09-11-2012 06:32 AM - edited 03-11-2019 04:52 PM
Hi Everyone,
Please I need a clarification on configuring a PAT (or port forwarding) of RDP to 14 PCs
using a single public IP address on my ASA version 8.4. Please any info or example config will
be appreciated as I am still getting used to 8.4 from my old version 7.2.
Let us say my inside host PCs are 10.10.10.2 to 10.10.10.15 and I need to connect from the outside interface.
Since I am not using the outside interface address, I have chosen to use 2.2.2.2 as my PAT for the forwarding.
Let us say the RDP forwarded ports on the machines for this example are ports 2001 - 2014
Following some of the literature and examples I have read, will this sample config work ok?
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.248
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
object network obj-10.10.10.1
host 10.10.10.1
object network obj-10.10.10.2
host 10.10.10.2
.
.
.
object network obj-10.10.10.15
host 10.10.10.15
object network obj-2.2.2.2
host 2.2.2.2
!
object service obj-serviceTCP3389
service tcp source eq 3389
!
nat (inside,outside) source static obj-10.10.10.2 obj-2.2.2.2 service obj-serviceTCP3389 2001
nat (inside,outside) source static obj-10.10.10.3 obj-2.2.2.2 service obj-serviceTCP3389 2002
.
.
.
nat (inside,outside) source static obj-10.10.10.15 obj-2.2.2.2 service obj-serviceTCP3389 2014
!
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside
Thanks
09-11-2012 09:42 AM
Hello,
You are on the right track but you are missing some key concepts of 8.3
I would say you have created the object service for the fake RDP ports
object service obj-service 2014
service tcp source eq 2014
If that is correct then you are 100% correct on the NAT stuff.
Now the ACL, that is the problem you have.
After 8.3 the order of operations changes on the ASA, and now the ASA performs the NAT or un-NAT first and afterwards it checks the ACL. That is why you need to point to the un-NATted IP, in your case the real RDP PC's IP.
access-list outside_access_in extended permit tcp any host 10.10.10.2 eq 3389
Remember to rate all of the posts, that is as important as a thanks,
Julio
09-11-2012 09:58 AM
Hi Julio,
Thanks for your quick response and for taking a look at this issue.
So you are saying that I need to create a service object for all the static ports that I am going to be redirecting the RDP on (i.e., 15 service objects for the 15 PCs)?
Also, from the point you made about the ACL, so I need to also specify the IP address of the PCs on the outside interface ACL even though they are all inside private address ranges (10.10.10.2 - 10.10.10.14)?
I just want to be sure I understood your suggestion above.
Thanks.
09-11-2012 10:06 AM
Hello,
Sure..........
That is correct, one object service for each port!
Correct, Point to the private.
https://supportforums.cisco.com/docs/DOC-12690
Remember to rate all of the posts, that is as important as a thanks!!!
09-12-2012 02:58 AM
Hi Julio,
If I want to implement the same port forwarding solution on another site but with ASA version 8.2, will this same ACL and NAT object group principle work?
I will be testing it out this weekend, first on ASA 8.2, then later next week on ASA 8.4.
Thanks.
09-12-2012 04:35 AM
Hi,
Here is the sample config that I plan to use for my ASA version 8.2 RDP port forwarding to inside PCs using ports 3389 - 3408. I will apply it by this weekend and confirm if it all works ok.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
static (inside,outside) tcp 2.2.2.2 3389 10.10.10.21 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3390 10.10.10.22 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3391 10.10.10.23 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3392 10.10.10.24 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3393 10.10.10.25 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3394 10.10.10.26 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3395 10.10.10.27 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3396 10.10.10.28 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3397 10.10.10.29 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3398 10.10.10.30 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3399 10.10.10.31 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3400 10.10.10.32 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3401 10.10.10.33 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3402 10.10.10.34 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3403 10.10.10.35 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3404 10.10.10.36 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3405 10.10.10.37 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3406 10.10.10.38 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3407 10.10.10.39 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3408 10.10.10.40 3389 netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host 2.2.2.2 eq 3389
access-group outside_access_in in interface outside
Thanks
09-12-2012 08:00 AM
Hello Josh,
Sweet. It is perfect. On 8.2 you need to point to the public IP so you are ready to go.
Remember to rate all of the answers.
Julio
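An added example, not from any post in this thread: a small generator that writes out the per-PC objects, twice-NAT lines and ACL for the 8.3+/8.4 syntax discussed above, and the static PAT lines for the 8.2 syntax. It assumes the thread's addresses and ports (2.2.2.2, 10.10.10.x, RDP 3389, mapped ports 2001-2014 and 3389-3408); object names such as obj-tcp2001 are my own convention. The ACL half encodes the ordering difference: the 8.4 ACEs permit the real inside IP and real port, the 8.2 ACEs permit the public IP and each mapped port.

```python
"""Added example (not from the thread): generate the ASA config for forwarding
RDP on one public IP to many inside PCs, in 8.3+/8.4 and pre-8.3 syntax.
Addresses and ports default to the thread's; object names are my choice."""
import ipaddress

ACL = "outside_access_in"
MASK = "netmask 255.255.255.255"

def _hosts(first_host, count):
    """Consecutive inside host IPs starting at first_host."""
    base = ipaddress.ip_address(first_host)
    return [str(base + i) for i in range(count)]

def asa84_config(public_ip, first_host, count, first_port, real_port=3389, src="any"):
    """8.3+ twice NAT: one network object per PC, one service object per port.
    NAT runs before the ACL, so the ACL permits the REAL inside IP and port."""
    hosts = _hosts(first_host, count)
    lines = [f"object network obj-{public_ip}", f" host {public_ip}",
             f"object service obj-tcp{real_port}", f" service tcp source eq {real_port}"]
    for i, h in enumerate(hosts):
        lines += [f"object network obj-{h}", f" host {h}",
                  f"object service obj-tcp{first_port + i}",
                  f" service tcp source eq {first_port + i}"]
    for i, h in enumerate(hosts):
        lines.append(f"nat (inside,outside) source static obj-{h} obj-{public_ip} "
                     f"service obj-tcp{real_port} obj-tcp{first_port + i}")
    for h in hosts:
        # src="any" mirrors the thread; narrowing it to known admin ranges limits exposure
        lines.append(f"access-list {ACL} extended permit tcp {src} host {h} eq {real_port}")
    lines.append(f"access-group {ACL} in interface outside")
    return lines

def asa82_config(public_ip, first_host, count, first_port, real_port=3389, src="any"):
    """Pre-8.3 static PAT. The ACL is checked before un-NAT, so it permits the
    PUBLIC IP and each MAPPED port (one ACE per forwarded host)."""
    lines = []
    for i, h in enumerate(_hosts(first_host, count)):
        lines.append(f"static (inside,outside) tcp {public_ip} {first_port + i} "
                     f"{h} {real_port} {MASK}")
    for i in range(count):
        lines.append(f"access-list {ACL} extended permit tcp {src} host {public_ip} "
                     f"eq {first_port + i}")
    lines.append(f"access-group {ACL} in interface outside")
    return lines

if __name__ == "__main__":
    print("\n".join(asa84_config("2.2.2.2", "10.10.10.2", 14, 2001)))
    print("!")
    print("\n".join(asa82_config("2.2.2.2", "10.10.10.21", 20, 3389)))
```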
09-12-2012 08:04 AM
Thanks Julio,
I really appreciate the help and will confirm by tomorrow and also rate the answer!
09-12-2012 08:07 AM
Sure.