01-20-2006 08:20 AM - edited 03-03-2019 11:31 AM
Hello. I am a network administrator for a small services company and we have a small business client that has a T1 and a Cisco 1721. The gentleman that was handling their router configurations left unexpectedly and I have been called upon to solve a router config issue for them on short notice. I do not know Cisco routers, so this is a bit of a challenge for me.
I need to have the router opened up to allow the ports for Terminal Server to pass through. From what I can tell, they have external addresses set up to NAT through to internal, private IPs. I cannot, however, ping these external addresses. I can ping and telnet into the 1721. I would like to allow Terminal Server access from outside, but preferably just for a list of specific IPs given to me by the client.
Any assistance would be greatly appreciated. I only know a small bit about Cisco - basically how to obtain information from IOS and basic routing technology. If there is a document or help article relating to my troubles, anything directing me to that would be appreciated as well. Thank you in advance.
01-20-2006 09:13 AM
You'll need to figure out if they're using NAT, or PAT. PAT is simply NAT utilizing a single IP address and 'overload'ing it, where NAT has a 1 to 1 relationship with inside and outside addresses.
For a PAT configuration, you'll need to map outside ports to inside ports and ip addresses. Obviously you must have unique ports on the outside, they all can't share TCP/3389. You'll need to map unique ports on the outside to TCP/3389 on the inside.
If PC1 is 192.168.1.5 and PC2 is 192.168.1.6, here's what you'll do:
ip nat inside source static tcp 192.168.1.5 3389 interface Serial0/0 3389
ip nat inside source static tcp 192.168.1.6 3389 interface Serial0/0 3390
You would then connect to their outside IP address on port 3389 to reach PC1, but then use port 3390 to connect to PC2.
The config syntax really depends on how they have NAT configured. If you could post the config, we can be more helpful.
01-20-2006 09:46 AM
OK, I *think* this is the right information. It looks to me like straightforward NAT, but ......
Information - 64.###.###.173 is the Terminal Server and needs ports 3389, 1494, and 80 opened. It looks to me like those ports are opened on the wrong internal devices. The Terminal Server's private internal addy is 192.168.1.9.
*****************************************************
Current configuration : 2679 bytes
!
! Last configuration change at 00:36:39 cst Thu Jan 12 2006
! NVRAM config last updated at 00:36:43 cst Thu Jan 12 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname blahblah
!
clock timezone cst -6
clock summer-time cdt recurring
ip subnet-zero
!
!
ip name-server 151.164.11.201
ip name-server 151.164.1.8
!
!
!
!
!
interface FastEthernet0
description TO LOCAL LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
description SBIS CKT: 28.HCGS.740757 / SBIS 1-888-212-5411
ip address 68.###.###.230 255.255.255.252
ip nat outside
fair-queue
service-module t1 timeslots 1-24
!
ip nat pool MAIL 64.###.###.174 64.###.###.174 netmask 255.255.255.248
ip nat inside source list 1 interface Serial0 overload
ip nat inside source list 2 pool MAIL overload
ip nat inside source static tcp 192.168.1.10 80 64.###.###.174 80 extendable
ip nat inside source static tcp 192.168.1.10 25 64.###.###.174 25 extendable
ip nat inside source static tcp 192.168.1.10 443 64.###.###.174 443 extendable
ip nat inside source static tcp 192.168.1.6 80 64.###.###.170 80 extendable
ip nat inside source static tcp 192.168.1.6 443 64.###.###.170 443 extendable
ip nat inside source static tcp 192.168.1.7 443 64.###.###.171 443 extendable
ip nat inside source static tcp 192.168.1.7 80 64.###.###.171 80 extendable
ip nat inside source static tcp 192.168.1.8 80 64.###.###.172 80 extendable
ip nat inside source static tcp 192.168.1.8 443 64.###.###.172 443 extendable
ip nat inside source static tcp 192.168.1.9 443 64.###.###.173 443 extendable
ip nat inside source static tcp 192.168.1.9 80 64.###.###.173 80 extendable
ip nat inside source static tcp 192.168.1.9 5631 64.###.###.173 5631 extendable
ip nat inside source static tcp 192.168.1.9 5632 64.###.###.173 5632 extendable
ip nat inside source static tcp 192.168.1.10 110 64.###.###.174 110 extendable
ip nat inside source static tcp 192.168.1.6 3389 64.###.###.170 3389 extendable
ip nat inside source static tcp 192.168.1.6 1494 64.###.###.170 1494 extendable
ip nat inside source static tcp 192.168.1.10 3389 64.###.###.174 3389 extendable
ip nat inside source static tcp 192.168.1.10 1494 64.###.###.174 1494 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 68.###.###.229
no ip http server
!
access-list 1 deny 192.168.1.10
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.10
!
line con 0
flowcontrol hardware
line aux 0
line vty 0 4
!
no scheduler allocate
!
End
***************************************************
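An added example, not part of the original posts: a small Python audit of the static NAT lines in the posted config. It lists which required ports are not forwarded to the Terminal Server (192.168.1.9), which inside hosts receive them instead, and which ports are forwarded to it beyond those asked for. The function names are hypothetical; the parser also accepts the `interface Serial0/0` form used in the earlier reply.

```python
import re

# Sample input: static NAT lines copied from the config posted above (a subset),
# with the masked public octets left as "###".
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.1.9 443 64.###.###.173 443 extendable
ip nat inside source static tcp 192.168.1.9 80 64.###.###.173 80 extendable
ip nat inside source static tcp 192.168.1.9 5631 64.###.###.173 5631 extendable
ip nat inside source static tcp 192.168.1.9 5632 64.###.###.173 5632 extendable
ip nat inside source static tcp 192.168.1.6 3389 64.###.###.170 3389 extendable
ip nat inside source static tcp 192.168.1.6 1494 64.###.###.170 1494 extendable
ip nat inside source static tcp 192.168.1.10 3389 64.###.###.174 3389 extendable
ip nat inside source static tcp 192.168.1.10 1494 64.###.###.174 1494 extendable
"""

# Matches "<inside> <port> <public-ip> <port>" as well as the
# "<inside> <port> interface <name> <port>" form.
STATIC_NAT = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(interface \S+|\S+) (\d+)", re.MULTILINE)

def parse_static_nat(config):
    """Return (proto, inside_ip, inside_port, outside, outside_port) tuples."""
    return [(m[1], m[2], int(m[3]), m[4], int(m[5]))
            for m in STATIC_NAT.finditer(config)]

def audit_forwards(config, server_ip, required_ports):
    """Compare the ports forwarded to server_ip with the ports it should expose."""
    forwarded = {}  # inside port -> set of inside hosts receiving it
    for _proto, inside_ip, inside_port, _outside, _oport in parse_static_nat(config):
        forwarded.setdefault(inside_port, set()).add(inside_ip)
    to_server = {p for p, hosts in forwarded.items() if server_ip in hosts}
    missing = sorted(set(required_ports) - to_server)
    return {
        # required ports with no static entry pointing at the server
        "missing": missing,
        # for each missing port, the inside hosts that receive it instead
        "misdirected": {p: sorted(forwarded[p]) for p in missing if p in forwarded},
        # ports forwarded to the server that were not asked for
        "extra": sorted(to_server - set(required_ports)),
    }

if __name__ == "__main__":
    report = audit_forwards(SAMPLE_CONFIG, "192.168.1.9", {3389, 1494, 80})
    for key, value in report.items():
        print(f"{key}: {value}")
```
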