can't access TS from outside

chicagotech
Level 1

I am trying to configure a Cisco 831 router to open port 3389 for TS. The TS in the LAN is 172.6.5.2 and the WAN port IP is 192.168.10.70. I added "ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable", but I can't access the TS from 192.168.10.100. This is the result of "show ip nat translation":

Pro Inside global Inside local Outside local Outside global

tcp 192.168.10.70:3389 172.16.5.2:3389 --- ---

tcp 192.168.10.70:3389 172.16.5.2:3389 192.168.10.100:2175 192.168.10.100:2175

This is the configuration:

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 831

!

logging buffered 52000 debugging

!

clock timezone America/Chicago -6

clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00

no aaa new-model

ip subnet-zero

no ip source-route

ip domain name cisco.com

ip name-server 4.x.x.1

ip dhcp excluded-address 172.16.5.1 172.16.5.9

ip dhcp excluded-address 172.16.5.51 172.16.5.254

!

ip dhcp pool sdm-pool1

network 172.16.5.0 255.255.255.0

default-router 172.16.5.1

dns-server 4.2.2.1

!

!

no ip bootp server

ip inspect name sdm_ins_in_100 cuseeme

ip inspect name sdm_ins_in_100 ftp

ip inspect name sdm_ins_in_100 h323

ip inspect name sdm_ins_in_100 netshow

ip inspect name sdm_ins_in_100 rcmd

ip inspect name sdm_ins_in_100 realaudio

ip inspect name sdm_ins_in_100 rtsp

ip inspect name sdm_ins_in_100 smtp

ip inspect name sdm_ins_in_100 sqlnet

ip inspect name sdm_ins_in_100 streamworks

ip inspect name sdm_ins_in_100 tftp

ip inspect name sdm_ins_in_100 tcp

ip inspect name sdm_ins_in_100 udp

ip inspect name sdm_ins_in_100 vdolive

ip inspect name sdm_ins_in_100 icmp

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

interface Ethernet0

description $FW_INSIDE$$ETH-LAN$

ip address 172.16.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no cdp enable

!

interface Ethernet1

description $FW_OUTSIDE$$ETH-WAN$

ip address 192.168.10.70 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect sdm_ins_in_100 in

duplex auto

no cdp enable

!

interface FastEthernet1

no ip address

duplex auto

speed auto

!

interface FastEthernet2

no ip address

duplex auto

speed auto

!

interface FastEthernet3

no ip address

duplex auto

speed auto

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

ip nat inside source list 1 interface Ethernet1 overload

ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent

ip http server

ip http authentication local

ip http secure-server

!

access-list 1 permit 172.0.0.0 0.255.255.255

no cdp run

banner login ^CCCAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

!

end
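The table quoted above is the router's own record of what it translated. As an added diagnostic helper (not code from the thread, from Cisco, or from anyone posting in it), the script below parses "show ip nat translation" output in that five-column format and turns it into a verdict for a static port forward: is the mapping configured, has any outside host reached it, and if so from where. The sample table is constructed from the entries quoted in this thread; the verdict strings and the function names are my own.

```python
"""Parse Cisco IOS 'show ip nat translation' output and judge a static port forward.

Added example for this thread; not code from the original posts or from Cisco.
The sample table below is constructed from the entries quoted in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 192.168.10.70:3389    172.16.5.2:3389       ---                   ---
tcp 192.168.10.70:3389    172.16.5.2:3389       192.168.10.100:2175   192.168.10.100:2175
--- 192.168.10.71         172.16.5.2            ---                   ---
udp 192.168.10.70:2619    172.16.5.10:2619      4.2.2.1:53            4.2.2.1:53
"""


@dataclass
class NatEntry:
    proto: Optional[str]          # None for a protocol-less ("---") static 1:1 mapping
    inside_global: str
    inside_local: str
    outside_local: Optional[str]  # None ("---") until a flow actually hits the mapping
    outside_global: Optional[str]

    @property
    def is_template(self) -> bool:
        """A static mapping with no outside half: configured, but no flow has used it yet."""
        return self.outside_local is None and self.outside_global is None


def _field(token: str) -> Optional[str]:
    return None if token == "---" else token


def parse_nat_table(text: str) -> List[NatEntry]:
    """Parse the five-column table; the header line and anything malformed are skipped."""
    entries: List[NatEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append(NatEntry(_field(proto), ig, il, _field(ol), _field(og)))
    return entries


def diagnose_port_forward(entries: List[NatEntry], inside_global: str, port: int,
                          proto: str = "tcp") -> Tuple[str, List[str]]:
    """Return (verdict, peers) for the forward inside_global:port.

    "no-mapping"  - the router holds no entry for that socket at all
    "no-hits"     - the static template exists but no outside host has reached it
                    (traffic is not arriving at the outside interface, or is dropped
                    before NAT: check client-side routing and inbound ACLs)
    "translated"  - inbound flows from the listed peers were translated; the NAT part
                    works, so look at the inside host (return path, host firewall,
                    listening service) rather than at the NAT statement
    """
    target = f"{inside_global}:{port}"
    template = False
    peers: List[str] = []
    for e in entries:
        if e.proto != proto or e.inside_global != target:
            continue
        if e.is_template:
            template = True
        elif e.outside_global is not None:
            peers.append(e.outside_global)
    if peers:
        return "translated", peers
    return ("no-hits" if template else "no-mapping"), peers


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_OUTPUT)
    # -> ('translated', ['192.168.10.100:2175'])
    print(diagnose_port_forward(table, "192.168.10.70", 3389))
```

Run against the original poster's table this yields "translated" with 192.168.10.100 as the peer, which is the key observation in the thread: the router created the translation for the inbound connection, so the failure is not in the NAT statement itself.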

14 Replies

sachinraja
Level 9

hello,

why do you want to do overloads/statics etc. on the same IP? This isn't the right way of doing it, since once you overload, you will have the same IP (10.70) seen on the outside with various internal IPs. So, the router will not forward the packets to the inside...

do the following:

leave the PAT as it is, since it is only for the traffic going from inside to outside.. for the traffic to come in, configure a separate static statement with some other free IP..

ip nat inside source static 172.16.5.2 192.168.10.100

clear the nat tables and try accessing 10.100.. it should work..

Hope this helps.. all the best. Rate replies if found useful.

Raj

chicagotech
Level 1

Thank you for the reply. However, I still can't access the TS using IP 192.168.10.71 after adding "ip nat inside source static 172.16.5.2 192.168.10.71".

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 831

!

logging buffered 52000 debugging

clock timezone America/Chicago -6

clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00

no aaa new-model

ip subnet-zero

no ip source-route

ip domain name cisco.com

ip name-server 4.2.2.1

ip dhcp excluded-address 172.16.5.1 172.16.5.9

ip dhcp excluded-address 172.16.5.51 172.16.5.254

!

ip dhcp pool sdm-pool1

network 172.16.5.0 255.255.255.0

default-router 172.16.5.1

dns-server 4.2.2.1

!

!

no ip bootp server

ip inspect name sdm_ins_in_100 cuseeme

ip inspect name sdm_ins_in_100 ftp

ip inspect name sdm_ins_in_100 h323

ip inspect name sdm_ins_in_100 netshow

ip inspect name sdm_ins_in_100 rcmd

ip inspect name sdm_ins_in_100 realaudio

ip inspect name sdm_ins_in_100 rtsp

ip inspect name sdm_ins_in_100 smtp

ip inspect name sdm_ins_in_100 sqlnet

ip inspect name sdm_ins_in_100 streamworks

ip inspect name sdm_ins_in_100 tftp

ip inspect name sdm_ins_in_100 tcp

ip inspect name sdm_ins_in_100 udp

ip inspect name sdm_ins_in_100 vdolive

ip inspect name sdm_ins_in_100 icmp

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

interface Ethernet0

description $FW_INSIDE$$ETH-LAN$

ip address 172.16.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no cdp enable

!

interface Ethernet1

description $FW_OUTSIDE$$ETH-WAN$

ip address 192.168.10.70 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect sdm_ins_in_100 in

duplex auto

no cdp enable

!

interface FastEthernet1

no ip address

duplex auto

speed auto

!

interface FastEthernet2

no ip address

duplex auto

speed auto

!

interface FastEthernet3

no ip address

duplex auto

speed auto

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

ip nat inside source list 1 interface Ethernet1 overload

ip nat inside source static 172.16.5.2 192.168.10.71

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent

ip http server

ip http authentication local

ip http secure-server

!

access-list 1 permit 172.0.0.0 0.255.255.255

no cdp run

banner login ^CCCAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

!

end

hello

where are you accessing this from? is it through another private network? if from public you cannot access it, and you need to do a NAT onto a public IP then...

config seems OK.. take care that the routing is fine.. do a trace and post the result if possible.. do a show ip nat trans and see if the entry is there...

Raj

I am accessing 172.16.5.2 from 192.168.10.100, which is in the other LAN (192.168.10.0/24). I am not accessing it from the Internet. Here are the ip nat translation and ping results.

831#show ip nat translation

Pro Inside global Inside local Outside local Outside global

--- 192.168.10.71 172.16.5.2 --- ---

831#

ping 192.168.10.70 (note: from 192.168.10.100)

Pinging 192.168.10.70 with 32 bytes of data:

Reply from 192.168.10.70: bytes=32 time=4ms TTL=255

Reply from 192.168.10.70: bytes=32 time=5ms TTL=255

Reply from 192.168.10.70: bytes=32 time=3ms TTL=255

Reply from 192.168.10.70: bytes=32 time=3ms TTL=255

Ping statistics for 192.168.10.70:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 3ms, Maximum = 5ms, Average = 3ms

ping 192.168.10.71 (note: from 192.168.10.100)

Pinging 192.168.10.71 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 192.168.10.71:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

It should work when natting to 192.168.10.70 or ethernet1

use interface Ethernet1 when natting instead of 192.168.10.70 in your original config and it should work.

1. I have two Windows 2003 servers in the 172 subnet. They can access each other using TS.

2. I also tried another server whose IP is 172.16.5.10. This is the command line I just changed:

ip nat inside source static tcp 172.16.5.10 3389 interface Ethernet1 3389

3. Here is the ip nat translation.

831#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

tcp 192.168.10.70:3389 172.16.5.10:3389 --- ---

tcp 192.168.10.70:3389 172.16.5.10:3389 192.168.10.100:3523 192.168.10.100:3523

Can you try TS from some other machine on 192.168.10.x?

Muhammad

Sure, I have another Windows 2003 in the 192 subnet. It is 192.168.10.10. It can't access 172.16.5.10. Here is the ip nat translation.

831#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

tcp 192.168.10.70:3389 172.16.5.10:3389 --- ---

icmp 192.168.10.70:2619 172.16.5.10:2619 4.2.2.1:53 4.2.2.1:53

udp 192.168.10.70:2619 172.16.5.10:2619 4.2.2.1:53 4.2.2.1:53

udp 192.168.10.70:2621 172.16.5.10:2621 4.2.2.1:53 4.2.2.1:53

tcp 192.168.10.70:3389 172.16.5.10:3389 192.168.10.11:1195 192.168.10.11:1195

831#

jarvar832004
Level 1

can you try putting an extended access-list instead of a standard one and check whether there are hits occurring while accessing from 192.168.10.100

access-list 101 permit ip 172.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

Still the same problem. This is the result of the configuration and ip nat translation.

Thank you.

Sorry, forgot the configuration

hostname 831

!

logging buffered 52000 debugging

clock timezone America/Chicago -6

clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00

no aaa new-model

ip subnet-zero

no ip source-route

ip domain name cisco.com

ip name-server 4.2.2.1

ip dhcp excluded-address 172.16.5.1 172.16.5.9

ip dhcp excluded-address 172.16.5.51 172.16.5.254

!

ip dhcp pool sdm-pool1

network 172.16.5.0 255.255.255.0

default-router 172.16.5.1

dns-server 4.2.2.1

!

!

no ip bootp server

ip inspect name sdm_ins_in_100 cuseeme

ip inspect name sdm_ins_in_100 ftp

ip inspect name sdm_ins_in_100 h323

ip inspect name sdm_ins_in_100 netshow

ip inspect name sdm_ins_in_100 rcmd

ip inspect name sdm_ins_in_100 realaudio

ip inspect name sdm_ins_in_100 rtsp

ip inspect name sdm_ins_in_100 smtp

ip inspect name sdm_ins_in_100 sqlnet

ip inspect name sdm_ins_in_100 streamworks

ip inspect name sdm_ins_in_100 tftp

ip inspect name sdm_ins_in_100 tcp

ip inspect name sdm_ins_in_100 udp

ip inspect name sdm_ins_in_100 vdolive

ip inspect name sdm_ins_in_100 icmp

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

!

!

!

interface Ethernet0

description $FW_INSIDE$$ETH-LAN$

ip address 172.16.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

no cdp enable

!

interface Ethernet1

description $FW_OUTSIDE$$ETH-WAN$

ip address 192.168.10.70 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect sdm_ins_in_100 in

duplex auto

no cdp enable

!

interface FastEthernet1

no ip address

duplex auto

speed auto

!

interface FastEthernet2

no ip address

duplex auto

speed auto

!

interface FastEthernet3

no ip address

duplex auto

speed auto

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

ip nat inside source list 1 interface Ethernet1 overload

ip nat inside source static tcp 172.16.5.10 3389 interface Ethernet1 3389

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent

ip http server

ip http authentication local

ip http secure-server

!

access-list 10 permit 172.16.5.2

access-list 101 permit ip 172.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

no cdp run

banner login ^CCCAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

!

end

831#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

tcp 192.168.10.70:3389 172.16.5.10:3389 --- ---

tcp 192.168.10.70:3389 172.16.5.10:3389 192.168.10.11:1247 192.168.10.11:1247

831#

Can you try to use "ip nat outside static 192.168.10.71 172.16.5.2" instead of "ip nat inside static..." and test again.

If you use the original NAT rule, can you access the 192.168.10.x network from 172.16.5.2?

Can you confirm all the default gateways on the hosts are configured correctly? Inside hosts point to 172.16.5.1 and outside hosts point to 192.168.10.70.

Hope this helps.

1. Tried "ip nat outside static 192.168.10.71 172.16.5.2". No different.

2. from 172.16.5.2 and 10, I can access any computers in 192 subnet and internet.

3. The gateway of all computers in 172 point to 172.16.5.1 and they can access the Internet without issue.

FYI. Originally, I reset this router to the factory settings. Since I could not make it work for TS, I restored it from the backup that worked for TS access before. Should I redo it?

OK, finally fixed it. There is nothing wrong with the Cisco configuration. It is because the TS is a multihomed computer. Disabling one NIC and keeping the 172 subnet only, it works. Thank you very much.
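The closing post names the cause (a multihomed terminal server) but not the mechanism. As an added illustration, not code from the thread or from anyone posting in it, the script below models the host's reply-path decision with a longest-prefix-match lookup. The thread does not say which subnet the second NIC sat on; the route tables here, the choice of 192.168.10.0/24 for the extra NIC, and the function names are constructed assumptions used only to show why a host with a second interface can answer a NAT'd connection directly and bypass the router that has to undo the translation.

```python
"""Model the reply path of a multihomed host behind a NAT router.

Added example for this thread, not code from the posts. The thread ends with the
finding that the TS was multihomed and worked once the extra NIC was disabled; the
subnet of that extra NIC is NOT stated in the thread, so the route tables below
are constructed assumptions used to illustrate the mechanism.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]   # None = directly connected


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a host picks the egress for a reply packet."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def reply_path(routes: List[Route], client_ip: str, nat_inside_ip: str) -> str:
    """Classify where the inside host's reply to client_ip goes.

    "via-nat-router": next hop is the NAT router's inside address, so the router
        rewrites the source back to the inside-global address the client expects.
    "bypasses-nat-router": the host delivers the reply itself on another interface;
        the client receives a packet from the untranslated inside-local address,
        cannot match it to its connection, and the session never completes.
    """
    r = select_route(routes, client_ip)
    if r is None:
        return "unroutable"
    return "via-nat-router" if r.gateway == nat_inside_ip else "bypasses-nat-router"


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Constructed: the TS with only its 172.16.5.0/24 NIC, default gateway = the 831's Ethernet0.
SINGLE_HOMED = [
    Route(net("172.16.5.0/24"), "nic1", None),
    Route(net("0.0.0.0/0"), "nic1", "172.16.5.1"),
]

# Constructed assumption: a second NIC directly on the client's 192.168.10.0/24 segment.
MULTIHOMED = SINGLE_HOMED + [Route(net("192.168.10.0/24"), "nic2", None)]

CLIENT = "192.168.10.100"   # the client the thread tested from
NAT_INSIDE = "172.16.5.1"   # Ethernet0 of the 831 in the posted config

if __name__ == "__main__":
    for name, table in (("single-homed", SINGLE_HOMED), ("multihomed", MULTIHOMED)):
        r = select_route(table, CLIENT)
        print(f"{name:12s} reply to {CLIENT} leaves via {r.interface}: "
              f"{reply_path(table, CLIENT, NAT_INSIDE)}")
```

With the single-homed table the only match for 192.168.10.100 is the default route through 172.16.5.1, so the reply goes back through the 831 and is un-NAT'd. Add a connected 192.168.10.0/24 interface and the /24 beats the /0, so the reply leaves the second NIC and the client sees a packet from 172.16.5.x rather than from 192.168.10.70. This is the pattern to check first when the NAT table shows the inbound translation was created (as it did in every table posted above) but the client still times out.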
