Static command

Unanswered Question
Nov 26th, 2009

Hi,

Following on from my previous conversation marked "NAT on ASA not working" I've got another question. I've got VPN clients that only need to access RDP to the servers, at least for now. Should I run static commands as follows:

static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0

Then have an access-list on the inside interface to only allow access to 3389

or should I run something like:

static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389 netmask 255.255.255.0

What's the best way here? And why wouldn't you use the other option?

Thanks

Dan

Jon Marshall Thu, 11/26/2009 - 04:34

Dan

It depends on the existing rules to some extent, e.g. with the second static command you still need to allow the traffic with an ACL, unless of course you have a permit ip any any inbound on the dmz interface.

I have always followed the general rule that NAT is not in itself a security tool. So I tend to use port translation when the availability of addresses is limited. If there is no such limitation I tend to use the first type of static in your example.

Others may disagree

Jon

Kureli Sankar Thu, 11/26/2009 - 06:29

Dan,

Static PAT is used when you only have one public IP address and you have many services (IPs) hosted on the inside that listen on different ports.

What you are doing is identity translation, so you can just do 1-to-1 NAT, which is your first option.

Now,

Think about this. Does this RDC server ever initiate traffic to the DMZ? If so, what translation do you give it? Because when you restrict it to TCP port 3389 it will not allow the server to source traffic, as the source port may be any high port. Unless you have some other nat/global configured.

This is the reason I had suggested adding the response traffic to the nat 0 ACL in my response to your previous thread.

I hope I am not confusing you.
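The two options from the question, written out the way the two replies above describe them, as an added example that is not configuration from the original thread or from either poster. It uses pre-8.3 ASA NAT syntax (the `static`/`nat`/`global` model the thread is about; 8.3 and later use object NAT and these commands do not apply). The interface names (inside, dmz) and the server subnet 10.50.50.0/24 come from the question; the VPN client pool 10.60.60.0/24 and the ACL names dmz_in and inside_nat0 are assumptions for illustration.

```cisco
! Added example, not from the original thread. Pre-8.3 ASA syntax.
! inside/dmz and 10.50.50.0/24 are from the question; 10.60.60.0/24 (VPN pool)
! and the ACL names are assumptions.

! --- Option 1: identity static (1-to-1, no address change) plus an ACL --------
! The static only makes 10.50.50.0/24 reachable from the dmz side under its real
! addresses, for every protocol and port. It filters nothing; the ACL does that.
static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0

! Filter on the interface where the traffic ENTERS the firewall: inbound on dmz,
! because the VPN clients sit on the dmz side. Only RDP from the VPN pool to the
! server subnet is permitted; everything else is dropped and logged.
access-list dmz_in extended permit tcp 10.60.60.0 255.255.255.0 10.50.50.0 255.255.255.0 eq 3389
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz

! Because the static covers all ports, a server on the inside can also open its
! own connections towards the dmz (any ephemeral source port) through the same
! translation; their return traffic is allowed by the connection table.

! --- Option 2: static PAT limited to tcp/3389 -------------------------------
! Only TCP 3389 gets a translation. Use this INSTEAD of Option 1's static, never
! alongside it for the same subnet.
! static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389 netmask 255.255.255.0
!
! Caveat (the point of the second reply): a connection the inside server itself
! starts towards the dmz uses some high source port, which this static does not
! cover. If the ASA requires a translation for that host (nat-control enabled)
! there is nothing to translate it with and it is dropped, unless another
! nat/global entry or a NAT exemption matches it, for example:
! access-list inside_nat0 extended permit ip 10.50.50.0 255.255.255.0 10.60.60.0 255.255.255.0
! nat (inside) 0 access-list inside_nat0
!
! The dmz_in ACL above is still required with Option 2 (Jon's point): the
! port-restricted static does not replace the access rule, it only narrows
! which translations exist.
```

In Option 1 the access-list is the security control and the static is purely a reachability statement, which is why the first reply prefers it when there is no shortage of addresses. Note that NAT exemption (nat 0 access-list) is evaluated before statics on pre-8.3 code, so once the inside_nat0 exemption is present it, not the static PAT, carries the server-initiated traffic; the access-list on the dmz interface governs the reverse direction in both cases.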
