10-25-2007 02:05 PM - edited 03-11-2019 04:30 AM
I need to create two NAT statements and allow RDP connectivity.
One user needs to RDP to a particular computer inside the network (.114), and another user needs to RDP to a different computer (.177). Each user will be RDP'ing from their home locations.
How can I create NAT statements to automatically re-direct, depending on source IP? Both are on their own private networks, so I'm guessing overloading is required.
ie:
User1 was already able to RDP:
access-list ACL1 extended permit tcp host USER1_EXT_IP host 192.168.201.114 object-group RDPGroup
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255
Now I need to add the new user, who wants to RDP to a different IP:
access-list ACL2 extended permit tcp host USER2_EXT_IP host 192.168.201.177 object-group RDPGroup
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255
Obviously, this wouldn't work, because the two NAT statements would clash. What alternatives do I have? (VPN isn't an option)
10-25-2007 04:16 PM
I'm confused how your acl's work as is..shouldn't it be...
access-list ACL1 extended permit tcp host USER1_EXT_IP interface outside object-group RDPGroup
Anyway, you won't be able to achieve what you want with the pix/asa. One option would be to change the port that the rdp server listens on, on the second computer.
http://support.microsoft.com/kb/306759
In that case then you could do...
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255
static (Internal-201,ELI-External) tcp interface xxxx 192.168.201.177 xxxx netmask 255.255.255.255
10-26-2007 08:01 AM
Thanks for the reply, and yes, I made a typo on my ACL.
Would this be possible if I had two different external IPs? That way, each person could connect to a different IP and be routed properly...
I'm experimenting with it, but for some reason, the following doesn't work:
access-list ELI-External_access_in extended permit tcp host MY_EXT_IP host THEIR_EXT_IP#1 eq 3389
static (Internal-201,ELI-External) tcp THEIR_EXT_IP#1 3389 192.168.201.114 3389 netmask 255.255.255.255
10-26-2007 08:15 AM
"Would this be possible if I had two different external IPs?"
-Yes. That would be the easy solution. You could then have...
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255
static (Internal-201,ELI-External) tcp THEIR_EXT_IP#1 3389 192.168.201.114 3389 netmask 255.255.255.255
access-list ACL1 extended permit tcp host USER1_EXT_IP interface outside object-group RDPGroup
access-list ACL1 extended permit tcp host USER1_EXT_IP host THEIR_EXT_IP#1 object-group RDPGroup
10-26-2007 08:23 AM
Thanks for the fast replies.
I'm a little confused -- The first NAT uses overloading with 'interface'... I guess I don't understand why you need that, if you already have another static NAT below it...
Same thing for the ACL's... you have a static ACL from me to them, but you also have one from me to the outside interface... aren't those doing the exact same thing?
Thanks in advance, this is really helping.
10-26-2007 08:32 AM
Tyler,
I was under the impression from your post that you wanted to remote desktop to 2 different machines from the outside. You initially were attempting to rdp to both using 1 ip address (the outside interface address), which won't work. You then said you had another public ip you could use. So the first static will allow you to rdp to .177 and the other static will allow you to rdp to .114. Do I have this right?
10-26-2007 08:41 AM
Yes, you have the situation right.
There is one main location, where two users need to RDP into. At this location, they each need to RDP into a unique host (not the same one). One is .177, and the other is .114.
Both users will RDP from their individual home locations.
The location they are trying to RDP INTO has more than one external IP.
Assuming that I have the RDP port open properly for both users via ACL's, why won't this work??
User1 would connect to EXT_IP#1:
static (Internal-201,ELI-External) tcp HQ_EXT_IP#1 3389 192.168.201.177 3389 netmask 255.255.255.255
User2 would connect to EXT_IP#2:
static (Internal-201,ELI-External) tcp HQ_EXT_IP#2 3389 192.168.201.114 3389 netmask 255.255.255.255
Thanks again :)
10-26-2007 09:18 AM
If you have the acl's right it should work.
access-list ACL1 extended permit tcp host USER1_EXT_IP host HQ_EXT_IP#1 eq 3389
access-list ACL1 extended permit tcp host USER2_EXT_IP host HQ_EXT_IP#2 eq 3389
10-26-2007 09:20 AM
Yeah, very strange.
The ACL's seem to be doing fine, the problem is with NAT.
This works:
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask
This doesn't:
static (Internal-201,ELI-External) tcp HQ_EXT_IP 3389 192.168.201.177 3389 netmask 255.255.255.255
10-26-2007 09:23 AM
And "interface" and "HQ_EXT_IP" are different ip addresses right?
10-26-2007 09:27 AM
No... :)
So for HQ_EXT_IP I need to use a different external IP, other than the one assigned to the interface?
10-26-2007 09:38 AM
Ah, we've finally hit on something here.
Yes. You need two different ip addresses. You can use the one assigned to the interface, and one other.
10-26-2007 09:48 AM
What is the benefit of using the word 'interface' in a NAT translation, rather than just typing the IP?
10-26-2007 09:54 AM
You have to do that when the IP is the IP of the interface. There is no benefit, that's just the syntax.
10-26-2007 10:04 AM
Ok, that makes sense.
I think the EXT_IP I was using may not have been good. I'm gonna try to find a working external IP and report back :)
Thanks.
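As an added check (not code from the thread or from Cisco), the following Python linter models the PIX/ASA static PAT table discussed above: it resolves the `interface` keyword to the outside address and flags any global ip:port that two statics map to different inside hosts, which is exactly the clash the thread runs into. The interface address 203.0.113.10, the second public address 203.0.113.11 and port 3390 (standing in for the 'xxxx' above) are assumed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Assumed (constructed) outside interface address; the thread never gives one.
OUTSIDE_IF_IP = "203.0.113.10"

# Matches the PIX/ASA 7.x 'static (inside,outside) tcp <global_ip|interface> <gport> <local_ip> <lport> ...' form.
STATIC_RE = re.compile(
    r"^static\s+\((?P<inside>[^,]+),(?P<outside>[^)]+)\)\s+tcp\s+"
    r"(?P<gip>\S+)\s+(?P<gport>\d+)\s+(?P<lip>\S+)\s+(?P<lport>\d+)"
)

def parse_static(line: str, iface_ip: str) -> Tuple[str, int, str, int]:
    """Return (global_ip, global_port, local_ip, local_port).
    The keyword 'interface' means the outside interface's own address."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcp static: {line!r}")
    gip = iface_ip if m["gip"] == "interface" else m["gip"]
    return gip, int(m["gport"]), m["lip"], int(m["lport"])

def find_pat_clashes(lines: List[str], iface_ip: str) -> List[str]:
    """List global (ip, port) sockets that two or more statics map to different inside hosts.
    The firewall keeps one translation per global socket, so a shared one can only reach one host."""
    owners: Dict[Tuple[str, int], List[str]] = {}
    for line in lines:
        gip, gport, lip, lport = parse_static(line, iface_ip)
        owners.setdefault((gip, gport), []).append(f"{lip}:{lport}")
    return [f"{ip}:{port} -> {', '.join(hosts)}"
            for (ip, port), hosts in sorted(owners.items()) if len(hosts) > 1]

# Constructed config sets following the thread.
CLASHING = [  # both users on the interface address, port 3389: cannot work
    "static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255",
    "static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255",
]
HIDDEN_CLASH = [  # HQ_EXT_IP spelled out but equal to the interface address: same clash
    "static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255",
    "static (Internal-201,ELI-External) tcp 203.0.113.10 3389 192.168.201.114 3389 netmask 255.255.255.255",
]
PORT_FIX = [  # second host listens on an alternate port (3390 assumed for the thread's 'xxxx')
    "static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255",
    "static (Internal-201,ELI-External) tcp interface 3390 192.168.201.177 3390 netmask 255.255.255.255",
]
SECOND_IP_FIX = [  # second public address (203.0.113.11 assumed) for the other host
    "static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255",
    "static (Internal-201,ELI-External) tcp 203.0.113.11 3389 192.168.201.114 3389 netmask 255.255.255.255",
]
```

Run `find_pat_clashes(HIDDEN_CLASH, OUTSIDE_IF_IP)` to see why a spelled-out HQ_EXT_IP that equals the interface address behaves no better than two `interface` lines, while both fixes return no clashes.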