https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611790#M559749 <HTML><HEAD></HEAD><BODY><P>Good call, that's always one of the tricks <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Fri, 18 Mar 2011 07:20:15 GMT Jennifer Halim 2011-03-18T07:20:15Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611783#M559738 <P>Hi,</P><P></P><P>I want to allow RDP into a machine behind a DSL router/modem and the DSL route/modem is behind Cisco PIX firewall, I am not sure if it's possible.</P><P></P><P>The DSL is obviously doing nat inside and outside.</P><P></P><P>My config:</P><P></P><P>Cisco PIX:</P><P></P><P>access-list outside_access_in extended permit tcp any interface outside eq 63389</P><P></P><P>static (inside,outside) tcp interface 63389 192.168.1.51 63389 netmask 255.255.255.255</P><P></P><P>Cisco router:</P><P></P><P>Dialer0 192.168.1.51</P><P>int fa0 192.168.2.1/24</P><P></P><P>ip nat ouside source static tcp 192.168.1.51 63389 192.168.2.101 3389</P><P></P><P>So far my tests are failing, any ideas?</P><P></P><P>thanks</P> Mon, 11 Mar 2019 20:08:12 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611783#M559738 hadisharifi 2019-03-11T20:08:12Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611784#M559739 <HTML><HEAD></HEAD><BODY><P>Can you please advise if your PIX outside interface is assigned a public ip address as it changes the NAT that you would need to do.</P><P></P><P>NATing needs to be done for the RDP server, not for the router interface ip address.</P><P></P><P>Please kindly provide a copy of the PIX configuration, the server ip address and assuming that you would like to NAT it to the PIX outside interface IP so we can help accordingly.</P></BODY></HTML> Thu, 17 Mar 2011 06:54:18 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611784#M559739 Jennifer Halim 2011-03-17T06:54:18Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611785#M559740 <HTML><HEAD></HEAD><BODY><P>Hi, I knew it was going to be&nbsp; a confusing one but I will try to explain it a bit better hopefully <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>The DSL router is behind the PIX firewall and the PIX doesn't know about the LAN on the DSL router, it only knows the DSL port (dialer0) ip address. Remeber that DSL router is natting everyting on it's inside to the dialer0 IP address (192.168.1.51) and that is what the PIX knows.</P><P></P><P>The 192.168.1.51 is the dialer0 ip address of the DSL router that PIX can reach, the RDP server 192.168.2.101 that PIX doesn't know&nbsp; and is hidden behind the dialer0 and gets natted.</P><P></P><P>The PIX outside interface does have a public IP address and packet tracer shows that packet from outside destined to the outside interface of the PIX on port 63389 is allowed, but obviously it doesn't work end to end.</P><P></P><P>Could it be that because the nat happens twice once on the PIX to the dialer0 ip address of the DSL router which is already natting/patting the LAN on the DSL router.</P><P></P><P>Please let me know if it doesn't make sense and I will draw a diagram.</P></BODY></HTML> Thu, 17 Mar 2011 11:51:18 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611785#M559740 hadisharifi 2011-03-17T11:51:18Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611786#M559742 <HTML><HEAD></HEAD><BODY><P>Here is the diagram as per your description:</P><P></P><P>RDP (192.168.2.101) -- router (192.168.1.51) -- (inside) PIX (outside) -- internet</P><P></P><P>Please confirm if that is correct.</P><P></P><P>If it is, then the NAT configured is incorrect. You currently have:</P><P>ip nat ouside source static tcp 192.168.1.51 63389 192.168.2.101 3389</P><P></P><P>It should be:</P><P>ip nat inside source static tcp 192.168.2.101 3389 192.168.1.51 63389</P><P></P><P>Clear the nat translation after the above config.</P><P></P><P>Alternatively, you can configure route on the PIX for 192.168.2.0/24 network to point to 192.168.1.51, and directly NAT it to 192.168.2.101 on the PIX.</P></BODY></HTML> Thu, 17 Mar 2011 12:14:55 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611786#M559742 Jennifer Halim 2011-03-17T12:14:55Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611787#M559744 <HTML><HEAD></HEAD><BODY><P>Hi, the diagram is correct. I changed the translation as you suggested but it doesn't make any difference, given that the DSL router is already patting everyting, isn't this going to break the static nat?</P><P></P><P>I have also tried adding a route to 192.168.2.101 on the PIX but I can't reach this IP from the pix because it gets patted?</P><P></P><P>BTW, this is the debug output on the DSL router.</P><P></P><P>*Apr&nbsp; 6 22:17:52.536: NAT - SYSTEM PORT for 192.168.1.51: allocated port 0, refcount 42, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 42, proto 6</P><P></P><P>Thanks</P></BODY></HTML> Fri, 18 Mar 2011 00:46:38 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611787#M559744 hadisharifi 2011-03-18T00:46:38Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611788#M559745 <HTML><HEAD></HEAD><BODY><P>Static NAT takes precedence over dynamic PAT, so that should work.</P><P></P><P>For the second option, you would need to configure deny for traffic between the server to anything on port 3389.</P><P></P><P>BTW, to keep it simple, can you try without changing the port first, just use the default port 3389 on the NAT/PAT statement.</P><P></P><P>Also pls share the config of both router and PIX after the changes. Thanks.</P></BODY></HTML> Fri, 18 Mar 2011 00:54:35 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611788#M559745 Jennifer Halim 2011-03-18T00:54:35Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611789#M559747 <HTML><HEAD></HEAD><BODY><P>Thanks for your help. It's all good and working, a reboot of the router might have done the trick but don't know. I didn't change anything <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Fri, 18 Mar 2011 07:17:47 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611789#M559747 hadisharifi 2011-03-18T07:17:47Z https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611790#M559749 <HTML><HEAD></HEAD><BODY><P>Good call, that's always one of the tricks <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Fri, 18 Mar 2011 07:20:15 GMT https://community.cisco.com/t5/network-security/port-forwarding/m-p/1611790#M559749 Jennifer Halim 2011-03-18T07:20:15Z