Terminal Services

Unanswered Question
Oct 27th, 2009

Trying to move a client over to the UC520 from a SonicWall and had a few problems today with it.


Customer states they are running terminal services. Their data company stated that this was from the SonicWall and we need to make these changes for items to work.


Service definitions (name, port range, protocol):

CAMERAS             8000-12000  TCP
CAMERAS1            8000-12000  UDP
SR Camera           7000        UDP
SR Camera1          7000        TCP
second RDP          4489        TCP
RDP                 3389        TCP
Send E-Mail (SMTP)  25          TCP

Rules 1 through 16 are for their spam filtering at AppRiver.

Rule  Source                                   Destination          Service                 Action
1     69.20.58.226 (WAN)                       192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
2     69.20.68.133 (WAN)                       192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
3     207.97.224.142 (WAN)                     192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
4     207.97.229.125 (WAN)                     192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
5     207.97.230.34 (WAN)                      192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
6     207.97.230.54 (WAN)                      192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
7     207.97.242.51 (WAN)                      192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
8     92.52.89.74 (WAN)                        192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
9     74.205.4.52 (WAN)                        192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
10    72.32.252.16 (WAN)                       192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
11    72.32.253.10 (WAN)                       192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
12    72.32.252.97 (WAN)                       192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
13    69.20.60.122 (WAN)                       192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
14    69.20.58.234 (WAN)                       192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
15    212.100.247.159 (WAN)                    192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
16    212.100.247.15 - 212.100.247.159 (WAN)   192.168.1.10 (LAN)   Send E-Mail (SMTP)      Allow
17    LAN                                      192.168.1.1 (LAN)    HTTPS Management        Allow
18    LAN                                      192.168.1.1 (LAN)    HTTP Management         Allow
19    * (WAN)                                  192.168.1.10 (LAN)   second RDP              Allow
20    * (WAN)                                  192.168.1.10 (LAN)   Retrieve E-Mail (POP3)  Allow
21    * (WAN)                                  192.168.1.10 (LAN)   PC Anywhere             Allow
22    * (WAN)                                  192.168.1.25 (LAN)   CAMERAS1                Allow
23    * (WAN)                                  192.168.1.1 (LAN)    Key Exchange (IKE)      Allow
24    192.168.1.1 (LAN)                        *                    Key Exchange (IKE)      Allow
25    * (WAN)                                  192.168.1.10 (LAN)   Web (HTTP)              Allow
26    * (WAN)                                  192.168.1.11 (LAN)   Terminal Services       Allow
27    * (WAN)                                  192.168.1.12 (LAN)   SR Camera               Allow
28    * (WAN)                                  192.168.1.12 (LAN)   SR Camera1              Allow
29    * (WAN)                                  192.168.1.12 (LAN)   Any                     Allow


Any idea where we would make these changes? As far as I can see from the NAT tab in CCA, I can only select certain features, like web server, email server, etc.


Any thoughts or references would be greatly appreciated.


Joe

Saurabh Verma Thu, 10/29/2009 - 05:54

Hi Joe,


This feature is currently not supported through CCA. You will need to use the CLI to allow the desired IP addresses to be excluded from firewall blocking. There is an access-list on the WAN interface; modify the access-list to allow these IP addresses.


-Saurabh

7bridgesol Thu, 10/29/2009 - 08:01

Two things:


Interface FastEthernet0/0 has "ip access-group 105 in" below it. Would I then add a CLI command of access-list 105 permit ip ... (and list each IP for spam filtering)?


Second, I am trying to add, through the NAT tab in CCA, an Other TCP entry to 192.168.1.11 with inside and outside port 3389 for terminal services.

I get this error when hitting Apply: com.cisco.cpnm.features.defn.security.vpn.sslvpn.SslVpnData


How can I add the internal and outside ports for the few settings above via CLI, or what can I do about the error?
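The following is an added example of what the two CLI changes asked about above look like on an IOS-based UC520; it is not configuration posted by anyone in this thread. It assumes the WAN interface is FastEthernet0/0 with ACL 105 applied inbound (as stated in the post), that the LAN is Vlan1 (assumed), and uses 203.0.113.5 (a documentation-range address) as a placeholder for the UC520's real WAN address. The SMTP entries restrict port 25 to the AppRiver sources listed in rules 1 to 15 rather than opening it to the world, which is the least-privilege translation of the SonicWall list.

```cisco
! --- 1. Inbound WAN access-list (the ACL Joe's config applies with "ip access-group 105 in") ---
! On the outside interface, IOS evaluates the inbound ACL BEFORE NAT rewrites the
! destination, so the destination here is the WAN address (placeholder 203.0.113.5),
! not the inside host 192.168.1.10. Numbered ACL lines are appended at the end; the
! implicit "deny ip any any" stays after them, so existing entries are not disturbed.
access-list 105 permit tcp host 69.20.58.226 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 69.20.68.133 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 207.97.224.142 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 207.97.229.125 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 207.97.230.34 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 207.97.230.54 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 207.97.242.51 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 92.52.89.74 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 74.205.4.52 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 72.32.252.16 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 72.32.253.10 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 72.32.252.97 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 69.20.60.122 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 69.20.58.234 host 203.0.113.5 eq smtp
access-list 105 permit tcp host 212.100.247.159 host 203.0.113.5 eq smtp
! Rule 16 is an address range (212.100.247.15 - .159). IOS numbered ACLs take a
! wildcard mask, not a range, so it needs several mask-aligned entries or a wider
! mask that also admits addresses outside the range; it is deliberately left out
! here rather than guessed.
!
! RDP (3389) to the terminal server and "second RDP" (4489), open from any WAN
! source as in SonicWall rules 26 and 19. If the remote offices have fixed
! addresses, "host <addr>" in place of "any" is the tighter choice.
access-list 105 permit tcp any host 203.0.113.5 eq 3389
access-list 105 permit tcp any host 203.0.113.5 eq 4489

! --- 2. Static port forwards (what the CCA NAT tab cannot express for "Other TCP") ---
ip nat inside source static tcp 192.168.1.11 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.1.10 4489 interface FastEthernet0/0 4489
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet0/0 25
!
! NAT does nothing until the interfaces are marked inside/outside (the post notes
! NAT was not enabled on any interface in the broken config).
interface FastEthernet0/0
 ip nat outside
 ip access-group 105 in
interface Vlan1
 ip nat inside
!
! Verification after applying:
!   show access-lists 105        (hit counters climb on the SMTP lines as AppRiver connects)
!   show ip nat translations     (static entries appear immediately; traffic-driven ones follow)
```

Two points worth keeping in mind when applying this: CCA keeps its own view of the device, and as noted later in this thread, changes made directly in the CLI can cause CCA to misbehave, so take a copy of the running config first. Also, every `*(WAN)` rule in the SonicWall list, including rule 29 (Any to 192.168.1.12), widens what is reachable from the Internet, so each one carried over should be confirmed as still needed.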

Steven Smith Thu, 10/29/2009 - 08:54

Have you made changes via CLI already? That could be a problem.


If not, could you post your CCA logs and a config? Remember to remove the passwords.

7bridgesol Thu, 10/29/2009 - 09:48

Sort of, but who knows now. I am uploading the last known-good running config. I have made some changes in CCA; NAT is not enabled on any interface.


The config here allowed us on the Internet, but we could not run terminal services via port 3389 to 192.168.11, and no email was coming through.


I think I have to do a reload to get this config back up.
