Could someone out there please help me with this problem. We want to open
our network to allow Terminal Services. We have a Cisco 1711 that NATs our
private IPs to one of our 5 public IPs given to us by our ISP. Outbound
traffic is fine but I want to have a static mapping to an internal Terminal
Server. I think that I have set up the Static NAT for our internal server
correctly and I also think I have the ACL set up to allow it too, but when I
use the Monitor option in the SDM I can see ACL 101 denying packets on port
3389.
Current configuration : 5626 bytes
!
! Last configuration change at 13:45:37 UTC Tue Feb 22 2005 by
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ##########
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret ####################
username ######## privilege 15 password ###############
clock summer-time America/Los_Angeles date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
ip domain name ###############
ip name-server a.b.c.d
ip name-server a.b.c.d
!
!
no ip bootp server
ip cef
ip inspect tcp max-incomplete host 200 block-time 0
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$Internet
ip address a.b.c.d 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
description LAN (192.168.0.0)
no ip address
no cdp enable
!
interface FastEthernet2
description
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
no ip address
no cdp enable
!
interface Vlan1
description $FW_INSIDE$Config Port
ip address 192.168.0.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect DEFAULT100 in
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.d 2 permanent
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat pool INTERNET a.b.c.d a.b.c.d netmask 255.255.255.248
ip nat inside source list 7 pool INTERNET overload
ip nat inside source static tcp 192.168.0.50 3389 a.b.c.d 3389 extendable
!
!
!
ip access-list extended FE1
remark SDM_ACL Category=2
permit ip host 192.168.0.254 any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255 log
access-list 2 deny any
access-list 7 remark SDM_ACL Category=16
access-list 7 permit 192.168.0.0 0.0.0.255 log
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip a.b.c.d 0.0.0.3 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 192.168.0.50 eq 3389 log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 permit icmp any host a.b.c.d echo-reply
access-list 101 permit icmp any host a.b.c.d time-exceeded
access-list 101 permit icmp any host a.b.c.d unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark Outbound Rule
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180038
!
end
I have changed all sensitive info to either ##### or a.b.c.d for IP
addresses.
Thanks in advance,
Kevin
