Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
972
Views
0
Helpful
2
Replies

Static command

dan_track
Level 1
Level 1

‎11-26-2009 02:48 AM - edited ‎03-11-2019 09:43 AM

Hi,

Following on from my previous conversation market "NAT on ASA not working" I've got another question. I've got vpn clients that only need to access rdp to the servers, at least for now. Shoud I run static commands as follows:

static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0

Then have an access-list on the inside interface to only allow access to 3389

or should I run something like:

static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389

What's the best way here? And why wouldn't you use the other option?

Thanks

Dan

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎11-26-2009 04:34 AM 

dan_track wrote:
Hi,
Following on from my previous conversation market "NAT on ASA not working" I've got another question. I've got vpn clients that only need to access rdp to the servers, at least for now. Shoud I run static commands as follows:
static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0
Then have an access-list on the inside interface to only allow access to 3389
or should I run something like:
static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389
What's the best way here? And why wouldn't you use the other option?
Thankse
Dan

Dan

It depends on the existing rules to some extent eg. with the 2nd static command you still need to allow the traffic with an acl unless of course you have a permit ip any any inbound on the dmz interface.

I have always followed the general rule that NAT is not in itself a security tool. So i tend to use port translation when the availability of addresses is limited. If there is no such limitation i tend to use the first type of static in your example.

Others may disagree

Jon

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to Jon Marshall

‎11-26-2009 06:29 AM

Dan,

State PAT is used when you only have one public IP address and you have many services (IPs) hosted on the inside that listen on diff. ports.

What you are doing is identity translation so, you can just do 1-1 NAT. Which is your first option.

Now,

Think about this. Does this RDC server ever initiate traffic to the DMZ? If so, what translation do you give it? Because when you restrict it to tcp port 3389 it will not allow the server to source traffic as the source port may be any high port. Unless you have some other nat/global configured.

This is the reason I had suggested to add the response traffic in the nat 0 acl in my response to your previous thread.

I hope I am not confusing you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card