case.

I just wanted to confirm that (a.b.c.2) is your FastEthernet0 IP
address.
Also that in your ACL 101 that (a.b.c.2) is your FastEthernet0 IP
address.
As long as ACL 101 has the FastEthernet0 IP address then we can
definitely move on to the ACL.

What I mentioned previously about the ACL:

> //
> "access-list 101 permit tcp any any eq 3389 log"
> "access-list 101 permit tcp any host 192.168.0.50 eq 3389 log"
> "access-list 101 permit tcp any host (fastethernet_ip) eq 3389 log"
> //


If you could add those lines to the ACL 101 at the top.
You do already have the last line.
The reason for this is to see which line will actually allow TS traffic
through.

On the logs that you are viewing does it actually give you any
information on whats being hit ie destination IP address/source IP
address etc.
Feel free to email me if you prefer and I can happily talk you through
logging in via console to get better debugging against the access-list
and see whats getting hit.

Sorry for not being clear but here's my email:
roboravec TA hotmail TOD com

Rob
