topic Portforwarding (PAT) RDP to multiple inside hosts with one publi in Network Security

Portforwarding (PAT) RDP to multiple inside hosts with one public address

joshking1 — Mon, 11 Mar 2019 23:52:36 GMT

Hi Everyone,

Please I need a clarification on configuring a PAT (or portforwarding) of RDP to 14 pcs
using a single public ip address on my ASA version 8.4. Please any info or example config will
be appreciated as I am still geting used to 8.4 from my old version 7.2.

Let us say my inside host PCs are 10.10.10.2 to 10.10.10.15 and I need to connect from the outside interface.
Since I am not using the outside interface address, I have chosen to use 2.2.2.2 as my PAT for the forwarding.

Let us say the RDP forwarded ports on the machines for this example are ports 2001 - 2014

Following some of the literatures and examples i have read, will this sample config work ok?

interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
object network obj-10.10.10.1

host 10.10.10.1

object network obj-10.10.10.2

host 10.10.10.2
.
.
.

object network obj-10.10.10.15

host 10.10.10.15

object network obj-2.2.2.2

host 2.2.2.2

object service obj-serviceTCP3389

service tcp source eq 3389

nat (inside,outside) source static obj-10.10.10.2 obj-2.2.2.2 service obj-serviceTCP3389 2001

nat (inside,outside) source static obj-10.10.10.3 obj-2.2.2.2 service obj-serviceTCP3389 2002

.
.
.
nat (inside,outside) source static obj-10.10.10.15 obj-2.2.2.2 service obj-serviceTCP3389 2014
!
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside

Thanks

Portforwarding (PAT) RDP to multiple inside hosts with one publi

Julio Carvajal — Tue, 11 Sep 2012 16:42:51 GMT

Hello,

You are on the right track but you are missing some key concepts of 8.3

I would say you have created the object service for the fake RDP ports

object service obj-service 2014

service tcp source eq 2014

If that is correct then you are 100% correct on the NAT stuff.

Now the ACL, that is the problem you have.

After 8.3 the order of operations changes on the ASA and know the ASA performs the NAT or Un-NAT first and afterwards he checks the ACL. That is why you need to point to the Un-Natted IP. In your case the real RDP PC's IP.

access-list outside_access_in extended permit tcp any 10.10.10.2 eq 3389

Remember to rate all of the posts, that is as important as a thanks,

Julio

Portforwarding (PAT) RDP to multiple inside hosts with one publi

joshking1 — Tue, 11 Sep 2012 16:58:21 GMT

Hi Julio,

Thanks for your quick response and for taking a look at this issue.

So you are saying that I need to create a service object for all the static ports that I am going to be redirecting the rdp on (i.e 15 service group for the 15 PCs)?

Also, from the point you made about the ACL, so I need to also specify the ip address of the PCs on the outside interface ACL even though they are all inside private address ranges (10.10.10.2 - 10.10.10.14)?

I just want to be sure I understood your suggestion above.

Thanks.

Portforwarding (PAT) RDP to multiple inside hosts with one publi

Julio Carvajal — Tue, 11 Sep 2012 17:06:45 GMT

Hello,

Sure..........

That is correct, one object service for each port!

Correct, Point to the private.

https://supportforums.cisco.com/docs/DOC-12690

Remember to rate all of the posts, that is as important as a thanks!!!

Portforwarding (PAT) RDP to multiple inside hosts with one publi

joshking1 — Wed, 12 Sep 2012 09:58:25 GMT

Hi Julio,

If I want to implement thesame portforwarding solution on another site but with ASA version 8.2, will this same ACL and NAT object group principle work?

I will be testing it out this weekend, first on ASA 8.2, then later next week on ASA 8.4.

Thanks.

Re: Portforwarding (PAT) RDP to multiple inside hosts with one p

joshking1 — Wed, 12 Sep 2012 11:35:37 GMT

Hi,

Here is the sample config that I plan to use for my ASA version 8.2 RDP portforwarding to inside PCs using ports 3389 - 3408. I will apply it by this weekend and confirm if it all works ok.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 2.2.2.2 3389 10.10.10.21 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3390 10.10.10.22 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3391 10.10.10.23 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3392 10.10.10.24 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3393 10.10.10.25 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3394 10.10.10.26 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 339510.10.10.27 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3396 10.10.10.28 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3397 10.10.10.29 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3398 10.10.10.30 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3399 10.10.10.31 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3400 10.10.10.32 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3401 10.10.10.33 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3402 10.10.10.34 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3403 10.10.10.35 3389netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3404 10.10.10.36 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3405 10.10.10.37 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3406 10.10.10.38 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3407 10.10.10.39 3389 netmask 255.255.255.255

static (inside,outside) tcp 2.2.2.2 3408 10.10.10.40 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 2.2.2.2 eq 3389

access-group outside_access_in in interface outside

Thanks

Portforwarding (PAT) RDP to multiple inside hosts with one publi

Julio Carvajal — Wed, 12 Sep 2012 15:00:42 GMT

Hello Josh,

Sweet. It is perfect. On 8.2 you need to point to the public IP so you are ready to go.

Remember to rate all of the answers.

Julio

Re: Portforwarding (PAT) RDP to multiple inside hosts with one p

joshking1 — Wed, 12 Sep 2012 15:04:11 GMT

Thanks Julio,

I really appreciate the help and will confirm by next tomorrow and also rate the answer !

Re: Portforwarding (PAT) RDP to multiple inside hosts with one p

Julio Carvajal — Wed, 12 Sep 2012 15:07:30 GMT

Sure.