Newbie Help - Cisco 1721 passing certain ports to internal LAN addresses

losimmons (Level 1)

Hello. I am a network administrator for a small services company and we have a small business client that has a T1 and a Cisco 1721. The gentleman that was handling their router configurations left unexpectedly and I have been called upon to solve a router config issue for them on short notice. I do not know Cisco routers, so this is a bit of a challenge for me.

I need to have the router opened up to allow the ports for Terminal Server to pass through. From what I can tell, they have external addresses set up to NAT through to internal, private IPs. I cannot, however, ping these external addresses. I can ping and telnet into the 1721. I would like to allow Terminal Server access from outside, but preferably just for a list of specific IPs given to me by the client.

Any assistance would be greatly appreciated. I only know a small bit about Cisco - basically how to obtain information from IOS and basic routing technology. If there is a document or help article relating to my troubles, anything directing me to that would be appreciated as well. Thank you in advance.

2 Replies

twojciac (Level 1)

You'll need to figure out if they're using NAT, or PAT. PAT is simply NAT utilizing a single IP address and 'overload'ing it, where NAT has a 1 to 1 relationship with inside and outside addresses.

For a PAT configuration, you'll need to map outside ports to inside ports and ip addresses. Obviously you must have unique ports on the outside, they all can't share TCP/3389. You'll need to map unique ports on the outside to TCP/3389 on the inside.

If PC1 is 192.168.1.5 and PC2 is 192.168.1.6, here's what you'll do:

ip nat inside source static tcp 192.168.1.5 3389 interface Serial0/0 3389

ip nat inside source static tcp 192.168.1.6 3389 interface Serial0/0 3390

You would then connect to their outside IP address on port 3389 to reach PC1, but then use port 3390 to connect to PC2.

The config syntax really depends on how they have NAT configured. If you could post the config, we can be more helpful.

OK, I *think* this is the right information. It looks to me like straightforward NAT, but ......

Information - 64.###.###.173 is the Terminal Server and needs ports 3389, 1494, and 80 opened. It looks to me like those ports are opened on the wrong internal devices. The Terminal Server's private internal addy is 192.168.1.9.

*****************************************************

Current configuration : 2679 bytes
!
! Last configuration change at 00:36:39 cst Thu Jan 12 2006
! NVRAM config last updated at 00:36:43 cst Thu Jan 12 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname blahblah
!
clock timezone cst -6
clock summer-time cdt recurring
ip subnet-zero
!
ip name-server 151.164.11.201
ip name-server 151.164.1.8
!
interface FastEthernet0
 description TO LOCAL LAN
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 speed auto
!
interface Serial0
 description SBIS CKT: 28.HCGS.740757 / SBIS 1-888-212-5411
 ip address 68.###.###.230 255.255.255.252
 ip nat outside
 fair-queue
 service-module t1 timeslots 1-24
!
ip nat pool MAIL 64.###.###.174 64.###.###.174 netmask 255.255.255.248
ip nat inside source list 1 interface Serial0 overload
ip nat inside source list 2 pool MAIL overload
ip nat inside source static tcp 192.168.1.10 80 64.###.###.174 80 extendable
ip nat inside source static tcp 192.168.1.10 25 64.###.###.174 25 extendable
ip nat inside source static tcp 192.168.1.10 443 64.###.###.174 443 extendable
ip nat inside source static tcp 192.168.1.6 80 64.###.###.170 80 extendable
ip nat inside source static tcp 192.168.1.6 443 64.###.###.170 443 extendable
ip nat inside source static tcp 192.168.1.7 443 64.###.###.171 443 extendable
ip nat inside source static tcp 192.168.1.7 80 64.###.###.171 80 extendable
ip nat inside source static tcp 192.168.1.8 80 64.###.###.172 80 extendable
ip nat inside source static tcp 192.168.1.8 443 64.###.###.172 443 extendable
ip nat inside source static tcp 192.168.1.9 443 64.###.###.173 443 extendable
ip nat inside source static tcp 192.168.1.9 80 64.###.###.173 80 extendable
ip nat inside source static tcp 192.168.1.9 5631 64.###.###.173 5631 extendable
ip nat inside source static tcp 192.168.1.9 5632 64.###.###.173 5632 extendable
ip nat inside source static tcp 192.168.1.10 110 64.###.###.174 110 extendable
ip nat inside source static tcp 192.168.1.6 3389 64.###.###.170 3389 extendable
ip nat inside source static tcp 192.168.1.6 1494 64.###.###.170 1494 extendable
ip nat inside source static tcp 192.168.1.10 3389 64.###.###.174 3389 extendable
ip nat inside source static tcp 192.168.1.10 1494 64.###.###.174 1494 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 68.###.###.229
no ip http server
!
access-list 1 deny   192.168.1.10
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.10
!
line con 0
 flowcontrol hardware
line aux 0
line vty 0 4
!
no scheduler allocate
!
end

***************************************************
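The following is an added example, not config from either poster: it combines the static-NAT syntax from the first reply with the posted config, publishing TCP/3389 and TCP/1494 for the Terminal Server (192.168.1.9 behind 64.###.###.173, masked as on the page) and then restricting those two ports to a list of source addresses, as the original question asks. The addresses 203.0.113.10 and 203.0.113.11 are placeholders for the client's allowed IPs, and Serial0 is assumed to be the outside interface as in the posted config.

```cisco
! Added example, not from the thread. Assumes the posted config: Terminal
! Server 192.168.1.9 behind 64.###.###.173 (masked as on the page), Serial0
! as the outside interface. 203.0.113.10/.11 are placeholders for the
! client's allowed source addresses.
!
! 1. Publish TCP/3389 and TCP/1494 for the Terminal Server (TCP/80 is
!    already mapped to 192.168.1.9 in the posted config).
ip nat inside source static tcp 192.168.1.9 3389 64.###.###.173 3389 extendable
ip nat inside source static tcp 192.168.1.9 1494 64.###.###.173 1494 extendable
!
! 2. Limit who can reach those ports. On IOS an inbound ACL on the outside
!    interface is checked before outside-to-inside NAT, so it must match
!    the public (pre-translation) address, not 192.168.1.9.
ip access-list extended FROM-INTERNET
 remark Terminal Server: only the client's listed addresses
 permit tcp host 203.0.113.10 host 64.###.###.173 eq 3389
 permit tcp host 203.0.113.10 host 64.###.###.173 eq 1494
 permit tcp host 203.0.113.11 host 64.###.###.173 eq 3389
 permit tcp host 203.0.113.11 host 64.###.###.173 eq 1494
 remark Services the posted config already publishes to anyone
 permit tcp any host 64.###.###.173 eq 80
 permit tcp any host 64.###.###.173 eq 443
 permit tcp any host 64.###.###.173 eq 5631
 permit tcp any host 64.###.###.173 eq 5632
 permit tcp any host 64.###.###.174 eq 25
 permit tcp any host 64.###.###.174 eq 80
 permit tcp any host 64.###.###.174 eq 110
 permit tcp any host 64.###.###.174 eq 443
 permit tcp any host 64.###.###.170 eq 80
 permit tcp any host 64.###.###.170 eq 443
 permit tcp any host 64.###.###.171 eq 80
 permit tcp any host 64.###.###.171 eq 443
 permit tcp any host 64.###.###.172 eq 80
 permit tcp any host 64.###.###.172 eq 443
 remark 3389/1494 on .170 and .174 are also public today; keep or restrict
 permit tcp any host 64.###.###.170 eq 3389
 permit tcp any host 64.###.###.170 eq 1494
 permit tcp any host 64.###.###.174 eq 3389
 permit tcp any host 64.###.###.174 eq 1494
 remark Replies to TCP sessions the LAN opened through the overload NAT
 permit tcp any any established
 remark UDP replies (e.g. DNS) need their own permits or a stateful
 remark inspection feature; the implicit deny drops everything else
 deny ip any any log
!
interface Serial0
 ip access-group FROM-INTERNET in
```

Apply the access-group from the console rather than from a telnet session that arrives through Serial0, so a mistake in the list cannot lock you out; `show ip access-lists FROM-INTERNET` shows per-entry match counters for checking which rule a test connection hit.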
