Solved: Re: Static NAT to allow RDP through my firewall

wvdarlington · ‎08-16-2012

Please let me preface this by saying I have not worked deep in networking in years and do not know much about firewalls in general. So please do no assume facts not in evidence.

I have a Cisco ASA 5505 running ASA Ver 8.4 and ASDM Ver 6.4. Firewall mode is set to Routed.

My goal is very simple. I want to allow RDP from the internet to a management server I have setup in my internal network. I know RDP is TCP port 3389. My internal network is a 176.128.1.x network. My external network is on a 42.199.102.2-6 range. The end-client that is initiating the RDP session could be coming in from any IP address on the internet.

I've looked through the GUI to try and determine how to configure this, but for the life of me I can't figure this out. I am looking under Configuration > NAT Rules > +Add This is the screen I get to, I just have no idea what data goes in what fields.

Any and all constructive assistance is appreciated.

Matt

Jennifer Halim · ‎08-17-2012

here is the CLI configuration:

Assuming that the server is: 176.128.1.100, and you woud like to NAT it to 42.199.102.5

object network obj-176.128.1.100

host 176.128.1.100

nat (inside,outside) static 42.199.102.5

Then you would need to add access-list on the outside interface to allow the RDP access. If you already have an existing ACL on the outside, just add to the existing ACL as follows:

access-list permit tcp any object obj-176.128.1.100 eq 3389

If you are sharing the public ip address with other services and servers, then here is the config:

object network obj-176.128.1.100

host 176.128.1.100

nat (inside,outside) static 42.199.102.5 service tcp 3389 3389

Hope that helps.

View solution in original post

Jennifer Halim · ‎08-17-2012

here is the CLI configuration:

Assuming that the server is: 176.128.1.100, and you woud like to NAT it to 42.199.102.5

object network obj-176.128.1.100

host 176.128.1.100

nat (inside,outside) static 42.199.102.5

Then you would need to add access-list on the outside interface to allow the RDP access. If you already have an existing ACL on the outside, just add to the existing ACL as follows:

access-list permit tcp any object obj-176.128.1.100 eq 3389

If you are sharing the public ip address with other services and servers, then here is the config:

object network obj-176.128.1.100

host 176.128.1.100

nat (inside,outside) static 42.199.102.5 service tcp 3389 3389

Hope that helps.

wvdarlington · ‎08-17-2012

Jennifer thanks!

Yes this does help. I have an outside IP (42.199102.5) that is dedicated just for the purpose of letting RDP traffic into a single server (176.128.1.100) on my LAN. As such I went with the last option you provided which seems to specificaly allow 3389 in and out. Does this mean I do not need to create an ACL or do I still need to do that?

So far this ASA is setup only to allow traffic out of my internal network and back in. No VPN, or anything else to this point. My next step was enabling RDP access. So, with that said, as far as I know I have not created an ACL yet. Not sure how I would go about that exactly. I will poke around on the system to try and figure it out, but if you (or anyone else) has any pointers they would be appreciated.

As an FYI...while I may be new to this, the IPs I provided are not my real IP addresses. Don't want anyone worrying that I would provide such info on a public forum. :-)

Matt

Jennifer Halim · ‎08-17-2012

Even if you configure port specific static translation statement, you still need to create the ACL.

If you haven't had anything inbound towards your ASA, most probably you don't have an access-list, so this is how you would apply it:

The actual ACL:

access-list permit tcp any object obj-176.128.1.100 eq 3389

Applying it on outside interface:

access-group in interface outside

wvdarlington · ‎08-19-2012

I tried running the first command as specified and received the following error:

Result of the command: "access-list permit tcp any object obj-176.128.1.100 eq 3389

ERROR: specified object does not exist

Usage:

Extended access list:

NOTE: In looking at the GUI under Network Objects it does in fact look to be created. I am not against deleting what is there and readding via cmd line, but would need direction.

Matt

Jennifer Halim · ‎08-19-2012

Have you configured the actual object yet for the NAT translation?

You would need to configure the object first before applying the object to the access-list.

object network obj-176.128.1.100

host 176.128.1.100

nat (inside,outside) static 42.199.102.5 service tcp 3389 3389

access-list RDPtoMngmt-on-outside permit tcp any object obj-176.128.1.100 eq 3389

cljennings25 · ‎12-06-2018

I have a similar issue but with an extra hop. I have a comcast business modem/router 71.194.1.31 (public) with internal address of 10.1.10.1. My firewall "PIX" outside interface is 10.1.10.3 with all routes going to 10.1.10.1.

interface Ethernet0
description outside interface
nameif outside
security-level 0
ip address 10.1.10.3 255.255.255.0
ospf cost 10

interface Ethernet1
description inside interface
nameif inside
security-level 100
ip address 10.1.1.1 255.255.0.0
ospf cost 10

route outside 0.0.0.0 0.0.0.0 10.1.10.1 1

I am trying to figure our how I can route RDP traffic to a server of 10.1.2.243? So I need the public address "71.194.1.31" to NAT to 10.1.2.243 with out affecting anything else. My PIX does not support PAT, its old.

RDP 3389 - 71.194.1.31 "public" --> 10.1.10.3 "PIX" --> 10.1.2.243 "server"

Thank you.