Cisco Support Community

NAT config for Remote Access To PC over the Internet

 

Hi Everyone,

I need to configure NAT to allow one of our vendor's PCs to remote desktop to a PC in our network.

Here is the setup:


Vendor PC--------Firewall1 ------Internet --------Firewall2 -------PC(192.168.50.10)

This connection is over the Internet.

Our PC has IP 192.168.50.10; it is behind Firewall2.

Firewall2 is doing the NAT.

Firewall2 is doing PAT overload, and all the internal IP addresses are translated to a single public IP, say 200.x.x.x.

Firewall2 has version 8.2.

Vendor PC is using Port 5222 to remote desktop to PC 192.168.50.10.

I need help with the NAT config so that the vendor PC can remote desktop to the public IP 200.x.x.x and have it translated to 192.168.50.10 on Firewall2.

 

Regards

Mahesh

 

 

2 ACCEPTED SOLUTIONS


You need a static translation

You need a static translation for that port:

static (inside,outside) tcp 200.x.x.x 5222 192.168.50.10 5222 netmask 255.255.255.255

And that traffic needs to be allowed on the outside ACL:

access-list NAME-OF-ACL ext permit tcp REMOTE-IP host 200.x.x.x eq 5222

More on that in this config-example:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63872-pix70-asa-portredir.html#t10

More on NAT in general is in the config-guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Hi,

 

Do you want to translate port 5222 as it is to reach your RDP PC, or will the vendor connect on port 5222 and you want that translated to 3389?

If so, your NAT should be like this:

static (inside,outside) tcp 200.x.x.x 5222 192.168.50.10 3389 netmask 255.255.255.255

If you are using the same port in both cases, then Karsten's command will do.

Make sure your ACL is updated in either case.

 

Regards

Karthik
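
Added example, not part of the original thread: a small Python check that reads 8.2-style config lines like the ones in the two answers above and reports, for each static TCP port-forward, whether the ACL bound to the mapped interface permits it only from a specific source. The sample config, the ACL name OUTSIDE-IN, the extra hosts and the documentation addresses are constructed; only the `host` destination form used in the thread is handled.

```python
import re

# 8.2-style static PAT: static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\d+) (\S+) (\d+)")
# Only the ACL shape used in the thread: permit tcp SOURCE host DEST eq PORT
ACL_RE = re.compile(r"^access-list (\S+) ext(?:ended)? permit tcp "
                    r"(any|host \S+|\S+ \S+) host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

# Constructed sample; documentation addresses stand in for 200.x.x.x and REMOTE-IP.
SAMPLE = """\
static (inside,outside) tcp 198.51.100.7 5222 192.168.50.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.7 8443 192.168.50.20 443 netmask 255.255.255.255
static (inside,outside) tcp 198.51.100.7 2222 192.168.50.30 22 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp host 203.0.113.25 host 198.51.100.7 eq 5222
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.7 eq 8443
access-list OUTSIDE-IN extended permit tcp host 203.0.113.25 host 192.168.50.30 eq 22
access-group OUTSIDE-IN in interface outside
"""

def audit(config):
    """Return (mapped_ip, mapped_port, finding) for each static TCP port-forward."""
    lines = [line.strip() for line in config.splitlines()]
    acls = [m.groups() for m in map(ACL_RE.match, lines) if m]
    bound = {m.group(2): m.group(1) for m in map(GROUP_RE.match, lines) if m}
    findings = []
    for m in filter(None, map(STATIC_RE.match, lines)):
        _real_if, mapped_if, mapped_ip, mapped_port, _real_ip, _real_port = m.groups()
        # Before 8.3 the interface ACL is checked ahead of un-NAT, so the entry
        # must name the mapped (public) IP and port, not the real host or 3389.
        hits = [src for name, src, dst, port in acls
                if name == bound.get(mapped_if)
                and dst == mapped_ip and port == mapped_port]
        if not hits:
            finding = "no-acl"
        elif "any" in hits:
            finding = "open-to-any"
        else:
            finding = "restricted"
        findings.append((mapped_ip, int(mapped_port), finding))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

The third sample forward is reported as `no-acl` because its ACL entry names the real host and port, which is the form used from ASA 8.3 onward and does not match on 8.2.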

 

4 REPLIES

Hi Mahesh,

What is your ASA code version? Please share your Firewall 2 config.

 

HTH

Sandy

 


 Thanks for help

 

Thanks for helping me out.

Regards

Mahesh
