12-13-2006 02:53 PM - edited 03-03-2019 03:02 PM
I am trying to configure a Cisco 831 router to open port 3389 for TS. The TS in the LAN is 172.16.5.2 and the WAN port IP is 192.168.10.70. I added "ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable", but I can't access the TS from 192.168.10.100. This is the result of "show ip nat translation":
Pro Inside global Inside local Outside local Outside global
tcp 192.168.10.70:3389 172.16.5.2:3389 --- ---
tcp 192.168.10.70:3389 172.16.5.2:3389 192.168.10.100:2175 192.168.10.100:2175
This is the configuration:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 831
!
logging buffered 52000 debugging
!
clock timezone America/Chicago -6
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip domain name cisco.com
ip name-server 4.x.x.1
ip dhcp excluded-address 172.16.5.1 172.16.5.9
ip dhcp excluded-address 172.16.5.51 172.16.5.254
!
ip dhcp pool sdm-pool1
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 4.2.2.1
!
!
no ip bootp server
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address 192.168.10.70 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect sdm_ins_in_100 in
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 172.0.0.0 0.255.255.255
no cdp run
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end
12-13-2006 03:40 PM
hello,
Why do you want to do overloads/statics etc. on the same IP? This isn't the right way of doing it, since once you overload, you will have the same IP (10.70) seen on the outside with various internal IPs. So the router will not forward the packets to the inside.
do the following:
Leave the PAT as it is, since it only covers the traffic going from inside to outside. For the traffic to come in, configure a separate static statement with some other free IP:
ip nat inside source static 172.16.5.2 192.168.10.100
Clear the NAT tables and try accessing 10.100. It should work.
Hope this helps.. all the best. rate replies if found useful.
Raj
12-13-2006 09:45 PM
Thank you for the reply. However, I still can't access the TS using IP 192.168.10.71 after adding "ip nat inside source static 172.16.5.2 192.168.10.71".
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 831
!
logging buffered 52000 debugging
clock timezone America/Chicago -6
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip domain name cisco.com
ip name-server 4.2.2.1
ip dhcp excluded-address 172.16.5.1 172.16.5.9
ip dhcp excluded-address 172.16.5.51 172.16.5.254
!
ip dhcp pool sdm-pool1
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 4.2.2.1
!
!
no ip bootp server
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address 192.168.10.70 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect sdm_ins_in_100 in
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static 172.16.5.2 192.168.10.71
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 172.0.0.0 0.255.255.255
no cdp run
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end
12-13-2006 10:32 PM
hello
Where are you accessing this from? Is it through another private network? If from public, you cannot access it, and you need to do a NAT onto a public IP then.
The config seems OK. Check that the routing is fine. Do a trace and post the result if possible. Do a "show ip nat trans" and see if the entry is there.
Raj
12-14-2006 07:19 AM
I am accessing 172.16.5.2 from 192.168.10.100, which is in the other LAN (192.168.10.0/24). I am not accessing it from the Internet. Here are the ip nat translation and ping results.
831#show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- 192.168.10.71 172.16.5.2 --- ---
831#
ping 192.168.10.70 (note: from 192.168.10.100)
Pinging 192.168.10.70 with 32 bytes of data:
Reply from 192.168.10.70: bytes=32 time=4ms TTL=255
Reply from 192.168.10.70: bytes=32 time=5ms TTL=255
Reply from 192.168.10.70: bytes=32 time=3ms TTL=255
Reply from 192.168.10.70: bytes=32 time=3ms TTL=255
Ping statistics for 192.168.10.70:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 5ms, Average = 3ms
ping 192.168.10.71 (note: from 192.168.10.100)
Pinging 192.168.10.71 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.10.71:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
12-14-2006 05:00 PM
It should work when natting to 192.168.10.70 or Ethernet1.
Use "interface Ethernet1" when natting instead of 192.168.10.70 in your original config and it should work.
12-14-2006 06:47 PM
1. I have two Windows 2003 servers in the 172 subnet. They can access each other using TS.
2. I also tried another server whose IP is 172.16.5.10. This is the command line I just changed:
ip nat inside source static tcp 172.16.5.10 3389 interface Ethernet1 3389
3. Here is the ip nat translation.
831#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.10.70:3389 172.16.5.10:3389 --- ---
tcp 192.168.10.70:3389 172.16.5.10:3389 192.168.10.100:3523 192.168.10.100:3523
12-14-2006 07:01 PM
Can you try TS from some other machine on 192.168.10.x?
Muhammad
12-14-2006 09:41 PM
Sure, I have another Windows 2003 in the 192 subnet. It is 192.168.10.10. It can't access 172.16.5.10. Here is the ip nat translation.
831#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.10.70:3389 172.16.5.10:3389 --- ---
icmp 192.168.10.70:2619 172.16.5.10:2619 4.2.2.1:53 4.2.2.1:53
udp 192.168.10.70:2619 172.16.5.10:2619 4.2.2.1:53 4.2.2.1:53
udp 192.168.10.70:2621 172.16.5.10:2621 4.2.2.1:53 4.2.2.1:53
tcp 192.168.10.70:3389 172.16.5.10:3389 192.168.10.11:1195 192.168.10.11:1195
831#
12-14-2006 09:25 PM
Can you try putting an extended access-list instead of a standard one and check whether there are hits occurring while accessing from 192.168.10.100?
access-list 101 permit ip 172.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
12-14-2006 09:53 PM
Still the same problem. This is the result of configuration and ip nat translation.
Thank you.
12-14-2006 10:16 PM
Sorry, I forgot the configuration:
hostname 831
!
logging buffered 52000 debugging
clock timezone America/Chicago -6
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip domain name cisco.com
ip name-server 4.2.2.1
ip dhcp excluded-address 172.16.5.1 172.16.5.9
ip dhcp excluded-address 172.16.5.51 172.16.5.254
!
ip dhcp pool sdm-pool1
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 4.2.2.1
!
!
no ip bootp server
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 172.16.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ETH-WAN$
ip address 192.168.10.70 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect sdm_ins_in_100 in
duplex auto
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.10 3389 interface Ethernet1 3389
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent
ip http server
ip http authentication local
ip http secure-server
!
access-list 10 permit 172.16.5.2
access-list 101 permit ip 172.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
no cdp run
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
end
831#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 192.168.10.70:3389 172.16.5.10:3389 --- ---
tcp 192.168.10.70:3389 172.16.5.10:3389 192.168.10.11:1247 192.168.10.11:1247
831#
12-14-2006 10:28 PM
Can you try to use "ip nat outside static 192.168.10.71 172.16.5.2" instead of "ip nat inside static..." and test again.
If you use the original NAT rule, can you access from 172.16.5.2 to 192.168.10.x network ?
Can you confirm that all the default gateways on the hosts are configured correctly? Inside should point to 172.16.5.1 and outside to 192.168.10.70.
Hope this helps.
12-15-2006 08:22 AM
1. Tried "ip nat outside static 192.168.10.71 172.16.5.2". No different.
2. From 172.16.5.2 and .10, I can access any computers in the 192 subnet and the Internet.
3. The gateway of all computers in 172 points to 172.16.5.1 and they can access the Internet without issue.
FYI, originally I reset this router to the factory settings. Since I could not make it work for TS, I restored it from the backup that worked for TS access before. Should I redo it?
12-15-2006 09:36 PM
OK, finally fixed it. There is nothing wrong with the Cisco configuration. It is because the TS is a multihomed computer. Disabling one NIC and keeping the 172 subnet only makes it work. Thank you very much.
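The thread's outcome makes a useful diagnostic point that the NAT table already showed from the first post: once a row for the client appears with an "Outside local" address (192.168.10.100:2175, later 192.168.10.11:1195), the router has received the inbound SYN, matched the static PAT entry and forwarded it to the inside host, so the configuration is doing its job and the failure has to be on the reply path (here, a second NIC on the multihomed server). As an added example that is not part of the thread, the Python below parses "show ip nat translations" output and turns that reading into a three-way verdict. The sample table is constructed from the output posted in this thread; the verdict names (NO_STATIC, NO_SESSION, SESSION_SEEN) are my own. One caveat a reviewer would add: this static PAT exposes RDP on the router's outside address to everyone who can reach it, so restrict the source with an ACL if the outside network is not fully trusted.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the "show ip nat translations" output quoted in this
# thread (static PAT template for 3389, two DNS sessions, one inbound RDP session).
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.10.70:3389 172.16.5.10:3389   ---                ---
icmp 192.168.10.70:2619 172.16.5.10:2619  4.2.2.1:53         4.2.2.1:53
udp 192.168.10.70:2619 172.16.5.10:2619   4.2.2.1:53         4.2.2.1:53
tcp 192.168.10.70:3389 172.16.5.10:3389   192.168.10.11:1195 192.168.10.11:1195
"""


@dataclass
class NatEntry:
    proto: Optional[str]           # "tcp"/"udp"/"icmp"; None for a plain 1:1 static row ("---")
    inside_global: str
    inside_local: str
    outside_local: Optional[str]   # None ("---") on the template row; set once a session exists
    outside_global: Optional[str]


def _field(tok: str) -> Optional[str]:
    return None if tok == "---" else tok


def parse_nat_table(text: str) -> List[NatEntry]:
    """Parse the five-column IOS NAT table; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        entries.append(NatEntry(_field(parts[0]), parts[1], parts[2],
                                _field(parts[3]), _field(parts[4])))
    return entries


def split_socket(sock: str) -> Tuple[str, Optional[int]]:
    """'192.168.10.70:3389' -> ('192.168.10.70', 3389); a bare address gets port None."""
    ip, sep, port = sock.partition(":")
    return ip, (int(port) if sep else None)


def diagnose_port_forward(text: str, wan_ip: str, port: int, client_ip: str) -> str:
    """Classify a failing inbound port forward from the NAT table alone.

    NO_STATIC    no static TCP row for wan_ip:port, so the
                 'ip nat inside source static tcp ...' line is missing or wrong.
    NO_SESSION   the static row exists but no row carries client_ip in Outside local:
                 the client's SYN never reached the NAT outside interface (routing to
                 wan_ip, an ACL or inspect rule on that interface, or the client itself).
    SESSION_SEEN a row with client_ip in Outside local exists: the router received the
                 SYN and forwarded it to Inside local. If the session still fails, the
                 reply path is the suspect (the server's default gateway, or, as in this
                 thread, a second NIC sending the replies out another subnet).
    """
    entries = parse_nat_table(text)
    target = (wan_ip, port)
    tcp_rows = [e for e in entries
                if e.proto == "tcp" and split_socket(e.inside_global) == target]
    if not any(e.outside_local is None for e in tcp_rows):
        return "NO_STATIC"
    for e in tcp_rows:
        if e.outside_local is not None and split_socket(e.outside_local)[0] == client_ip:
            return "SESSION_SEEN"
    return "NO_SESSION"


if __name__ == "__main__":
    # Sample usage against the constructed table: the 192.168.10.11 client shows up
    # in Outside local, so the router has forwarded its SYN; 192.168.10.100 does not.
    for client in ("192.168.10.11", "192.168.10.100"):
        print(client, diagnose_port_forward(SAMPLE_NAT_TABLE, "192.168.10.70", 3389, client))
```

The verdict is deliberately read from the table rather than from the configuration, because a table row with a populated "Outside local" is evidence of what the router actually did with a packet, whereas the configuration only says what it should do. Pair a SESSION_SEEN result with a look at the inside host's routing table (default gateway and any extra interfaces) before touching the NAT statements again.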