10-28-2013 04:17 AM - edited 03-04-2019 09:25 PM
Hi all,
I have a requirement to set up PAT from the outside, through my Cisco 5505 firewall, to separate machines on the inside.
Here is the scenario:
We have an external IP address, let's call it 81.17.xx.xx (where xx is always the same number, but hidden for security).
Internally, we have a range of VMs as follows: 172.16.1.1 - 172.16.1.254
We wish to be able to do the following:
81.17.xx.xx:2001 maps to 172.16.1.1:3389
81.17.xx.xx:2002 maps to 172.16.1.2:3389
81.17.xx.xx:2003 maps to 172.16.1.3:3389
Basically, all the servers internally are RDP servers, and we wish to use PAT to limit the number of routable addresses used over NAT.
In the future, we will bind a FQDN to our IP address for ease of use.
I also wish to set this up within the ASDM console.
I have been looking at doing the following:
Creating the IP range in the network objects section, under IP range.
Binding that range to the outside interface of the Cisco firewall.
I'm not sure how to get the same address, albeit with a different port, to map explicitly to a separate IP address in the range.
What I mean is that 81.17.xx.xx:2001 HAS to map to 172.16.1.1:3389
and 81.17.xx.xx:2002 HAS to map to 172.16.1.2:3389
Any help would be greatly appreciated.
Thanks
Matthew
10-28-2013 05:39 AM
This depends on whether you're using pre-8.3 code or 8.3+ code.
To do this on 8.2 code, you will need to do the following:
static (inside,outside) tcp 81.17.xx.xx 2001 172.16.1.1 3389 netmask 255.255.255.255
static (inside,outside) tcp 81.17.xx.xx 2002 172.16.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 81.17.xx.xx 2003 172.16.1.3 3389 netmask 255.255.255.255
To do this on 8.3 code, you will need to do the following:
! one network object per inside host; the service keyword takes the real port first, then the mapped port on the outside interface
object network obj-172.16.1.1
 host 172.16.1.1
 nat (inside,outside) static interface service tcp 3389 2001
object network obj-172.16.1.2
 host 172.16.1.2
 nat (inside,outside) static interface service tcp 3389 2002
object network obj-172.16.1.3
 host 172.16.1.3
 nat (inside,outside) static interface service tcp 3389 2003
Obviously change the interface names if need be.
10-28-2013 06:23 AM
Also, be sure to configure the appropriate ACL rules to allow traffic in. This will also depend on the version of code you are using.
If you are using 8.2 or lower, you will need to specify the external IP in the ACL rule. If you're using 8.3 or above, you will need to specify the private, aka untranslated, IP address in the ACL rule.
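As an added example (not from the original posts), here is the inbound ACL the reply above refers to, written both ways: the 8.3+ form matching the real (untranslated) address and port, and the 8.2 form matching the mapped (public) address and port. The ACL and object names, and the 203.0.113.0/24 source network standing in for the addresses that actually need RDP access, are assumptions; 81.17.xx.xx stays masked as in the thread.

```cisco
! ---- ASA 8.3 and later: the ACL is evaluated against the REAL address and port ----
! Assumes the object NAT from the reply above is already in place, e.g. obj-172.16.1.1
! with "nat (inside,outside) static interface service tcp 3389 2001".
! Constructed source network: replace with the networks that really need RDP access.
object network MGMT-SRC
 subnet 203.0.113.0 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp object MGMT-SRC host 172.16.1.1 eq 3389
access-list OUTSIDE_IN extended permit tcp object MGMT-SRC host 172.16.1.2 eq 3389
access-list OUTSIDE_IN extended permit tcp object MGMT-SRC host 172.16.1.3 eq 3389
access-group OUTSIDE_IN in interface outside
!
! ---- ASA 8.2 and earlier: the ACL is evaluated against the MAPPED address and port ----
! (no "object network" on this code train, so the source is written as a plain subnet)
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 81.17.xx.xx eq 2001
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 81.17.xx.xx eq 2002
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 81.17.xx.xx eq 2003
access-group OUTSIDE_IN in interface outside
!
! Checks: trace one inbound RDP connection end to end (it should show the NAT hit and
! the matching ACL line), then confirm the translation and hit counters.
!   packet-tracer input outside tcp 203.0.113.10 40000 81.17.xx.xx 2001
!   show nat detail
!   show access-list OUTSIDE_IN
```

Scoping the source to known management addresses instead of `any` keeps the RDP listeners off the open Internet, and the `show access-list` hit counts tell you whether anything outside that scope is being dropped.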