Cisco Support Community
Port forwarding and multiple public IP addresses

Hello,

Our office has a Cisco ISA 570W.  Up until recently we had a dynamic public IP address and had about 10 different ports forwarded to different servers/computers on the network.  We now have 5 static IP addresses and I am trying to figure out how to use just one of those public IPs to forward just the remote desktop ports to the correct PC. 

Each PC has a different RDP port configured (3400, 3401, etc.).  How can I set up just one of the public IPs to forward a range of ports to the correct internal IP address using just one of the static IPs?

I can get it set up to forward just one port to a specific computer but I have been unable to get it set up to forward to multiple computers based on the incoming port number.  This has to be possible since I was doing this before when we had only one IP address.

I have found in the manual how to forward a range of ports but the settings only seem to allow you to forward those ports to one internal IP address.

Any ideas?

Thank you,

Steve

9 REPLIES

Re: Port forwarding and multiple public IP addresses

Stephen,
You will use a number of items in the ISA to set this up.

1) For each RDP port, create a Service Object which is in the Networking section (i.e. RDP_3400...3401...3402...)

2) For each computer, create an Address Object which is in the Networking section (i.e. PC1...2...3...)

3) For the public IP you wish to use, create an Address Object which is in the Networking Section (i.e. RDP_IP)

4) In the Firewall section, create one Advanced NAT rule for each PC. The Translated Source Address will be the RDP_IP. The Original Source Address will be the PC IP (i.e. PC1). The Original and Translated Destination Services will be the RDP port (i.e. RDP_3400). From is LAN and To is WAN. Everything else is Any.

5) Finally, in the Firewall section, create one ACL Rule for each PC. An example would be From WAN to LAN, Services RDP_3400, Source Any, Destination PC1, Match Action Permit.

A word of caution. If you're going to allow RDP access to internal PCs, it would be highly advisable to limit where those connections can be made from. If you can identify the source addresses that will be connecting, you can create Address Objects/Groups with those IPs and then add them to the Source section of your ACL Rule instead of using Any. Using Any means that I can port scan you, see the open port, try to connect, and then you're depending on Microsoft for security...which hasn't been shown to be a good practice. I hope this is helpful.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Re: Port forwarding and multiple public IP addresses

Shawn,

Thank you for the response and sorry for the duplicate posting.

I had most of these steps done already.  I did not however set up the Advanced NAT.  That being said, I have since started over and followed your steps but I am unable to access any of the computers using the public IP address and the port number. 

The only thing I notice that is different from your steps is that in step 4, the from should be from LAN.  I do not have LAN as a choice.  I only have WAN1, Guest, Voice, and Default.  I have tried it with Default and with Any selected but neither have worked.

Is there somewhere to create the LAN?  I have looked in the Zones settings and LAN already exists there.

If that is not it, then what else could I be missing?

Thank you!

Re: Port forwarding and multiple public IP addresses

Stephen,
Sorry to confuse the situation. Default is the correct VLAN, not LAN, assuming Default is the VLAN the PCs are on. Did you ensure that your new ACL Rules came before any Block rules?


Re: Port forwarding and multiple public IP addresses

Shawn,

I have it set to Default which is the only VLAN setup.  The ACL rule is at the top.  Here are a couple of screen shots.

Server1 points the internal IP of the server, RDP-Server1 is the port number used for RDP on Server1, and Public2 is one of our public IP addresses.

So far I have only created the one ACL rule for RDP until I can get it to work.  Do you see anything wrong in these pics?

I have the Public2 Address Object created as a Host with the IP/Subnet of x.x.x.x/255.255.255.255.  This is how I have it set up for another Public IP that I am using for a 1-1 NAT to our web server and it is working so I am guessing that it is correct.  Is it?

Re: Port forwarding and multiple public IP addresses

Yes that all looks correct. If it's not working, from that server try telnetting out to a random public IP on its associated RDP port and then try to RDP to it again from outside. Sometimes the IP has to initialize at the ISP before it starts working. If it still doesn't work, change the service on the NAT to port 80 and go to www.myipaddress.com and ensure it is returning the correct Public2 IP. If it does, switch it back to the RDP port and try to RDP to it again.


Re: Port forwarding and multiple public IP addresses

I have tried both of your suggestions and it is still not working.  The public IP always returns the default IP of the router, not one of the static IP addresses.

If I set up a 1-1 NAT, then it works but I am unable to route to other internal computers based on the port number.

This is a fairly new device.  Does Cisco offer any kind of telephone support?

Or do you have any other suggestions?

Thank you.

Re: Port forwarding and multiple public IP addresses

Stephen,

Without digging into it, it's going to be hard to troubleshoot.  You can contact Cisco SMB support via this link.

http://www.cisco.com/cisco/web/solutions/small_business/small_business_support_and_resources.html

Alternatively, if you feel comfortable giving me temporary remote access and letting me take a look, send me a private message and we can talk through those details offline.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Re: Port forwarding and multiple public IP addresses

Shawn,

Thank you for your help.  I called Cisco today and we have gotten it resolved.  It was pretty simple actually. 

We merely set up Port Forwarding to forward the incoming traffic from the desired Public IP to the correct internal IP address based on its port number.  ACL Rules were also created for each port forwarding rule created.

I thought the Advanced NAT settings were the way to go but apparently that was overcomplicating the matter.

Thank you, I really appreciate the help and the offer.

Steve
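The following is an added illustration, not part of the thread and not ISA 570W code. It models the two pieces Steve's fix and Shawn's steps rely on: a per-port forwarding table that sends different public ports on one public IP to different internal hosts, followed by first-match ACL evaluation (so a Block rule placed above the Permit rules wins, as Shawn asked about), and a check for the source-Any exposure Shawn warned against. All addresses, ports and rule names below are constructed for the example.

```python
"""Model of one-public-IP, per-port forwarding followed by first-match ACL
evaluation.  Added illustration; not the ISA 570W's own logic.  Every address,
port and rule name here is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample data (documentation and private ranges only).
PUBLIC2 = "203.0.113.12"            # the one static IP used for RDP
TRUSTED_NET = "198.51.100.0/24"     # hypothetical branch office allowed to RDP
SCANNER = "192.0.2.77"              # hypothetical untrusted source

# Port Forwarding table: (public ip, public port) -> (internal host, port).
# Three PCs, each on its own RDP port, all behind the same public IP.
FORWARDS = {
    (PUBLIC2, 3400): ("192.168.75.10", 3400),   # PC1
    (PUBLIC2, 3401): ("192.168.75.11", 3401),   # PC2
    (PUBLIC2, 3402): ("192.168.75.12", 3402),   # PC3
}


@dataclass
class Acl:
    name: str
    action: str            # "permit" or "block"
    src: str               # CIDR or "any"
    dst: str               # internal host or "any"
    port: Optional[int]    # None means any service


def src_matches(rule_src: str, ip: str) -> bool:
    return rule_src == "any" or ip_address(ip) in ip_network(rule_src)


def forward(public_ip: str, public_port: int):
    """Port-forwarding step: (host, port) or None when nothing is forwarded."""
    return FORWARDS.get((public_ip, public_port))


def acl_decision(acls, src_ip: str, dst_ip: str, dst_port: int):
    """First matching rule wins, top to bottom; implicit deny at the end."""
    for r in acls:
        if (src_matches(r.src, src_ip)
                and r.dst in ("any", dst_ip)
                and r.port in (None, dst_port)):
            return r.action, r.name
    return "block", "implicit-deny"


def wan_to_lan(acls, src_ip: str, public_ip: str, public_port: int):
    """Packet arriving on WAN1: translate destination, then evaluate the ACL."""
    target = forward(public_ip, public_port)
    if target is None:
        return "dropped", "no-forward"
    host, port = target
    action, rule = acl_decision(acls, src_ip, host, port)
    return ("permitted" if action == "permit" else "dropped"), rule


def wide_open_permits(acls):
    """Permit rules whose source is Any: the exposure Shawn cautions about."""
    return [r.name for r in acls if r.action == "permit" and r.src == "any"]


# Weak ruleset: RDP to PC1 from anywhere.
ACL_ANY = [Acl("RDP_3400_any", "permit", "any", "192.168.75.10", 3400)]

# Hardened ruleset: trusted range only, permits ordered above the block rule.
ACL_HARDENED = [
    Acl("RDP_3400_trusted", "permit", TRUSTED_NET, "192.168.75.10", 3400),
    Acl("RDP_3401_trusted", "permit", TRUSTED_NET, "192.168.75.11", 3401),
    Acl("block_wan_in", "block", "any", "any", None),
]

# Same rules, but the block rule placed first: nothing gets through.
ACL_MISORDERED = [ACL_HARDENED[2], ACL_HARDENED[0], ACL_HARDENED[1]]

if __name__ == "__main__":
    print(wan_to_lan(ACL_ANY, SCANNER, PUBLIC2, 3400))
    print(wan_to_lan(ACL_HARDENED, SCANNER, PUBLIC2, 3400))
    print(wan_to_lan(ACL_HARDENED, "198.51.100.20", PUBLIC2, 3401))
    print(wan_to_lan(ACL_MISORDERED, "198.51.100.20", PUBLIC2, 3400))
    print(wide_open_permits(ACL_ANY))
```

Note that PC3 is forwarded on 3402 but has no Permit rule in the hardened set, so its traffic hits the block rule: each forwarding entry needs its own ACL rule, which matches what Steve reported from Cisco support.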

Re: Port forwarding and multiple public IP addresses

I'm glad you got it worked out. Thank you as well for updating the thread with the fix.
