09-22-2004 09:11 PM - edited 02-21-2020 01:21 PM
Hi
I am having trouble establishing a Terminal Service session between my remote branch computers and my head office server. Pings are fine and the VPN is active.
The network setup is as follows:
host-|branch router|--VPN--|Cisco1721|-server
However, at the head office the server has a default gateway set to another router, a Nortel Contivity, so it looks like this:
server-|Nortel|--INTERNET LINK
I can ping all branch computers and all branch computers can ping the server; however, all terminal server sessions do not connect to the server.
Do you guys have any solutions I can implement on my Cisco router that will aid in establishing the terminal services sessions?
My Cisco 1720 Head Office Router config is as follows:
Current configuration : 3085 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOTRAK01
!
aaa new-model
!
!
aaa session-id common
enable secret *****
!
username ***** secret *********.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip domain-name hotrak01
!
ip ssh time-out 60
ip ssh authentication-retries 3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ***** address ***.***.***.***
crypto isakmp key ***** address ***.***.***.***
crypto isakmp key ***** address ***.***.***.***
crypto isakmp key ***** address ***.***.***.***
!
!
crypto ipsec transform-set corpvpn esp-des
!
crypto map remoffice 10 ipsec-isakmp
set peer ***.***.***.***
set transform-set corpvpn
match address 109
crypto map remoffice 20 ipsec-isakmp
set peer ***.***.***.***
set transform-set corpvpn
match address 110
crypto map remoffice 30 ipsec-isakmp
set peer ***.***.***.***
set transform-set corpvpn
match address 111
crypto map remoffice 40 ipsec-isakmp
set peer ***.***.***.***
set transform-set corpvpn
match address 112
!
!
!
!
interface BRI0
no ip address
shutdown
no cdp enable
!
interface Ethernet0
ip address ***.***.***.*** ***.***.***.***
ip nat outside
no ip mroute-cache
half-duplex
ntp disable
no cdp enable
crypto map remoffice
!
interface FastEthernet0
ip address 192.168.90.3 255.255.255.0
ip nat inside
ip policy route-map clear-df
no ip mroute-cache
speed auto
ntp disable
no cdp enable
hold-queue 100 out
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static tcp 192.168.90.21 3389 210.0.67.233 3389 extendable
ip nat inside source static tcp 192.168.90.21 1723 210.0.67.233 1723 extendable
ip nat inside source static tcp 192.168.90.21 443 210.0.67.233 443 extendable
ip nat inside source static tcp 192.168.90.30 21 210.0.67.233 21 extendable
ip nat inside source static tcp 192.168.90.30 25 210.0.67.233 25 extendable
ip nat inside source static tcp 192.168.90.21 8080 210.0.67.233 8080 extendable
ip nat inside source static tcp 192.168.90.30 80 210.0.67.233 80 extendable
ip nat inside source static tcp 192.168.90.30 110 210.0.67.233 110 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 210.0.67.238
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip 192.168.90.0 0.0.0.255 any
access-list 109 permit ip 192.168.90.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 192.168.90.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip 192.168.90.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 112 permit ip 192.168.90.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 150 deny ip 192.168.90.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 permit ip 192.168.90.0 0.0.0.255 any
no cdp run
!
route-map clear-df permit 10
match ip address 101
set ip df 0
!
route-map nonat permit 10
match ip address 150
!
snmp-server community ***** RO
!
line con 0
stopbits 1
line aux 0
line vty 0
exec-timeout 60 0
line vty 1
transport input ssh
line vty 2 4
!
end
09-26-2004 06:58 PM
What IP address do the clients view the Terminal Services host as? If they use names, what IP address does the name resolve to?
If the ip address resolves correctly to the internal, non-nated name then I wonder if this statement:
ip nat inside source static tcp 192.168.90.21 3389 210.0.67.233 3389 extendable
is being applied, even though you have the route-map defined not to perform nat for vpn connections. A debug ip nat events will confirm that. Run that command and let me know what you find.
If however the address resolves incorrectly, then the vpn clients need to use a dns name that will be the true ip address.
Let me know if this helps.
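The condition the reply above asks about, as an added example that is not part of the original thread: in the posted config the `nonat` route-map is attached only to the overload statement, so the static port entries are not covered by it. This Python script (the function name is hypothetical) lists static entries whose inside address is also a source in a crypto ACL, using lines copied from the posted config.

```python
import ipaddress
import re

# Lines copied from the configuration posted in the thread (subset).
CONFIG = """\
crypto map remoffice 10 ipsec-isakmp
 match address 109
crypto map remoffice 20 ipsec-isakmp
 match address 110
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static tcp 192.168.90.21 3389 210.0.67.233 3389 extendable
ip nat inside source static tcp 192.168.90.30 25 210.0.67.233 25 extendable
access-list 109 permit ip 192.168.90.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 192.168.90.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 150 deny ip 192.168.90.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

STATIC = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)", re.M)
# "match address N" appears under a crypto map; route-maps use "match ip address N".
CRYPTO_ACL = re.compile(r"^\s*match address (\d+)\s*$", re.M)
ACL = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)


def static_nat_vpn_overlaps(config):
    """Return (inside_ip, port, crypto_acl, vpn_destination) tuples.

    Each tuple is a static port translation whose inside local address is
    also a permitted source in an ACL referenced by a crypto map, i.e. a
    host whose replies to the VPN subnets are candidates for translation.
    """
    crypto_acls = set(CRYPTO_ACL.findall(config))
    findings = []
    for local_ip, local_port, _global_ip, _global_port in STATIC.findall(config):
        host = ipaddress.ip_address(local_ip)
        for num, src, src_wild, dst, dst_wild in ACL.findall(config):
            if num not in crypto_acls:
                continue
            # ipaddress accepts Cisco wildcard masks as host masks.
            if host in ipaddress.ip_network(f"{src}/{src_wild}"):
                dest = ipaddress.ip_network(f"{dst}/{dst_wild}")
                findings.append((local_ip, int(local_port), num, str(dest)))
    return findings


if __name__ == "__main__":
    for ip, port, acl, dest in static_nat_vpn_overlaps(CONFIG):
        print(f"static NAT {ip}:{port} overlaps crypto ACL {acl} -> {dest}")
```

A hit here only narrows where to look; the `debug ip nat events` output requested in the reply is what confirms whether the translation is actually applied to the VPN traffic.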