RDP Port 3389 NAT

Status
Not open for further replies.

Nazgulero

IS-IT--Management
Oct 24, 2003
Hello,

I am trying to access my LAN workstations from the Internet through RDP, but for some reason it does not work. I have the following NAT statement configured:

ip nat inside source tcp 172.16.0.1 3389 interface Dialer1 3389

I have seen working configurations where the statement was:

ip nat inside source tcp 172.16.0.1 3389 82.16.23.34 3389 extendable

I wonder if that is the problem, that I cannot add the keyword 'extendable' to an interface, but only to a static IP address. Has anybody made this work, that is, static port mappings with dynamic IP?

Thanks in advance for your help.

Regards,

GP
 
The statement looks correct although it is missing the keyword 'static' - I assume you have this?

I run various services behind my negotiated IP address, for example my FTP service looks like:

ip nat inside source static tcp 10.1.1.1 21 interface Dialer1 21

Is it likely you also have an ACL and/or Firewalling (IP Inspection) configured that is preventing your static NAT working?

Andy

 
Hello Andy,

I got it working, thanks for your assistance. Do you know how to configure the Cisco now in conjunction with an ISA server, that is, having the RDP requests going through an ISA server? Also, is there a way to forward requests from a specific URL to the ISA server?
Thanks again for your help.

Regards,

Naz
 
I have a similar setup - Cisco DSL Router to internet, Ethernet to outside interface of MS ISA Server and then the Inside network.

You need to set up a publishing rule to publish your internal server on the ISA Server's outside interface, then allow this protocol in your rules on ISA. Add that to the static NAT statement and you should be away.

Andy
 
Hello Andy,

thanks again for your help and quick response - would you be able to post the configuration of your Cisco DSL router in the above-mentioned setup?
Thanks in advance.

Regards,

Naz
 
It is pretty much as the previous post, the inside NAT address is the outside interface IP address of the ISA Server. It works like a 'double port forward' - i.e. the router NATs anything coming into its DSL IP address on port X (21 FTP in my case) and rewrites the destination IP address as the outside IP address of the ISA Server. ISA does the same thing to the inside device.

Andy
 
How did you get the RDP to work? I'm having the same problem: everything works fine but can access anything behind the router. Please help.
 
Hello,

as I remember it, you need a statement like this:

ip nat inside source static tcp 192.168.1.1 3389 interface Dialer1 3389 extendable

and exclude that IP address from the source list:

ip nat inside source list 1 interface Dialer0 overload
access-list 1 deny 192.168.1.1
access-list 1 permit 192.168.1.0 0.0.0.255

Can you try and see if this works for you?

Regards,

Naz
 
This is what I have:

ip nat inside source static tcp 192.168.0.3 3389 interface e0 3389

ip nat source list 1 interface e0 overload

access-list 1 permit 192.168.0.0 0.0.0.255

But it does not work.

I have a 1605-R, IOS ver 12.2(31).
 
Hello,

can you try:

ip nat inside source static tcp 192.168.0.3 3389 interface e0 3389

ip nat source list 1 interface e0 overload

-->access-list 1 deny host 192.168.0.3
access-list 1 permit 192.168.0.0 0.0.0.255

and see if that makes a difference?

Regards,

GP
 
Hello,

out of curiosity, what did you do to get it working?

Regards,

Naz
 
Nothing, my config was correct. I just remember with NAT you have to connect to the outside IP of the router and not the internal terminal server IP.
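
An added example, not part of the original thread: a small Python check that lists the static port forwards in an IOS configuration and flags the two points raised above, a forward written without the `static` keyword and RDP or FTP published to the outside interface. The function name, the `REVIEW_PORTS` table and the sample text are assumptions made for this illustration; the statements in the sample are the ones quoted in the thread.

```python
import re

# Static PAT form used in the thread:
#   ip nat inside source [static] tcp|udp <local-ip> <local-port>
#       {<global-ip> | interface <name>} <global-port> [extendable]
PAT_RE = re.compile(
    r"^ip nat inside source (?P<static>static )?(?P<proto>tcp|udp) "
    r"(?P<local_ip>\S+) (?P<local_port>\d+) "
    r"(?:interface (?P<iface>\S+)|(?P<global_ip>\d+\.\d+\.\d+\.\d+)) "
    r"(?P<global_port>\d+)(?P<ext> extendable)?\s*$"
)

# Assumption: ports a reviewer wants called out when published to the outside.
REVIEW_PORTS = {21: "FTP", 3389: "RDP"}


def audit_port_forwards(config_text):
    """Return one finding dict per port-forward line in an IOS config."""
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = PAT_RE.match(line)
        if not m:
            continue  # not a port forward (e.g. the overload rule)
        notes = []
        if not m.group("static"):
            notes.append("missing 'static' keyword")
        port = int(m.group("global_port"))
        if port in REVIEW_PORTS:
            notes.append(f"{REVIEW_PORTS[port]} published to outside")
        findings.append({
            "inside": f"{m.group('local_ip')}:{m.group('local_port')}",
            "outside": f"{m.group('iface') or m.group('global_ip')}:{port}",
            "notes": notes,
        })
    return findings


# Statements quoted from the thread; the overload line is skipped by the parser.
SAMPLE = """\
ip nat inside source tcp 172.16.0.1 3389 interface Dialer1 3389
ip nat inside source static tcp 10.1.1.1 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer1 3389 extendable
ip nat inside source list 1 interface Dialer0 overload
"""

if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE):
        print(f["inside"], "->", f["outside"], "; ".join(f["notes"]) or "ok")
```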
 