Re: Why can't I get Terminal Services through this ACL?

Discussion in 'Cisco' started by Cakeholes, Feb 23, 2005.

  1. Cakeholes

    Cakeholes Guest

    Hi Rob,

    Thanks again...unfortunately I can't monkey with the dynamic NAT that gives
    my internal users access to the Internet or there will be a lot of screaming.
    I'm not sure if you got my last post or if I even get myself to be quite
    honest :p...let me attempt a diagram:

    Vast Expanse of the Internet -----MyISPNextHop(a.b.27.1)-----MyRouterExternalPort(a.b.27.2)-----A whole bunch of magic(to me)-----MyInternalVLAN(192.168.0.0/24)-----Internal Users

    so conversely my internal users go like:

    192.168.0.x------->192.168.0.254(gateway)------->GlobalIPNo.1------>Internet

    So where does the external interface come in?

    My understanding with this model at least is that you need to have an
    internal VLAN and the only way to NAT it to the outside IP is use an address
    pool (in this case a pool of 1). So internally my users go through
    192.168.0.254 as their gateway and are NATd to one of my assigned IPs using
    a NAT pool.

    I guess this is where my understanding of it all breaks down....they get to
    my assigned IP but how does that get through to the external interface IP
    which is hopped on to the ISP?

    I think I am hopelessly lost on this whole thing.....I have to go now but I
    will be back online in a few hours....

    Thanks

    Kevin
    Cakeholes, Feb 23, 2005
    #1

  2. RobO

    RobO Guest

    Hi Kevin,

    Users hey!!!...
    If you can, get some possible downtime and redo the NAT statements.
    This is only my suggestion and my understanding of it so hope it
    helps...

    -The internal network is overloading ie sharing the NAT pool of your
    global ips.
    /
    ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
    ip nat inside source list 7 pool INTERNET overload
    access-list 7 remark SDM_ACL Category=16
    access-list 7 permit 192.168.0.0 0.0.0.255 log
    /
    You'll most likely find that there is an overlap.
    So!
    -As it stands now (you have to excuse me coz its late here).
    -You dont even need to use the extra global IPs but you can for many
    other purposes.
    -Your external interface is already a global IP which can be used to
    perform PAT port address translation.
    /
    interface FastEthernet0
    description $ETH-WAN$$FW_OUTSIDE$Internet
    ip address a.b.c.d 255.255.255.252
    /

    -The NAT statement would have to be changed to PAT port address
    translation.
    -"ip nat inside source list 110 interface FastEthernet0 overload"
    -"access-list 110 permit ip 192.168.0.0 0.0.0.255 any"
    -The changes aren't that severe as to disrupt the screaming; it's just a
    case of a reload and putting the old info back in if it doesn't work.
    -You might not even need some downtime when perhaps only a reload is
    necessary if done correctly.
    -You can use the other 5 global IPs for some other purpose but for
    now...
    -All thats happening now everyone on the internal network will be port
    address translated to a single external IP ie the address of
    FastEthernet0.
    -Change the NAT statement to reflect the new external IP
    "ip nat inside source static tcp 192.168.0.x 3389 FastEthernet_IP 3389
    extendable"

    This way I believe.. will narrow it down for you and maybe Im off the
    beaten track but nevertheless its worth a shot...
    Hope it makes sense.

    Regards,

    Rob
    RobO, Feb 23, 2005
    #2

  3. Cakeholes

    Cakeholes Guest

    Good morning Rob,

    Thanks for the reply again....I had a brief look last night but now that I'm
    back at work its a little more clear..:p

    So based on your last post....there is really nothing wrong with the way my
    outbound overloading is setup, correct?

    > ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
    > ip nat inside source list 7 pool INTERNET overload
    > access-list 7 remark SDM_ACL Category=16
    > access-list 7 permit 192.168.0.0 0.0.0.255 log


    The above is all already in my config.......the pool is only a pool of 1 of
    my assigned IPs

    So the real issue is in how I get the Terminal Services traffic in. That
    being said you said:

    > -The NAT statement would have to be changed to PAT port address
    > translation.


    What exactly would the statement below be replacing? I only have my overload
    NAT statement for outbound Internet access and a NAT statement attempting to
    allow 3389 traffic in? Is this a new NAT statement?

    > -"ip nat inside source list 110 interface FastEthernet0 overload"
    > -"access-list 110 permit ip 192.168.0.0 0.0.0.255 any"


    Does this have to be Natted to the External Interface or can it be one of my
    other assigned IPs (thus allowing me to add a DNS alias for my external
    users).
    Also is 110 a new ACL? Could this ACL be refined to only allow the internal
    TS server (192.168.0.50)?

    I think I'm kind of starting to get things (maybe)! Am I even close?

    Kevin



    Cakeholes, Feb 23, 2005
    #3
  4. RobO

    RobO Guest

    Hi Kevin!

    This is what I believe is happening in respect of your NAT
    translations.
    Hope this makes more sense....as it was quite late last night so please
    excuse me.
    This is your NAT setup.
    > ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
    > ip nat inside source list 7 pool INTERNET overload
    > access-list 7 remark SDM_ACL Category=16
    > access-list 7 permit 192.168.0.0 0.0.0.255 log


    According to the above:
    -You have a NAT POOL called INTERNET associated with the external IPs.
    -All clients ie (192.168.0.0 0.0.0.255) are translating to the NAT POOL
    (INTERNET) hence the keyword "overload"
    Your static statement for TS is being overlapped because of the NAT
    statements above.
    Make sense?
    What you have is dynamic-NAT translation and PAT together.....
    I think the quick solution would be to just PAT your existing external
    IP as below:
    //
    ip nat inside source list 110 interface FastEthernet0 overload
    access-list 110 permit ip 192.168.0.0 0.0.0.255 any
    //

    You will have to create this ACL 110 to bind to the PAT statement.
    //
    ip nat inside source list 110 interface FastEthernet0 overload
    access-list 110 permit ip 192.168.0.0 0.0.0.255 any
    //
    All this is doing is translating any device on the 192.168.0.0 network
    to the external fastethernet IP address.
    This will replace the NAT POOL that you have assigned currently and use
    the existing external IP of interface FastEthernet0 for all your
    translations.

    I am fairly certain that if you do this you will get your access to TS
    but you will have to remove the existing NAT statements.
    Touch Wood....only kidding!
    Copy the current config to tftp so you have a backup..
    Then the translation for TS:
    //
    ip nat inside source static tcp 192.168.0.50 3389 fastethernet_ip 3389
    extendable
    //
    This way you simplify the config and make it more scalable.
    Remember you can always put back the original statements if it doesn't
    work.
    Once you are certain that translations are happening correctly and
    everyone is browsing away happily(no screaming) then you could start to
    use the global IPs for your own purposes on subinterfaces or as
    secondary ip addresses.

    Please tell me if you think this is silly I might not be explaining
    this clearly but thats just how I would approach it.

    Regards,

    Rob
    RobO, Feb 23, 2005
    #4
  5. Cakeholes

    Cakeholes Guest

    Thanks so much Rob it makes much more sense to me now. But of course I still
    have some questions :p.

    I now understand what you meant by replacing my NAT that uses the NAT
    pool....and replace it with NAT using the External Interface. My only
    concern being what the ISP would have to say about that.

    As for my Terminals Services NAT, if I use the External Interface IP I would
    not be able to use one of my IPs to create a DNS alias.....aka
    myterminalservices.mycompany.com.....which would be nice but not
    essential.....the external TS users would just end up using the interface
    IP. I guess the question becomes why do I have these IPs if I end up doing
    everything through the IP of the router interface? I know they can be used
    in conjunction with the additional ports on the back of the router for DMZ
    etc.

    So for further clarification here (I must seem quite obtuse) any request to
    one of my IPs is directed (via DNS from my ISP) to the router's external
    interface IP?

    I think I will experiment with your suggestion.....what about security
    inbound.....this change shouldn't affect anything since the inbound rules
    apply to the interface itself, correct?

    Man you must be sick of me!

    Thanks again (broken record)

    Kevin


    Cakeholes, Feb 23, 2005
    #5
  6. RobO

    RobO Guest

    Kevin,

    No worries at all just glad to have helped if at all!....
    If you have a domain name you could get your domain hosts to setup a
    record of your choice for TS using the external IP address however you
    will still have to put the port number(if you change the default) at
    the end of the domain name when you run TSclient ie
    -"ts.mycompanyname.com:portnumber"

    In respect of security its all still the same, as the access-lists do
    their stuff before NAT takes place anyway.
    Obviously there is only one level of authentication concerning TS being
    the login screen so if you have to stick to TS change the listening
    port on the server or just map a high external port number to the
    internal(3389) port.

    All I can say concerning the ISP is give PAT a go(sounds dodgy) and see
    if you can browse the web from inside and connect to the terminal
    server from the outside.

    You will find use for the other IPs that you have and it would have
    been better if you could assign one of those global IPs to your
    external interface instead of the current one.
    That you would have to check with your ISP though.
    Subnet the current block to a 255.255.255.252 mask, effectively
    splitting it up into 2 networks with 2 IP addresses each, giving you 4
    usable IP addresses as opposed to the 6 you currently have, thus giving
    you more flexibility in respect of DMZs and security.

    Hope this has helped and good luck....
    Keep me posted.

    Rob
    RobO, Feb 23, 2005
    #6
  7. Cakeholes

    Cakeholes Guest

    Hi Rob,

    I was successful switching to the new NAT using the FE0 address rather than
    the pool....no screaming...yayyy!!

    However....I added the TS forwarding on 3389 and it still can't get
    through.....now keep in mind that I have the SDM and have been using the Web
    based tools to watch things....

    List 101 is still dropping my attempts.....I can see the IP of the
    residential ADSL setup I am using to simulate an external request. ACL 101
    is denying requests on 3389. Now we never did get into the ACL 101 inbound
    and how it deals with incoming 3389 requests....however I have considered it
    and attempted a few things.

    My understanding is that any request is processed by the inbound ACL 101
    before any translation or other action is taken, therefore it would seem as
    though the only thing preventing access is the ACL...I have tried
    adding a rule to the top of the ACL 101:

    permit tcp any host External_IP eq 3389 log

    This seems to make the most sense to me but it still seems to drop 3389
    requests..

    The part that really burns me is that the residential ADSL sits behind a
    D-link retail router and I can open up 3389 to the host and it works like
    that.....but I also realize security is not nearly as strong on that router.

    Here is the running config as it stands now minus the sensitive stuff and
    the boring parts:

    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname ###############
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 ############################
    !
    username ###### privilege 15 password ###############
    clock summer-time America/Los_Angeles date Apr 6 2003 2:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    no ip bootp server
    ip cef
    ip inspect tcp max-incomplete host 200 block-time 0
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 smtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip audit po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    no crypto isakmp enable
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0
    description $ETH-WAN$$FW_OUTSIDE$Internet
    ip address a.b.c.2 255.255.255.252
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet1
    description CUSTOMER LAN (192.168.0.0)
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    description FUTURE
    switchport access vlan 2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface FastEthernet4
    no ip address
    no cdp enable
    !
    interface Vlan1
    description $FW_INSIDE$Config Port
    ip address 192.168.0.254 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip inspect DEFAULT100 in
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 a.b.c.1 2 permanent
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source list 110 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.0.50 3389 a.b.c.2 3389 extendable
    !
    !
    !
    ip access-list extended FE1
    remark SDM_ACL Category=2
    permit ip host 192.168.0.254 any
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.7
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.0.0 0.0.0.255 log
    access-list 2 deny any
    access-list 7 remark SDM_ACL Category=16
    access-list 7 permit 192.168.0.0 0.0.0.255 log
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip a.b.c.0 0.0.0.3 any log
    access-list 100 deny ip host 255.255.255.255 any log
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit tcp any host a.b.c.2 eq 3389 log
    ! ***** added this to see if it would work
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 101 permit icmp any host a.b.c.2 echo-reply
    access-list 101 permit icmp any host a.b.c.2 time-exceeded
    access-list 101 permit icmp any host a.b.c.2 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip host 0.0.0.0 any log
    access-list 101 deny ip any any log
    access-list 102 remark Outbound Rule
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit ip any any
    access-list 103 remark VTY Access-class list
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit ip 192.168.0.0 0.0.0.255 any
    access-list 103 deny ip any any
    access-list 110 remark Test
    access-list 110 remark SDM_ACL Category=3
    access-list 110 permit ip 192.168.0.0 0.0.0.255 any log
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    transport output telnet
    line 1
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    access-class 103 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 103 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp clock-period 17180038
    !
    end


    Cakeholes, Feb 23, 2005
    #7
  8. RobO

    RobO Guest

    Kevin,

    Excellent!
    Just looking at your NAT statement and it doesn't reflect the changes...
    //
    "ip nat inside source static tcp 192.168.0.50 3389 (fastethernet0_ip)
    3389 extendable"
    //
    Thats your PAT interface(fastethernet0), every host initiating
    connections whether inbound or outbound are port address translated
    with that IP(fastethernet0) instead of 1-to-1 translations or
    6-to-many.

    Also, the ACL 101 must reflect that IP where the global IPs were used.
    Are you able to log on to the router via console or telnet? Maybe set up
    syslog and see what IP address is getting hit in the logs.

    If you want... again for testing put an entry at the beginning of ACL
    101:
    //
    "access-list 101 permit tcp any any eq 3389 log"
    "access-list 101 permit tcp any host 192.168.0.50 eq 3389 log"
    "access-list 101 permit tcp any host (fastethernet_ip) eq 3389 log"
    //
    If you are able to view the logs you will see which one is passing
    access so to speak.
    Let me know how you get on.

    Rob
    RobO, Feb 23, 2005
    #8
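Rob's three test entries differ only in the destination they name, and the reason only one of them can match is the order of operations he mentioned earlier: on the NAT outside interface the inbound ACL is evaluated before the static translation rewrites the destination, so the packet still carries the global address when ACL 101 sees it. The following model, added here as an example and not code from either poster, parses the extended-ACL subset used in the posted config (`permit|deny <proto> <src> <dst> [eq <port>] [log]`, contiguous wildcard masks only, ICMP type keywords ignored) and replays the tester's RDP SYN against ACL 101 as Kevin posted it and against the variant that names the inside address. 192.0.2.2 stands in for a.b.c.2 and 203.0.113.10 for the remote ADSL client; both addresses are assumed.

```python
"""
First-match evaluation of a numbered extended IOS ACL plus the outside-to-inside
order of operations (inbound ACL first, static NAT afterwards). Added example
for this thread, not the posters' own code. Handles only the
`access-list <n> permit|deny <proto> <src> <dst> [eq <port>] [log]` subset used
in the posted config, with contiguous wildcard masks. Stand-in addresses:
192.0.2.2 for a.b.c.2 (FastEthernet0) and 203.0.113.10 for the remote tester.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "192.0.2.2"      # assumed stand-in for a.b.c.2 (FastEthernet0)
TS_SERVER = "192.168.0.50"    # inside Terminal Services host, as in the thread
TESTER_IP = "203.0.113.10"    # assumed stand-in for the remote ADSL client

# ACL 101 as posted, with the 3389 permit at the top where Kevin placed it.
ACL_101 = f"""
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit tcp any host {OUTSIDE_IP} eq 3389 log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 permit icmp any host {OUTSIDE_IP} echo-reply
access-list 101 permit icmp any host {OUTSIDE_IP} time-exceeded
access-list 101 permit icmp any host {OUTSIDE_IP} unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
"""
# Rob's second test line: the same permit written for the inside address.
ACL_101_INSIDE_TARGET = ACL_101.replace(
    f"permit tcp any host {OUTSIDE_IP} eq 3389", f"permit tcp any host {TS_SERVER} eq 3389")

# The static port mapping from the posted config: global tcp/3389 -> inside tcp/3389.
STATIC_NAT = {(OUTSIDE_IP, "tcp", 3389): (TS_SERVER, 3389)}


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)   # IOS wildcard is an inverted mask
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text, number):
    """Return the entries of access-list <number> in configuration order, skipping remarks."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(t[2], t[3], src, dst, dport, line.strip()))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """IOS ACLs are first-match; None means the implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst and e.dport in (None, dport):
            return e
    return None


def inbound(acl_text, src_ip, dst_ip, dport, proto="tcp"):
    """Outside-to-inside: the inbound ACL sees the untranslated (global) destination;
    only a permitted packet goes on to the static NAT lookup. Returns
    (verdict, matched entry text, translated (ip, port) or None)."""
    hit = evaluate(parse_acl(acl_text, 101), proto, src_ip, dst_ip, dport)
    verdict = hit.action if hit else "deny"
    matched = hit.text if hit else "<implicit deny>"
    translated = STATIC_NAT.get((dst_ip, proto, dport)) if verdict == "permit" else None
    return verdict, matched, translated


if __name__ == "__main__":
    print("permit for global IP:", inbound(ACL_101, TESTER_IP, OUTSIDE_IP, 3389))
    print("permit for inside IP:", inbound(ACL_101_INSIDE_TARGET, TESTER_IP, OUTSIDE_IP, 3389))
    # A source forged to look like the inside LAN also matches the top-of-list permit.
    print("spoofed source:", inbound(ACL_101, "192.168.0.7", OUTSIDE_IP, 3389))
```

Two things the replay makes visible. The entry written for 192.168.0.50 can never match on FastEthernet0 inbound, because the destination is still a.b.c.2 when the ACL runs; the packet falls through to `deny ip any any log`, which is the log line Kevin is seeing regardless of whether the real problem lies elsewhere. And because the 3389 permit sits above the anti-spoofing denies, a packet arriving on the outside interface with a forged 192.168.0.x source matches the permit first; on this config `ip verify unicast reverse-path` on FastEthernet0 discards such packets anyway (192.168.0.0/24 is reachable only via Vlan1), but placing the permit just above `deny ip any any log`, and restricting its source to the addresses that actually need Terminal Services, keeps the ACL correct on its own.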
  9. Cakeholes

    Cakeholes Guest

    Me again Rob...

    I think you've lost me on the last post....I thought I did what you said to
    the tee.

    > Just looking at your NAT statement and it doesnt reflect the changes...
    > //
    > "ip nat inside source static tcp 192.168.0.50 3389 (fastethernet0_ip)
    > 3389 extendable"
    > //
    > Thats your PAT interface(fastethernet0), every host initiating
    > connections whether inbound or outbound are port address translated
    > with that IP(fastethernet0) instead of 1-to-1 translations or
    > 6-to-many.


    Was this not the way to get 3389 through?
    I guess I got lost on this again so....

    ip nat inside source list 110 interface FastEthernet0 overload

    in combination with...

    access-list 110 permit tcp 192.168.0.0 0.0.0.255 any

    gets my users out to the net correct? I guess it must since its working :p

    and

    ip nat inside source static tcp 192.168.0.50 3389 a.b.c.2 3389 extendable

    is the NAT required to get requests to my server

    and

    > //
    > "access-list 101 permit tcp any any eq 3389 log"
    > "access-list 101 permit tcp any host 192.168.0.50 eq 3389 log"
    > "access-list 101 permit tcp any host (fastethernet_ip) eq 3389 log"
    > //


    As for this did you mean to add all 3 at once and see what gets past what?

    I am pretty much using the SDM web interface exclusively as I am pretty new
    to the command line....I have logging and firewall status that I can view
    but all I can see is that my attempts are denied by ACL 101....even if I
    have all 3 above...or should I try each one at a time to see if any of the 3
    will let my requests through?

    Thanks again, and if you get sick of banging your head against the wall
    please tell me and I can always harass someone else :p

    Kevin

    Cakeholes, Feb 24, 2005
    #9
  10. RobO

    RobO Guest

    Hi Kevin,

    No dont worry I am not banging my head against the wall at all I am
    happy to help unless you feel that I am sending you on a wild goose
    chase....but thats not the case.

    I just wanted to confirm that (a.b.c.2) is your FastEthernet0 IP
    address.
    Also that in your ACL 101 that (a.b.c.2) is your FastEthernet0 IP
    address.
    As long as ACL 101 has the FastEthernet0 IP address then we can
    definitely move on to the ACL.

    What I mentioned previously about the ACL:

    > //
    > "access-list 101 permit tcp any any eq 3389 log"
    > "access-list 101 permit tcp any host 192.168.0.50 eq 3389 log"
    > "access-list 101 permit tcp any host (fastethernet_ip) eq 3389 log"
    > //


    If you could add those lines to the ACL 101 at the top.
    You do already have the last line.
    The reason for this is to see which line will actually allow TS traffic
    through.

    On the logs that you are viewing, does it actually give you any
    information on what's being hit, i.e. destination IP address/source IP
    address etc.?
    Feel free to email me if you prefer and I can happily talk you through
    logging in via console to get better debugging against the access-list
    and see whats getting hit.

    Sorry for not being clear, but here's my email:
    roboravec TA hotmail TOD com

    Rob
    RobO, Feb 24, 2005
    #10
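Rob's question in the last two posts is what the router log actually shows: which list, which action, and above all which destination address the tester's packets are hitting. Entries carrying the `log` keyword produce `%SEC-6-IPACCESSLOGP` lines (tcp/udp, with ports) and `%SEC-6-IPACCESSLOGDP` lines (icmp, with type/code) in the buffered log (`show logging`) or on a syslog receiver; the first matching packet is logged at once and later matches are rolled up into a count every five minutes by default. The parser below is an added example, not code from the thread, and the log lines it is fed are constructed: 192.0.2.2 stands in for the a.b.c.2 interface address and 192.0.2.9 for one of the other assigned global IPs, both assumed, so that the output shows the case where the remote client is still aiming at an address that no longer has a translation.

```python
"""
Parser for the %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp)
messages that IOS emits for ACL entries with the `log` keyword. Added example
for this thread, not the posters' code. The sample lines are constructed;
192.0.2.2 stands in for a.b.c.2 and 192.0.2.9 for another assigned global IP.
"""
import re
from collections import Counter

# "list 101 denied tcp 203.0.113.10(3251) -> 192.0.2.2(3389), 1 packet"
_PORTED = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")
# "list 101 denied icmp 198.51.100.77 -> 192.0.2.2 (8/0), 1 packet"
_ICMP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?")

# Constructed sample, in the format of `show logging` with timestamps enabled.
SAMPLE_LOG = """\
*Feb 23 18:02:11.301 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(3251) -> 192.0.2.9(3389), 1 packet
*Feb 23 18:02:40.118 PST: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.10(3252) -> 192.0.2.2(3389), 1 packet
*Feb 23 18:03:05.774 PST: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.77 -> 192.0.2.2 (8/0), 1 packet
*Feb 23 18:07:11.302 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(3251) -> 192.0.2.9(3389), 4 packets
*Feb 23 18:07:52.009 PST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.77(40120) -> 192.0.2.2(23), 2 packets
*Feb 23 18:08:00.000 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.10)
"""


def parse_line(line):
    """Return a dict for an ACL log message, or None for any other log line."""
    m = _PORTED.search(line)
    if m:
        d = m.groupdict()
        return {"acl": d["acl"], "action": d["action"], "proto": d["proto"],
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]), "count": int(d["count"])}
    m = _ICMP.search(line)
    if m:
        d = m.groupdict()
        return {"acl": d["acl"], "action": d["action"], "proto": "icmp",
                "src": d["src"], "sport": None, "dst": d["dst"], "dport": None,
                "count": int(d["count"]),
                "icmp_type": int(d["type"]), "icmp_code": int(d["code"])}
    return None


def summarize(lines):
    """Packets per (acl, action, proto, dst, dport), summed over the periodic summary lines."""
    totals = Counter()
    for rec in filter(None, map(parse_line, lines)):
        totals[(rec["acl"], rec["action"], rec["proto"], rec["dst"], rec["dport"])] += rec["count"]
    return totals


def denied_rdp_targets(lines, acl="101"):
    """Destination addresses that saw denied tcp/3389: the global IP the remote client used."""
    return sorted({rec["dst"] for rec in filter(None, map(parse_line, lines))
                   if rec["acl"] == acl and rec["action"] == "denied"
                   and rec["proto"] == "tcp" and rec["dport"] == 3389})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize(lines).items()):
        print(f"{n:4d}  {key}")
    print("denied RDP targets:", denied_rdp_targets(lines))
```

In the constructed sample the denied 3389 packets are all addressed to 192.0.2.9, not to the interface address that now carries the static translation, which is exactly the mismatch Rob's "which IP is getting hit" check is meant to expose (a stale DNS record or a client still pointed at the old pool address). The ICMP line parses separately because IOS prints type/code rather than ports for it, and the `%SYS-5-CONFIG_I` line is ignored rather than mis-parsed.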