Why can't I get Terminal Services through this ACL?

Discussion in 'Cisco' started by Cakeholes, Feb 22, 2005.

  1. Cakeholes

    Cakeholes Guest

    Could someone out there please help me with this problem? We want to open
    our network to allow Terminal Services. We have a Cisco 1711 that NATs our
    private IPs to one of our 5 public IPs given to us by our ISP. Outbound
    traffic is fine but I want to have a static mapping to an internal Terminal
    Server. I think that I have set up the Static NAT for our internal server
    correctly and I also think I have the ACL set up to allow it too, but when I
    use the Monitor option in the SDM I can see ACL 101 denying packets on port
    3389.

    Current configuration : 5626 bytes
    !
    ! Last configuration change at 13:45:37 UTC Tue Feb 22 2005 by
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname ##########
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret ####################
    username ######## privilege 15 password ###############
    clock summer-time America/Los_Angeles date Apr 6 2003 2:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    ip tcp synwait-time 10
    ip domain name ###############
    ip name-server a.b.c.d
    ip name-server a.b.c.d
    !
    !
    no ip bootp server
    ip cef
    ip inspect tcp max-incomplete host 200 block-time 0
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 smtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip audit po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    no crypto isakmp enable
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0
    description $ETH-WAN$$FW_OUTSIDE$Internet
    ip address a.b.c.d 255.255.255.252
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet1
    description LAN (192.168.0.0)
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    description
    switchport access vlan 2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface FastEthernet4
    no ip address
    no cdp enable
    !
    interface Vlan1
    description $FW_INSIDE$Config Port
    ip address 192.168.0.254 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip inspect DEFAULT100 in
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 a.b.c.d 2 permanent
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
    ip nat inside source list 7 pool INTERNET overload
    ip nat inside source static tcp 192.168.0.50 3389 a.b.c.d 3389 extendable
    !
    !
    !
    ip access-list extended FE1
    remark SDM_ACL Category=2
    permit ip host 192.168.0.254 any
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.0.0 0.0.0.255 log
    access-list 2 deny any
    access-list 7 remark SDM_ACL Category=16
    access-list 7 permit 192.168.0.0 0.0.0.255 log
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip a.b.c.d 0.0.0.3 any log
    access-list 100 deny ip host 255.255.255.255 any log
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit tcp any host 192.168.0.50 eq 3389 log
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
    access-list 101 permit icmp any host a.b.c.d echo-reply
    access-list 101 permit icmp any host a.b.c.d time-exceeded
    access-list 101 permit icmp any host a.b.c.d unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip host 0.0.0.0 any log
    access-list 101 deny ip any any log
    access-list 102 remark Outbound Rule
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit ip any any
    access-list 103 remark VTY Access-class list
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit ip 192.168.0.0 0.0.0.255 any
    access-list 103 deny ip any any
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    transport output telnet
    line 1
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    access-class 103 in
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    access-class 103 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp clock-period 17180038
    !
    end


    I have changed all sensitive info to either ##### or a.b.c.d for IP
    addresses.

    Thanks in advance,

    Kevin
    Cakeholes, Feb 22, 2005
    #1

  2. RobO

    RobO Guest

    Hi Kevin,

    Just for the sake of testing, could you change the acl 101 entry for
    terminal services to
    access-list 101 permit tcp any any eq 3389
    and see if you get access through.
    If it does, then try to cut it a bit finer by changing it to
    access-list 101 permit tcp any host EXTERNAL_IP eq 3389
    I think the latter will work anyway.

    Do a "show ip nat translation" to see if the translation is actually
    taking place once you try to initiate an inbound terminal services
    request.
    Can I suggest you use a non-standard port for terminal services? Just
    good practice...

    Rob
    RobO, Feb 22, 2005
    #2
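The order of operations Rob's fix relies on, as an added example that is not part of the thread: on IOS, a packet arriving on the outside interface is checked against the inbound ACL before static NAT rewrites its destination, so ACL 101 has to name the public address rather than 192.168.0.50. The public and remote addresses below are constructed stand-ins for the thread's a.b.c.d placeholders; the ACL is abridged to the entries that matter here.

```python
"""Model of IOS outside-to-inside processing: inbound ACL first, then static NAT."""
import ipaddress

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the public a.b.c.d in the static NAT line
INSIDE_IP = "192.168.0.50"   # inside terminal server from the thread's static NAT line
REMOTE_IP = "198.51.100.7"   # constructed Internet client


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, p, sbase, swild, dbase, dwild, port in acl:
        if p not in (proto, "ip"):
            continue
        if not (wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    """Equivalent of the 'host x.x.x.x' keyword: wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


def acl101(ts_dst):
    """Abridged ACL 101; only the destination of the 3389 entry differs between variants."""
    return [
        ("permit", "tcp", *ANY, *host(ts_dst), 3389),
        ("deny", "ip", "192.168.0.0", "0.0.0.255", *ANY, None),
        ("deny", "ip", "10.0.0.0", "0.255.255.255", *ANY, None),
        ("deny", "ip", *ANY, *ANY, None),
    ]


def inbound_rdp(acl):
    """RDP SYN from the Internet to the public address, as seen on FastEthernet0 before NAT."""
    verdict = acl_lookup(acl, "tcp", REMOTE_IP, PUBLIC_IP, 3389)
    # Static NAT only rewrites the destination for packets the ACL already permitted.
    translated_dst = INSIDE_IP if verdict == "permit" else None
    return verdict, translated_dst
```

`inbound_rdp(acl101(INSIDE_IP))` reproduces the deny seen in SDM, while `inbound_rdp(acl101(PUBLIC_IP))` permits the packet and hands it to NAT; the same model explains why the later `deny ip 192.168.0.0 0.0.255.255 any` entry is never what blocks it.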