NAT to Remote Desktop Protocol

Answered Question
Sep 19th, 2010


Hi, I am new to the ASA, especially to ASDM 8.3.1.

As the topology shows, I would like to set up a rule and NAT so that a user at a public IP can remote to the dedicated machine, using port 3389 (RDP):

Public network (int outside 202.152.80.34) -> STATIC NAT --> 10.10.100.100, port 3389

What are the steps I should take? I am confused by the GUI settings; is it compulsory to create a network object in order to do NATting? (It is very different from the previous GUI.)

So for my case, how likely is it that I can do this in the GUI? If it succeeds I can console in, check the configuration that was made in the CLI, and learn from it.

Thanks


Jennifer Halim (Cisco Employee) Sun, 09/19/2010 - 23:48

Here is how you would configure it:

Via ASDM:

Please see attached word screen shot.


Via CLI:

object network obj-RDP-10.10.100.100
 host 10.10.100.100
 nat (inside,outside) static interface service tcp 3389 3389

Hope that helps.

yong khang NG Mon, 09/20/2010 - 02:19
Hi halijenn,

Thanks for the reply. I will test it out after hours (I cannot conduct any testing during production time...), but anyhow, I have never attempted anything like what you are showing in the screenshot...

I hope you can give me more of an idea of how to do NAT on the ASA. (I'm OK with the fundamental routing & switching part, but I am still very fresh with the ASA, especially the ASDM GUI.)

(1) In normal firewalling practice, is the first step to define the network objects and service objects, so that these elements can be re-used in either the ACL or the NAT section, right? Only then do we go to the ACL, for the lower security-level interface that wants to go to the inside interface, etc. etc.... and then come to NAT.

(2) Assuming this topology, with 2 interfaces (inside, outside): I just wonder why, once I create a NAT, it automatically treats my source and destination network as part of a new object? It seems to defeat my step (1), making a duplicate of the network object.

(3) For Firewall > NAT Rules, how do I configure it, and what does "Add NAT Rule before/after network object NAT rules..." mean? (attachment)

It just confuses me why the original packet has a source and destination address, and then the action "translate packet" also has a source and destination address..

(4) Once I do it in the CLI, NATting now seems to be possible only on a network object.. I am more old school, like static (inside,outside)...

Confused.. hope you can guide me.

Correct Answer
Jennifer Halim (Cisco Employee) Mon, 09/20/2010 - 02:40

NAT on ASA version 8.3 onwards has completely changed; it now uses the following two NAT concepts:

1) Network object NAT

2) Twice NAT


If you are familiar with NAT on ASA on the previous version, you might need to read the following documentation for version 8.3 onwards for NAT order of operation:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157


Network object NAT: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

Twice NAT: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.html

Correct Answer
August Ritchie (Bronze, 100 points or more) Mon, 09/20/2010 - 02:19

In addition to the NAT, you will need to make sure that you add an access-list on the outside interface that refers to the REAL IP. (This is new in 8.3; before, you created an access-list to the MAPPED IP.)


With normal outside interface naming conventions, it will usually look like this:

access-list outside_access_in extended permit tcp any host 10.10.100.100 eq 3389
access-group outside_access_in in interface outside


Hope this helps
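As a worked example, added here and not part of any post in this thread, the following is the complete 8.3 configuration that Jennifer's object NAT snippet and August's point about the ACL referring to the real IP describe, with the pre-8.3 form shown for contrast and the commands to verify the result. Assumptions not taken from the thread: the outside interface already carries 202.152.80.34, and 198.51.100.0/24 is a made-up administrator network; it is used instead of `any` because permitting any source to port 3389 would expose the RDP host to the whole Internet.

```cisco
! Added example (not from the thread). Assumptions: outside interface already
! has 202.152.80.34, the RDP host 10.10.100.100 sits behind "inside", and
! 198.51.100.0/24 is a made-up admin network that is allowed to connect.

! Pre-8.3 style, shown only for contrast (the ACL refers to the MAPPED address):
!   static (inside,outside) tcp interface 3389 10.10.100.100 3389 netmask 255.255.255.255
!   access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq 3389

! 8.3 and later: network object NAT, real port 3389 mapped to port 3389 on the
! outside interface address.
object network obj-RDP-10.10.100.100
 host 10.10.100.100
 nat (inside,outside) static interface service tcp 3389 3389

! The ACL now refers to the REAL address (here via the object). Restrict the
! source; "any" would expose RDP to the whole Internet.
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 object obj-RDP-10.10.100.100 eq 3389
access-group outside_access_in in interface outside

! Verification. Note that packet-tracer is given the MAPPED destination
! (the outside interface IP), because that is what an external client sends to;
! the output shows the NAT phase un-translating it to 10.10.100.100 before the
! ACL phase is evaluated against the real IP.
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.10 50000 202.152.80.34 3389
```

If packet-tracer reports a drop in the ACCESS-LIST phase, the usual cause on 8.3 is an ACL written against the mapped address (202.152.80.34) instead of the real one; if it drops in the NAT phase, check that the object NAT line is present with `show nat detail` and that the interfaces in `nat (inside,outside)` match the interface names where the host and the clients actually sit.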
