Terminal service port forwarding

I am trying to forward the RDP port to a terminal server inside my LAN, but things are not working for me. Router is 801 ISDN.
My config is:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname edi-ISDN
ip subnet-zero
ip name-server 213.42.20.20
ip name-server 195.229.241.222
isdn switch-type basic-net3
interface Ethernet0
ip address 192.168.0.254 255.255.255.0
ip nat inside
interface BRI0
no ip address
ip nat outside
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication pap callin
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 500
dialer string 4004444
dialer hold-queue 10
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 050E0206751E1E5948
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.100 3389 interface Dialer1 3389
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
line con 0
password cisco
transport input none
stopbits 1
line vty 0 4
password cisco
login
no rcapi server
The ip nat translation output was:
edi-ISDN#show ip nat trans
Pro Inside global       Inside local        Outside local     Outside global
udp 86.96.130.249:1166  192.168.0.123:1166  86.96.60.5:123    86.96.60.5:123
udp 86.96.130.249:123   192.168.0.100:123   192.168.79.1:123  192.168.79.1:123
tcp 86.96.130.249:3824  192.168.0.123:3824  64.152.73.172:80  64.152.73.172:80
udp 86.96.130.249:123   192.168.0.100:123   192.168.56.1:123  192.168.56.1:123
tcp 86.96.130.249:3389  192.168.0.100:3389  ---               ---
udp 86.96.130.249:1143  192.168.0.123:1143  213.42.20.20:53   213.42.20.20:53

Yes, my terminal server is an antivirus server, so it connects to the internet for updates.
Do I remove the gateway from the TS server?
So what shall I do for the default route?
What is your suggestion?
Regards
shoeb
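
Added example, not part of the original posts: a Python check that cross-references the `ip nat inside source static` line from the posted config with the posted `show ip nat trans` output. It assumes the usual IOS behaviour that a static rule appears as a row with `---` in the outside columns and that each inbound session through it adds a row with real outside addresses; the function names are illustrative.

```python
import re

# Lines copied from the router configuration quoted in the post above.
CONFIG = """\
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.100 3389 interface Dialer1 3389
"""

# Output of "show ip nat trans" as quoted in the post above.
NAT_TABLE = """\
edi-ISDN#show ip nat trans
Pro Inside global Inside local Outside local Outside global
udp 86.96.130.249:1166 192.168.0.123:1166 86.96.60.5:123 86.96.60.5:123
udp 86.96.130.249:123 192.168.0.100:123 192.168.79.1:123 192.168.79.1:123
tcp 86.96.130.249:3824 192.168.0.123:3824 64.152.73.172:80 64.152.73.172:80
udp 86.96.130.249:123 192.168.0.100:123 192.168.56.1:123 192.168.56.1:123
tcp 86.96.130.249:3389 192.168.0.100:3389 --- ---
udp 86.96.130.249:1143 192.168.0.123:1143 213.42.20.20:53 213.42.20.20:53
"""

# Interface form of a static port forward, as used in the posted config.
STATIC_RULE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)


def endpoint(text):
    """Split 'a.b.c.d:port' into (ip, port); '---' means no address recorded."""
    if text == "---":
        return None
    ip, port = text.rsplit(":", 1)
    return ip, int(port)


def parse_static_rules(config):
    """Return the static port forwards found in an IOS configuration."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RULE.match(line.strip())
        if m:
            proto, ip, local_port, iface, global_port = m.groups()
            rules.append({"proto": proto, "local": (ip, int(local_port)),
                          "interface": iface, "global_port": int(global_port)})
    return rules


def parse_translations(table):
    """Parse translation rows; prompt and header lines are skipped."""
    rows = []
    for line in table.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] not in ("tcp", "udp"):
            continue
        rows.append({"proto": f[0],
                     "inside_global": endpoint(f[1]),
                     "inside_local": endpoint(f[2]),
                     "outside_local": endpoint(f[3]),
                     "outside_global": endpoint(f[4])})
    return rows


def audit(config, table):
    """For each static rule: is it installed, and which peers have used it?"""
    rows = parse_translations(table)
    report = []
    for rule in parse_static_rules(config):
        matching = [r for r in rows
                    if r["proto"] == rule["proto"]
                    and r["inside_local"] == rule["local"]
                    and r["inside_global"] is not None
                    and r["inside_global"][1] == rule["global_port"]]
        # Static rule itself: outside columns are '---'.
        installed = any(r["outside_global"] is None for r in matching)
        # Assumption: a session through the rule has real outside addresses.
        sessions = [r["outside_global"] for r in matching
                    if r["outside_global"] is not None]
        report.append({"rule": rule, "installed": installed,
                       "sessions": sessions})
    return report


if __name__ == "__main__":
    for item in audit(CONFIG, NAT_TABLE):
        rule = item["rule"]
        print(f'{rule["proto"]}/{rule["global_port"]} on {rule["interface"]} -> '
              f'{rule["local"][0]}:{rule["local"][1]} '
              f'installed={item["installed"]} sessions={len(item["sessions"])}')
```

On the posted output the rule is installed but has no session rows, so no inbound RDP connection has been translated yet. The same report lists every service the config forwards from the outside interface, which is the set to review when deciding what should be reachable from the internet.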

Similar Messages

  • Windows 7 redirecting LPT ports to Terminal Services is broken compared to Vista and XP

    Hello forum
    We have encountered an issue with mapping LPT1 ports from any terminal server be it 2003 or 2008, the problem is the same.
    Our XP clients and Vista clients work fine. Seems this issue is only present on Windows 7.
    We have a program that requires printing to be done on the LPT1 port. The printer connected to the client is driverless; it uses the raw output from the LPT port. So try not to think of it as a normal printer. We do not require drivers to be installed on the server or client.
    Our XP and Vista clients work perfectly by using: net use LPT1: \\tsclient\lpt1:
    And then printing to the LPT1 port.
    When using Windows 7 clients to print, only 512 bytes are forwarded to the printer and the rest of the job is missing. If we print directly to \\tsclient\lpt1: the print job is working and all is forwarded. But our program cannot print to UNC paths.
    So what has changed between Vista/XP and Windows 7 on the LPT port forwarding subject?
    Our printer is a STAR TSP if you would like to know. The Win 7 clients print fine to the printer locally on the LPT port when not connected to the Terminal session.
    Thanks for your time.

    Hello Mobay,
    Here is the conclusion about this situation:
    Symptom:
    The Win7 client could not re-direct LPT port to a local printer when connecting through a terminal server/remote desktop session.
    Cause:
    This is a known product issue of Win7, no QFE available yet.
    Resolution:
    Possible workaround with Windows XP SP3, RDP 6.1 (and Hotfix 972828).
    Win7/Win2k8r2 | Vista/Win2k8 | WinXP/Win2k3
    RDC 5.2: Succeed to redirect
    RDC 6.1: Fail to redirect | Succeed to redirect
    RDC 7.0: Fail to redirect | Fail to redirect | Succeed to redirect
    So it's by design that you can't use LPT port through RDP on Win 7 client machine.
    Best Regards
    Darith Iv
    Core System Analyst
    Microsoft Product Services and Support

  • LRT214 Accessing Web Services with Port Forwarding & Port Translation

    Good afternoon to all,
    Purchased the LRT214 yesterday afternoon and it was a breeze to configure the internet settings and get back online. But after the initial configuration, I ran into some trouble getting the router to do port translation together with port forwarding.
    The port forwarding setup is straightforward and works perfectly, the same cannot be said for the port translation which does not seem to work. I programmed the following,
    1) external port 88 forwarded to internal port 80 for 192.169.1.12
    2) external port 89 forwarded to internal port 80 for 192.169.1.13
    Can someone point me in the correct direction to achieve the above?
    Router Model : LRT214
    Firmware Revision : 1.0.2.06
    Working Mode : Gateway

    Port Address Translation => Service Management
    Add two Services for the port translations and then add the translations to the list. Let us know if you get any errors.
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • RV320 Bug - Service Management Table (Port Forwarding)

    I'm unable to add more than 16 entries for port forwarding.
    It's a RV320 on v1.1.1.06 (newest to date) and it doesn't accept more than 16 entries in the "Service Management Table" required for port forwarding. As soon as I try to enter number 17 and hit save the window closes like it always does but you can see for a short time it says "Critical failure. Please contact support." Everything else works, except for the entry in the Service Management Table. I'm also unable to use it in the port forwarding section, it just doesn't save the entry. I'm unable to add any services to the list unless I delete others but it only works again until number 16.
    Actually the "limit" is 37 because it comes with 21 services entered out of the box.
    I couldn't find any bug reporting website that I could use without a contract. So I seek for help here.
    Anybody else having this issue or is it just my device?

    10 days ago a post was made in https://supportforums.cisco.com/discussion/12353771/cannot-manage-service-list-all-waited-unacceptably-long-fix  indicating there is a new firmware in beta test, I've contacted support to try to get a copy.
    I'm moving off Draytek, have a 2830 with latest firmware and various weird issues that they've confirmed are bugs but cannot provide a due date for fix. DHCP randomly giving out wrong DNS server addresses, tagged VLAN support flaky and giving out DHCP details from wrong VLAN (worked around using 1 cable from switch per VLAN and using port based VLAN rather than tagged), App Enforcement for IM blocking causing SMTP and Live.com login issues. And that's just what cropped up last week with the unit at work here. Still using it for our live router as we can't put the RV320 in place until we can configure all the required ACLs which needs more than 16 service entries.

  • Terminal Services licensing firewall ports

    I have been searching the internet for an informative network\firewall drawing for the Terminal Services Licensing traffic when it comes to firewall ports requirements etc 
    Does someone have a detailed description or a (visio) drawing showing the ports required for WTS Licensing?
    We have the following Citrix based Terminal Server environment:
    - Windows 2008 R2 running XenApp6
    - Clients come from internal (LAN) and external connections (Citrix Access Gateway)
    - There is a firewall between the Citrix XenApp WTS farm and the MS Terminal Services Licensing server (Win 2008 R2)
    Can someone explain how the TSCAL\RDCAL "traffic" flows and the ports required from A-Z ?
    /Tord Bergset

    I believe the correct random ports used for Windows Server 2008 are 49152-65535, not 1024-65535
    I am looking for a Visio or something showing this...
    For Citrix solutions one has no problem finding network drawings showing firewall ports etc., but for MS WTS licensing I just cannot find anything showing ports required etc.
    Lots of design docs\drawings regarding RDP traffic etc., but not anything for the RDCAL\TSCAL licensing traffic
    Scenario below:
    Need all WTS Licensing ports listed for the solution to work for external and internal clients
    [Diagram elements: External clients using 2 factor auth; Firewall; Citrix Web Interface Server; Firewall; Citrix Licensing server; Firewall; Citrix WTS Farm; Internal Clients; Citrix Secure Gateway; MS Terminal server Licensing server]
    /Tord Bergset

  • Port Forwarding for Filemaker Pro on Airport Extreme

    I really don't know what I'm doing - I'm trying to get my Instant Web for Filemaker to work - It was set up on my MacBook Pro and then I moved everything to this iMac and now it's not working. I do know that the port for FM Pro is 591. I have it set up in FM Pro sharing and it gives me an IP address that should work. Which, by the way, it does inside my network, but not from outside. So, I need to know how to set up the Port Forwarding on my Apple Extreme to make this work.

    I don't use FM, but do port forwards on AE for my private website using DynDNS
    Go to Applications >> Utilities >> AirPort Utility >> pick your AE and click Manual Setup button
    Go to Advanced >> Port Mapping >> click the PLUS to add a new port fwd
    Leave the Service drop down as is
    Set public TCP and private TCP fields to 591
    Set the private IP to the IP address of your iMac as your AE assigned it - I assume that your AE will have 10.0.1.1 and your iMac will be 10.0.1.X - not sure whether you use DHCP and let AE do the work or manually assign private IPs yourself
    Give it a description in the next window. Not sure about advertising via Bonjour - I'd try both.
    If you don't know what private IP your iMac has, go to applications >> utilities >> Terminal app and type this command: ifconfig
    You'll see something like this. In my case, since I use Ethernet to connect my Mac to the AE router, en0 is my active connection and my private IP is 10.0.1.12 as shown below. If you use WiFi, your main connection will be en1
    Last login: Sun Mar 13 20:52:12 on console
    Mac-mini:~ jiri$ ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 fd75:7419:92a9:cab8:226:4aff:fe15:f970 prefixlen 128
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0 mtu 1280
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:26:4a:15:f9:70
    inet6 fe80::226:4aff:fe15:f970%en0 prefixlen 64 scopeid 0x4
    *inet 10.0.1.12* netmask 0xffffff00 broadcast 10.0.1.255
    media: autoselect (1000baseT <full-duplex,flow-control>)
    status: active
    en1: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    ether 00:26:08:ec:4f:fa
    media: autoselect (<unknown type>)
    status: inactive
    fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
    lladdr 00:26:4a:ff:fe:15:f9:70
    media: autoselect <full-duplex>
    status: inactive
    utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet6 fe80::226:4aff:fe15:f970%utun0 prefixlen 64 scopeid 0x7
    inet6 fd00:6587:52d7:85:226:4aff:fe15:f970 prefixlen 64
    Mac-mini:~ jiri$
    Let me know, if it works...

  • Port Forward in Cisco series 800

    Dear Support
    Below is the configuration of a Cisco Series 800 router that has a VDSL internet port; the configuration is as below:
    I added three commands.
    What is required in order to make port forwarding work?
    ip nat inside source static tcp  8000 10.10.10.10 8000 dilar 0
    ip nat inside source static tcp 554  10.10.10.10 554 dilar 0
    ip access list extended 100
    permit ip any any
    What is required to make port forward to the local IP address 10.10.10.10 from the outside interface, that is, the VDSL port?
    ! Last configuration change at 10:47:44 KSA Wed Apr 22 2015 by aamalsup
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime
    service password-encryption
    hostname AamalNet
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret level 2 5 $1$Y4PF$K6TQ5wf0gcHiO5IxvLZba0
    enable secret level 5 5 $1$WZeO$BzTCl0C0e1078CWxExJK0/
    enable secret 5 $1$plq6$P5HVL/tR81cs0GFDrD.0V/
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    clock timezone KSA 3 0
    crypto pki trustpoint TP-self-signed-1682106276
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1682106276
     revocation-check none
     rsakeypair TP-self-signed-1682106276
    crypto pki certificate chain TP-self-signed-1682106276
     certificate self-signed 02
          quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.11.1
    ip dhcp pool lan
     import all
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 212.93.192.4 212.93.192.5
     lease 0 2
    ip dhcp pool wireless
     import all
     network 10.10.11.0 255.255.255.0
     default-router 10.10.11.1
     dns-server 212.93.192.4 212.93.192.5
     lease 0 2
    no ip domain lookup
    ip domain name aamal.net.sa
    ip name-server 212.93.192.4
    ip name-server 212.93.192.5
    no ipv6 cef
    cwmp agent
     enable download
     enable
     session retry limit 10
     management server password 7 094D4308151612001D05072F
     management server url http://aamalservice.aamal.net.sa:9090
    license udi pid C887VA-W-E-K9 sn FCZ17459018
    archive
     log config
      hidekeys
    username k privilege 15 password 7 020D
    username admin privilege 15 password 7 14161606050A
    controller VDSL 0
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group aamalnet
     key aamalnet
     dns 212.93.192.4 212.93.192.5
     include-local-lan
     dhcp server 10.10.10.1
     max-users 10
     netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group aamalnet
       client authentication list sdm_vpn_xauth_ml_2
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode tunnel
    crypto ipsec profile SDM_Profile1
     set security-association idle-time 60
     set transform-set ESP-3DES-SHA
     set isakmp-profile sdm-ike-profile-1
    bridge irb
    interface ATM0
     no ip address
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     pvc 0/35
      pppoe-client dial-pool-number 1
    interface Ethernet0
     no ip address
     shutdown
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Virtual-Template1 type tunnel
     ip unnumbered Dialer0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    interface Wlan-GigabitEthernet0
     description Internal switch interface connecting to the embedded AP
     switchport mode trunk
     no ip address
    interface wlan-ap0
     description Embedded Service module interface to manage the embedded AP
     ip unnumbered Vlan1
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    interface Vlan2
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 0007145E2E5A05522E1858
     no cdp enable
    interface BVI2
     ip address 10.10.11.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 1 permit 10.10.11.0 0.0.0.255
    access-list 23 permit 212.93.196.0 0.0.0.255
    access-list 23 permit 212.93.192.0 0.0.0.255
    access-list 23 permit 212.93.193.0 0.0.0.255
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit 10.10.11.0 0.0.0.255
    dialer-list 1 protocol ip permit
    no cdp run
    snmp-server community private RW
    snmp-server community public RO
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    privilege interface level 5 encapsulation
    privilege interface level 5 description
    privilege interface level 5 no encapsulation
    privilege interface level 5 no description
    privilege interface level 5 no
    privilege configure level 5 ip route
    privilege configure level 5 interface
    privilege configure level 5 controller
    privilege configure level 5 ip
    privilege exec level 5 copy running-config tftp
    privilege exec level 5 copy running-config
    privilege exec level 5 copy
    privilege exec level 5 write memory
    privilege exec level 5 write
    privilege exec level 5 configure terminal
    privilege exec level 5 configure
    privilege exec level 5 show processes cpu
    privilege exec level 5 show processes
    privilege exec level 2 show running-config
    privilege exec level 5 show configuration
    privilege exec level 2 show
    privilege exec level 5 clear counters
    privilege exec level 5 clear
    banner exec
    CC
    % Password expiration warning.
    Cisco Router and Security Device Manager (SDM) is installed on this device and
    it provides the default username "cisco" for  one-time use. If you have already
    used the username "cisco" to login to the router and your IOS image supports the
    "one-time" user option, then this username has already expired. You will not be
    able to login to the router with this username after you exit this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you want to
    use.
    banner login
    CC
    ********STC AamalNet Service****************************************
    ********Authorize Access Only. For more Support Call 909************
    line con 0
     privilege level 15
     no modem enable
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     stopbits 1
    line vty 0 4
     access-class 23 in
     privilege level 2
     transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    end

    Hello,
    Sure.
    What version are you running?
    Regards,

  • Port forwarding, NAT, SSH and Transmission.

    A couple of days ago I decided to set up the Transmission daemon, along with automatization for my downloads. Recently, however, to put a layer of security around my laptop, I set up a wireless router I had lying around that is now connected with a wire to my laptop. The reason for this is that I have no idea how iptables work yet, and until then I decided this will suffice for the moment. One of the problems though (yes, problems seem to come in twenty-fold where my luck is concerned), is that when I rewire my laptop directly to the internet, without the router, NetworkManager or Archlinux doesn't reset the IP address, which for some reason jumps to 192.168.1.122, which it never uses otherwise. I haven't yet tried reinstalling networkmanager, but when I did turn it off, dhcpcd assigned the same address... The problem here being that it shouldn't assign a LAN-address, I'm directly connected to the internet. Sidenote here though; my internet connection is just a plug in the wall, the operators here (I live on a kind of campus), probably only use a network-switch to relay the traffic to the socket.
    That's that, my wired network doesn't work directly, only via the wireless router, wired or wireless. Because of this, I have to use port-forwarding for SSH (to test if the port forwarding works), and the Transmission daemon with an rcmp port of 9091, which was my intention in the first place. I have no idea if logging into my.ip.address.here:9091 in a browser would work, I just used localhost:9091.
    Now for the results:
    $ nmap -sT xx.xxx.xx.xx
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-14 19:42 CEST
    Nmap scan report for xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Host is up (0.038s latency).
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp filtered ssh
    53/tcp open domain
    80/tcp open http
    9091/tcp filtered unknown
    Here it shows that the ports are actually not closed, but they're not exactly opened either, from what I gathered from the internet.
    SSH shows the true problem:
    $ ssh neal@xxxxxxxx
    ssh: connect to host xxxxxxxx port 22: Connection timed out
    SSH-ing to 192.168.0.102 (my internal ip) works, as does to localhost, same for Transmission webGUI. Before I used port-forwarding ssh would correctly say that it couldn't get traffic from the router.
    My router is a cheap solution to another problem I had, but it should work like any router. It's a Sitecom WL-607. I disabled login authentication for the moment. Also, there is no filtering going on in the firewall. Like I said earlier, I don't get iptables, so that's not being used. The hosts file allows all and denies nothing.
    TLDR version; I'm using port-forwarding on my Sitecom WL-607, but all ports except http and the 53 port are being blocked.
    Is there something I'm missing here?
    Thanks in advance,
    Neal van Veen.

    By default, all routers assign their clients an IP address from their internal pool of addresses. Your wireless router is assigning you that address and then NATs the connection with the WAN side, but even after directly plugging in to the wall socket you still don't get a new IP address. Use dhcpcd <mydev> in a terminal to refresh the DHCP lease. If not, then your campus/location/etc. may also be using NAT on their own side.
    As for the ports, iptables doesn't block any traffic by default, it allows everything. If there is filtering, it is from your wireless router.
    On the above ssh and nmap scans, did you use your LAN IP or your public IP?

  • Port Forwarding in RV220n

    Good morning:
    We have a problem when forwarding ports, specifically with the terminal port 3389.
    We have created 2 rules, or custom SERVICEs:
    1. TERMINAL Type TCP Start port 3389 Finish port 3389
    2. Terminal 2 Type TCP SP 4444 FP 4444
    In Port Forwarding we allow (allow always) Service TERMINAL, source Any, Destination 192.168.20,30 (IP of the machine), Forwarding from port same and Forward to Port same.
    This works.
    In the second entry, Terminal 2 (allow always): Service Terminal2, source Any, Destination 192.168.20,10 (IP of the machine), Forwarding from port same and Forward to Port 3389.
    THIS DOES NOT WORK
    Current Firmware Version:
    1.0.3.5
    Does anyone know why this happens??
    Thanks

    Good morning Mr. Sanchez,
    My name is David Aguilar, and I am a technical support engineer with the Cisco Small Business Support Center.
    To forward ports on the RV220W, you must use a custom service and an Access Control List. Do the following:
    1. First, delete the port forwarding rules you have already created. You do not need them.
    2. Go to Firewall > Advanced > Custom Services. Create two custom services. See:
    3. Go to Access Rules and click Add Rule. Create the rule like the following and then click Save.
    This will forward the port. See:
    If you have additional questions, please call support. Here are the support phone numbers: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Thank you.

  • WEBVPN and Windows Terminal Services

    Does anyone have a copy of a config to set up WEBVPN with Windows Terminal Services? I have opened port 3389, but something does not seem to be working correctly.

    Hi Paul,
    you don't say exactly what is not working, but anyhow here is an example config:
    Under Configuration | Tunneling and Security | WebVPN | Port Forwarding you put the following into the fields:
    Name: Terminal Server
    Local TCP Port: 2000
    Remote Server: 10.172.24.100
    Remote TCP Port: 3389
    Now after the user has logged into the WebVPN and clicked on Application Access he will see a window. In the window there are 6 columns. In the Local column you will see something like 127.0.0.1:2000 and in the Remote column 10.172.24.100:3389. The user will type 127.0.0.1:2000 in the computer field in the Remote Desktop Connection window.
    Hope this helps,
    Vidir

  • Port-forwarding or UPnP on VERIZON FIOS modem/router

    I'm trying to help someone access his home network remotely from another location. he just got the new Verizon FIOS network.
    I'm new to the world of port-forwarding and UPnP forwarding, but have learned a lot in a short period of time.
    I can easily setup port-forwarding and UPnP forwarding (necessary to setup the afp file sharing, screen sharing, etc) on Linksys routers that have those capabilities.
    My friend just got the new Verizon FIOS network installed. It is smoking fast both up and down. We figured out that the box Verizon provided him (it's a fairly huge thing) is an internet modem, a router, and a wireless router all in one.
    And once we accessed its control panel, I definitely saw places where we could configure port-forwarding........
    but it's not quite as straightforward as it is on a Linksys router in that, on a Linksys, if I want to open a specific port, like 5900, for screen sharing, I can easily type in the numbers 5900 and type the IP address of the computer on my LAN that I wish to forward port 5900 traffic to.......or I can do this with UPnP forwarding....either way it is simply and fully controllable.
    But on this Verizon box, it seems to have most standard ports and protocols stored in presets that you must choose from. For example, if I wanted to setup port forwarding for FTP traffic, I would choose FTP from the dropdown menu and then the router would automatically know to forward port 21 to the computer of my choice.
    But we specifically want to turn on AFP for Apple file sharing, which is port 548. On the Linksys, I could simply type port 548. But this Verizon router does not show a service called AFP. It has a nice LONG menu of many different pre-set options, but AFP is not one of them. Would it be called something else on a device like this that is obviously not specifically designed to know Apple's file sharing protocol?
    So would anyone know what kind of service I should look for that opens port 548 for file sharing?
    Anyone have experience with these new Verizon routers/modems yet? I'd really love to find a way to type everything in manually, but I dunno if that's possible on this unit.
    I know there's a lot here. Thank you to anyone who knows about this and can shed some light.

    That doesn't work because applications that initiate outbound connections are given randomly assigned 5-digit port numbers (e.g., 49144) through which the CLIENT communicates. The "well known" port numbers like 548 for afp, 22 for ssh, 80 for web servers, etc., are for the SERVER function to which the server daemon listens. Example: you don't send the request to download your email from your pop 110 (or 995 when using SSL), or from your imap 143 (or 993 when using SSL); that's the port number at the DESTINATION server to where your traffic is delivered, i.e., the port to which that SERVER is listening for incoming traffic. Same for when you send mail, you send from some randomly assigned five-digit port number TO the smtp server's port 25. You can see this by launching Terminal.app from an admin-privileged account and typing sudo tcpdump -i en1 (use en1 for airport, en0 for wired ethernet) and looking at the packet transmissions' headers.

  • WEBVPN and Terminal Services Web Connection

    Does ASA WEBVPN support MS Terminal Services Web Connection? I can reach the first login page but cannot go further. I click the "connect" button, no response at all! All other web services are running well through webvpn, only MS Terminal Services Web Connection is not.
    I noticed when I use my local PC to connect to the web terminal server, it first uses port 80 and then uses port 3389. I tried port forwarding
    port-forward TSSERVER www 10.1.1.1 3389
    port-forward TSSERVER 3389 10.1.1.1 3389
    still does not work, please advise.
    my ASA version:
    Cisco Adaptive Security Appliance Software Version 7.2(1)
    Device Manager Version 5.2(1)
    Thanks.

    This is the kind of thing that you need a sniffer trace on both sides of the CSS to determine what the problem is.

  • Time Capsule Does Not Port Forward FTP Ports

    Hey there,
    I recently purchased a Time Capsule, and I found out that while it fixes the NAT-PMP bug found in my previous AirPort Extreme Base Station (Gigabit-N), it introduces a new problem which makes it refuse to forward port 21 properly.
    It seems to me that the Time Capsule has some sort of FTP server built in, and is either enabled but closes connection on client connection, or disabled but still listens for client connection.
    This message is what I get when I connect to my IP via FTP from the WAN side (FTP port forwarded to a local machine with an IP 10.0.0.8):
    421 Service not available, remote server has closed connection.
    When it is accessed from the LAN of course, I can connect to 10.0.0.8 with no problem. However, what is interesting is if I connect to the Time Capsule via FTP I get this as well:
    421 Service not available, remote server has closed connection.
    Thus, I am 100% certain that the FTP message I see when I connect from WAN is from the Time Capsule instead of the machine I port forwarded to.
    Apple needs to fix this annoying problem and at the same time fix some VPN issues I'm having with my Nortel VPN client (4.68). It was all working when I had the AirPort Extreme Base Station.

    I am having a problem establishing an FTP session that is started with my FTP Client (CuteFTP) on my local network and attempting to connect to an FTP Server with one of my hosting providers. My first few attempts used FTPS (Secure FTP) as that is what I typically use when transferring FTP packets over the net. Well, this didn't work, so I thought maybe the Time Capsule had a problem inspecting the encrypted packets, so I switched to standard clear-text FTP just to see if the Time Capsule handles FTP session management functions correctly. This didn't work either. I'm using PASV FTP and have never had a problem before with my CISCO Router or with another consumer-based NAT router. I don't believe that the Server on the Internet gets the initial request on port 21, as I believe the Time Capsule is not allowing the packet to pass and my FTP Client spits back an error message: "Couldn't access FTP service " "Connection Failed". I have also used "Terminal" and initiated the ftp utility and attempted to connect to the same server and receive the following error message: "421 Service not available, remote server has closed connection.". I have attempted to put my computer in the DMZ by using the Default Host feature on the Time Capsule, but that resulted in the same errors. I believe that I have tried most of the settings available on the Time Capsule to attempt to get this to work, but no luck yet. If the packet is getting through to the server and the response back on the current ephemeral port is not getting through the Time Capsule, I'm really hoping the solution is not having to port map all ephemeral ports, as this is in the tens of thousands. Has anyone successfully established an FTP Session (Secure or Not) from your local client through the Time Capsule to a Server on the Internet? If so, could you help by providing any Time Capsule settings that were required for this to function properly. Thanks in advance.
    Note: I have attempted to ftp to several different public ftp servers on the Internet and get the same error results. I have no problems ftping to local servers on my local network.

  • SSGD vs. Windows Terminal Services

    I'm using one Windows Terminal Services server with 20 clients in my office. My question is, what advantages (and disadvantages such as serial port forwarding) can I expect from using SSGD?
    Thanks in advance.
    Regards!

    I'm using one Windows Terminal Services server with
    20 clients in my office. My question is, what
    advantages (and disadvantages such as serial port
    forwarding) can I expect from using SSGD?
    SSGD will also use the Terminal Services. The advantage you get is, that you can deposit the access also from the outside (= Internet) and not only to the inside.
    Markus

  • Port Forwarding for RDP 3389 is not working

    Hi,
    I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall, it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
    TAMSATR1#show run
    Building configuration...
    Current configuration : 11082 bytes
    version 15.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname TAMSATR1
    boot-start-marker
    boot system flash:/c880data-universalk9-mz.152-1.T.bin
    boot-end-marker
    logging count
    logging buffered 16384
    enable secret
    aaa new-model
    aaa authentication login default local
    aaa authentication login ipsec-vpn local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization console
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6 0
    clock summer-time CDT recurring
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1879941380
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1879941380
    revocation-check none
    rsakeypair TP-self-signed-1879941380
    crypto pki certificate chain TP-self-signed-1879941380
    certificate self-signed 01
    ip dhcp excluded-address 10.20.30.1 10.20.30.99
    ip dhcp excluded-address 10.20.30.201 10.20.30.254
    ip dhcp excluded-address 10.20.30.250
    ip dhcp pool tamDHCPpool
    import all
    network 10.20.30.0 255.255.255.0
    default-router 10.20.30.1
    domain-name domain.com
    dns-server 10.20.30.20 8.8.8.8
    ip domain name domain.com
    ip name-server 10.20.30.20
    ip cef
    no ipv6 cef
    license udi pid CISCO881W-GN-A-K9 sn
    crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
    ip tftp source-interface Vlan1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
      pass
    zone security sslvpn-zone
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp policy 20
    encr aes 192
    authentication pre-share
    group 2
    crypto isakmp key password
    crypto isakmp client configuration group ipsec-ra
    key password
    dns 10.20.30.20
    domain tamgmt.com
    pool sat-ipsec-vpn-pool
    netmask 255.255.255.0
    crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    crypto ipsec profile VTI
    set security-association replay window-size 512
    set transform-set TSET
    crypto dynamic-map dynmap 10
    set transform-set ipsec-ra
    reverse-route
    crypto map clientmap client authentication list ipsec-vpn
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
    ip address 10.20.250.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    interface Tunnel0
    description To AUS
    ip address 192.168.10.1 255.255.255.252
    load-interval 30
    tunnel source
    tunnel mode ipsec ipv4
    tunnel destination
    tunnel protection ipsec profile VTI
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    ip address 1.2.3.4
    ip access-group INTERNET_IN in
    ip access-group INTERNET_OUT out
    ip nat outside
    ip virtual-reassembly in
    no ip route-cache cef
    ip route-cache policy
    ip policy route-map IPSEC-RA-ROUTE-MAP
    duplex auto
    speed auto
    crypto map clientmap
    interface Virtual-Template1
    ip unnumbered Vlan1
    zone-member security sslvpn-zone
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.20.30.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
    ip default-gateway 71.41.20.129
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
    ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
    ip nat inside source static 10.20.30.20 (public ip)
    ip route 0.0.0.0 0.0.0.0 public ip
    ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
    ip access-list extended ACL-POLICY-NAT
    deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
    deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
    deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
    permit ip 10.20.30.0 0.0.0.255 any
    permit ip 10.20.31.208 0.0.0.15 any
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended INTERNET_IN
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit esp host 24.153. host 66.196
    permit udp host 24.153 host 71.41.eq isakmp
    permit tcp host 70.123. host 71.41 eq 22
    permit tcp host 72.177. host 71.41 eq 22
    permit tcp host 70.123. host 71.41. eq 22
    permit tcp any host 71..134 eq 443
    permit tcp host 70.123. host 71.41 eq 443
    permit tcp host 72.177. host 71.41. eq 443
    permit udp host 198.82. host 71.41 eq ntp
    permit udp any host 71.41. eq isakmp
    permit udp any host 71.41eq non500-isakmp
    permit tcp host 192.223. host 71.41. eq 4022
    permit tcp host 155.199. host 71.41 eq 4022
    permit tcp host 155.199. host 71.41. eq 4022
    permit udp host 192.223. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit tcp any host 10.20.30.20 eq 3389
    evaluate INTERNET_REFLECTED
    deny   ip any any
    ip access-list extended INTERNET_OUT
    permit ip any any reflect INTERNET_REFLECTED timeout 300
    ip access-list extended IPSEC-RA-ROUTE-MAP
    deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
    deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
    permit ip 10.20.30.208 0.0.0.15 any
    deny   ip any any
    access-list 23 permit 70.123.
    access-list 23 permit 10.20.30.0 0.0.0.255
    access-list 24 permit 72.177.
    no cdp run
    route-map IPSEC-RA-ROUTE-MAP permit 10
    match ip address IPSEC-RA-ROUTE-MAP
    set ip next-hop 10.20.250.2
    banner motd ^C
    UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
    You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
    ^C
    line con 0
    logging synchronous
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0
    access-class 23 in
    privilege level 15
    logging synchronous
    transport input telnet ssh
    line vty 1 4
    access-class 23 in
    exec-timeout 5 0
    privilege level 15
    logging synchronous
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 198.82.1.201
    webvpn gateway gateway_1
    ip address 71.41. port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-1879941380
    inservice
    webvpn context TAM-SSL-VPN
    title "title"
    logo file titleist_logo.jpg
    secondary-color white
    title-color #CCCC66
    text-color black
    login-message "RESTRICTED ACCESS"
    policy group policy_1
       functions svc-enabled
       svc address-pool "sat-ipsec-vpn-pool"
       svc default-domain "domain.com"
       svc keep-client-installed
       svc split dns "domain.com"
       svc split include 10.0.0.0 255.0.0.0
       svc split include 192.168.0.0 255.255.0.0
       svc split include 172.16.0.0 255.240.0.0
       svc dns-server primary 10.20.30.20
       svc dns-server secondary 66.196.216.10
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_1
    gateway gateway_1
    ssl authenticate verify all
    inservice
    end

    Hi,
    I didn't see anything marked with red in the above? (At least when I was reading)
    I have not really had to deal with Routers at all since we do all access control and NAT with firewalls.
    But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
    There also seems to be a Static NAT configured for the same internal host, so I am wondering why the Static PAT (Port Forward) is used?
    - Jouni
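
Added example, not part of the thread or of any poster's configuration: on IOS the inbound ACL on the outside interface is evaluated before the NAT translation, so it has to match the public (inside global) address of a static PAT. This Python script checks a config for that mismatch; the sample config is constructed, 203.0.113.10 is a placeholder address, and only `permit tcp|udp <any|host> <any|host> eq <port>` entries are parsed.

```python
import re

# Constructed sample modelled on the thread; 203.0.113.10 is a placeholder public address.
BROKEN = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.0
 ip access-group INTERNET_IN in
 ip nat outside
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip access-list extended INTERNET_IN
 permit tcp any host 10.20.30.20 eq 3389
 deny   ip any any
"""
# Same config with the entry rewritten to the inside-global (public) address.
FIXED = BROKEN.replace("any host 10.20.30.20 eq", "any host 203.0.113.10 eq")

PAT = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
ACE = re.compile(r"permit\s+(tcp|udp)\s+(any|host \S+)\s+(any|host \S+)\s+eq\s+(\S+)")

def audit(config):  # check each static PAT against its outside interface's inbound ACL
    ifaces, acls, pats, ctx = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            ctx = ifaces.setdefault(m[1], {"ip": None, "acl_in": None})
        elif m := re.match(r"ip access-list extended (\S+)", line):
            ctx = acls.setdefault(m[1], [])
        elif m := PAT.match(line):
            pats.append(m.groups())
        elif isinstance(ctx, dict) and (m := re.match(r"ip address (\d\S*)", line)):
            ctx["ip"] = m[1]
        elif isinstance(ctx, dict) and (m := re.match(r"ip access-group (\S+) in$", line)):
            ctx["acl_in"] = m[1]
        elif isinstance(ctx, list) and (m := ACE.match(line)):
            ctx.append(m.groups())
    findings = []
    for proto, local_ip, lport, ifname, gport in pats:
        iface = ifaces.get(ifname, {"ip": None, "acl_in": None})
        aces = [a for a in acls.get(iface["acl_in"], []) if a[0] == proto]
        # The inbound ACL runs before NAT, so it sees the public address and port.
        hits = [a for a in aces if a[2] in ("any", f"host {iface['ip']}") and a[3] == gport]
        status = ("no-inbound-acl" if iface["acl_in"] is None else
                  "permitted" if hits else
                  "acl-matches-inside-local" if any(
                      a[2] == f"host {local_ip}" and a[3] == lport for a in aces) else "not-permitted")
        findings.append({"forward": f"{proto}/{gport} -> {local_ip}:{lport}", "status": status,
                         "any_source": any(a[1] == "any" for a in hits)})
    return findings

if __name__ == "__main__":
    print(audit(BROKEN), audit(FIXED), sep="\n")
```

The `any_source` field marks a forward whose permitting entry accepts every source address, which for 3389 is worth comparing against the host-restricted entries used for the other services in the same ACL.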

Maybe you are looking for