Re: Why can't I get Terminal Services through this ACL?

Discussion in 'Cisco' started by Cakeholes, Feb 22, 2005.

  1. Cakeholes

    Cakeholes Guest

    Hi Rob,

    Thanks for the reply.....I tried your suggestion but no luck....I had
    actually tried that among other things already. I'm not quite sure how to
    read the NAT table but it basically looked like this:

    External_IP:3389 --- ---

All other entries had additional entries in place of the ---

Perhaps you could shed some additional light on this for me while I have your
attention. We have 5 global IPs as assigned by our ISP....they did the
initial setup for us and created a NAT pool using one of those addresses to
our private IP scope. If I go to it shows that address as
would be expected. However the external interface of the router has a
completely different IP and our next hop is similar but 1 higher (the router
is a.b.c.2 and the next hop is a.b.c.1).

When I created the static NAT I used the global IP that the ISP set up for
    NAT not the IP assigned to the external port. To me this doesn't really make
    sense since I have no idea how a call to my assigned IP address would ever
    get there. Does this make any sense to you?

    For the record all of my testing has been through a machine connected to our
    old residential ADSL setup which is a good way to simulate an external
connection. Also I do plan to change the port for Terminal Services once I
    have this issue resolved.

    Thanks for any help you can provide.

    Cakeholes, Feb 22, 2005
  2. RobO

    RobO Guest

    Hey Kevin!

The next hop router will have all the routing information to reach your
router from the outside world, and from there on the other side it's
just subnetting and routing that gets the traffic forwarded to you.
    The 5 Global IP addresses you have are probably all one block making up
    a subnet mask of

    The external IP that shows up when you do a show ip nat translation is
    it the same as the IP address that you have configured for NAT
    translation of terminal services???

I'm a bit suspicious of the NAT pool that those guys set up for you.
    There are a lot of unnecessary translations going on.

    Again for the sake of testing could you remove both NAT statements but
    leave the static translation for Terminal Services.
    Not sure if you tried this but here goes.

    Create a new acl for NAT translation
    access-list 110 permit ip any

    Then to setup PAT.
ip nat inside source list 110 interface fastethernet 0 overload

    You will have to reload to get the new mapping in operation.

Should be no problem testing it from the residential ADSL; that will
be the best.
Once you've tried this see if any logs pop up against port 3389 when you
initiate a terminal services session in case the acl is blocking it.

I think the next hop router will need to be checked as well unless they
have left it wide open for you, traffic-wise.
    You will always be able to use the other global IPs for other mappings
    in the future for DMZ setups which is great.

    Hope this helps

    RobO, Feb 23, 2005
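RobO's last test step is to watch the router log for hits against port 3389 after starting a Terminal Services session. The script below is an added example (not code from either poster) that does that check offline: it parses the `%SEC-6-IPACCESSLOGP` lines IOS emits for ACL entries carrying the `log` keyword and reports which list denied traffic to a given port. The log lines are constructed sample data using documentation address ranges; the ACL number 110 follows RobO's suggestion; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of IOS extended-ACL log lines (the format produced when an
# access-list entry has the "log" keyword). Addresses are RFC 5737 documentation
# ranges, not real hosts; the last line is noise that should be ignored.
SAMPLE_LOG = """\
*Feb 23 10:01:12.123: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(51234) -> 203.0.113.5(3389), 1 packet
*Feb 23 10:01:13.456: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 198.51.100.7(51235) -> 203.0.113.5(80), 1 packet
*Feb 23 10:01:15.789: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(51236) -> 203.0.113.5(3389), 3 packets
*Feb 23 10:02:01.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# One ACL log entry: list id, action, protocol, src(port) -> dst(port), packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per ACL log line; lines that are not ACL hits are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            for key in ("sport", "dport", "count"):
                entry[key] = int(entry[key])
            yield entry


def denied_to_port(text, port):
    """Return the denied entries whose destination port equals `port`."""
    return [e for e in parse_acl_log(text)
            if e["action"] == "denied" and e["dport"] == port]


def summarize(text, port):
    """Denied packet count per ACL toward `port`, so you can see which list drops it."""
    counts = Counter()
    for e in denied_to_port(text, port):
        counts[e["acl"]] += e["count"]
    return dict(counts)


if __name__ == "__main__":
    hits = denied_to_port(SAMPLE_LOG, 3389)
    print(f"{len(hits)} denied entries toward tcp/3389")
    for e in hits:
        print(f"  list {e['acl']}: {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} ({e['count']} pkts)")
    print("denied packets per ACL:", summarize(SAMPLE_LOG, 3389))
```

To use it on a real router, feed it the output of `show logging` (or the syslog file the router sends to) instead of `SAMPLE_LOG`. A non-empty result for port 3389 tells you the ACL, not the NAT mapping, is the problem, and names the list to inspect; an empty result while the session still fails points back at the translation or at the next-hop router RobO mentions.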
