Question : Problem: Assistance Needed with Cisco 1721 Configuration VPN/Terminal Services

I'll start out by saying I'm still relatively new to EE, and I just today paid for a monthly subscription here so that I can ask questions, give out points, etc.  Please forgive me in advance if my question format/methodology is incorrect.

I have a client that has a Cisco 1721 modular router.  I downloaded Cisco's "gui" software for this device, to see if I could simplify the configuration of this device for myself, since I'm not that experienced with these routers.

The Cisco has two regular ethernet ports... one connected to the LAN, the other connected to a DSL router.  The DSL is commercial service, and they've provided a public IP address specifically for the WAN interface on this router.  Right now, the LAN has fully functional Internet access, but I cannot make any inbound traffic work at all, and I'm also concerned that the router may not be locked down as well as it should be.

My goal is to simply set up this router so that it is very secure, but allows several services.  For now, I'd like to get just the following services on the LAN up and running through this router, out to the internet:

-- Terminal Services - inbound 3389
-- Inbound VPN
-- I think MY client needs to connect to one of THEIR clients using VPN, and that client required the installation of this router in the first place.

I read at least one thread here on how to set this router up to allow access to the LAN terminal server from the Internet.  I read it, and followed the directions exactly, using telnet... and it didn't work.  Then, as I said, I used Cisco's "Secure Device Manager" software (SDM), which runs in a browser using a Java application.  That software can see the router, and it appears that I can even make NAT and/or firewall changes to the device.  But nothing I tried worked at all.

For a person that works with these things regularly, this is probably not very difficult... other than figuring out why the things I've tried still don't work (I think I'm fairly smart, and I've configured other routers, so I really thought that I'd be able to handle this one... and I'm thinking there's something else going on that I've just never run into before).

Here's the problem... I kinda need to "schedule" the assistance that I might receive from EE, because the client's site is about a half hour away from my office, and right now I have NO remote access to their network at all.  Is it possible to get this kind of "scheduled" assistance with any of you?  I won't be back at the client site until Wednesday April 27th, at around 2 or 3pm Eastern Time.

Please let me know if you need more information... and if I have to make a visit up there sooner, I will definitely post to this thread saying when, so that maybe we can work together sooner...




Answer : Problem: Assistance Needed with Cisco 1721 Configuration VPN/Terminal Services

>I'm confident that the DHCP server on the router is NOT active
Correct..

Actually, let's start acl 102 all over....

\\-- start by removing it from the interface...

interface Ethernet0
 no ip access-group 102 in

\\-- delete the acl completely
 no access-list 102

\\-- rebuild from scratch
 access-list 102 remark permit RDP for Term Services
 access-list 102 permit tcp any host x.x.x.102 eq 3389
 access-list 102 remark permit 1723 for VPN
 access-list 102 permit tcp any host x.x.x.102 eq 1723

\\-- re-apply to the interface
 interface Ethernet 0
  ip access-group 102 in

\\-- create some static NAT port-forwarding
\\-- you must delete the existing static, else ONLY that host can go out at all..
 no ip nat inside source static 10.0.0.5 {xxx.xxx.xxx.102 public ip} extendable
 ip nat inside source static tcp 10.0.0.5 3389 x.x.x.102 3389
 ip nat inside source static tcp 10.0.0.5 1723 x.x.x.102 1723

That "should" (famous last words, eh?) get you working with access to the internet, and ability to reach server 10.0.0.5 via RDP/Terminal Services...
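
An added example, not part of the original answer: a small Python check that cross-references `ip nat inside source static` port forwards against the permits in the inbound ACL, so you can see exactly which services are exposed and catch a forward whose inside and outside ports differ. The sample config is constructed for illustration; 203.0.113.102 stands in for the elided public address x.x.x.102, and the port 25 and 8080 lines are assumptions added to show each finding type.

```python
import re

# Constructed sample in the style of the commands above (not the client's config).
SAMPLE_CONFIG = """\
access-list 102 remark permit RDP for Term Services
access-list 102 permit tcp any host 203.0.113.102 eq 3389
access-list 102 remark permit 1723 for VPN
access-list 102 permit tcp any host 203.0.113.102 eq 1723
access-list 102 permit tcp any host 203.0.113.102 eq 8080
ip nat inside source static tcp 10.0.0.5 3389 203.0.113.102 3389
ip nat inside source static tcp 10.0.0.5 3389 203.0.113.102 1723
ip nat inside source static tcp 10.0.0.5 25 203.0.113.102 25
"""

ACL_RE = re.compile(
    r"^\s*access-list\s+(\d+)\s+permit\s+(tcp|udp)\s+any\s+host\s+(\S+)\s+eq\s+(\d+)\s*$")
NAT_RE = re.compile(
    r"^\s*ip nat inside source static\s+(tcp|udp)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")

def audit_port_forwards(config, acl_id):
    """Cross-check static NAT port forwards against the inbound ACL's permits."""
    permits, forwards, findings = set(), {}, []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_id:
            permits.add((m.group(2), m.group(3), int(m.group(4))))
            continue
        m = NAT_RE.match(line)
        if m:
            proto, l_ip, l_port, g_ip, g_port = m.groups()
            forwards[(proto, g_ip, int(g_port))] = (l_ip, int(l_port))
    for key, (l_ip, l_port) in sorted(forwards.items()):
        proto, g_ip, g_port = key
        if key not in permits:
            # Forward exists but the ACL drops the traffic before NAT sees it.
            findings.append(f"BLOCKED {proto} {g_ip}:{g_port} -> {l_ip}:{l_port} (no ACL permit)")
        elif l_port != g_port:
            # Not always wrong, but worth a second look (often a copy-paste slip).
            findings.append(f"REMAP {proto} {g_ip}:{g_port} -> {l_ip}:{l_port} (ports differ)")
    for proto, g_ip, g_port in sorted(permits - set(forwards)):
        # Permit with nothing behind it: unnecessary hole in the ACL.
        findings.append(f"UNUSED-PERMIT {proto} {g_ip}:{g_port} (no static NAT behind it)")
    return findings

if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG, "102"):
        print(finding)
```

The check only understands the two command forms used in this thread (`permit tcp|udp any host <ip> eq <port>` and static port NAT); protocol-level permits and other ACL syntax are ignored.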
