Multiple NAT statements which direct to unique IP's, depending on source?

tylerlucas
Level 1

I need to create two NAT statements and allow RDP connectivity.

One user needs to RDP to a particular computer inside the network (.114), and another user needs to RDP to a different computer (.177). Each user will be RDP'ing from their home locations.

How can I create NAT statements to automatically re-direct, depending on source IP? Both are on their own private networks, so I'm guessing overloading is required.

ie:

User1 was already able to RDP:

access-list ACL1 extended permit tcp host USER1_EXT_IP host 192.168.201.114 object-group RDPGroup

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255

Now I need to add the new user, who wants to RDP to a different IP:

access-list ACL2 extended permit tcp host USER2_EXT_IP host 192.168.201.177 object-group RDPGroup

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255

Obviously, this wouldn't work, because the two NAT statements would clash. What alternatives do I have? (VPN isn't an option)

17 Replies

acomiskey
Level 10

I'm confused how your ACLs work as is... shouldn't it be...

access-list ACL1 extended permit tcp host USER1_EXT_IP interface outside object-group RDPGroup

Anyway, you won't be able to achieve what you want with the PIX/ASA. One option would be to change the port that the RDP server listens on, on the second computer.

http://support.microsoft.com/kb/306759

In that case then you could do...

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255

static (Internal-201,ELI-External) tcp interface xxxx 192.168.201.177 xxxx netmask 255.255.255.255

Thanks for the reply, and yes, I made a typo on my ACL.

Would this be possible if I had two different external IPs? That way, each person could connect to a different IP and be routed properly...

I'm experimenting with it, but for some reason, the following doesn't work:

access-list ELI-External_access_in extended permit tcp host MY_EXT_IP host THEIR_EXT_IP#1 eq 3389

static (Internal-201,ELI-External) tcp THEIR_EXT_IP#1 3389 192.168.201.114 3389 netmask 255.255.255.255

"Would this be possible if I had two different external IPs?"

-Yes. That would be the easy solution. You could then have...

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255

static (Internal-201,ELI-External) tcp THEIR_EXT_IP#1 3389 192.168.201.114 3389 netmask 255.255.255.255

access-list ACL1 extended permit tcp host USER1_EXT_IP interface outside object-group RDPGroup

access-list ACL1 extended permit tcp host USER1_EXT_IP host THEIR_EXT_IP#1 object-group RDPGroup

Thanks for the fast replies.

I'm a little confused -- the first NAT uses overloading with 'interface'... I guess I don't understand why you need that, if you already have another static NAT below it...

Same thing for the ACLs... you have a static ACL from me to them, but you also have one from me to the outside interface... aren't those doing the exact same thing?

Thanks in advance, this is really helping.

Tyler,

I was under the impression from your post that you wanted to remote desktop to 2 different machines from the outside. You initially were attempting to RDP to both using one IP address (the outside interface address), which won't work. You then said you had another public IP you could use. So the first static will allow you to RDP to .177 and the other static will allow you to RDP to .114. Do I have this right?

Yes, you have the situation right.

There is one main location, where two users need to RDP into. At this location, they each need to RDP into a unique host (not the same one). One is .177, and the other is .114.

Both users will RDP from their individual home locations.

The location they are trying to RDP INTO has more than one external IP.

Assuming that I have the RDP port open properly for both users via ACLs, why won't this work?

User1 would connect to EXT_IP#1:

static (Internal-201,ELI-External) tcp HQ_EXT_IP#1 3389 192.168.201.177 3389 netmask 255.255.255.255

User2 would connect to EXT_IP#2:

static (Internal-201,ELI-External) tcp HQ_EXT_IP#2 3389 192.168.201.114 3389 netmask 255.255.255.255

Thanks again :)

If you have the ACLs right, it should work.

access-list ACL1 extended permit tcp host USER1_EXT_IP host HQ_EXT_IP#1 eq 3389

access-list ACL1 extended permit tcp host USER2_EXT_IP host HQ_EXT_IP#2 eq 3389

Yeah, very strange.

The ACLs seem to be doing fine, the problem is with NAT.

This works:

static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255

This doesn't:

static (Internal-201,ELI-External) tcp HQ_EXT_IP 3389 192.168.201.177 3389 netmask 255.255.255.255

And "interface" and "HQ_EXT_IP" are different IP addresses, right?

No... :)

So for HQ_EXT_IP I need to use a different external IP, other than the one assigned to the interface?

Ah, we've finally hit on something here.

Yes. You need two different IP addresses. You can use the one assigned to the interface, and one other.

What is the benefit of using the word 'interface' in a NAT translation, rather than just typing the IP?

You have to do that when the IP is the IP of the interface. There is no benefit, that's just the syntax.

Ok, that makes sense.

I think the EXT_IP I was using may not have been good. I'm gonna try to find a working external IP and report back :)

Thanks.
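The two mistakes the thread works through (two statics claiming the same global address, protocol and port; and ACL entries aimed at the inside address instead of the translated address) can both be caught mechanically. The following is an added example, not code from the thread or from Cisco: a small audit of pre-8.3 ASA/PIX `static` and `access-list` lines. It assumes the pre-8.3 semantics discussed above, in which an inbound ACL on the outside interface is matched before untranslation, so the destination must be the static's global address (or `interface <name>`). The sample configurations embedded below are constructed; the user addresses 203.0.113.10 and 203.0.113.20 and the second public address 198.51.100.2 are assumed, and 198.51.100.2 stands for another address the ASA owns on ELI-External, as in the second-IP fix the thread arrives at.

```python
"""Added example (not from the thread): audit ASA/PIX pre-8.3 static PAT and
ACL lines for colliding statics and ACLs that name the untranslated address.
All addresses, interface names and ACL names in the samples are constructed."""
import re
from collections import defaultdict

STATIC_RE = re.compile(
    r"^static\s+\((?P<inside>[^,]+),(?P<outside>[^)]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<gaddr>\S+)\s+(?P<gport>\S+)\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+host\s+(?P<src>\S+)\s+"
    r"(?:host\s+(?P<dst>\S+)|interface\s+(?P<dst_if>\S+))\s*(?P<svc>.*)$"
)


def parse_static(line):
    """Return the fields of a 'static (in,out) tcp|udp ...' line, else None."""
    m = STATIC_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_acl(line):
    """Return the fields of a host-to-host/interface 'access-list' line, else None."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # 'interface <name>' in an ACL and 'interface' in a static both mean the
    # ASA's own address on that interface; record which form was used.
    d["dst_kind"] = "interface" if d["dst_if"] else "host"
    return d


def parse_config(text):
    statics, acls = [], []
    for line in text.splitlines():
        s = parse_static(line)
        if s:
            statics.append(s)
            continue
        a = parse_acl(line)
        if a:
            acls.append(a)
    return statics, acls


def find_static_collisions(statics):
    """Static PAT is keyed on (outside interface, global address, protocol,
    global port).  Two statics with the same key cannot coexist: nothing in an
    incoming packet lets the firewall choose between the inside hosts.
    Changing either the global address or the global port clears the clash."""
    by_key = defaultdict(list)
    for s in statics:
        key = (s["outside"], s["gaddr"].lower(), s["proto"], s["gport"])
        by_key[key].append(f'{s["laddr"]}:{s["lport"]}')
    return {k: v for k, v in by_key.items() if len(v) > 1}


def find_acl_mismatches(acls, statics):
    """Before ASA 8.3 an inbound ACL on the outside interface sees the packet
    before untranslation, so its destination must be the static's global
    address (or 'interface <outside>'), never the inside host address."""
    by_local = {s["laddr"]: s for s in statics}
    globals_in_use = {s["gaddr"].lower() for s in statics}
    issues = []
    for a in acls:
        if a["dst_kind"] == "host" and a["dst"] in by_local:
            s = by_local[a["dst"]]
            wanted = (f'interface {s["outside"]}' if s["gaddr"].lower() == "interface"
                      else f'host {s["gaddr"]}')
            issues.append(f'{a["name"]}: destination host {a["dst"]} is the inside '
                          f'(untranslated) address; use "{wanted}"')
        elif a["dst_kind"] == "interface" and "interface" not in globals_in_use:
            issues.append(f'{a["name"]}: destination interface {a["dst_if"]} but no '
                          f'static uses the interface address')
    return issues


def audit(config_text):
    statics, acls = parse_config(config_text)
    return {"collisions": find_static_collisions(statics),
            "acl_issues": find_acl_mismatches(acls, statics)}


# Constructed sample: the original attempt, both hosts on the interface
# address at tcp/3389, with ACLs aimed at the inside addresses.
BROKEN_CONFIG = """
access-list ACL1 extended permit tcp host 203.0.113.10 host 192.168.201.114 eq 3389
access-list ACL1 extended permit tcp host 203.0.113.20 host 192.168.201.177 eq 3389
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.177 3389 netmask 255.255.255.255
access-group ACL1 in interface ELI-External
"""

# Constructed sample: the fix the thread arrives at.  One host keeps the
# interface address, the other gets a second public address (198.51.100.2 is
# an assumed additional address the ASA owns on ELI-External), and each ACL
# entry names the global address its user actually connects to.
FIXED_CONFIG = """
access-list ACL1 extended permit tcp host 203.0.113.10 interface ELI-External eq 3389
access-list ACL1 extended permit tcp host 203.0.113.20 host 198.51.100.2 eq 3389
static (Internal-201,ELI-External) tcp interface 3389 192.168.201.114 3389 netmask 255.255.255.255
static (Internal-201,ELI-External) tcp 198.51.100.2 3389 192.168.201.177 3389 netmask 255.255.255.255
access-group ACL1 in interface ELI-External
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg))
```

Two practical notes for anyone applying the second-IP fix: the extra global address has to be one the ASA will answer for, which means an address in the outside interface's subnet (the ASA proxy-ARPs for static globals there) or one explicitly routed to the firewall by the upstream provider, which is the likely reason a "bad" HQ_EXT_IP silently fails; and, as the first reply notes, moving the second host's RDP listener to another port is an equally valid way to clear the collision, because the global port is part of the key.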
