03-10-2012 09:03 AM - edited 03-11-2019 03:40 PM
Hi!
I'm trying to get my ASA 5505 (IOS 8.4) to work, but got stuck on NAT because I would like to allow 3389 access for just a couple of WAN IPs.
This is what I found so far:
(config)# object network Internal_RDS
(config-network-object)# host 192.168.1.10
(config-network-object)# nat (inside,outside) static interface service tcp 3389 3389
(config-network-object)# exit
(config)# access-list inbound permit tcp any object Internal_RDS eq 3389
(config)# access-group inbound in interface outside
But this will allow all WAN IPs to access 192.168.1.10 over port 3389, I guess? I would like to allow only some WAN IPs. Any help?
03-13-2012 05:03 AM
Use at the outside interface
Access-list permit tcp host xxxxx host yyyyy eq 3389
Or use an object group for simpler management
Sent from Cisco Technical Support iPhone App
03-16-2012 06:42 AM
Hmm, do I have to keep my code or do I have to replace the rule:
(config)#access-list inbound permit tcp any object Internal_RDS eq 3389
with
(config)#access-list permit tcp host xxxxx host yyyyy eq 3389
Because the line above won't work...
Thanks again!
03-16-2012 07:13 AM
My rule isn't a solution to copy-paste into the config. It's a sample. Just think about what this rule does and write your own.
Sent from Cisco Technical Support iPad App
03-16-2012 10:34 AM
Okay, let's take it one step at a time. I use port 3381 so as not to conflict with my rules. If you create your own RDP port as a service object, make sure you fill in just the destination port (it should look like all the other default ports). Note my inside LAN is called main-lan.
Assumes a single WAN IP on the outside interface.
Assume you already have a default route with next hop to the ISP gateway (0 0 gatewayIPaddress 1).
Assume you already have a dynamic PAT rule for users on the LAN (not needed for this but still useful).
(1) Go to FIREWALL and Objects: create the necessary objects for the WAN users and for the PC hosting the RDP server.
(2) Create the NAT object (which is the static NAT rule, and creates the host part as well)
- don't use NAT Rules in ASDM to make this, but you can view your rules in NAT Rules as per jpeg 5
- can be confusing because you identify the host computer again, but think of this as more like a port forwarding rule and name, not the host.
(3) Go to FIREWALL and Access Rules: create the ACL rule (to allow the WAN users access).
- use Access Rules at the top (not ACL Manager) to make your rules
- select IPv4 at the bottom to simplify the view
- find the outside rules sub-menu selection, highlight it and add, as we are putting in rules under that.
ASDM solution (6.4). Entries are in the pictures.
Output in running configs below:
(1)
object network rdpuser1
 host 23.244.135.220
object network rdpuser2
 host 10.234.224.34
object-group network rdp-group
 network-object object rdpuser1
 network-object object rdpuser2
object network rdp-host-pc
 host 192.168.10.1
object service newRDP
 service tcp destination eq 3381
(2a)
object network internal_RDS_NAT
 host 192.168.10.1
(2b)
object network internal_RDS_NAT
 nat (main-lan,outside) static interface service tcp 3381 3381
(3)
access-list outside_access_in extended permit object newRDP object-group rdp-group object rdp-host-pc
[Screenshots: (1) RDP PC (server), new RDP port, WAN user, WAN group; (2) NAT rule embedded in object; (3) firewall rule]
Just for giggles, I threw in a packet trace from one of the new RDP users, simulating your public IP.
Enjoy
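To see which inbound rules actually expose the forwarded RDP port, here is an added audit script (mine, not from this thread or from Cisco) that parses a constructed ASA 8.4-style config fragment, resolves the service object's destination port, and flags permits whose source is `any`; it assumes the object and access-list syntax shown in this thread.

```python
# Constructed ASA config (assumption): the "any" rule from the question beside the final answer's rule.
ASA_CONFIG = """\
object network Internal_RDS
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 3389
object-group network rdp-group
 network-object object rdpuser1
object network rdp-host-pc
 host 192.168.10.1
object service newRDP
 service tcp destination eq 3381
access-list inbound permit tcp any object Internal_RDS eq 3389
access-list outside_access_in extended permit object newRDP object-group rdp-group object rdp-host-pc
"""
RDP_PORTS = {"3389", "3381"}  # the two ports this thread forwards RDP on

def parse_objects(config):
    """Map each object / object-group name to its indented body lines."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith(("object ", "object-group ")):
            objects[(current := line.split()[-1])] = []
        elif line.startswith(" ") and current:
            objects[current].append(line.strip())
        else:
            current = None
    return objects

def _take(tokens, i):
    """Consume one address spec: any | host X | object X | object-group X | net mask."""
    return (("any",), i + 1) if tokens[i] == "any" else (tuple(tokens[i:i + 2]), i + 2)

def audit_rdp_acls(config):
    """Return (acl, source, port, verdict) for every permit rule that reaches an RDP port."""
    objects, findings = parse_objects(config), []
    for tokens in (ln.split() for ln in config.splitlines()):
        if len(tokens) < 5 or tokens[0] != "access-list" or "permit" not in tokens:
            continue
        name, i = tokens[1], tokens.index("permit") + 1
        svc_obj = tokens[i + 1] if tokens[i] == "object" else None  # protocol given as a service object
        i += 2 if tokens[i] in ("object", "object-group") else 1
        src, i = _take(tokens, i)
        _dst, i = _take(tokens, i)
        port = tokens[i + 1] if tokens[i:i + 1] == ["eq"] else None
        if port is None and svc_obj:  # destination port lives inside the service object
            port = next((b.split()[-1] for b in objects.get(svc_obj, []) if "destination eq" in b), None)
        if port in RDP_PORTS:
            verdict = "any-source" if src == ("any",) else "restricted"
            findings.append((name, " ".join(src), port, verdict))
    return findings
```

Run `audit_rdp_acls(ASA_CONFIG)`: the original `inbound` rule comes back as `any-source`, the object-group rule from the final answer as `restricted`.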