Multiple NAT statements which direct to unique IP's, depending on source?

Unanswered Question
Oct 25th, 2007

I need to create two NAT statements and allow RDP connectivity.

One user needs to RDP to a particular computer inside the network (.114), and another user needs to RDP to a different computer (.177). Each user will be RDP'ing from their home locations.

How can I create NAT statements to automatically re-direct, depending on source IP? Both are on their own private networks, so I'm guessing overloading is required.

i.e.:

User1 was already able to RDP:

access-list ACL1 extended permit tcp host USER1_EXT_IP host 192.168.201.114 object-group RDPGroup

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255

Now I need to add the new user, who wants to RDP to a different IP:

access-list ACL2 extended permit tcp host USER2_EXT_IP host 192.168.201.177 object-group RDPGroup

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255

Obviously, this wouldn't work, because the two NAT statements would clash. What alternatives do I have? (VPN isn't an option)

acomiskey Thu, 10/25/2007 - 16:16

I'm confused how your ACLs work as is... shouldn't it be...

access-list ACL1 extended permit tcp host USER1_EXT_IP interface outside object-group RDPGroup

Anyway, you won't be able to achieve what you want with the pix/asa. One option would be to change the port that the rdp server listens on, on the second computer.

http://support.microsoft.com/kb/306759

In that case then you could do...

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255

static (Internal-201,ELI-External) tcp interface xxxx 192.168.201.177 xxxx netmask 255.255.255.255

tylerlucas Fri, 10/26/2007 - 08:01

Thanks for the reply, and yes, I made a typo on my ACL.

Would this be possible if I had two different external IPs? That way, each person could connect to a different IP and be routed properly...

I'm experimenting with it, but for some reason, the following doesn't work:

access-list ELI-External_access_in extended permit tcp host MY_EXT_IP host THEIR_EXT_IP#1 eq 3389

static (Internal-201,ELI-External) tcp THEIR_EXT_IP#1 3389 192.168.201.114 3389 netmask 255.255.255.255

acomiskey Fri, 10/26/2007 - 08:15

"Would this be possible if I had two different external IPs?"

-Yes. That would be the easy solution. You could then have...

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255

static (Internal-201,ELI-External) tcp THEIR_EXT_IP#1 3389 192.168.201.114 3389 netmask 255.255.255.255

access-list ACL1 extended permit tcp host USER1_EXT_IP interface outside object-group RDPGroup

access-list ACL1 extended permit tcp host USER1_EXT_IP host THEIR_EXT_IP#1 object-group RDPGroup

tylerlucas Fri, 10/26/2007 - 08:23

Thanks for the fast replies.

I'm a little confused. The first NAT uses overloading with 'interface'... I guess I don't understand why you need that, if you already have another static NAT below it...

Same thing for the ACLs... you have a static ACL from me to them, but you also have one from me to the outside interface... aren't those doing the exact same thing?

Thanks in advance, this is really helping.

acomiskey Fri, 10/26/2007 - 08:32

Tyler,

I was under the impression from your post that you wanted to remote desktop to 2 different machines from the outside. You initially were attempting to rdp to both using 1 ip address (the outside interface address), which won't work. You then said you had another public ip you could use. So the first static will allow you to rdp to .177 and the other static will allow you to rdp to .114. Do I have this right?

tylerlucas Fri, 10/26/2007 - 08:41

Yes, you have the situation right.

There is one main location, where two users need to RDP into. At this location, they each need to RDP into a unique host (not the same one). One is .177, and the other is .114.

Both users will RDP from their individual home locations.

The location they are trying to RDP INTO has more than one external IP.

Assuming that I have the RDP port open properly for both users via ACLs, why won't this work?

User1 would connect to EXT_IP#1:

static (Internal-201,ELI-External) tcp HQ_EXT_IP#1 3389 192.168.201.177 3389 netmask 255.255.255.255

User2 would connect to EXT_IP#2:

static (Internal-201,ELI-External) tcp HQ_EXT_IP#2 3389 192.168.201.114 3389 netmask 255.255.255.255

Thanks again :)

acomiskey Fri, 10/26/2007 - 09:18

If you have the acl's right it should work.

access-list ACL1 extended permit tcp host USER1_EXT_IP host HQ_EXT_IP#1 eq 3389

access-list ACL1 extended permit tcp host USER2_EXT_IP host HQ_EXT_IP#2 eq 3389

tylerlucas Fri, 10/26/2007 - 09:20

Yeah, very strange.

The ACLs seem to be doing fine; the problem is with NAT.

This works:

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255

This doesn't:

static (Internal-201,ELI-External) tcp HQ_EXT_IP 3389 192.168.201.177 3389 netmask 255.255.255.255

acomiskey Fri, 10/26/2007 - 09:23

And "interface" and "HQ_EXT_IP" are different ip addresses right?

tylerlucas Fri, 10/26/2007 - 09:27

No... :)

So for HQ_EXT_IP I need to use a different external IP, other than the one assigned to the interface?

acomiskey Fri, 10/26/2007 - 09:38

Ah, we've finally hit on something here.

Yes. You need two different ip addresses. You can use the one assigned to the interface, and one other.

tylerlucas Fri, 10/26/2007 - 09:48

What is the benefit of using the word 'interface' in a NAT translation, rather than just typing the IP?

acomiskey Fri, 10/26/2007 - 09:54

You have to do that when the IP is the IP of the interface. There is no benefit, that's just the syntax.
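As an added check (not from the thread and not Cisco code), this Python script parses the PIX/ASA 7.x static PAT lines used above and reports when two statics claim the same mapped IP:port on the same interface, which is why the original pair clashed and why HQ_EXT_IP has to differ from the address assigned to the interface. The interface and second public addresses are constructed placeholders from documentation space.

```python
import re
from collections import defaultdict

# PIX/ASA 7.x static PAT form used throughout the thread:
# static (real_if,mapped_if) {tcp|udp} {mapped_ip|interface} mapped_port real_ip real_port netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\d+)"
    r"\s+netmask\s+(?P<mask>\S+)\s*$"
)

# Constructed addresses (RFC 5737 documentation space), not taken from the thread.
IFACE_IPS = {"ELI-External": "203.0.113.10"}
SECOND_IP = "203.0.113.11"

def parse_static(line):
    """Return the fields of one static PAT line, or raise on anything else."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a static PAT line: {line!r}")
    return m.groupdict()

def find_clashes(lines, iface_ips):
    """Map each mapped (interface, IP, proto, port) socket to the real hosts behind it.
    The 'interface' keyword is resolved to the interface address, so a literal copy of
    that address is detected as the same socket. Returns only sockets claimed twice."""
    owners = defaultdict(list)
    for line in lines:
        s = parse_static(line)
        ip = iface_ips[s["mapped_if"]] if s["mapped_ip"] == "interface" else s["mapped_ip"]
        sock = (s["mapped_if"], ip, s["proto"], s["mapped_port"])
        owners[sock].append((s["real_ip"], s["real_port"]))
    return {sock: hosts for sock, hosts in owners.items() if len(hosts) > 1}

def static_line(mapped_ip, mapped_port, real_ip, real_port=3389):
    return (f"static (Internal-201,ELI-External) tcp {mapped_ip} {mapped_port} "
            f"{real_ip} {real_port} netmask 255.255.255.255")

# The original question: both hosts behind interface:3389 -> one clash.
CLASHING = [static_line("interface", 3389, "192.168.201.114"),
            static_line("interface", 3389, "192.168.201.177")]
# The same clash hidden behind the literal interface address (Tyler's HQ_EXT_IP case).
HIDDEN_CLASH = [static_line("interface", 3389, "192.168.201.177"),
                static_line(IFACE_IPS["ELI-External"], 3389, "192.168.201.114")]
# Fix 1: second host listens on, and is mapped to, a different port.
PORT_FIX = [static_line("interface", 3389, "192.168.201.114"),
            static_line("interface", 3390, "192.168.201.177", 3390)]
# Fix 2: second host gets its own public address.
IP_FIX = [static_line("interface", 3389, "192.168.201.177"),
          static_line(SECOND_IP, 3389, "192.168.201.114")]

if __name__ == "__main__":
    for name, cfg in [("clashing", CLASHING), ("hidden", HIDDEN_CLASH),
                      ("port fix", PORT_FIX), ("ip fix", IP_FIX)]:
        print(name, find_clashes(cfg, IFACE_IPS) or "ok")
```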

tylerlucas Fri, 10/26/2007 - 10:04

Ok, that makes sense.

I think the EXT_IP I was using may not have been good. I'm gonna try to find a working external IP and report back :)

Thanks.

jaravinthan Thu, 10/25/2007 - 22:05

To make things clearer, I assume you have only one public IP which should be used for both servers. You use the public IP assigned to the outside interface.

This could be achieved if the source public IP is static, by having NAT bound with ACLs.

tylerlucas Fri, 10/26/2007 - 08:08

The destination has more than one public IP.

The source IP is static. How exactly would I bind the NAT/ACL?

Posted October 25, 2007 at 2:05 PM