1423 Views, 0 Helpful, 7 Replies

Port Forwarding

hadisharifi (Level 1)

Hi,

I want to allow RDP into a machine behind a DSL router/modem, and the DSL router/modem is behind a Cisco PIX firewall. I am not sure if it's possible.

The DSL is obviously doing nat inside and outside.

My config:

Cisco PIX:

access-list outside_access_in extended permit tcp any interface outside eq 63389

static (inside,outside) tcp interface 63389 192.168.1.51 63389 netmask 255.255.255.255

Cisco router:

Dialer0 192.168.1.51

int fa0 192.168.2.1/24

ip nat ouside source static tcp 192.168.1.51 63389 192.168.2.101 3389

So far my tests are failing, any ideas?

thanks


7 Replies

Jennifer Halim (Cisco Employee)

Can you please advise if your PIX outside interface is assigned a public ip address as it changes the NAT that you would need to do.

NATing needs to be done for the RDP server, not for the router interface ip address.

Please kindly provide a copy of the PIX configuration, the server ip address and assuming that you would like to NAT it to the PIX outside interface IP so we can help accordingly.

Hi, I knew it was going to be a confusing one, but I will try to explain it a bit better, hopefully.

The DSL router is behind the PIX firewall and the PIX doesn't know about the LAN on the DSL router; it only knows the DSL port (dialer0) IP address. Remember that the DSL router is NATing everything on its inside to the dialer0 IP address (192.168.1.51), and that is what the PIX knows.

The 192.168.1.51 is the dialer0 IP address of the DSL router that the PIX can reach; the RDP server 192.168.2.101 is what the PIX doesn't know, and it is hidden behind the dialer0 and gets NATed.

The PIX outside interface does have a public IP address, and packet tracer shows that a packet from outside destined to the outside interface of the PIX on port 63389 is allowed, but obviously it doesn't work end to end.

Could it be that the NAT happens twice, once on the PIX to the dialer0 IP address of the DSL router, which is already NATing/PATing the LAN on the DSL router?

Please let me know if it doesn't make sense and I will draw a diagram.

Here is the diagram as per your description:

RDP (192.168.2.101) -- router (192.168.1.51) -- (inside) PIX (outside) -- internet

Please confirm if that is correct.

If it is, then the NAT configured is incorrect. You currently have:

ip nat ouside source static tcp 192.168.1.51 63389 192.168.2.101 3389

It should be:

ip nat inside source static tcp 192.168.2.101 3389 192.168.1.51 63389

Clear the nat translation after the above config.

Alternatively, you can configure route on the PIX for 192.168.2.0/24 network to point to 192.168.1.51, and directly NAT it to 192.168.2.101 on the PIX.
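The corrected forwarding chain from the reply above, written out as a complete two-device configuration so the two NAT hops can be read together. This is an added example, not configuration posted by anyone in the thread: the interface names follow what the thread shows (Dialer0, fa0), the PIX access-group line and the router's LAN-NAT access list are assumptions, the PIX inside address and the router's default route are placeholders, and the packet-tracer source address is a constructed test value.

```cisco
! ---- Cisco PIX (7.x syntax, as used in the thread) ----
! First hop: outside -> PIX outside interface :63389 becomes the router's Dialer0 address :63389.
static (inside,outside) tcp interface 63389 192.168.1.51 63389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 63389
access-group outside_access_in in interface outside   ! assumption: the ACL is bound to outside

! ---- DSL router (IOS) ----
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ! 192.168.1.51 faces the PIX inside interface (assumption: set here or negotiated)
 ip nat outside
!
! Dynamic PAT for the rest of the LAN (assumed to exist in some form already).
ip access-list standard LAN-NAT
 permit 192.168.2.0 0.0.0.255
ip nat inside source list LAN-NAT interface Dialer0 overload
!
! Second hop: 192.168.1.51:63389 -> 192.168.2.101:3389.
! Direction is "inside source": the server is the inside local host and
! 192.168.1.51:63389 is its inside global address, so the command reads local first.
ip nat inside source static tcp 192.168.2.101 3389 192.168.1.51 63389
!
ip route 0.0.0.0 0.0.0.0 <PIX-inside-ip>   ! placeholder for the PIX inside address

! ---- Verification ----
! Router: drop stale dynamic entries (the "clear the nat translation" step), then expect
! one static entry mapping 192.168.1.51:63389 <-> 192.168.2.101:3389.
!   clear ip nat translation *
!   show ip nat translations
! PIX: simulate an inbound SYN from a constructed source address and check the xlate.
!   packet-tracer input outside tcp 198.51.100.10 40000 <PIX-outside-ip> 63389
!   show xlate
```

With the static entry in place, the server's replies from 192.168.2.101:3389 leave the router as 192.168.1.51:63389 rather than through a random PAT port, which is what the PIX xlate expects. Note that the PIX ACL as written admits any source address to the forwarded port; restricting the `any` to the client networks that actually need RDP is the one hardening step this design leaves open.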

Hi, the diagram is correct. I changed the translation as you suggested but it doesn't make any difference. Given that the DSL router is already PATing everything, isn't this going to break the static NAT?

I have also tried adding a route to 192.168.2.101 on the PIX but I can't reach this IP from the pix because it gets patted?

BTW, this is the debug output on the DSL router.

*Apr  6 22:17:52.536: NAT - SYSTEM PORT for 192.168.1.51: allocated port 0, refcount 42, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 42, proto 6

Thanks

Static NAT takes precedence over dynamic PAT, so that should work.

For the second option, you would need to configure deny for traffic between the server to anything on port 3389.

BTW, to keep it simple, can you try without changing the port first, just use the default port 3389 on the NAT/PAT statement.

Also pls share the config of both router and PIX after the changes. Thanks.
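The alternative design mentioned earlier (PIX routes 192.168.2.0/24 via the router and translates straight to the server), together with the NAT deny that the accepted reply says it needs, and using the default port 3389 on the PIX as that reply suggests. This is an added example, not configuration posted in the thread: it assumes the router's overload PAT is driven by an extended access list named LAN-NAT, and the PIX access-group line is an assumption.

```cisco
! ---- Cisco PIX ----
! Reach the LAN behind the DSL router via its Dialer0 address.
route inside 192.168.2.0 255.255.255.0 192.168.1.51 1
! Translate directly to the RDP server; default port 3389 on both sides.
static (inside,outside) tcp interface 3389 192.168.2.101 3389 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside   ! assumption: the ACL is bound to outside

! ---- DSL router (IOS) ----
! Keep the overload PAT for the LAN, but exempt the server's RDP replies from it.
! Without the deny, the SYN-ACK from 192.168.2.101:3389 would leave as
! 192.168.1.51:<random port> and the PIX xlate for 192.168.2.101 would never match it.
ip access-list extended LAN-NAT
 deny   tcp host 192.168.2.101 eq 3389 any
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list LAN-NAT interface Dialer0 overload
! No static port forward is needed on the router here: 192.168.2.101 is directly connected,
! and inbound packets for it carry no translation, so they are simply routed.

! ---- Verification ----
! PIX: "show xlate" should list 192.168.2.101/3389 behind the outside interface.
! Router: "show ip nat translations" should show no entry for 192.168.2.101 port 3389.
```

The deny line only removes the server's RDP replies from PAT; it does not open anything. Exposure to the internet is still decided solely by the PIX ACL, so the same advice applies: narrow `any` to the addresses that need to reach the server.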

Thanks for your help. It's all good and working. A reboot of the router might have done the trick, but I don't know; I didn't change anything.

Good call, that's always one of the tricks
