Cisco Support Community
New Member

Static NAT to allow RDP through my firewall

Please let me preface this by saying I have not worked deep in networking in years and do not know much about firewalls in general.  So please do not assume facts not in evidence.

I have a Cisco ASA 5505 running ASA Ver 8.4 and ASDM Ver 6.4.  Firewall mode is set to Routed.

My goal is very simple.  I want to allow RDP from the internet to a management server I have set up in my internal network.  I know RDP is TCP port 3389.  My internal network is a 176.128.1.x network.  My external network is on a 42.199.102.2-6 range.  The end-client that is initiating the RDP session could be coming in from any IP address on the internet.

I've looked through the GUI to try and determine how to configure this, but for the life of me I can't figure this out.  I am looking under Configuration > NAT Rules > +Add.  This is the screen I get to, I just have no idea what data goes in what fields.



Any and all constructive assistance is appreciated.

Matt

1 ACCEPTED SOLUTION

Cisco Employee

Static NAT to allow RDP through my firewall

here is the CLI configuration:

Assuming that the server is 176.128.1.100, and you would like to NAT it to 42.199.102.5:

object network obj-176.128.1.100
 host 176.128.1.100
 nat (inside,outside) static 42.199.102.5

Then you would need to add an access-list on the outside interface to allow the RDP access. If you already have an existing ACL on the outside, just add to the existing ACL as follows:

access-list RDPtoMngmt-on-outside extended permit tcp any object obj-176.128.1.100 eq 3389

If you are sharing the public ip address with other services and servers, then here is the config:

object network obj-176.128.1.100
 host 176.128.1.100
 nat (inside,outside) static 42.199.102.5 service tcp 3389 3389

Hope that helps.
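The accepted solution above has the right pieces (object NAT, an inbound ACL, and binding the ACL to the outside interface) but each is shown in isolation. The block below is an added, complete ASA 8.4 configuration for the port-forward variant, written for this page and not taken from the thread. It keeps the thread's fictitious addresses; the object-group name RDP-ALLOWED-SOURCES, the ACL name OUTSIDE-IN and the management source range 198.51.100.0/24 are assumptions made for the example. One caveat a practitioner would want: permitting `any` to TCP/3389 exposes the RDP service to the entire Internet, so restrict the source to known management addresses (as done below) or put RDP behind a VPN instead.

```cisco
! Added example (not from the original thread): complete ASA 8.4 config for
! exposing RDP on one internal host. Addresses are the thread's fictitious
! ones; RDP-ALLOWED-SOURCES, OUTSIDE-IN and 198.51.100.0/24 are assumptions.
!
! 1. Internal host and its static translation. The "service" form maps only
!    TCP/3389 on the public address, so nothing else on 42.199.102.5 is
!    forwarded to the host.
object network obj-176.128.1.100
 host 176.128.1.100
 nat (inside,outside) static 42.199.102.5 service tcp 3389 3389
!
! 2. Who may reach RDP. Assumed management range; replace with your own.
object-group network RDP-ALLOWED-SOURCES
 network-object 198.51.100.0 255.255.255.0
!
! 3. Inbound ACL. It must carry a name, and on ASA 8.3+ it references the
!    REAL (pre-NAT) address through the object, not the public address.
access-list OUTSIDE-IN extended permit tcp object-group RDP-ALLOWED-SOURCES object obj-176.128.1.100 eq 3389
!
! Weak variant for comparison (do not add both): open to the whole Internet.
! access-list OUTSIDE-IN extended permit tcp any object obj-176.128.1.100 eq 3389
!
! 4. Nothing is permitted until the ACL is bound to the interface.
access-group OUTSIDE-IN in interface outside
!
! 5. Verify from the ASA: translation present, ACL line installed, and a
!    simulated SYN from an allowed source reaching the host.
show nat detail
show access-list OUTSIDE-IN
packet-tracer input outside tcp 198.51.100.10 50000 42.199.102.5 3389
```

The `packet-tracer` line should report `Action: allow` and show the translation to 176.128.1.100; re-running it with a source address outside RDP-ALLOWED-SOURCES should show the packet dropped at the ACL check, which confirms that the restriction, not just the NAT, is in effect.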

5 REPLIES
New Member

Static NAT to allow RDP through my firewall

Jennifer thanks!

Yes this does help.  I have an outside IP (42.199.102.5) that is dedicated just for the purpose of letting RDP traffic into a single server (176.128.1.100) on my LAN.  As such I went with the last option you provided which seems to specifically allow 3389 in and out.  Does this mean I do not need to create an ACL or do I still need to do that?

So far this ASA is set up only to allow traffic out of my internal network and back in.  No VPN, or anything else to this point.  My next step was enabling RDP access.  So, with that said, as far as I know I have not created an ACL yet.  Not sure how I would go about that exactly. I will poke around on the system to try and figure it out, but if you (or anyone else) has any pointers they would be appreciated.

As an FYI...while I may be new to this, the IPs I provided are not my real IP addresses.  Don't want anyone worrying that I would provide such info on a public forum.  :-)

Matt

Cisco Employee

Static NAT to allow RDP through my firewall

Even if you configure port specific static translation statement, you still need to create the ACL.

If you haven't had anything inbound towards your ASA, most probably you don't have an access-list, so this is how you would apply it:

The actual ACL:

access-list RDPtoMngmt-on-outside extended permit tcp any object obj-176.128.1.100 eq 3389

Applying it on outside interface:

access-group RDPtoMngmt-on-outside in interface outside

New Member

Static NAT to allow RDP through my firewall

I tried running the first command as specified and received the following error:

Result of the command: "access-list permit tcp any object obj-176.128.1.100 eq 3389"
ERROR: specified object does not exist
Usage:
Extended access list:

NOTE:  In looking at the GUI under Network Objects it does in fact look to be created.  I am not against deleting what is there and re-adding via cmd line, but would need direction.

Matt

Cisco Employee

Static NAT to allow RDP through my firewall

Have you configured the actual object yet for the NAT translation?

You would need to configure the object first before applying the object to the access-list.

object network obj-176.128.1.100
 host 176.128.1.100
 nat (inside,outside) static 42.199.102.5 service tcp 3389 3389

access-list RDPtoMngmt-on-outside permit tcp any object obj-176.128.1.100 eq 3389
