
New Member

Static command

Hi,

Following on from my previous conversation marked "NAT on ASA not working" I've got another question. I've got VPN clients that only need to access RDP to the servers, at least for now. Should I run static commands as follows:

static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0

Then have an access-list on the inside interface to only allow access to 3389

or should I run something like:

static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389

What's the best way here? And why wouldn't you use the other option?

Thanks

Dan

2 REPLIES
Hall of Fame Super Blue

Re: Static command

dan_track wrote:

Hi,

Following on from my previous conversation marked "NAT on ASA not working" I've got another question. I've got VPN clients that only need to access RDP to the servers, at least for now. Should I run static commands as follows:

static (inside,dmz) 10.50.50.0 10.50.50.0 netmask 255.255.255.0

Then have an access-list on the inside interface to only allow access to 3389

or should I run something like:

static (inside,dmz) tcp 10.50.50.0 3389 10.50.50.0 3389

What's the best way here? And why wouldn't you use the other option?

Thanks

Dan

Dan

It depends on the existing rules to some extent, e.g. with the 2nd static command you still need to allow the traffic with an ACL, unless of course you have a permit ip any any inbound on the dmz interface.

I have always followed the general rule that NAT is not in itself a security tool. So I tend to use port translation when the availability of addresses is limited. If there is no such limitation I tend to use the first type of static in your example.

Others may disagree

Jon

Cisco Employee

Re: Static command

Dan,

Static PAT is used when you only have one public IP address and you have many services (IPs) hosted on the inside that listen on different ports.

What you are doing is identity translation, so you can just do 1-1 NAT, which is your first option.

Now,

Think about this. Does this RDC server ever initiate traffic to the DMZ? If so, what translation do you give it? Because when you restrict it to tcp port 3389 it will not allow the server to source traffic as the source port may be any high port. Unless you have some other nat/global configured.

This is the reason I had suggested to add the response traffic in the nat 0 acl in my response to your previous thread.

I hope I am not confusing you.
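The point made in the two replies (a port-restricted static covers only tcp/3389, so a server that opens its own connections from an ephemeral port has no translation, while the identity static covers every port and the ACL does the filtering) can be modelled in a few lines. This is an added example, not ASA code or anything from the thread; the `Static` class, the host 10.50.50.10 and the source port 51234 are constructed for illustration, and the model follows pre-8.3 `static`/`access-list` semantics only as far as the thread discusses them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Static:
    """Constructed model of one pre-8.3 'static (inside,dmz) ...' entry."""
    real_net: str                  # inside (real) addresses
    mapped_net: str                # addresses as seen from the dmz
    proto: Optional[str] = None    # 'tcp'/'udp' for static PAT, None for 1-1
    real_port: Optional[int] = None

    def covers(self, ip: str, port: int, proto: str) -> bool:
        """Does this static translate the inside host/port of a flow?"""
        if ip_address(ip) not in ip_network(self.real_net):
            return False
        if self.proto is None:     # 1-1 / identity static: every port
            return True
        return proto == self.proto and port == self.real_port


# Option 1 from the question: identity static for the whole /24
OPTION1 = [Static("10.50.50.0/24", "10.50.50.0/24")]
# Option 2 from the question: static PAT restricted to tcp/3389
OPTION2 = [Static("10.50.50.0/24", "10.50.50.0/24", "tcp", 3389)]


def has_translation(statics, inside_ip, inside_port, proto="tcp"):
    """First static whose real side covers this inside host/port, else None."""
    return next((s for s in statics if s.covers(inside_ip, inside_port, proto)), None)


def dmz_acl_permits(dst_ip, dst_port, proto="tcp"):
    """Inbound ACL on the dmz interface: permit tcp any 10.50.50.0/24 eq 3389."""
    return proto == "tcp" and dst_port == 3389 and \
        ip_address(dst_ip) in ip_network("10.50.50.0/24")


def rdp_from_vpn_client(statics):
    """VPN client on the dmz side connects to a server on 3389."""
    return has_translation(statics, "10.50.50.10", 3389) is not None \
        and dmz_acl_permits("10.50.50.10", 3389)


def server_initiated(statics):
    """Server opens its own connection towards the dmz from an ephemeral port."""
    return has_translation(statics, "10.50.50.10", 51234) is not None
```

With option 1 both flows have a translation and only the ACL decides what is reachable; with option 2 the server-initiated flow has none, which is the case the second reply warns about.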
