RDP issues

Unanswered Question
Sep 30th, 2010

We have a cisco 1941 router with two internet interfaces, one a cable modem, the other a T1 interface.


When employees try to RDP to a local machine on the network from outside the network using cable internet (same provider as office cable) they are unable to attach either using the cable or the T1 IP address.


If we unplug the cable connection from the router, so it switches over to the T1 service as primary, they are able to then RDP to the IP address of the T1.  With both interfaces connected they are unable to RDP to either.


From DSL service in the same area they are able to RDP to both interfaces.  From cable service from a different provider they are able to RDP to both interfaces.  I think this is a problem with the cable provider, but to be sure I wanted to see if anyone had any other ideas on why this would happen.  Below is the config of the 1941 router.


Current configuration : 6572 bytes
!
! Last configuration change at 12:34:40 Arizona Thu Sep 9 2010 by integra
! NVRAM config last updated at 10:05:44 Arizona Fri Aug 20 2010 by integra
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IASROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone Arizona -7
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.30
ip dhcp excluded-address 10.0.1.101 10.0.1.254
!
ip dhcp pool MainIP
   import all
   network 10.0.1.0 255.255.255.0
   domain-name inlandmarketing
   dns-server 8.8.8.8
   default-router 10.0.1.1
   lease 5
!
!
ip domain name yourdomain.com
ip name-server 10.0.1.202
ip name-server 8.8.8.8
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1898501780
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1898501780
revocation-check none
rsakeypair TP-self-signed-1898501780
!
!
crypto pki certificate chain TP-self-signed-1898501780
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383938 35303137 3830301E 170D3130 30373036 32313538
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38393835
  30313738 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A813 4AABB729 D95BBFFB C2DD6AFE DA1BB3A0 29F34E96 F009A973 35EEF9F5
  3760CE30 A8C8CA51 95677605 7162372D 59408F0A F7CE98D3 B16F1DF6 E3C00939
  904518F6 D3EE5AA5 B309D264 866FDB40 97353318 9CDBE89A F994BADC 0CB6257A
  E6DDA7C0 AFCAC4AB 3E7022C5 22319B04 F267D638 0DDFE44B 541B3528 8A4604AA
  5CAD0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14CFDF66 9F74E57E F3B5CD64 24433E17 C3581543
  7D301D06 03551D0E 04160414 CFDF669F 74E57EF3 B5CD6424 433E17C3 5815437D
  300D0609 2A864886 F70D0101 04050003 8181002B 4D5CAB31 ECAFE35A 24DFF2FA
  B14E4583 0C298A75 14D67E8D D0308FD4 55C2E664 E8F009DE EAC52961 B9054FA7
  86DE2D10 BCCFC3F2 366086C1 46D25722 9A16EA0D ADC7EC83 3AA48B0A E66F7CD5
  2978A904 AEB58DD4 7218393A 15F0CB4B 9CC5FF73 CBE0647C 9F2E3732 F39B3DB9
  19F0AD8A B2728764 49EF3451 4C1BA1B1 156DC5
   quit
license udi pid CISCO1941/K9 sn FTX1428809G
!
!
username integra privilege 15 secret 5 $1$ZO6x$wbqTFrX2KHgh8lGXW8ZKs/
username admin privilege 15 secret 5 $1$.eRH$lsruSvjOa9cgBLXyszy4t1
!
!
!
!
!
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-LAN$
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Cable-Modem0/0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
no fair-queue
!
interface Serial0/1/0
ip address 000.000.000.000 255.255.255.248
ip nat outside
ip virtual-reassembly
encapsulation ppp
no clock rate 2000000
service-module t1 fdl ansi
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map cable-modem interface Cable-Modem0/0/0 overload
ip nat inside source route-map t1 interface Serial0/1/0 overload
ip nat inside source static tcp 10.0.1.201 3389 CableIP 3389 extendable
ip nat inside source static tcp 10.0.1.23 5631 CableIP 5631 extendable
ip nat inside source static udp 10.0.1.23 5632 CableIP 5632 extendable
ip nat inside source static tcp 10.0.1.201 3389 T1IP 3389 extendable
ip nat inside source static tcp 10.0.1.23 5631 T1IP 5631 extendable
ip nat inside source static udp 10.0.1.23 5632 T1IP 5632 extendable
ip route 0.0.0.0 0.0.0.0 Serial0/1/0 50
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
!
route-map cable-modem permit 10
match ip address 1
match interface Cable-Modem0/0/0
route-map t1 permit 10
match ip address 2
match interface Serial0/1/0
!
!
!
control-plane
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000

gatlin007 Thu, 09/30/2010 - 12:06

It may be that your cable provider has an 'anti-spoofing' ACL facing you that blocks you as a customer from sourcing IP addresses they haven't allocated you.  From their perspective you should never source another ISP's public address.  Of course this doesn't explain why it fails when your user tries to connect to the cable modem address.

To troubleshoot try this:

Have the user with the failure scenario discover their public IP address and reveal it to you.  Then enable netflow on the interfaces.

int cable 0/0/0
ip flow ingress
exit

int ser 0/1/0
ip flow ingress
exit

int g0/0
ip flow ingress
exit

Ask the user to attempt the RDP session.

Execute a 'show ip cache flow'.

Do you see an entry from the user PC?  If so you know the packet got to your router.

If the packet got there take a look at the NAT.  Try a 'show ip nat translations' to determine if it's translating the way you intend it to.

Next check to see if the return packet from the server is getting to the router, once again with the 'show ip cache flow' command.  Is the packet being routed out the interface you expect it to be?  Does it have the correct public address as it gets routed out?


Keep in mind that the output of the 'show ip cache flow' command contains port information in hexadecimal.  For instance 3389 will look like 0D3D.


Chris
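The troubleshooting sequence in the reply above (netflow on all three interfaces, 'show ip cache flow', reading the hex ports, then checking the NAT and the return path) can be mechanised so the same checks are repeated for every attempt. The script below is an added example for this thread, not code from either post: it parses the six static NAT lines from a config shaped like the one posted and a 'show ip cache flow' table, converts the hex protocol and port fields, and for the remote user's address reports which outside interface each RDP attempt arrived on, whether a static translation covers that destination, and which interface the server's replies leave by. The NAT lines, the flow lines and the address-to-interface map are constructed; the documentation addresses 198.51.100.10 and 192.0.2.2 stand in for CableIP and T1IP, and the sample assumes ingress NetFlow on an outside interface records the destination address before NAT rewrites it.

```python
"""Correlate 'show ip cache flow' output with a router's static NAT entries.

Added example for this thread (not code from either post). The NAT lines and the
flow-cache lines below are constructed; CableIP / T1IP from the posted config are
stood in for by RFC 5737 documentation addresses. It assumes ingress NetFlow on an
outside interface records the destination address before NAT rewrites it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the six 'ip nat inside source static' lines in the post.
NAT_CONFIG = """
ip nat inside source static tcp 10.0.1.201 3389 198.51.100.10 3389 extendable
ip nat inside source static tcp 10.0.1.23 5631 198.51.100.10 5631 extendable
ip nat inside source static udp 10.0.1.23 5632 198.51.100.10 5632 extendable
ip nat inside source static tcp 10.0.1.201 3389 192.0.2.2 3389 extendable
ip nat inside source static tcp 10.0.1.23 5631 192.0.2.2 5631 extendable
ip nat inside source static udp 10.0.1.23 5632 192.0.2.2 5632 extendable
"""

# Which outside interface owns which global address (constructed mapping).
OUTSIDE_IF: Dict[str, str] = {"198.51.100.10": "Ca0/0/0", "192.0.2.2": "Se0/1/0"}

# Constructed 'show ip cache flow' table: protocol and ports are hex, as IOS prints
# them (06 = TCP, 11 = UDP, 0D3D = 3389). The third line is the server's return
# flow, deliberately leaving on the T1 so the asymmetric case shows up.
FLOW_CACHE = """
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Ca0/0/0       203.0.113.45    Gi0/0         198.51.100.10   06 C5B2 0D3D     9
Se0/1/0       203.0.113.45    Gi0/0         192.0.2.2       06 D1A0 0D3D     4
Gi0/0         10.0.1.201      Se0/1/0       203.0.113.45    06 0D3D C5B2     7
Ca0/0/0       203.0.113.45    Gi0/0         198.51.100.10   11 8F10 1600     2
"""

PROTO_NAMES = {6: "tcp", 17: "udp"}
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


@dataclass(frozen=True)
class StaticNat:
    proto: str
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    pkts: int


def hex_port(field: str) -> int:
    """Ports in 'show ip cache flow' are printed in hex: 0D3D -> 3389."""
    return int(field, 16)


def parse_static_nat(config: str) -> List[StaticNat]:
    """Pull the static port translations out of an IOS config."""
    entries = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, in_ip, in_port, g_ip, g_port = m.groups()
            entries.append(StaticNat(proto, in_ip, int(in_port), g_ip, int(g_port)))
    return entries


def parse_flow_cache(text: str) -> List[Flow]:
    """Parse the per-flow table; header and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sp, dp, pkts = parts
        try:
            proto = PROTO_NAMES.get(int(pr, 16), pr)
            flows.append(Flow(src_if, src_ip, dst_if, dst_ip, proto,
                              hex_port(sp), hex_port(dp), int(pkts)))
        except ValueError:  # a summary line that happened to have eight fields
            continue
    return flows


def check_inbound(flows: List[Flow], nats: List[StaticNat], outside_if: Dict[str, str],
                  client_ip: str, port: int = 3389) -> List[dict]:
    """For every flow from the remote client to the RDP port: did a static NAT
    entry cover the destination, and did it arrive on the interface that owns it?"""
    by_key = {(n.proto, n.global_ip, n.global_port): n for n in nats}
    findings = []
    for f in flows:
        if f.src_ip != client_ip or f.dst_port != port:
            continue
        nat: Optional[StaticNat] = by_key.get((f.proto, f.dst_ip, f.dst_port))
        findings.append({
            "in_if": f.src_if,
            "dst": f"{f.dst_ip}:{f.dst_port}",
            "nat_target": f"{nat.inside_ip}:{nat.inside_port}" if nat else None,
            "iface_ok": outside_if.get(f.dst_ip) == f.src_if,
            "pkts": f.pkts,
        })
    return findings


def check_return(flows: List[Flow], client_ip: str, server_ip: str = "10.0.1.201",
                 port: int = 3389) -> List[tuple]:
    """Return flows from the RDP server back to the client, with the exit interface."""
    return [(f.src_if, f.dst_if, f.pkts) for f in flows
            if f.src_ip == server_ip and f.dst_ip == client_ip and f.src_port == port]


if __name__ == "__main__":
    nats = parse_static_nat(NAT_CONFIG)
    flows = parse_flow_cache(FLOW_CACHE)
    for finding in check_inbound(flows, nats, OUTSIDE_IF, "203.0.113.45"):
        print("inbound", finding)
    for hop in check_return(flows, "203.0.113.45"):
        print("return ", hop)
```

Run against a real capture, paste the actual 'ip nat inside source static' lines and the 'show ip cache flow' table into the two strings (or read them from files) and fill OUTSIDE_IF from 'show ip interface brief'. A finding with nat_target set and iface_ok true means the attempt reached the router and matched a translation, so the next thing to look at is the return flow and which interface it exits by.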
