Port forwarding with multiple public IP addresses

Unanswered Question
Sep 20th, 2013

Up until recently we had 1 public IP address. Port forwarding was configured for about 10 different ports to be forwarded to 10 different servers/computers. We now have 5 public IP addresses and I am trying to use one of those public IPs for the RDP service on several computers.

My problem is that I cannot figure out how to forward 5 different ports coming in on 1 public IP to the 5 different computers on the LAN based on the port number being used. Each computer is configured with a different port for RDP (3400, 3401, etc.).

I have set up our web server to use one of the public IPs and all traffic that comes in on that public IP is forwarded to the web server. I do not want to use just one public IP for each computer, nor should I have to, since I was able to forward all of these different ports when we had only one public IP before.

How can this device be set to allow a range of ports to be forwarded to different computers based on the incoming port number using just one of the public IP addresses?

SHAWN EFTINK Sat, 09/21/2013 - 08:02

Stephen,
You will use a number of items in the ISA to set this up.

1) For each RDP port, create a Service Object which is in the Networking section (i.e. RDP_3400...3401...3402...)

2) For each computer, create an Address Object which is in the Networking section (i.e. PC1...2...3...)

3) For the public IP you wish to use, create an Address Object which is in the Networking Section (i.e. RDP_IP)

4) In the Firewall section, create one Advanced NAT rule for each PC. The Translated Source Address will be the RDP_IP. The Original Source Address will be the PC IP (i.e. PC1). The Original and Translated Destination Services will be the RDP port (i.e. RDP_3400). From is LAN and To is WAN. Everything else is Any.

5) Finally, in the Firewall section, create one ACL Rule for each PC. An example would be From WAN to LAN, Services RDP_3400, Source Any, Destination PC1, Match Action Permit.

A word of caution. If you're going to allow RDP access to internal PCs, it would be highly advisable to limit where those connections can be made from. If you can identify the source addresses that will be connecting, you can create Address Objects/Groups with those IPs and then add them to the Source section of your ACL Rule instead of using Any. Using Any means that I can port scan you, see the open port, try to connect, and then you're depending on Microsoft for security...which hasn't been shown to be a good practice. I hope this is helpful.

Sent from Cisco Technical Support iPhone App
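The steps above boil down to a small rule table: each (public IP, port) pair maps to exactly one internal host, and an ACL decides who may reach it. The following Python model is an added example, not Cisco ISA configuration or code from anyone in this thread; it mirrors the objects the answer names (RDP_34xx service objects, PCn address objects, RDP_IP, one NAT rule and one ACL rule per PC), models only the inbound effect of the Advanced NAT rules, and uses constructed sample addresses and ports. It lets you check a planned rule set for port clashes and see what the firewall does with a given inbound connection, including the difference between Source = Any and a restricted source list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    """Inbound effect of one Advanced NAT rule: public IP + service -> PC."""
    public_ip: str
    service_port: int   # the RDP_34xx service object
    internal_ip: str    # the PCn address object
    internal_port: int  # port the PC's RDP listener actually uses


@dataclass(frozen=True)
class AclRule:
    """One WAN->LAN ACL rule; an empty allowed_sources tuple means Source = Any."""
    service_port: int
    destination: str
    allowed_sources: tuple = ()


# Constructed sample values (not from the thread): one public IP (RDP_IP)
# and five PCs, each listening for RDP on its own port.
RDP_IP = "203.0.113.10"
PCS = {
    "PC1": ("192.168.1.11", 3400),
    "PC2": ("192.168.1.12", 3401),
    "PC3": ("192.168.1.13", 3402),
    "PC4": ("192.168.1.14", 3403),
    "PC5": ("192.168.1.15", 3404),
}


def build_rules(public_ip, pcs, allowed_sources=()):
    """Steps 4 and 5 of the answer: one NAT rule and one ACL rule per PC."""
    nat = [NatRule(public_ip, port, ip, port) for ip, port in pcs.values()]
    acl = [AclRule(port, ip, tuple(allowed_sources)) for ip, port in pcs.values()]
    return nat, acl


def check_conflicts(nat_rules):
    """Each (public IP, port) pair can forward to only one host; report clashes."""
    owner = {}
    conflicts = []
    for rule in nat_rules:
        key = (rule.public_ip, rule.service_port)
        if key in owner and owner[key] != rule.internal_ip:
            conflicts.append((key, owner[key], rule.internal_ip))
        owner.setdefault(key, rule.internal_ip)
    return conflicts


def evaluate(nat_rules, acl_rules, src_ip, dst_ip, dst_port):
    """Decide what the modelled firewall does with one inbound connection.

    Returns ("forward", internal_ip, internal_port) or ("drop", reason).
    """
    nat = next((r for r in nat_rules
                if r.public_ip == dst_ip and r.service_port == dst_port), None)
    if nat is None:
        return ("drop", "no NAT rule for this public IP/port")
    acl = next((a for a in acl_rules
                if a.service_port == dst_port and a.destination == nat.internal_ip), None)
    if acl is None:
        return ("drop", "no ACL rule permits this service to the host")
    if acl.allowed_sources and not any(
            ip_address(src_ip) in ip_network(net) for net in acl.allowed_sources):
        return ("drop", "source address not in the ACL's allowed sources")
    return ("forward", nat.internal_ip, nat.internal_port)


if __name__ == "__main__":
    # Restrict the ACL source to a constructed office network instead of Any.
    nat_rules, acl_rules = build_rules(RDP_IP, PCS, allowed_sources=("198.51.100.0/24",))
    print("conflicts:", check_conflicts(nat_rules))
    for src, port in [("198.51.100.7", 3401), ("192.0.2.9", 3401), ("198.51.100.7", 3405)]:
        print(src, "->", RDP_IP, port, evaluate(nat_rules, acl_rules, src, RDP_IP, port))
```

Running the script shows a connection from the allowed network on port 3401 forwarded to PC2, the same port from any other address dropped by the ACL, and a port with no service object dropped before NAT. The conflict check is what catches the mistake of reusing a port on the same public IP, which on the device would silently leave one PC unreachable.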
