08-16-2012 01:49 PM - edited 03-11-2019 04:43 PM
Please let me preface this by saying I have not worked deep in networking in years and do not know much about firewalls in general. So please do not assume facts not in evidence.
I have a Cisco ASA 5505 running ASA Ver 8.4 and ASDM Ver 6.4. Firewall mode is set to Routed.
My goal is very simple. I want to allow RDP from the internet to a management server I have set up in my internal network. I know RDP is TCP port 3389. My internal network is a 176.128.1.x network. My external network is on a 42.199.102.2-6 range. The end-client that is initiating the RDP session could be coming in from any IP address on the internet.
I've looked through the GUI to try and determine how to configure this, but for the life of me I can't figure this out. I am looking under Configuration > NAT Rules > +Add. This is the screen I get to; I just have no idea what data goes in what fields.
Any and all constructive assistance is appreciated.
Matt
08-17-2012 12:35 AM
here is the CLI configuration:
Assuming that the server is 176.128.1.100, and you would like to NAT it to 42.199.102.5:
object network obj-176.128.1.100
host 176.128.1.100
nat (inside,outside) static 42.199.102.5
Then you would need to add an access-list on the outside interface to allow the RDP access. If you already have an existing ACL on the outside, just add to the existing ACL as follows:
access-list
If you are sharing the public ip address with other services and servers, then here is the config:
object network obj-176.128.1.100
host 176.128.1.100
nat (inside,outside) static 42.199.102.5 service tcp 3389 3389
Hope that helps.
08-17-2012 01:36 PM
Jennifer thanks!
Yes this does help. I have an outside IP (42.199.102.5) that is dedicated just for the purpose of letting RDP traffic into a single server (176.128.1.100) on my LAN. As such I went with the last option you provided, which seems to specifically allow 3389 in and out. Does this mean I do not need to create an ACL, or do I still need to do that?
So far this ASA is set up only to allow traffic out of my internal network and back in. No VPN, or anything else to this point. My next step was enabling RDP access. So, with that said, as far as I know I have not created an ACL yet. Not sure how I would go about that exactly. I will poke around on the system to try and figure it out, but if you (or anyone else) has any pointers they would be appreciated.
As an FYI...while I may be new to this, the IPs I provided are not my real IP addresses. Don't want anyone worrying that I would provide such info on a public forum. :-)
Matt
08-17-2012 04:08 PM
Even if you configure a port-specific static translation statement, you still need to create the ACL.
If you haven't had anything inbound towards your ASA, most probably you don't have an access-list, so this is how you would apply it:
The actual ACL:
access-list
Applying it on outside interface:
access-group
08-19-2012 07:46 AM
I tried running the first command as specified and received the following error:
Result of the command: "access-list
ERROR: specified object
Usage:
Extended access list:
NOTE: In looking at the GUI under Network Objects it does in fact look to be created. I am not against deleting what is there and readding via cmd line, but would need direction.
Matt
08-19-2012 07:08 PM
Have you configured the actual object yet for the NAT translation?
You would need to configure the object first before applying the object to the access-list.
object network obj-176.128.1.100
host 176.128.1.100
nat (inside,outside) static 42.199.102.5 service tcp 3389 3389
access-list RDPtoMngmt-on-outside permit tcp any object obj-176.128.1.100 eq 3389
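The two points this thread turns on are that the network object must exist before an access-list line can reference it (otherwise the ASA rejects the line with the "ERROR: specified object" message seen above) and that a NAT statement alone never permits inbound traffic; the ACL also has to be bound to the outside interface with access-group. The following Python is an added example, not part of the thread or of Cisco's tooling. It generates the object-NAT plus ACL lines in the order the answers give them (using the thread's addresses, port and ACL name) and then lints a config in ASA parse order to catch the ordering mistake, a forgotten access-group, and, as a caveat for the defender, an RDP rule open to any source. The access-group syntax and the regexes are assumptions based on the ASA 8.4 CLI, not taken from the page.

```python
import re

def build_rdp_nat_config(server_ip, public_ip, port=3389,
                         acl_name="RDPtoMngmt-on-outside",
                         inside="inside", outside="outside"):
    """Return the ASA 8.4 object-NAT, ACL and access-group lines, in the
    order the ASA needs them: object first, then the ACL that names it,
    then the binding of the ACL to the outside interface."""
    obj = f"obj-{server_ip}"
    return [
        f"object network {obj}",
        f" host {server_ip}",
        f" nat ({inside},{outside}) static {public_ip} service tcp {port} {port}",
        # Post-8.3 ACLs match the real (inside) address, hence 'object obj-...'
        f"access-list {acl_name} permit tcp any object {obj} eq {port}",
        # Assumed access-group syntax: binds the ACL inbound on the outside interface
        f"access-group {acl_name} in interface {outside}",
    ]

# Regexes are an approximation of the ASA grammar for exactly these line shapes.
OBJ_RE = re.compile(r"^object network (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit (\S+) (.+?) object (\S+) eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def lint_rdp_config(lines):
    """Walk the config top to bottom, as the ASA parser does, and report:
    - an access-list that names an object not yet defined
      (the 'ERROR: specified object' failure from the thread)
    - an ACL that is defined but never bound with access-group
      (NAT by itself does not permit the inbound session)
    - an ACL that permits the port from 'any' source (informational)
    Returns a list of finding strings; an empty list means nothing flagged."""
    findings = []
    objects_defined = set()
    acls_defined = set()
    acls_applied = set()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            objects_defined.add(m.group(1))
            continue
        m = ACL_RE.match(line)
        if m:
            acl, proto, src, obj, port = m.groups()
            acls_defined.add(acl)
            if obj not in objects_defined:
                findings.append(
                    f"line {n}: access-list {acl} references object {obj} "
                    f"before it is defined")
            if src == "any":
                findings.append(
                    f"line {n}: access-list {acl} allows {proto}/{port} from any source")
            continue
        m = GROUP_RE.match(line)
        if m:
            acls_applied.add(m.group(1))
    for acl in sorted(acls_defined - acls_applied):
        findings.append(f"access-list {acl} is defined but not applied with access-group")
    return findings

if __name__ == "__main__":
    good = build_rdp_nat_config("176.128.1.100", "42.199.102.5")
    print("\n".join(good))
    print("findings (correct order):", lint_rdp_config(good))
    # Constructed reproduction of the thread's mistake: ACL entered before the object,
    # and no access-group yet.
    bad = [good[3]] + good[:3]
    print("findings (ACL before object):", lint_rdp_config(bad))
```

Run as a script it prints the five config lines followed by the findings for the correct ordering (only the "from any source" note) and for the out-of-order variant (object-not-defined plus the missing access-group).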
12-06-2018 02:58 PM
I have a similar issue but with an extra hop. I have a comcast business modem/router 71.194.1.31 (public) with internal address of 10.1.10.1. My firewall "PIX" outside interface is 10.1.10.3 with all routes going to 10.1.10.1.
interface Ethernet0
description outside interface
nameif outside
security-level 0
ip address 10.1.10.3 255.255.255.0
ospf cost 10
interface Ethernet1
description inside interface
nameif inside
security-level 100
ip address 10.1.1.1 255.255.0.0
ospf cost 10
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
I am trying to figure out how I can route RDP traffic to a server at 10.1.2.243. So I need the public address "71.194.1.31" to NAT to 10.1.2.243 without affecting anything else. My PIX does not support PAT, it's old.
RDP 3389 - 71.194.1.31 "public" --> 10.1.10.3 "PIX" --> 10.1.2.243 "server"
Thank you.