Static command

Nov 26th, 2009

Hi,


Following on from my previous conversation marked "NAT on ASA not working" I've got another question. I've got VPN clients that only need to access RDP to the servers, at least for now. Should I run static commands as follows:


static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0


Then have an access-list on the inside interface to only allow access to 3389


or should I run something like:


static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389


What's the best way here? And why wouldn't you use the other option?


Thanks

Dan

Jon Marshall Thu, 11/26/2009 - 04:34

dan_track wrote:


Hi,


Following on from my previous conversation marked "NAT on ASA not working" I've got another question. I've got VPN clients that only need to access RDP to the servers, at least for now. Should I run static commands as follows:


static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0


Then have an access-list on the inside interface to only allow access to 3389


or should I run something like:


static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389


What's the best way here? And why wouldn't you use the other option?


Thanks

Dan


Dan


It depends on the existing rules to some extent, e.g. with the 2nd static command you still need to allow the traffic with an ACL, unless of course you have a permit ip any any inbound on the dmz interface.


I have always followed the general rule that NAT is not in itself a security tool. So I tend to use port translation when the availability of addresses is limited. If there is no such limitation I tend to use the first type of static in your example.


Others may disagree


Jon
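To show how Jon's preferred first form pairs with the ACL that actually does the restricting, here is an added configuration illustration (not from the thread). It uses the thread's interface names and server subnet; the VPN client pool 192.168.100.0/24, the ACL name DMZ_IN and the pre-8.3 ASA syntax matching the static command above are assumptions.

```cisco
! Identity static (first form in the question): the 10.50.50.0/24 servers keep
! their real addresses toward the dmz. This creates the translation only; by
! itself it permits nothing (NAT is not the security control here).
static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0
!
! The restriction lives in the ACL applied inbound on the dmz interface, where
! the VPN clients (assumed pool 192.168.100.0/24) enter the firewall.
! Only RDP (TCP/3389) to the server subnet is allowed; everything else is
! denied and logged so blocked attempts are visible in syslog.
access-list DMZ_IN extended permit tcp 192.168.100.0 255.255.255.0 10.50.50.0 255.255.255.0 eq 3389
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Because the static is a 1-1 identity translation rather than a port
! translation, the servers can still source their own connections toward the
! dmz (any high source port) through the same static; that direction is
! governed by whatever ACL is applied inbound on the inside interface.
```

Adding another allowed service later means one more permit line in DMZ_IN, with no change to the NAT configuration.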

Kureli Sankar Thu, 11/26/2009 - 06:29

Dan,

Static PAT is used when you only have one public IP address and you have many services (IPs) hosted on the inside that listen on different ports.


What you are doing is identity translation, so you can just do 1-1 NAT, which is your first option.


Now,


Think about this. Does this RDC server ever initiate traffic to the DMZ? If so, what translation do you give it? Because when you restrict it to tcp port 3389 it will not allow the server to source traffic as the source port may be any high port. Unless you have some other nat/global configured.


This is the reason I had suggested to add the response traffic in the nat 0 acl in my response to your previous thread.


I hope I am not confusing you.
