
New Member

Forward RDP to 2 different internal IP's

Right now the ASA 5505 is set up to let through 3389/RDP to 192.168.1.4. I'm going to set up another computer to be a terminal server of sorts and would like to be able to use RDP to connect to this machine as well. Can this be accomplished by adding a new network object with the IP of the terminal server machine and by adding a new static NAT with PAT to forward 3389 to the port of my choosing on the terminal server? I'm doing this all via the ASDM. I'm not familiar with the console. Any help is greatly appreciated.


4 REPLIES
Hall of Fame Super Silver

Forward RDP to 2 different internal IP's

Ryan

If I am understanding correctly you have configured your 5505 with a static translation so that packets coming to the public address for destination port 3389 are forwarded to 192.168.1.4. And now you want the 5505 to also forward RDP to another inside/private address. It is not possible to have two translations that would forward the incoming RDP packet to 2 different inside hosts. There are a couple of ways in which you might get this to work:

- if you have a second public address available you could configure another translation so that RDP to the second address was forwarded to the second inside host.

- if you could get them to send the RDP traffic to a different destination port then you could configure a second translation using the public interface address, and forward the alternate destination port number to the second inside host on port 3389.

HTH

Rick

New Member

Forward RDP to 2 different internal IP's

Thank you for your reply. I was able to get it working. I already had 3389 in my access list and a static NAT with PAT to an internal IP. I created another rule for 3390 and added a static NAT with PAT to the other internal IP using port 3390. Then, on the PC that will be accessed via RDP on 3390, I edited the registry to accept RDP on that port and added that port as an exception in the firewall. So, when I want to connect to the PC using 3390, I use the external IP as such, x.x.x.x:3390, and it is working great.

Hall of Fame Super Silver

Forward RDP to 2 different internal IP's

Ryan

I am glad that you got it going and are using a solution very close to what I had suggested. Thank you for posting back to the thread indicating that you have it working and how you got it working. Now that this is the case perhaps you can mark the question as resolved. This would signal to other readers that they would find a working solution here.

HTH

Rick

New Member

Re: Forward RDP to 2 different internal IP's

I would like to bite on that suggestion, assuming 8.4 firmware or later and a single static WAN IP...

NAT RULES (embedded in network object rules).

object network NAT4RDP1-PC
 nat (main-lan,outside) static interface service tcp 3389 3389

object network NAT4RDP2-SecondPC
 nat (main-lan,outside) static interface service tcp 3389 3390

ACL RULE - RDP-FWrule

ACE's

(1) access-list RDP-FWrule extended permit object-group RDP-PortGroup interface outside object-group RDP-PCs

(2) access-list RDP-FWrule extended permit object RDP1 object-group authorized-usergroup1 object first-PC

(3) access-list RDP-FWrule extended permit object RDP2 object-group authorized-usergroup2 object second-PC 

network object RDP-PCs consists of:

-object first-PC is 192.168.1.4

-object second-PC is 192.168.1.x 

network object RDP-PortGroup consists of:  

object RDP1 is service tcp port 3389

object RDP2 is service tcp port 3390 

Authorized usergroups 1 and 2 could be an object group or simply an object, depending on which users are to be permitted.

Since the ACL is executed first, one has to make a rule that includes both 3389 and 3390 hitting the outside interface. After passing through the ACL, they hit the NAT rules. I think this is right??
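
Added example (not part of the original thread and not Cisco tooling): a Python check that parses ASA 8.3+ object NAT stanzas of the form shown in the last reply and flags any public port claimed by more than one inside host, the case Rick describes as not possible. The `inside` interface name, the address 192.168.1.5 and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample config; 192.168.1.5 is a made-up address for the second PC.
TEMPLATE = """\
object network first-PC
 host 192.168.1.4
 nat (inside,outside) static interface service tcp 3389 3389
object network second-PC
 host 192.168.1.5
 nat (inside,outside) static interface service tcp 3389 {second_port}
"""
CONFLICTING = TEMPLATE.format(second_port=3389)  # both hosts on public port 3389
FIXED = TEMPLATE.format(second_port=3390)        # second host on alternate port

# nat (real_if,mapped_if) static interface service <proto> <real_port> <mapped_port>
NAT_RE = re.compile(
    r"^\s+nat \((\S+?),(\S+?)\) static interface service (tcp|udp) (\d+) (\d+)\s*$")

def parse_static_pat(config):
    """Return one dict per 'static interface service' rule found under an object."""
    rules, obj, host = [], None, None
    for line in config.splitlines():
        if line.startswith("object network "):
            obj, host = line.split()[2], None
        elif line.strip().startswith("host "):
            host = line.split()[1]
        elif (m := NAT_RE.match(line)) and obj:
            _, mapped_if, proto, real_port, mapped_port = m.groups()
            rules.append({"object": obj, "host": host, "mapped_if": mapped_if,
                          "proto": proto, "real_port": int(real_port),
                          "mapped_port": int(mapped_port)})
    return rules

def port_collisions(rules):
    """Map each (interface, proto, public port) claimed by >1 object to those objects."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r["mapped_if"], r["proto"], r["mapped_port"])].append(r["object"])
    return {key: objs for key, objs in seen.items() if len(objs) > 1}

def forwarding_table(rules):
    """Public port -> (inside host, inside port): what is reachable from outside."""
    return {r["mapped_port"]: (r["host"], r["real_port"]) for r in rules}
```

The forwarding table doubles as an inventory of which inside RDP listeners are published on the outside interface, which is the list to compare against the access list.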
