Port forwarding (PAT) RDP to multiple inside hosts with one public address

joshking1
Level 1

Hi Everyone,

Please, I need a clarification on configuring PAT (or port forwarding) of RDP to 14 PCs
using a single public IP address on my ASA version 8.4. Any info or example config will
be appreciated as I am still getting used to 8.4 from my old version 7.2.

Let us say my inside host PCs are 10.10.10.2 to 10.10.10.15 and I need to connect from the outside interface.
Since I am not using the outside interface address, I have chosen to use 2.2.2.2 as my PAT for the forwarding.

Let us say the RDP forwarded ports on the machines for this example are ports 2001 - 2014

Following some of the literature and examples I have read, will this sample config work ok?

interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
object network obj-10.10.10.1
   host 10.10.10.1
object network obj-10.10.10.2
   host 10.10.10.2
.
.
.
object network obj-10.10.10.15
   host 10.10.10.15
object network obj-2.2.2.2
   host 2.2.2.2
!
object service obj-serviceTCP3389
    service tcp source eq 3389
!
nat (inside,outside) source static obj-10.10.10.2 obj-2.2.2.2 service obj-serviceTCP3389 2001
nat (inside,outside) source static obj-10.10.10.3 obj-2.2.2.2 service obj-serviceTCP3389 2002
.
.
.
nat (inside,outside) source static obj-10.10.10.15 obj-2.2.2.2 service obj-serviceTCP3389 2014
!
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside


Thanks

8 Replies

Julio Carvajal
VIP Alumni

Hello,

You are on the right track but you are missing some key concepts of 8.3

I would say you have created the object service for the fake RDP ports

object service obj-service2014
    service tcp source eq 2014

If that is correct then you are 100% correct on the NAT stuff.

Now the ACL, that is the problem you have.

After 8.3 the order of operations changed on the ASA: now the ASA performs the NAT or un-NAT first and afterwards checks the ACL. That is why you need to point to the un-NATted IP, in your case the real RDP PC's IP.

access-list outside_access_in extended permit tcp any host 10.10.10.2 eq 3389

Remember to rate all of the posts, that is as important as a thanks,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your quick response and for taking a look at this issue.

So you are saying that I need to create a service object for all the static ports that I am going to be redirecting the RDP on (i.e. 15 service groups for the 15 PCs)?

Also, from the point you made about the ACL, do I need to also specify the IP address of the PCs on the outside interface ACL even though they are all inside private address ranges (10.10.10.2 - 10.10.10.14)?

I just want to be sure I understood your suggestion above.

Thanks.

Hello,

Sure..........

That is correct, one object service for each port!

Correct, point to the private.

https://supportforums.cisco.com/docs/DOC-12690

Remember to rate all of the posts, that is as important as a thanks!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

If I want to implement the same port forwarding solution on another site but with ASA version 8.2, will this same ACL and NAT object group principle work?

I will be testing it out this weekend, first on ASA 8.2, then later next week on ASA 8.4.

Thanks.

Hi,

Here is the sample config that I plan to use for my ASA version 8.2 RDP port forwarding to inside PCs using ports 3389 - 3408. I will apply it by this weekend and confirm if it all works ok.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
static (inside,outside) tcp 2.2.2.2 3389 10.10.10.21 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3390 10.10.10.22 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3391 10.10.10.23 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3392 10.10.10.24 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3393 10.10.10.25 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3394 10.10.10.26 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3395 10.10.10.27 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3396 10.10.10.28 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3397 10.10.10.29 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3398 10.10.10.30 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3399 10.10.10.31 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3400 10.10.10.32 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3401 10.10.10.33 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3402 10.10.10.34 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3403 10.10.10.35 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3404 10.10.10.36 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3405 10.10.10.37 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3406 10.10.10.38 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3407 10.10.10.39 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3408 10.10.10.40 3389 netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq 3389
access-group outside_access_in in interface outside

Thanks

Hello Josh,

Sweet. It is perfect. On 8.2 you need to point to the public IP so you are ready to go.

Remember to rate all of the answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
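The two rules that run through this thread (on 8.3 and later the ASA un-NATs before evaluating the ACL, so the inbound ACE names the real inside address; on 8.2 the ACL is checked first, so it names the public address and mapped port) as an added example, not code from the thread, from Cisco, or from the posters: a small Python generator that emits the per-host network object, per-port service object, manual NAT line and ACL entries for both ASA generations. The addressing (inside hosts 10.10.10.x, public PAT address 2.2.2.2, real port 3389) is taken from the thread's examples; the object names obj-<ip> and obj-tcp<port> and the acl_target helper are my own choices. It also refuses mappings that reuse a public port, since one public IP:port pair can only lead to one inside host.

```python
"""Generate ASA static-PAT (RDP port-forwarding) config for many inside hosts.

Added example for this thread, not Cisco's or the posters' code. Assumes the
thread's addressing (inside hosts 10.10.10.x, public PAT address 2.2.2.2,
real port 3389); object names obj-<ip> and obj-tcp<port> are my own choice.
"""
import ipaddress
import re

RDP_PORT = 3389


def host_port_map(first_host, count, first_mapped_port):
    """Pair consecutive inside hosts with consecutive mapped (public) ports."""
    base = ipaddress.ip_address(first_host)
    return [(str(base + i), first_mapped_port + i) for i in range(count)]


def check_mappings(mappings):
    """Every public port must map to exactly one inside host."""
    ports = [port for _, port in mappings]
    dupes = sorted({p for p in ports if ports.count(p) > 1})
    if dupes:
        raise ValueError(f"mapped port(s) used more than once: {dupes}")
    return True


def acl_target(version, public_ip, host, mapped_port, real_port=RDP_PORT):
    """Return the (ip, port) an inbound ACE must match for one mapping.

    8.3 and later un-NAT the packet before the ACL is evaluated, so the ACE
    names the real inside address and real port. Before 8.3 the ACL sees the
    packet as it arrived: public address and mapped port.
    """
    major, minor = (int(x) for x in re.findall(r"\d+", version)[:2])
    if (major, minor) >= (8, 3):
        return host, real_port
    return public_ip, mapped_port


def asa_83plus_config(public_ip, mappings, real_port=RDP_PORT):
    """Manual (twice) NAT: one network object per host, one service object
    for the real port and one per mapped port, as confirmed in the thread."""
    check_mappings(mappings)
    lines = [
        f"object network obj-{public_ip}",
        f" host {public_ip}",
        f"object service obj-tcp{real_port}",
        f" service tcp source eq {real_port}",
    ]
    for host, mport in mappings:
        lines += [
            f"object network obj-{host}",
            f" host {host}",
            f"object service obj-tcp{mport}",
            f" service tcp source eq {mport}",
            f"nat (inside,outside) source static obj-{host} obj-{public_ip} "
            f"service obj-tcp{real_port} obj-tcp{mport}",
        ]
    for host, mport in mappings:
        ip, port = acl_target("8.4", public_ip, host, mport, real_port)
        lines.append(f"access-list outside_access_in extended permit tcp any host {ip} eq {port}")
    lines.append("access-group outside_access_in in interface outside")
    return lines


def asa_82_config(public_ip, mappings, real_port=RDP_PORT):
    """Pre-8.3 static PAT with one ACE per mapped port, because the ACL is
    evaluated before translation and so matches the public address and port."""
    check_mappings(mappings)
    lines = [
        f"static (inside,outside) tcp {public_ip} {mport} {host} {real_port} "
        "netmask 255.255.255.255"
        for host, mport in mappings
    ]
    for host, mport in mappings:
        ip, port = acl_target("8.2", public_ip, host, mport, real_port)
        lines.append(f"access-list outside_access_in extended permit tcp any host {ip} eq {port}")
    lines.append("access-group outside_access_in in interface outside")
    return lines


if __name__ == "__main__":
    # 14 PCs 10.10.10.2-10.10.10.15 behind 2.2.2.2 on public ports 2001-2014
    print("\n".join(asa_83plus_config("2.2.2.2", host_port_map("10.10.10.2", 14, 2001))))
    print("!")
    # the 8.2 site: 20 PCs 10.10.10.21-10.10.10.40 on public ports 3389-3408
    print("\n".join(asa_82_config("2.2.2.2", host_port_map("10.10.10.21", 20, 3389))))
```

Running the script prints both configurations; the only lines that differ in kind between the two generations are the ACEs, which is the point Julio makes in both of his replies. Because each public port is exposed to "any", the generated ACL is as wide as the thread's; restricting the source to known management addresses is a one-word change in the f-string and is worth making where the remote users have fixed addresses.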

Thanks Julio,

I really appreciate the help and will confirm by next tomorrow and also rate the answer !

Sure.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC