PIX config for RDP access to an internal server

aaron.grussner
Level 1

Hi, it's been a while since I've done a lot with a PIX config so I'd like some ideas on the best way to allow access for 2 IP addresses that need to RDP into a server here inside our network. They also wanted to have ports redirected, 3391 to 3389 and 3397 to 3389. Could someone give me an example of the best way to config this on the PIX? Thanks.

12 Replies

Mohammad Alhyari
Cisco Employee

Hi,

Assume the following:

The server's translated IP addresses:

10.0.0.2 10.0.0.3

Real IP addresses:

11.0.0.2 11.0.0.3

You want to allow the following IP addresses to access the servers:

192.168.1.1 192.168.2.1

You need to apply an access-list on the outside interface:

access-list outside_access_in permit tcp host 192.168.1.1 host 10.0.0.2 eq 3391

access-list outside_access_in permit tcp host 192.168.2.1 host 10.0.0.3 eq 3397

access-group outside_access_in in interface outside

Do the NAT redirection:

static (dmz,outside) tcp 10.0.0.2 3391 11.0.0.2 3389

static (dmz,outside) tcp 10.0.0.3 3397 11.0.0.3 3389

Cheers

Thanks a lot, I'll give it a try tomorrow and let you know how it goes.

This is just one server that they want to access from 2 different machines over the Internet on different ports and they don't have a DMZ. Would I just change the static to this then:

static (inside,outside) TCP 10.0.0.3 3391 11.0.0.3 3389

static (inside,outside) TCP 10.0.0.3 3397 11.0.0.3 3389

Or is that wrong?

I already have a static for this server since it's going to be the FTP site shortly also.

Thanks

Yup, you can give this a try and see if it works.

Regards.

Since I already have a static for this IP address it won't let me post the additional statics for the NAT on the ports. What am I missing?

Thanks

Hi,

As Mike said,

if you have a one-for-one translation then all the requests on that IP address will hit that line. You can consider:

1. using another IP address

2. making the line more specific and doing a static PAT instead of mapping the whole IP address.

Cheers.

Any chance you're still online for the last question?

Thanks

Aaron,

If you already have a 1-to-1 translation, then you may need to delete the entry and create only port forwardings for everyone.

Let's say you had this

static (inside,outside) x.x.x.x y.y.y.y

and you want to add this

static (inside,outside) tcp x.x.x.x 3389 z.z.z.z 3389

That you cannot do; you will need to do this

no static (inside,outside) x.x.x.x y.y.y.y

static (inside,outside) tcp x.x.x.x 3389 z.z.z.z 3389

Then for the services that you had on IP Y... let's say FTP, you will need to create a port forward for that...

static (inside,outside) tcp x.x.x.x 21 y.y.y.y 21

Let me know if you have doubts.

Mike

Mike

So if I'm understanding this correctly I can't have these 2 statics for the same IP like I have below correct?

static (inside,outside) TCP 12.15.15.183 3391 192.168.100.38 3389

static (inside,outside) TCP 12.15.15.183 3397 192.168.100.38 3389

They want to have 2 different machines access this one server but on different redirected ports, but it sounds like it's not possible, which is fine; I just need to be able to tell them that and know that I'm correct. We don't have any more available public IPs to use at this point, but they may buy another block in the future. Will I also be able to run my FTP on this server and still allow access from the Internet?

Thanks again guys.

Hi,

Nope, that will conflict... since port 3389 is already mapped to 3391, you cannot add a new translation for the same port.

You should be able to grab that same static and have something like this

static (inside,outside) TCP 12.15.15.183 3391 192.168.100.38 3389

static (inside,outside) TCP 12.15.15.183 21 192.168.100.38 21

What you cannot do is try to map port 3389 to two different ports.

Hope this helps.

Mike
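Putting Mike's answer together as one pasteable PIX config, as an added example that is not part of the thread: the one-to-one static is removed, only the ports that must be reachable are forwarded, and the inbound ACL restricts them to the two remote workstations. The public and private addresses are the ones from the thread; 203.0.113.10 and 203.0.113.20 are placeholders for the two remote hosts, and the ACL name outside_access_in is an assumption. The ACL and the static both use the mapped (public) address and port, which is the pre-8.3 PIX/ASA convention.

```cisco
! Added example, not from the thread. 203.0.113.10 / 203.0.113.20 are placeholders
! for the two remote workstations; outside_access_in is an assumed ACL name.

! 1. Drop the one-to-one static. While it exists every port on 12.15.15.183 is
!    claimed by it, so per-port statics for that address are rejected.
!    Type the line exactly as "show run static" shows it.
no static (inside,outside) 12.15.15.183 192.168.100.38

! 2. Static PAT: forward only the ports that must be reachable from outside.
static (inside,outside) tcp 12.15.15.183 3391 192.168.100.38 3389
static (inside,outside) tcp 12.15.15.183 21 192.168.100.38 21

! 3. Inbound ACL on the outside interface, keyed on the mapped address and port
!    and limited to the two remote hosts. Everything else is denied by default.
access-list outside_access_in permit tcp host 203.0.113.10 host 12.15.15.183 eq 3391
access-list outside_access_in permit tcp host 203.0.113.20 host 12.15.15.183 eq 3391
access-list outside_access_in permit tcp host 203.0.113.10 host 12.15.15.183 eq 21
access-list outside_access_in permit tcp host 203.0.113.20 host 12.15.15.183 eq 21
access-group outside_access_in in interface outside

! 4. FTP inspection must stay enabled so the data connection is opened for the
!    forwarded control port (PIX 6.x syntax; on 7.x and later it is "inspect ftp"
!    in the global policy-map, enabled by default).
fixup protocol ftp 21

! 5. Flush existing translations so new connections use the new statics.
clear xlate
```

Both workstations dial 12.15.15.183:3391; the ACL, not a second port, is what tells them apart. Two checks outside the PIX are easy to forget: the server's own firewall must allow 3389 from the inside network, and the server's default gateway must be the PIX inside interface, or the SYN is translated inbound but the SYN-ACK never comes back through the firewall.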

Mike

It appears I have everything correct but I'm still not able to RDP into the server. I don't have an A record or anything else registered, which I don't think is needed, correct? I'm just using it for 2 systems owned by a sister company to access it and I don't want it to be easily found.

Thanks

Aaron

Hi Aaron,

You should just need the static PAT statement along with an access-list to allow the inbound connection on the outside interface. If you have it but it is still not working, I would advise following the steps below:

1. Take logs on the ASA when the connection drops.

2. Take captures on the firewall interfaces.

3. Take a packet-tracer.

For the capture you can use this:

https://supportforums.cisco.com/docs/DOC-1222

For packet-tracer:

packet-tracer input outside tcp 1.1.1.1 2345 12.15.15.183 3389 detailed

These outputs should tell where the issue lies. If you need any help with captures, do let me know.

Thanks,

Varun

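The three troubleshooting steps above, written out as the commands you would actually run on a PIX 7.x/ASA (packet-tracer needs 7.2 or later; on PIX 6.x use "show static" and the access-list form of capture). This is an added example, not part of the thread; addresses are the thread's, 203.0.113.10 stands in for one of the remote workstations, and the capture and ACL names are assumptions. One detail worth getting right: trace and capture the mapped port the client actually dials (3391) on the outside, and the real port (3389) on the inside.

```cisco
! Added example, not from the thread. 203.0.113.10 is a placeholder for a remote
! workstation; cap_out, cap_in, rdp_out and rdp_in are assumed names.

! Is the static PAT present, and is the ACL really bound to the outside interface?
show run static | include 12.15.15.183
show run access-group
show access-list outside_access_in

! Simulate the client's SYN through NAT and the ACL. Destination is the public
! address and the forwarded port (3391), not 3389.
packet-tracer input outside tcp 203.0.113.10 2345 12.15.15.183 3391 detailed

! Capture both sides, then have the client try to connect.
! Outside sees public address / 3391, inside sees real address / 3389.
access-list cap_out permit tcp host 203.0.113.10 host 12.15.15.183 eq 3391
access-list cap_out permit tcp host 12.15.15.183 eq 3391 host 203.0.113.10
access-list cap_in permit tcp host 203.0.113.10 host 192.168.100.38 eq 3389
access-list cap_in permit tcp host 192.168.100.38 eq 3389 host 203.0.113.10
capture rdp_out interface outside access-list cap_out
capture rdp_in interface inside access-list cap_in
show capture rdp_out
show capture rdp_in

! Syslog at debug level records the connection build/teardown and any ACL deny.
logging buffered debugging
show logging | include 12.15.15.183

! Remove the captures when done; they cost CPU and memory.
no capture rdp_out
no capture rdp_in
```

Reading the result: a SYN in rdp_out but nothing in rdp_in points at the ACL or the static (packet-tracer will name the phase that drops it); a SYN in rdp_in with no SYN-ACK means the firewall did its job and the problem is on the server side (Windows firewall, Remote Desktop not enabled, or a default gateway that is not the PIX).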