NAT config for Remote Access To PC over the Internet

mahesh18 (Level 6)

Hi Everyone,

I need to configure NAT to allow one of our vendors' PCs to remote desktop to a PC in our network.

Here is the setup:

Vendor PC--------Firewall1 ------Internet --------Firewall2 -------PC(192.168.50.10)

This connection is over the Internet.

Our PC has IP 192.168.50.10; it is behind Firewall2.

Firewall2 is doing the NAT.

Firewall2 is doing PAT overload, and all the internal IP addresses are translated to a single public IP, say 200.x.x.x.

Firewall2 has version 8.2.

The Vendor PC is using port 5222 to remote desktop to PC 192.168.50.10.

I need help with the NAT config so that the Vendor PC can remote desktop to the public IP 200.x.x.x and have it translated to 192.168.50.10 on Firewall2.

Regards

Mahesh


4 Replies

Hi Mahesh,

What is your ASA code version? Share your Firewall2 config with me.

HTH

Sandy

You need a static translation for that port:

static (inside,outside) tcp 200.x.x.x 5222 192.168.50.10 5222 netmask 255.255.255.255

And that traffic needs to be allowed on the outside ACL:

access-list NAME-OF-ACL extended permit tcp host REMOTE-IP host 200.x.x.x eq 5222

More on that in this config example:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63872-pix70-asa-portredir.html#t10

More on NAT in general is in the config guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html

Thanks for helping me out.

Regards

Mahesh

nkarthikeyan (Level 7)

Hi,

Do you want to translate port 5222 as-is to reach your RDP PC, or will the vendor try port 5222 and you want that translated to 3389?

If so, your NAT should be like this:

static (inside,outside) tcp 200.x.x.x 5222 192.168.50.10 3389 netmask 255.255.255.255

If you are using the same port in both cases, then karsten's command will do.

Make sure your ACL is updated in either case.

Regards

Karthik
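The two answers above cover the two port cases separately and both leave the ACL half-specified. The following block is an added example (not posted by anyone in this thread) that puts the complete ASA 8.2 configuration for both cases side by side, including the access-group binding and a verification step. It assumes the interfaces are named inside and outside as in the answers, uses the placeholder VENDOR-PUBLIC-IP for the vendor's source address, and names the outside ACL OUTSIDE_IN; those names are assumptions, not from the thread.

```cisco
! Added example, not from the thread. ASA 8.2 syntax.
! Assumed: interfaces "inside"/"outside", ACL name OUTSIDE_IN,
! placeholder VENDOR-PUBLIC-IP for the vendor's public source address.

! Case 1 (Karsten's answer): vendor connects to 200.x.x.x:5222 and the
! inside PC also listens on 5222, so the port is kept unchanged.
static (inside,outside) tcp 200.x.x.x 5222 192.168.50.10 5222 netmask 255.255.255.255

! Case 2 (Karthik's answer): vendor connects to 200.x.x.x:5222 but the
! inside PC listens on the default RDP port 3389, so the port is redirected.
! Only ONE static entry may exist for 200.x.x.x tcp/5222; pick one case.
static (inside,outside) tcp 200.x.x.x 5222 192.168.50.10 3389 netmask 255.255.255.255

! Weak setting (do not use): publishes the RDP listener to the entire Internet.
! access-list OUTSIDE_IN extended permit tcp any host 200.x.x.x eq 5222

! Corrected: only the vendor's source address may reach the mapped port.
! On 8.2 the outside ACL is evaluated against the translated (public)
! destination, so it references 200.x.x.x and port 5222, not 192.168.50.10.
access-list OUTSIDE_IN extended permit tcp host VENDOR-PUBLIC-IP host 200.x.x.x eq 5222
access-group OUTSIDE_IN in interface outside

! Verification: trace a simulated vendor SYN through NAT and the ACL, then
! confirm the static translation is present in the xlate table.
packet-tracer input outside tcp VENDOR-PUBLIC-IP 40000 200.x.x.x 5222
show xlate
```

The same-port and port-redirect static entries are alternatives, since the ASA allows one mapping per public address and port; the ACL line is identical for both because it matches the public-side address. The translated-address ACL semantics apply to 8.2 only: from 8.3 onward the ASA evaluates interface ACLs against the real (inside) address, so the same design on a newer release would permit the vendor to 192.168.50.10 on the real port instead.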
