Help needed for setting up PAT on Cisco 5505

AbemanUK1
Level 1

Hi all,

I have a requirement to set up PAT from the outside, through my Cisco 5505 firewall, to separate machines on the inside.

Here is the scenario:

We have an external IP address, let's call it 81.17.xx.xx (where xx is always the same number, but hidden for security).

Internally, we have a range of VMs as follows: 172.16.1.1 - 172.16.1.254

We wish to be able to do the following:

81.17.xx.xx:2001 maps to 172.16.1.1:3389

81.17.xx.xx:2002 maps to 172.16.1.2:3389

81.17.xx.xx:2003 maps to 172.16.1.3:3389

Basically, all the servers internally are RDP servers, and we wish to use PAT to limit the number of routable addresses used over NAT.

In the future, we will bind a FQDN to our IP address for ease of use.

I also wish to set this up within the ASDM console.

I have been looking at doing the following:

Creating the IP range in the network objects section, under IP range.

Binding that range to the outside interface of the Cisco firewall.

I'm not sure how to get the same address, albeit with a different port, to map explicitly to a separate IP address in the range.

What I mean is that 81.17.xx.xx:2001 HAS to map to 172.16.1.1:3389

and 81.17.xx.xx:2002 HAS to map to 172.16.1.2:3389

Any help would be greatly appreciated.

Thanks

Matthew

2 Replies

JohnTylerPearce
Level 7

This depends on if you're using pre 8.3 code or 8.3+ code.

To do this on 8.2 code, you will need to do the following.

static (inside,outside) tcp 81.17.xx.xx 2001 172.16.1.1 3389 netmask 255.255.255.255

static (inside,outside) tcp 81.17.xx.xx 2002 172.16.1.2 3389 netmask 255.255.255.255

static (inside,outside) tcp 81.17.xx.xx 2003 172.16.1.3 3389 netmask 255.255.255.255

To do this on 8.3 code, you will need to do the following.

! one network object per inside host; "service tcp <real_port> <mapped_port>"
! lists the host's real port (3389) first and the outside port second
object network obj-172.16.1.1
 host 172.16.1.1
 nat (inside,outside) static interface service tcp 3389 2001

object network obj-172.16.1.2
 host 172.16.1.2
 nat (inside,outside) static interface service tcp 3389 2002

object network obj-172.16.1.3
 host 172.16.1.3
 nat (inside,outside) static interface service tcp 3389 2003

Obviously change the interface names if need be.

Also, be sure to configure the appropriate ACL rules to allow traffic in. This will also depend on the version of code you are using.

If you are using 8.2 or lower, then you will need to specify the external IP in the ACL rule; if you're using 8.3 or above, you will need to specify the private (untranslated) IP address in the ACL rule.
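The reply above writes out three rules by hand; the question actually needs one per host in 172.16.1.1 - 172.16.1.254. The script below is an added example, not part of the thread and not Cisco's own tooling: it generates the static PAT rules for the whole range (outside port 2000 + last octet maps to inside port 3389) in both pre-8.3 and 8.3+ syntax, emits the matching inbound ACL entries, and makes the version difference explicit in code: the pre-8.3 ACL matches the mapped address and port, the 8.3+ ACL matches the real address and real port. It also refuses duplicate mapped ports or duplicate real hosts, the usual copy-paste slip in configs like this. The interface names `inside`/`outside`, the ACL name `outside_access_in` and the redacted `81.17.xx.xx` placeholder are assumptions.

```python
"""Generate Cisco ASA static PAT (port-forward) configuration for a block of
inside hosts, in pre-8.3 and 8.3+ syntax.  Added example, not from the thread."""
from ipaddress import IPv4Address
from typing import List, Tuple

EXTERNAL_IP = "81.17.xx.xx"      # redacted outside address from the question (placeholder)
REAL_PORT = 3389                 # RDP on every inside host
ACL_NAME = "outside_access_in"   # assumed ACL name
REAL_IFC, MAPPED_IFC = "inside", "outside"   # assumed interface names


def build_mappings(first_host: str, count: int, base_port: int = 2000) -> List[Tuple[int, str]]:
    """Return (mapped_port, real_ip) pairs: 172.16.1.1 -> 2001, 172.16.1.2 -> 2002, ...
    The outside port is base_port plus the host's last octet, the scheme the question asks for."""
    start = IPv4Address(first_host)
    mappings = []
    for i in range(count):
        ip = start + i
        mappings.append((base_port + (int(ip) & 0xFF), str(ip)))
    return mappings


def check_mappings(mappings: List[Tuple[int, str]]) -> None:
    """Reject a mapping set the ASA cannot apply consistently: two rules cannot
    share one mapped port on the same outside address, and two rules pointing
    at the same real host are almost always a copy-paste error."""
    ports = [p for p, _ in mappings]
    hosts = [h for _, h in mappings]
    if len(set(ports)) != len(ports):
        raise ValueError("duplicate mapped port in mapping set")
    if len(set(hosts)) != len(hosts):
        raise ValueError("duplicate real host in mapping set")
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"mapped port {port} out of range")


def config_pre83(mappings: List[Tuple[int, str]], trusted_src: str = "any") -> List[str]:
    """Pre-8.3 syntax: 'static' rules, ACL written against the MAPPED (outside) IP and port."""
    check_mappings(mappings)
    lines = []
    for port, host in mappings:
        lines.append(f"static ({REAL_IFC},{MAPPED_IFC}) tcp {EXTERNAL_IP} {port} "
                     f"{host} {REAL_PORT} netmask 255.255.255.255")
    for port, _ in mappings:
        # pre-8.3: the ACL is evaluated before un-NAT, so it sees the outside address/port
        lines.append(f"access-list {ACL_NAME} extended permit tcp {trusted_src} "
                     f"host {EXTERNAL_IP} eq {port}")
    lines.append(f"access-group {ACL_NAME} in interface {MAPPED_IFC}")
    return lines


def config_83plus(mappings: List[Tuple[int, str]], trusted_src: str = "any") -> List[str]:
    """8.3+ syntax: object NAT, ACL written against the REAL (untranslated) IP and real port."""
    check_mappings(mappings)
    lines = []
    for port, host in mappings:
        lines += [
            f"object network obj-{host}",
            f" host {host}",
            # service tcp <real_port> <mapped_port>: real port first, outside port second
            f" nat ({REAL_IFC},{MAPPED_IFC}) static interface service tcp {REAL_PORT} {port}",
        ]
    for _, host in mappings:
        # 8.3+: the ACL is evaluated after un-NAT, so it sees the inside address/port
        lines.append(f"access-list {ACL_NAME} extended permit tcp {trusted_src} "
                     f"host {host} eq {REAL_PORT}")
    lines.append(f"access-group {ACL_NAME} in interface {MAPPED_IFC}")
    return lines


if __name__ == "__main__":
    hosts = build_mappings("172.16.1.1", 254)   # the full 172.16.1.1 - .254 range
    print("! ---- pre-8.3 ----")
    print("\n".join(config_pre83(hosts)))
    print("! ---- 8.3+ ----")
    print("\n".join(config_83plus(hosts)))
```

`trusted_src` defaults to `any`, which is what the reply describes; passing a management network object or range instead limits which sources can reach the forwarded RDP ports, and the generated lines otherwise stay identical.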
