VPN Remote Access Trouble

bena
Level 1

Hi

I am having trouble establishing a Terminal Services session between my remote branch computers and my head office server. Pings are fine and the VPN is active.

The network setup is as follows:

host-|branch router|--VPN--|Cisco1721|-server

However, at the head office the server has its default gateway set to another router, a Nortel Contivity, so it looks like this:

server-|Nortel|--INTERNET LINK

I can ping all branch computers, and all branch computers can ping the server; however, none of the Terminal Services sessions connect to the server.

Do you guys have any solutions I can implement on my Cisco router that will aid in establishing the Terminal Services sessions?

My Cisco 1720 Head Office Router config is as follows:

Current configuration : 3085 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOTRAK01
!
aaa new-model
!
!
aaa session-id common
enable secret *****
!
username ***** secret *********.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip domain-name hotrak01
!
ip ssh time-out 60
ip ssh authentication-retries 3
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ***** address ***.***.***.***
crypto isakmp key ***** address ***.***.***.***
crypto isakmp key ***** address ***.***.***.***
crypto isakmp key ***** address ***.***.***.***
!
!
crypto ipsec transform-set corpvpn esp-des
!
crypto map remoffice 10 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set corpvpn
 match address 109
crypto map remoffice 20 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set corpvpn
 match address 110
crypto map remoffice 30 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set corpvpn
 match address 111
crypto map remoffice 40 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set corpvpn
 match address 112
!
!
!
!
interface BRI0
 no ip address
 shutdown
 no cdp enable
!
interface Ethernet0
 ip address ***.***.***.*** ***.***.***.***
 ip nat outside
 no ip mroute-cache
 half-duplex
 ntp disable
 no cdp enable
 crypto map remoffice
!
interface FastEthernet0
 ip address 192.168.90.3 255.255.255.0
 ip nat inside
 ip policy route-map clear-df
 no ip mroute-cache
 speed auto
 ntp disable
 no cdp enable
 hold-queue 100 out
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static tcp 192.168.90.21 3389 210.0.67.233 3389 extendable
ip nat inside source static tcp 192.168.90.21 1723 210.0.67.233 1723 extendable
ip nat inside source static tcp 192.168.90.21 443 210.0.67.233 443 extendable
ip nat inside source static tcp 192.168.90.30 21 210.0.67.233 21 extendable
ip nat inside source static tcp 192.168.90.30 25 210.0.67.233 25 extendable
ip nat inside source static tcp 192.168.90.21 8080 210.0.67.233 8080 extendable
ip nat inside source static tcp 192.168.90.30 80 210.0.67.233 80 extendable
ip nat inside source static tcp 192.168.90.30 110 210.0.67.233 110 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 210.0.67.238
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
access-list 109 permit ip 192.168.90.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 192.168.90.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip 192.168.90.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 112 permit ip 192.168.90.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 150 deny ip 192.168.90.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 permit ip 192.168.90.0 0.0.0.255 any
no cdp run
!
route-map clear-df permit 10
 match ip address 101
 set ip df 0
!
route-map nonat permit 10
 match ip address 150
!
snmp-server community ***** RO
!
line con 0
 stopbits 1
line aux 0
line vty 0
 exec-timeout 60 0
line vty 1
 transport input ssh
line vty 2 4
!
end

1 Reply

ehirsel
Level 6

What IP address do the clients view the Terminal Services host as? If they use names, what ip address does the name resolve to?

If the IP address resolves correctly to the internal, non-NATed name, then I wonder if this statement:

ip nat inside source static tcp 192.168.90.21 3389 210.0.67.233 3389 extendable

is being applied, even though you have the route-map defined not to perform NAT for VPN connections. A debug ip nat events will confirm that. Run that command and let me know what you find.

If, however, the address resolves incorrectly, then the VPN clients need to use a DNS name that resolves to the true IP address.

Let me know if this helps.
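The hypothesis in the reply, that the unconditional static 3389 entry is translating the server's RDP traffic before the crypto map sees it, can be worked through against the posted config. The model below is an added illustration and is not Cisco code or anything from the thread. It applies Cisco's documented order of operations for inside-to-outside traffic on an IOS router: NAT runs first (static entries take precedence over the route-map-gated overload rule), and the crypto-map ACL is then evaluated against the already-translated packet. The Ethernet0 address is redacted in the post, so OUTSIDE_IF is a placeholder; the `static_route_map` option models the `route-map` keyword on `ip nat inside source static`, which exists in later IOS releases but is an assumption for the poster's 12.2 image. The sample flows are constructed.

```python
"""Model of the head-office router's inside-to-outside path, built from the
NAT statements, route-map and crypto ACLs in the posted config.

Added illustration, not Cisco code.  Order of operations for inside-to-outside
traffic: NAT (static before route-map-gated overload), then the crypto-map ACL
check on the translated packet.  OUTSIDE_IF is a placeholder for the redacted
Ethernet0 address (assumption).
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF = "203.0.113.1"  # placeholder: the real Ethernet0 address is redacted


def net(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an ip_network."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))), strict=False)


ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = net("192.168.90.0", "0.0.0.255")

# access-lists from the post as (action, source, destination); all are 'permit ip'.
ACL = {
    109: [("permit", LAN, net("10.1.0.0", "0.0.0.255"))],   # crypto map seq 10
    110: [("permit", LAN, net("10.1.1.0", "0.0.0.255"))],   # seq 20
    111: [("permit", LAN, net("10.2.0.0", "0.0.0.255"))],   # seq 30
    112: [("permit", LAN, net("10.1.2.0", "0.0.0.255"))],   # seq 40
    150: [("deny", LAN, net("10.0.0.0", "0.255.255.255")),  # route-map nonat
          ("permit", LAN, ANY)],
}
CRYPTO_ACLS = (109, 110, 111, 112)

# ip nat inside source static tcp <local> <port> 210.0.67.233 <port> extendable
STATIC_NAT = {
    ("tcp", "192.168.90.21", 3389): "210.0.67.233",
    ("tcp", "192.168.90.21", 1723): "210.0.67.233",
    ("tcp", "192.168.90.21", 443): "210.0.67.233",
    ("tcp", "192.168.90.30", 21): "210.0.67.233",
    ("tcp", "192.168.90.30", 25): "210.0.67.233",
    ("tcp", "192.168.90.21", 8080): "210.0.67.233",
    ("tcp", "192.168.90.30", 80): "210.0.67.233",
    ("tcp", "192.168.90.30", 110): "210.0.67.233",
}


def acl_permits(number, src, dst):
    """First matching entry decides; implicit deny at the end, as in IOS."""
    for action, s, d in ACL[number]:
        if src in s and dst in d:
            return action == "permit"
    return False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0   # source port; the static entries key on this
    dport: int = 0


def inside_to_outside(pkt, static_route_map=None):
    """Return (source address on the wire, how it was translated, encrypted?).

    static_route_map: ACL number that a route-map on the static entries would
    consult; None reproduces the posted config, where they are unconditional."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    wire_src, how = pkt.src, "no translation"
    key = (pkt.proto, pkt.src, pkt.sport)
    if key in STATIC_NAT and (static_route_map is None
                              or acl_permits(static_route_map, src, dst)):
        wire_src, how = STATIC_NAT[key], "static"
    elif acl_permits(150, src, dst):          # route-map nonat on the overload rule
        wire_src, how = OUTSIDE_IF, "overload"
    # The crypto map is evaluated after NAT, against the translated source.
    encrypted = any(acl_permits(n, ipaddress.ip_address(wire_src), dst) for n in CRYPTO_ACLS)
    return wire_src, how, encrypted


if __name__ == "__main__":
    # Constructed flows from the server 192.168.90.21 toward branch host 10.1.0.50.
    cases = [
        ("ping reply to branch", Packet("icmp", "192.168.90.21", "10.1.0.50")),
        ("RDP reply to branch", Packet("tcp", "192.168.90.21", "10.1.0.50", 3389, 51234)),
        ("RDP reply to Internet", Packet("tcp", "192.168.90.21", "198.51.100.9", 3389, 4000)),
    ]
    for label, pkt in cases:
        print(f"{label:22} as posted    -> {inside_to_outside(pkt)}")
        print(f"{label:22} static+nonat -> {inside_to_outside(pkt, static_route_map=150)}")
```

Run as posted, the model gives the symptom in the thread: the ICMP reply has no static entry, ACL 150 denies it NAT, and it still matches crypto ACL 109, so ping works; the RDP reply from TCP 3389 hits the static entry, leaves with source 210.0.67.233, no longer matches any crypto ACL, and is therefore sent out the default route in the clear instead of through the tunnel. Gating the static entries on ACL 150 (`static_route_map=150`) leaves the RDP reply untranslated and encrypted. On the router, `show ip nat translations` alongside the debug the reply suggests would show whether a 192.168.90.21:3389 to 210.0.67.233:3389 entry exists for a branch destination; whether the `route-map` keyword is accepted on `ip nat inside source static` in the poster's 12.2 release needs checking against that release's command reference.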