topic Re: NATto Remote Desktop Protocol in Network Security

NATto Remote Desktop Protocol

yong khang NG — Mon, 11 Mar 2019 18:42:22 GMT

Hi, I am new to ASA, especially to ASDM 8.3.1

As the topology show, I would like to setup a rule and NAT for user at public IP remote to the dedicate machine, using port 3389 (RDP)

Pubic network (int outside 202,152,80.34 ) ->STATIC NAT --> 10.10.100.100, port 3389

What’s the step I should deal with it? I am confuse with GUI setting, is it compulsory ask to create network object for doing NATTING? (very different from previous GUI setting)

So for my case, how likely I can use the GUI to do on it. While if it’s success I can console and check on the CLI for the configuration made and learn on it

thanks

Re: NATto Remote Desktop Protocol

Jennifer Halim — Mon, 20 Sep 2010 06:48:54 GMT

Here is how you would configure it:

Via ASDM:

Please see attached word screen shot.

Via CLI:

object network obj-RDP-10.10.100.100

host 10.10.100.100

nat (inside,outside) static interface service tcp 3389 3389

Hope that helps.

Re: NATto Remote Desktop Protocol

August Ritchie — Mon, 20 Sep 2010 09:19:00 GMT

In addition to the NAT you will need to make sure that you add an access-list to the outside interface to the REAL IP. (This is new in 8.3 as before you created an access-list to the MAPPED IP)

With normal outside interface naming conventions, it will usually look like this:

access-list outside_access_in permit tcp host 10.10.100.100 eq 3389

Hope this helps

Re: NATto Remote Desktop Protocol

yong khang NG — Mon, 20 Sep 2010 09:19:51 GMT

Hi halijenn,

thanks for the reply, i will test it out after hour (cannot conduct any testing on production time...) but anyhow, i never do the attemp same like what you showing on the screenshot do...

i hope you can give more idea on how to do on ASA - NAT. (i'm ok with fundamental routing & switching part, but i am still very fresh with ASA, esp ASDM GUI..)

(1) normal practice doing firewalling, first is it need to define the network object and service object, so that these element can let for re-use on either ACL or NAT section,rite? then only we go for ACL, for lower security-level interface would like go inside interface etc etc...then come to NAT

(2) assuming this topology, 2 interface (inside, outside). i just wonder why once i create NAT then it will auto treat my source and destination network be part of any new object ? it seems like defeat my (1) step action, making duplicated on the network object.

(3) for firewall > NAT rules, how to configure on "Add NAT Rulebefore /after network onect NAT rules.." mean? (attachment)

It just confuse me why original packet with soure and destination address, then action:translate packet also with source and destination address..

(4) once i do in CLI, natting now seem only can do on network object..i am more on old school like static (inside, outside)...

confuse..hope u can guide

Re: NATto Remote Desktop Protocol

Jennifer Halim — Mon, 20 Sep 2010 09:40:38 GMT

NAT from ASA version 8.3 onwards has completely changed, it has changed to the following 2 NAT concepts:

1) Network object NAT

2) Twice NAT

If you are familiar with NAT on ASA on the previous version, you might need to read the following documentation for version 8.3 onwards for NAT order of operation:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

Network object NAT: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

Twice NAT: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.html