Cisco 5505 in routed mode - how to translate port 8888 to 3389 (Not NAT)
01-27-2015 01:56 AM - edited 03-11-2019 10:24 PM
Hi there,
I have a Cisco 5505 with ASDM 7.1 and cannot find an article on how to allow a connection from the outside world to an RDS server. I want to allow any connection, for example Remote Desktop, to 78.78.78.78:8888 and want it translated to 78.78.78.78 on port 3389.
Could anyone help please?
Kind regards,
Kevin Bonney.
Labels: NGFW Firewalls
01-27-2015 02:49 AM
You probably want to translate it to an inside private IP?
The NAT config could look like the following:
object network RDP-SERVER
 host 10.10.10.10
 nat (inside,outside) static 78.78.78.78 service tcp 3389 8888
More on this topic in the config guide:
01-27-2015 06:44 AM
Hi Karsten,
No, we are not using NAT; all servers have public IPs.
01-27-2015 02:57 AM
Hi,
Are you saying that the actual host on the LAN has a public IP address directly configured to it and it uses that IP address also to connect to the Internet?
I need a clarification on the actual NAT on the port. Do you want the public/mapped port to be 3389 or 8888? If I understood correctly, then you want the public/mapped port to be TCP/8888 and the local port to be TCP/3389.
I am not sure what actual ASA software version you are using. The ASDM does not really define what functionalities the ASA has. I presume that you might have a newer software level on the actual firewall (8.3 or newer), which means we need to use the new NAT configuration format.
You can check the software level with the command
show version
One simple configuration to NAT the port would be
object network RDP-PORT-NAT
 host 78.78.78.78
 nat (inside,outside) static 78.78.78.78 service tcp 3389 8888
In the above I have just used the example interface names "inside" and "outside". In the static PAT configuration we only change the local port 3389 to the mapped port 8888. If there is no other NAT configuration that applies to this IP address 78.78.78.78, then it should be accessible normally on the different ports.
If you happen to use an ASA with software level 8.2 or below, then the NAT configuration format will be different. It would be something like this:
static (inside,outside) tcp 78.78.78.78 8888 78.78.78.78 3389 netmask 255.255.255.255
- Jouni
01-27-2015 06:33 AM
Hi,
ASA Version 9.1(2)
ASDM Version 7.1(3)
Firewall Mode: Routed
All servers have public IPs, so we are not using NAT.
01-27-2015 07:14 AM
Hi,
So you have a pretty new software level, so the configuration below should be valid.
object network RDP-PORT-NAT
 host 78.78.78.78
 nat (inside,outside) static 78.78.78.78 service tcp 3389 8888
Naturally you have to make sure you allow the traffic to this server from the external network. I would assume you already have an ACL configured on your interface. Notice that in this case you will have to allow the traffic to destination port TCP/3389 in the external interface's ACL (because the new software level always uses real/local IP addresses and ports in the ACL rules). In a typical situation you would also allow traffic to the local IP address, but as in this case the local IP address is public there is no confusion really (in the case of a NATed public IP address the traffic is allowed to the real/local IP address).
So the ACL statement would be
access-list <acl name> permit tcp any object RDP-PORT-NAT eq 3389
or
access-list <acl name> permit tcp any host 78.78.78.78 eq 3389
Or naturally if you need to limit the traffic then you could replace the "any" with some specific IP address or an "object-group" containing the subnets/IP addresses you want to allow.
Hope this helps :)
- Jouni
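To tie the two answers together, here is an added example (not posted by anyone in this thread) of the complete ASA 8.3+ configuration for this case: the static PAT, a source-restricted ACL instead of "any", the access-group binding that the thread does not show, and the ASA commands used to verify the result. The interface names "inside"/"outside", the ACL name OUTSIDE-IN, the object-group name and the client subnet 203.0.113.0/24 are assumptions made for the example.

```cisco
! Added example, not from the thread. Server keeps its public IP 78.78.78.78;
! only the port is translated (real tcp/3389 reached from outside as tcp/8888).
! Interface names, ACL name, object-group name and the 203.0.113.0/24 client
! subnet are assumptions for this example.
!
! 1. Real host and the static PAT (ASA 8.3+ object NAT syntax).
object network RDP-PORT-NAT
 host 78.78.78.78
 nat (inside,outside) static 78.78.78.78 service tcp 3389 8888
!
! 2. Limit who may reach RDP instead of permitting "any" (constructed subnet).
object-group network RDP-ALLOWED-SOURCES
 network-object 203.0.113.0 255.255.255.0
!
! 3. Post-8.3 ACLs match the REAL (untranslated) port, so permit 3389, not 8888,
!    and bind the ACL inbound on the outside interface.
access-list OUTSIDE-IN extended permit tcp object-group RDP-ALLOWED-SOURCES object RDP-PORT-NAT eq 3389
access-group OUTSIDE-IN in interface outside
!
! 4. Verification: confirm the NAT rule installed, then trace a sample packet
!    from a constructed client (203.0.113.10, source port 40000) to the mapped port.
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 78.78.78.78 8888
show access-list OUTSIDE-IN
```

packet-tracer walks the packet through each phase (UN-NAT, ACCESS-LIST, and so on) and ends with an overall ALLOW or DROP; a DROP in the ACCESS-LIST phase while the NAT phase succeeds is the usual symptom of having written the mapped port 8888 into the ACL instead of the real port 3389. The hit counts from show access-list confirm that real client connections are matching the intended line.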
