We have a Cisco 1941 router with two internet interfaces, one a cable modem, the other a T1 interface.
When employees try to RDP to a local machine on the network from outside the network using cable internet (same provider as office cable) they are unable to attach either using the cable or the T1 IP address.
If we unplug the cable connection from the router, so it switches over to the T1 service as primary, they are able to then RDP to the IP address of the T1. With both interfaces connected they are unable to RDP to either.
From DSL service in the same area they are able to RDP to both interfaces. From cable service from a different provider they are able to RDP to both interfaces. I think this is a problem with the cable provider, but to be sure I wanted to see if anyone had any other ideas on why this would happen. Below is the config of the 1941 router.
```
Current configuration : 6572 bytes
!
! Last configuration change at 12:34:40 Arizona Thu Sep 9 2010 by integra
! NVRAM config last updated at 10:05:44 Arizona Fri Aug 20 2010 by integra
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IASROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone Arizona -7
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.30
ip dhcp excluded-address 10.0.1.101 10.0.1.254
!
ip dhcp pool MainIP
 import all
 network 10.0.1.0 255.255.255.0
 domain-name inlandmarketing
 dns-server 126.96.36.199
 default-router 10.0.1.1
 lease 5
!
!
ip domain name yourdomain.com
ip name-server 10.0.1.202
ip name-server 188.8.131.52
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1898501780
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1898501780
 revocation-check none
 rsakeypair TP-self-signed-1898501780
!
!
crypto pki certificate chain TP-self-signed-1898501780
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383938 35303137 3830301E 170D3130 30373036 32313538
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38393835
  30313738 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A813 4AABB729 D95BBFFB C2DD6AFE DA1BB3A0 29F34E96 F009A973 35EEF9F5
  3760CE30 A8C8CA51 95677605 7162372D 59408F0A F7CE98D3 B16F1DF6 E3C00939
  904518F6 D3EE5AA5 B309D264 866FDB40 97353318 9CDBE89A F994BADC 0CB6257A
  E6DDA7C0 AFCAC4AB 3E7022C5 22319B04 F267D638 0DDFE44B 541B3528 8A4604AA
  5CAD0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14CFDF66 9F74E57E F3B5CD64 24433E17 C3581543
  7D301D06 03551D0E 04160414 CFDF669F 74E57EF3 B5CD6424 433E17C3 5815437D
  300D0609 2A864886 F70D0101 04050003 8181002B 4D5CAB31 ECAFE35A 24DFF2FA
  B14E4583 0C298A75 14D67E8D D0308FD4 55C2E664 E8F009DE EAC52961 B9054FA7
  86DE2D10 BCCFC3F2 366086C1 46D25722 9A16EA0D ADC7EC83 3AA48B0A E66F7CD5
  2978A904 AEB58DD4 7218393A 15F0CB4B 9CC5FF73 CBE0647C 9F2E3732 F39B3DB9
  19F0AD8A B2728764 49EF3451 4C1BA1B1 156DC5
  quit
license udi pid CISCO1941/K9 sn FTX1428809G
!
!
username integra privilege 15 secret 5 $1$ZO6x$wbqTFrX2KHgh8lGXW8ZKs/
username admin privilege 15 secret 5 $1$.eRH$lsruSvjOa9cgBLXyszy4t1
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Cable-Modem0/0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no fair-queue
!
interface Serial0/1/0
 ip address 000.000.000.000 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no clock rate 2000000
 service-module t1 fdl ansi
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map cable-modem interface Cable-Modem0/0/0 overload
ip nat inside source route-map t1 interface Serial0/1/0 overload
ip nat inside source static tcp 10.0.1.201 3389 CableIP 3389 extendable
ip nat inside source static tcp 10.0.1.23 5631 CableIP 5631 extendable
ip nat inside source static udp 10.0.1.23 5632 CableIP 5632 extendable
ip nat inside source static tcp 10.0.1.201 3389 T1IP 3389 extendable
ip nat inside source static tcp 10.0.1.23 5631 T1IP 5631 extendable
ip nat inside source static udp 10.0.1.23 5632 T1IP 5632 extendable
ip route 0.0.0.0 0.0.0.0 Serial0/1/0 50
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
!
route-map cable-modem permit 10
 match ip address 1
 match interface Cable-Modem0/0/0
route-map t1 permit 10
 match ip address 2
 match interface Serial0/1/0
!
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
```
It may be that your cable provider has an 'anti-spoofing' ACL facing you that blocks you as a customer from sourcing IP addresses they haven't allocated you. From their perspective you should never source another ISP's public address. Of course this doesn't explain why it fails when your user tries to connect to the cable modem address.
To troubleshoot, try this:
Have the user with the failure scenario discover their public IP address and reveal it to you. Then enable netflow on the interfaces.
```
configure terminal
! enable ingress NetFlow on both outside interfaces and the inside LAN interface
interface Cable-Modem0/0/0
 ip flow ingress
 exit
interface Serial0/1/0
 ip flow ingress
 exit
interface GigabitEthernet0/0
 ip flow ingress
 exit
```
Ask the user to attempt the RDP session.
Execute a 'show ip cache flow'.
Do you see an entry from the user PC? If so you know the packet got to your router.
If the packet got there, take a look at the NAT. Try a 'show ip nat translations' to determine if it's translating the way you intend it to.
Next check to see if the return packet from the server is getting to the router, once again with the 'show ip cache flow' command. Is the packet being routed out the interface you expect it to be? Does it have the correct public address as it gets routed out?
Keep in mind that the output of the 'show ip cache flow' command contains port information in hexadecimal. For instance 3389 will look like 0D3D.
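As an added example (not part of the original thread), a small Python script that parses 'show ip cache flow' output, decodes the hexadecimal protocol and port columns, and reports whether the remote user's RDP attempt reached the router and which interface the server's reply left on. The flow table, interface names and public addresses in it are constructed, with 203.0.113.45 standing in for the user's public IP and 198.51.100.10 for CableIP.

```python
# Added example: decode 'show ip cache flow' and check an RDP attempt end to end.
from dataclasses import dataclass

RDP_PORT = 3389   # shows up as 0D3D in the hex SrcP/DstP columns
TCP = 6           # the 'Pr' column is the IP protocol number, also in hex

# Constructed sample in the layout of 'show ip cache flow' (not real router output):
# 203.0.113.45 = remote user's public IP, 198.51.100.10 = CableIP, 10.0.1.201 = RDP server.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Ca0/0/0       203.0.113.45    Gi0/0         198.51.100.10   06 C2F1 0D3D     5
Gi0/0         10.0.1.201      Se0/1/0       203.0.113.45    06 0D3D C2F1     4
Gi0/0         10.0.1.23       Ca0/0/0       192.0.2.7       11 1600 1600    12
"""

@dataclass
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    pkts: int

def parse_flows(text: str) -> list[Flow]:
    """Parse the flow table; the header and any non-flow lines are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue
        flows.append(Flow(f[0], f[1], f[2], f[3], int(f[4], 16),
                          int(f[5], 16), int(f[6], 16), int(f[7])))
    return flows

def rdp_check(flows: list[Flow], user_ip: str, server_ip: str, expect_out_if: str) -> dict:
    """Did the user's RDP packets arrive, and did the server's reply leave the expected way?"""
    inbound = [f for f in flows if f.src_ip == user_ip and f.proto == TCP and f.dst_port == RDP_PORT]
    reply = [f for f in flows if f.src_ip == server_ip and f.dst_ip == user_ip and f.src_port == RDP_PORT]
    return {
        "arrived": bool(inbound),
        "arrived_on": sorted({f.src_if for f in inbound}),
        "replied": bool(reply),
        "reply_out_if": sorted({f.dst_if for f in reply}),
        # reply leaving a different WAN interface than the one the request came in on
        "asymmetric": any(f.dst_if != expect_out_if for f in reply),
    }
```

Paste the real table in place of SAMPLE and call rdp_check with the user's public IP, the inside RDP server address and the outside interface you expect the reply to use; an "asymmetric" result points you at the routing and NAT questions above.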