
How to use NAT commands?? - Urgent request

vintan1801
Level 1

Hi,

I need to configure the following:

Source: 10.1.0.0/16, 10.3.0.0/16 and 10.8.0.0/16 (NAT to 192.168.2.1)

Destination: 172.16.2.2

Service: RDP

Could you please help me out by giving me the exact commands to run.

Thanks

Vin

10 Replies

Brent Rockburn
Level 2

global (outside) 1 192.168.2.1

nat (inside) 1 10.1.0.0 255.255.0.0

nat (inside) 1 10.3.0.0 255.255.0.0

nat (inside) 1 10.8.0.0 255.255.0.0

I'm guessing on the interfaces here and the device but I think it's something like this.

Thanks for your quick reply. But you did not say anything about the destination address?

Jon Marshall
Hall of Fame

Vin

Just a quick update on Brent's post. If you want to only NAT these networks if the destination is 172.16.2.2 and RDP:

access-list 101 permit tcp 10.1.0.0 255.255.0.0 host 172.16.2.2 eq rdp

access-list 101 permit tcp 10.3.0.0 255.255.0.0 host 172.16.2.2 eq rdp

access-list 101 permit tcp 10.8.0.0 255.255.0.0 host 172.16.2.2 eq rdp

nat (inside) 2 access-list 101

global (outside) 2 192.168.2.1

Jon

acomiskey
Level 10

access-list policy_nat extended permit tcp 10.1.0.0 255.255.0.0 host 172.16.2.2 eq 3389

access-list policy_nat extended permit tcp 10.3.0.0 255.255.0.0 host 172.16.2.2 eq 3389

access-list policy_nat extended permit tcp 10.8.0.0 255.255.0.0 host 172.16.2.2 eq 3389

edit:

nat (inside) 1 access-list policy_nat

global (outside) 1 192.168.2.1

Sorry,

My bad... was too quick on the draw, didn't even think of using the ACL...

My better way.

Altogether, I have to write the following commands (am I right?):

nat (inside) 1 10.1.0.0 255.255.0.0

nat (inside) 1 10.3.0.0 255.255.0.0

nat (inside) 1 10.8.0.0 255.255.0.0

access-list policy_nat extended permit tcp 10.1.0.0 255.255.0.0 host 172.16.2.2 eq 3389

access-list policy_nat extended permit tcp 10.3.0.0 255.255.0.0 host 172.16.2.2 eq 3389

access-list policy_nat extended permit tcp 10.8.0.0 255.255.0.0 host 172.16.2.2 eq 3389

nat (inside) 1 access-list policy_nat

global (outside) 1 192.168.2.1

Question here: the RDP protocol is already configured, but I need to change the port number. (So how do I find the RDP port, and how do I change it to some other port?)

If you are going to do this

access-list policy_nat extended permit tcp 10.1.0.0 255.255.0.0 host 172.16.2.2 eq 3389

access-list policy_nat extended permit tcp 10.3.0.0 255.255.0.0 host 172.16.2.2 eq 3389

access-list policy_nat extended permit tcp 10.8.0.0 255.255.0.0 host 172.16.2.2 eq 3389

nat (inside) 1 access-list policy_nat

global (outside) 1 192.168.2.1

Then I believe you don't need this.

nat (inside) 1 10.1.0.0 255.255.0.0

nat (inside) 1 10.3.0.0 255.255.0.0

nat (inside) 1 10.8.0.0 255.255.0.0
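
Added example, not part of the original thread: a small Python model of the point made in the post above, showing which inside flows end up translated with and without the three plain `nat` lines. It assumes the pre-8.3 PIX/ASA behaviour that policy NAT is matched before regular dynamic NAT; the function names and test flows are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the combined configuration posted in the thread.
COMBINED = """\
nat (inside) 1 10.1.0.0 255.255.0.0
nat (inside) 1 10.3.0.0 255.255.0.0
nat (inside) 1 10.8.0.0 255.255.0.0
access-list policy_nat extended permit tcp 10.1.0.0 255.255.0.0 host 172.16.2.2 eq 3389
access-list policy_nat extended permit tcp 10.3.0.0 255.255.0.0 host 172.16.2.2 eq 3389
access-list policy_nat extended permit tcp 10.8.0.0 255.255.0.0 host 172.16.2.2 eq 3389
nat (inside) 1 access-list policy_nat
global (outside) 1 192.168.2.1
"""
# The same configuration with the three plain nat lines removed.
POLICY_ONLY = "\n".join(l for l in COMBINED.splitlines()
                        if not re.match(r"nat \(inside\) \d+ \d", l))

def parse(config):
    """Return (acls, plain_nets, policy_acl_names) for the line forms used above."""
    acls, plain, policy = {}, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            # access-list NAME extended permit tcp NET MASK host DST eq PORT
            net = ipaddress.ip_network(f"{t[5]}/{t[6]}")
            acls.setdefault(t[1], []).append(
                (net, ipaddress.ip_address(t[8]), int(t[10])))
        elif t[:1] == ["nat"] and t[3] == "access-list":
            policy.append(t[4])
        elif t[:1] == ["nat"]:
            plain.append(ipaddress.ip_network(f"{t[3]}/{t[4]}"))
    return acls, plain, policy

def translated(config, src, dst, dport):
    """Return 'policy', 'plain' or None for a TCP flow arriving on inside."""
    acls, plain, policy = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in policy:  # assumption: policy NAT is evaluated before plain NAT
        if any(s in n and d == h and dport == p for n, h, p in acls.get(name, [])):
            return "policy"
    return "plain" if any(s in n for n in plain) else None
```

With the plain `nat` lines present, every flow from the three networks is translated to 192.168.2.1 regardless of destination or port; with only the policy NAT, translation is limited to TCP 3389 toward 172.16.2.2.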

Hi,

I need to use another port number for the RDP protocol.

If I use the RDP protocol in the access list, but before using it want to change the port number from 3389 to some other?

How can I do that?

no nat (inside) 1 10.1.0.0 255.255.0.0

no nat (inside) 1 10.3.0.0 255.255.0.0

no nat (inside) 1 10.8.0.0 255.255.0.0

I assumed you wanted RDP, Remote Desktop Protocol, which is TCP 3389. If you want something else, just change 3389 to whatever you want.

There is an RDP object-group that exists in the config. I want to either change it to some other port number or create another RDP group and assign a new port number. Please tell me how to write the commands for that?
