07-16-2013 01:32 PM - edited 03-07-2019 02:26 PM
Hello Fellow Cisco Professionals,
I am looking to grant public access to a private RDP server via RD Gateway. Now I have set up the front end of this server but am having difficulties in deciding what I should do about the backend access. I have an 891 Cisco router that is part of a router-on-a-stick configuration. Right now it is using NAT overloading from the inside to the outside. Alongside a static default route, we are able to gain access to the public world.
Here is the configuration for this:
end
Now, is the best way to do this using an access list? Or a new NAT command with a preference of my external address being translated to my internal private IP? Or a combination of both?
If I add a new NAT preference pointing my external address to my internal server address, would that compromise the functionality of my network?
Any insight would be appreciated on this.
Thanks,
Eddie
07-16-2013 02:00 PM
Hey Eddie, remove your public IP and passwords. You may want to change your password at this point.
07-16-2013 02:47 PM
These are old configs with old IP addresses, nothing to worry about.
07-16-2013 02:02 PM
A static NAT should work fine and if you know the public IP of the sources that are trying to connect then you can restrict it, otherwise a VPN might be better if your router supports it.
07-16-2013 02:46 PM
What if I want to reuse my public IP address that is assigned to my outside interface? Is that possible or do I need to purchase a second IP address?
07-16-2013 02:55 PM
Yes it will still work with your existing IP address, you will just need to do a static PAT.
07-22-2013 08:49 AM
OK, so I have set up the static NAT to route all incoming traffic on ports 443, 80, and 3389 to my inside private address.
I have also opened up ports 443, 80, and 3389 via access list 101. I have applied 101 to my outside interface heading in the inbound direction. I have also enabled CBAC on all interfaces to inspect both inbound and outbound. I am still unable to get to my RDWEB page hosted by my rdconnection server.
This is my current configuration:
service timestamps log datetime msec
service password-encryption
!
hostname ROLIAJ01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 avq1sKoPiePO9fyYwxoCGtXKX9/uitvC9ih8omI4b1.
!
no aaa new-model
!
clock timezone utc 2 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip inspect name GMRA tcp router-traffic
ip inspect name GMRA udp router-traffic
ip inspect name GMRA icmp router-traffic
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FGL161920AW
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description External Interface
ip address 81.x.x.x 255.255.255.252
ip access-group 101 in
ip nat outside
ip inspect GMRA in
ip inspect GMRA out
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Internal Interface
no ip address
ip nat inside
ip inspect GMRA in
ip inspect GMRA out
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.20
description Vlan20 Trunk
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
ip address 10.10.10.1 255.255.255.128
!
interface GigabitEthernet0/1.99
description Vlan99 Trunk
encapsulation dot1Q 99
ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool GMRA 81.x.x.x 81.x.x.x prefix-length 30
ip nat source static tcp 192.168.20.37 80 81.x.x.x 80 extendable
ip nat source static tcp 192.168.20.37 443 81.x.x.x 443 extendable
ip nat source static udp 192.168.20.37 3389 81.x.x.x 3389 extendable
ip nat inside source list 7 pool GMRA overload
ip nat inside source static tcp 192.168.20.37 3389 81.x.x.x 3389 extendable
ip route 0.0.0.0 0.0.0.0 81.x.x.x
!
access-list 7 permit 192.168.20.0 0.0.0.255
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
!
!
Now I am positive I have done everything properly on the server side. I did a "Shields Up!" test on my external IP address, and even with my access list applied to the outside interface pointing in, "Shields Up!" is reporting ports 443 and 80 both as closed.
If anyone sees anything wrong in my configs, can you please highlight it.
Thanks,
Eddie
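As an added check (my own script, not from the thread or from Cisco), this cross-references the NAT and ACL lines of the posted config: on IOS, `ip nat source static` without the `inside` keyword is the NAT Virtual Interface form, which only translates on interfaces carrying `ip nat enable`, so with `ip nat inside`/`ip nat outside` on the interfaces those three entries never apply. It assumes the lines below are copied from the config above with the public IP left redacted as 81.x.x.x.

```python
import re
from typing import Dict, List, Set, Tuple

# Relevant lines copied from the running-config posted above; the public IP is
# left redacted as 81.x.x.x exactly as on the page (constructed test input).
CONFIG = """
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1.20
 ip nat inside
ip nat source static tcp 192.168.20.37 80 81.x.x.x 80 extendable
ip nat source static tcp 192.168.20.37 443 81.x.x.x 443 extendable
ip nat source static udp 192.168.20.37 3389 81.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.20.37 3389 81.x.x.x 3389 extendable
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
"""

# "ip nat inside source static" is the domain-based (inside/outside) form; the
# keyword-less "ip nat source static" is the NVI form (needs "ip nat enable").
NAT_RE = re.compile(r"^ip nat (inside |outside )?source static (tcp|udp) \S+ \d+ \S+ (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) \S+ \S+ eq (\S+)")
PORT_NAMES = {"www": 80, "https": 443}  # names IOS prints instead of numbers


def audit_static_pat(config: str, acl: str) -> Dict[str, List[Tuple[str, int]]]:
    """List static PAT entries written for the wrong NAT mode ('ignored') and
    ACL-permitted (proto, port) pairs with no effective translation ('missing')."""
    lines = [ln.strip() for ln in config.splitlines()]
    domain_based = any(ln in ("ip nat inside", "ip nat outside") for ln in lines)
    effective: Set[Tuple[str, int]] = set()
    ignored: List[Tuple[str, int]] = []
    for m in filter(None, map(NAT_RE.match, lines)):
        entry = (m.group(2), int(m.group(3)))
        if (m.group(1) is not None) == domain_based:  # form matches interface mode
            effective.add(entry)
        else:
            ignored.append(entry)
    permitted = [(m.group(2), PORT_NAMES.get(m.group(3)) or int(m.group(3)))
                 for m in map(ACL_RE.match, lines) if m and m.group(1) == acl]
    missing = [p for p in permitted if p not in effective]
    return {"ignored": ignored, "missing": missing}


if __name__ == "__main__":
    report = audit_static_pat(CONFIG, "101")
    print("static NAT lines in the wrong form:", report["ignored"])
    print("permitted ports with no working static PAT:", report["missing"])
```

Run against the posted lines it reports the three NVI-form entries as ignored and TCP 443 and 80 as permitted by ACL 101 but untranslated, which matches the closed ports seen in the Shields Up! scan.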