I'm trying to get my ASA 5505 (IOS 8.4) to work, but got stuck on NAT because I would like to allow 3389 access for just a couple of WAN IPs.
This is what I found so far:
(config)# object network Internal_RDS
(config-network-object)# host 192.168.1.10
(config-network-object)# nat (inside,outside) static interface service tcp 3389 3389
(config)# access-list inbound permit tcp any object Internal_RDS eq 3389
(config)# access-group inbound in interface outside
But this will allow all WAN IPs to access 192.168.1.10 over port 3389, I guess? I would like to allow only some WAN IPs. Any help?
Use on the outside interface:
Access-list permit tcp host xxxxx host yyyyy eq 3389
Or use an object group for simpler management.
Hmm, do I have to keep my rule, or do I have to replace it:
(config)#access-list inbound permit tcp any object Internal_RDS eq 3389
(config)#access-list permit tcp host xxxxx host yyyyy eq 3389
Because the line above won't work...
My rule isn't a solution for copy-paste into the config. It's a sample. Just think about what this rule does and write your own.
Okay, let's take it one step at a time. I use port 3381 so as not to conflict with my rules. If you create your own RDP port as a service object, make sure you fill in just the destination port (it should look like all the other default ports). Note my inside LAN is called main-lan.
Assumes a single WAN IP on the outside interface.
Assume you already have a default route for the next hop to the ISP gateway (0 0 gatewayIPaddress 1).
Assume you already have a dynamic PAT rule for users on the LAN (not needed for this, but still useful).
(1) Go to FIREWALL and Objects: create the necessary objects for the WAN users and for the PC hosting the RDP server.
(2) Create the NAT object (which is the static NAT rule, and which creates the host part as well).
- don't use NAT Rules in ASDM to make this, but you can view your rules in NAT Rules as per jpeg 5
- can be confusing because you identify the host computer again, but think of this as more like a port-forwarding rule and name, not the host
(3) Go to FIREWALL and Access Rules: create the ACL rule (to allow the WAN users access).
- use Access Rules at the top (not ACL Manager) to make your rules
- select IPv4 at the bottom to simplify the view
- find the outside rules sub-menu selection, highlight it and add, as we are putting in rules under that
ASDM solution (6.4). Entries are in the pictures.
Output from the running config below:
object network rdpuser1
 host 220.127.116.11
object network rdpuser2
 host 10.234.224.34
object-group network rdp-group
 network-object object rdpuser1
 network-object object rdpuser2
object network rdp-host-pc
 host 192.168.10.1
object service newRDP
 service tcp destination eq 3381
(2a)
object network internal_RDS_NAT
 host 192.168.10.1
(2b)
object network internal_RDS_NAT
 nat (main-lan,outside) static interface service tcp 3381 3381
(3)
access-list outside_access_in extended permit object newRDP object-group rdp-group object rdp-host-pc
1 rdp pc (server)
1 new rdp port
2 nat rule embedded in object
3 firewall rule
Just for giggles, I threw in a packet trace from one of the new RDP users, simulating your public IP.
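As an added check that is not part of the thread, a small Python evaluator over object / object-group / access-list lines like the ones above, reporting which WAN sources a given ACL admits to the RDP host; it contrasts the object-group-restricted rule with the original "permit tcp any" rule from the question. The config is a constructed sample modelled on the post's objects, and it assumes the ACL is written in the `permit tcp <src> <dst> eq <port>` form rather than the service-object form the poster used.

```python
import ipaddress
import re
# Constructed sample modelled on the objects in the post above (not a live config): one ACL
# restricted to the rdp-group members, one with the original wide-open "permit tcp any".
ASA_CONFIG = """
object network rdpuser1
 host 220.127.116.11
object network rdpuser2
 host 10.234.224.34
object-group network rdp-group
 network-object object rdpuser1
 network-object object rdpuser2
object network rdp-host-pc
 host 192.168.10.1
access-list outside_access_in extended permit tcp object-group rdp-group object rdp-host-pc eq 3381
access-list inbound extended permit tcp any object rdp-host-pc eq 3389
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit tcp (any|host \S+|object \S+|object-group \S+) "
                    r"(any|host \S+|object \S+|object-group \S+) eq (\d+)")

def parse_objects(cfg):
    """Map 'object network' names to host IPs and 'object-group network' names to member objects."""
    objects, groups, current = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object(?:-group)? network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+host (\S+)", line):
            objects[current] = {ipaddress.ip_address(m.group(1))}
        elif m := re.match(r"\s+network-object object (\S+)", line):
            groups.setdefault(current, []).append(m.group(1))
    return objects, groups

def resolve(spec, objects, groups):
    """IPs an ACL endpoint matches; None for 'any', which has no name for .get() to find."""
    kind, _, name = spec.partition(" ")
    if kind == "object-group":
        return set().union(*(objects[member] for member in groups[name]))
    return {ipaddress.ip_address(name)} if kind == "host" else objects.get(name)

def permitted_sources(cfg, acl_name, dst_ip, dst_port):
    """Sources acl_name lets reach dst_ip:dst_port (the real, pre-NAT address, as ASA 8.3+ ACLs use)."""
    objects, groups = parse_objects(cfg)
    dst, allowed, any_allowed = ipaddress.ip_address(dst_ip), set(), False
    for name, src, dst_spec, port in ACL_RE.findall(cfg):
        dst_set = resolve(dst_spec, objects, groups)
        if name != acl_name or int(port) != dst_port or (dst_set and dst not in dst_set):
            continue
        src_set = resolve(src, objects, groups)
        any_allowed |= src_set is None
        allowed |= src_set or set()
    return any_allowed, sorted(str(ip) for ip in allowed)
```

Run it against a real running config before applying an `access-group` to the outside interface, and treat any `True` in the first return value as the "everyone on the Internet can reach RDP" case the question was trying to avoid.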