cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1109
Views
0
Helpful
4
Replies

Forward RDP to 2 different internal IP's

Ryan Palmer
Level 1
Level 1

Right now the ASA 5505 is setup to let through 3389/RDP to 192.168.1.4.  I'm going to setup another computer to be a terminal server of sorts and would like to be able to use RDP to connect to this machine as well.  Can this be accomplished by adding a new network object with the IP of the terminal server machine and by adding a new static NAT with PAT to forward 3389 to the port of my choosing on the terminal server?  I'm doing this all via the ASDM.  I'm not familiar with the console.  Any help is greatly appreciated.

2 Accepted Solutions

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

Ryan

If I am understanding correctly you have configured your 5505 with a static translation so that packets coming to the public address for destination port 3389 are forwarded to 192.168.1.4. And now you want the 5505 to also forward RDP to another inside/private address. It is not possible to have two translations that would forward the incoming RDP packet to 2 different inside hosts. There are a couple of ways in which you might get this to work:

- if you have a second public address available you could configure another translation so that RDP to the second address was forwarded to the second inside host.

- if you could get them to send the RDP traffic to a different destination port then you could configure a second translation using the public interface address, and forward the alternate destination port number to the second inside host on port 3389.

HTH

Rick

HTH

Rick

View solution in original post

Ryan

I am glad that you got it going and are using a solution very close to what I had suggested. Thank you for posting back to the thread indicating that you have it working and how you got it working. Now that this is the case perhaps you can mark the question as resolved. This would signal to other readers that they would find a working solution here.

HTH

Rick

HTH

Rick

View solution in original post

4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

Ryan

If I am understanding correctly you have configured your 5505 with a static translation so that packets coming to the public address for destination port 3389 are forwarded to 192.168.1.4. And now you want the 5505 to also forward RDP to another inside/private address. It is not possible to have two translations that would forward the incoming RDP packet to 2 different inside hosts. There are a couple of ways in which you might get this to work:

- if you have a second public address available you could configure another translation so that RDP to the second address was forwarded to the second inside host.

- if you could get them to send the RDP traffic to a different destination port then you could configure a second translation using the public interface address, and forward the alternate destination port number to the second inside host on port 3389.

HTH

Rick

HTH

Rick

Thank you for your reply.  I was able to get it working.  I already had 3389 in my access list and a static nat with pat to an internal IP.  I created another rule for 3390 and added a static nat with pat to the other internal IP using port 3390.  Then the PC that will be accessed via RDP on 3390 I edited the registry to accept RDP on that port and added that port as an exception in the firewall.  So, when I want to connect to the PC using 3390 i use the external IP as such x.x.x.x:3390 and it is working great.

Ryan

I am glad that you got it going and are using a solution very close to what I had suggested. Thank you for posting back to the thread indicating that you have it working and how you got it working. Now that this is the case perhaps you can mark the question as resolved. This would signal to other readers that they would find a working solution here.

HTH

Rick

HTH

Rick

llamaw0rksE
Level 1
Level 1

I would like to bite on that suggestioni assuming 8.4 firmware or later and a single static WANIP.........

NAT RULES (embedded in network object rules).

object network NAT4RDP1-PC nat (main-lan,outside) static interface service tcp 3389 3389 

object network NAT4RDP2-SecondPC nat (main-lan,outside) static interface service tcp 3389 3390 

ACL RULE - RDP-FWrule

ACE's

(1) access-list RDP-FWrule extended permit object-group RDP-PortGroup interface outside object-group RDP-PCs

(2) access-list RDP-FWrule extended permit object RDP1 object-group authorized-usergroup1 object first-PC

(3) access-list RDP-FWrule extended permit object RDP2 object-group authorized-usergroup2 object second-PC 

network object RDP-PCs consists of:

-object first-PC is 192.168.1.4

-object second-PC is 192.168.1.x 

network object RDP-PortGroup consists of:  

object RDP1 is service tcp port 3389

object RDP2 is service tcp port 3390 

authorized usergroups 1, 2  could be an object group or simply object depending on which users are to be permitted....... 

Since, ACL is executed first, one has to make a rule that includes both 3389 and 3390 hitting the outside interface.  After passing thru ACL, they hit the NAT rules.  I think this is right??