NAT / Port Forward

GRANT3779
Spotlight

Hi All,

I have the following config -

object network Server
 nat (inside,outside) static x.x.x.x


access-list OUTBOUND_IN extended permit tcp any object Server eq 3389


object network Server
 host 192.168.10.10

 

Now this allows me to access the "Server" from the Outside on port 3389.

Some clients, however, try to access the "Server" on a different port, e.g. let's just say port 2222.

How do I enable the FW to listen for Inbound requests on port "2222" to my "Server" and then forward them onto port 3389?

Thanks

Accepted Solutions

Jon Marshall
Hall of Fame

You should be able to do this but you need to modify your configuration.

So firstly you need to change your current static NAT to a static PAT, i.e. -

object network Server
 host 192.168.10.10
 nat (inside,outside) static x.x.x.x service tcp 3389 3389

If you now try to use the same Server object I believe it will overwrite your first statement. You can try it, but if it does then create a new object for your second statement -

object network Server1
 host 192.168.10.10
 nat (inside,outside) static x.x.x.x service tcp 3389 2222

Jon

Hi Jon,

I assume the ACL still needs to be on the Outside Interface, allowing the relevant ports, e.g. 2222 and 3389?

Could I keep the current static NAT I have then create a new Object for my second one and have a static PAT under that?

Yes, you still need the ACL and you need to allow the new port as well.

I'm not sure you can use a static NAT and PAT together although I could be wrong.

If the server is only used for 3389 currently then I would go with two static PAT statements as described.

Jon
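
As an added example (not part of any post in this thread, and not Cisco tooling): a small Python check that reads an ASA configuration and lists which outside ports reach each inside host and port through static PAT, so a review shows that outside 2222 and 3389 both land on the server's 3389. The sample config is constructed from the thread's commands, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in "show run" layout: the host and nat lines of one
# object sit in separate blocks, as in the question's own paste.
SAMPLE_CONFIG = """\
object network Server
 host 192.168.10.10
object network Server1
 host 192.168.10.10
access-list OUTBOUND_IN extended permit tcp any object Server eq 3389
object network Server
 nat (inside,outside) static x.x.x.x service tcp 3389 3389
object network Server1
 nat (inside,outside) static x.x.x.x service tcp 3389 2222
"""

# Object NAT static PAT: "... service <proto> <real_port> <mapped_port>"
PAT_RE = re.compile(
    r"^\s+nat \(\S+,\S+\) static (\S+) service (tcp|udp) (\S+) (\S+)")

def parse_static_pat(config):
    """Return (object, real_ip, proto, real_port, mapped_ip, mapped_port) tuples."""
    hosts, pats, current = {}, [], None
    for line in config.splitlines():
        parts = line.split()
        if line.startswith("object network ") and len(parts) == 3:
            current = parts[2]
        elif not line.startswith(" "):
            current = None                  # left the object block
        elif current and parts[:1] == ["host"] and len(parts) == 2:
            hosts[current] = parts[1]
        elif current and (m := PAT_RE.match(line)):
            pats.append((current, *m.groups()))
    # Join after the full pass, since host lines may follow or precede nat lines.
    return [(obj, hosts.get(obj), proto, real, mapped_ip, mapped)
            for obj, mapped_ip, proto, real, mapped in pats]

def outside_ports_by_service(config):
    """Group mapped (outside) ports by the inside host:port they reach."""
    exposed = defaultdict(set)
    for _obj, real_ip, proto, real, _mip, mapped in parse_static_pat(config):
        exposed[(real_ip, proto, real)].add(mapped)
    return {key: sorted(ports) for key, ports in exposed.items()}

if __name__ == "__main__":
    for (ip, proto, port), mapped in outside_ports_by_service(SAMPLE_CONFIG).items():
        print(f"{ip} {proto}/{port} reachable on outside ports: {', '.join(mapped)}")
```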
