Hi and thanks for your response.

I created the rule to the WAN_ destination as a test.  There also already exists a rule with Destination outside.  I was trying to mirror the rules that were already in place for Port 3389 (default listening port). 

All of these rules are "outside" incoming rules" which would explain needing to use a Destination interface of "outside".  Are rules required for outgoing (to the WAN) traffic or are these port  rules bi-directional?

As far as the router, I do have port  forwarding configured for ports 3389, 3395 and 3396.  I eventually want to stop using 3389 to allow two different people to log in to two different machines (COTEDECO-1 and  COTEDECO-2) with ports 3395 and 3396.

Static NAT is bidirectional and dynamic nat is unidirectional.  

You will also need to add access-list entries to allow the traffic from WAN interface to the inside host you are setting this up for.

--

Please remember to select a correct answer and rate helpful posts

Thank  you Marius.  I appreciate the NAT information.  I am using Static NAT's.  

You mention that I need to add access-list entires to allow traffice from WAN Interface to the inside host.  I think that these already exist.  

I have attached the ACL for your review.  

Aren't rules 2, 7 and 8 what I need to cover any of the three RDP Ports?    I created rules 9 and 10 an experiment to test the rues.  

Thanks again and I look forward to hearing back from you.

Chuck

Well as mentioned earlier you one NAT rule is not correct. You need to change the original source to 3389 and keep the translated source to 3396.  Your access list looks correct.

Unless you change the port which the server is listening to it will not respond on 3396, but if you NAT 3389 to 3396 then you should be able to access the server using port 3396 from a PC located on the WAN interface.

Thanks for  your patience on this.  I now see what you are saying.  The NAT must be to the Windows  Server machine which will have port 3389 (not to each individual machine).  This  then allows any port to be used externally (remotely) and the "server/local network" doesn't care as it will always look like 3389.

I will try this later tonight.  I have to run out again.

Thanks.

Hello Francesco.  Thanks again for your help on this.

I did as you suggested and it worked.  To further test it, I created another rule for one of the other computers and it worked as expected.

I can't thank you enough.....but if you don't mind, can I ask another question or two?

For the NAT rules, why is the "Original" "Source" an inside device?  From the terminology, I would have  thought that this  should be from the network (WAN) so it would read "any" - because we don't know who will be RDP's in.  My guess is that "Original" has nothing to do with the direction of the communication but purely relative to the port that you are wanting to translate.  Can  you confirm this (and please embellish if you feel up to it).

Secondly, I have revised (removed several of) the Access Rules.  I first removed two of the rules (#9 and #10) which had pc's as destinations, not outside.

Again, my confusion is over terminology.  The Source and Destination for these rules was Any and Outside respectively.  It seems like the Destination should have been "inside".   Further confusing me is that this is an Outside rule based on the Outside interface.  So, it seems contradictory that the Source is any but also outside and the Destination is Outside.  See my attached Access Rules  screen shot. Can you offer any guidance on this terminology.

One more related to access rules - Are they bidirectional?  They seem to be.

My final question is can you offer any literature to read where I can learn this stuff better.  I already have the Cisco online documentation but it would be nice to have another source to help me resolve conflicts (in my mind -- and I know they will occur).

Thank you again for your help.  I understand if you don't want to take the time to reply to all of my questions.  Have a great day.

Chuck

Hi

For books, you can have a look on all Cisco Press books and specially the CCNA Security and Cisco ASA All-in-one.

For NAT, you need to think the other way, it looks like strange but let me explain:

• Your internal host is natted on a public IP with a port x
• This explain that original are everything internal (IP + PORT SOURCE)
• And Natted is (PUBLIC + PORT DESTINATION) ==> This will be the information facing internet and be accessible from outside.

For ACL, on old version (before 8.3), the destination on acl for outside acl was the Public IP of the natted object. Since 8.3, the source is IP coming from internet (anyone for example) and destination will be the real IP of the object (Inside object).

Hope this more clear.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thank you. It does help.  I will be putting in some time on this as it is important.

My next project is to setup VPN for this same customer so you may see more posts from me then.

Cheers.

You're very welcome

Hi,

Thanks for  your response.  My original config did have both ports 3389 and 3395 intentionallyl NAT'd to COTEDECO-1.  My thought was that, as an experiment, I could just change the listening port on COTEDECO-1 and then  be able to remote in with either  port (as a test).  Currently I can remotely access COTEDECO-1 and was trying to figure out how to access it with a different port. 

I have since changed the  rules to NAT port 3396 to a different machine COTEDECO-2.  My thought was that I could use 3396 to get into COTEDECO-2.  This does not work. 

Can you please help me understand what affect an Access Rule has what  I am trying to do?