NAT / Access Lists

I have a small network set up. I need to allow an outside user to RDP into one of the servers on my network.

I have created an access list to allow the RDP traffic into the network:
access_list remote extended permit tcp host x.x.x.x host y.y.y.y eq 3389

How can I get to the server if it is inside the network though? Do I need to create a NAT translation?

Thanks!

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Pash

mzinz wrote:

I have a small network set up. I need to allow an outside user to RDP into one of the servers on my network.

I have created an access list to allow the RDP traffic into the network:
access_list remote extended permit tcp host x.x.x.x host y.y.y.y eq 3389

How can I get to the server if it is inside the network though? Do I need to create a NAT translation?

Thanks!

You need a device somewhere inbetween your router/PIX or whatever holds your acl, and your target server....that maps anything from your originating host IP to target the server IP and use port 3389 for RDP. For juniper we can use a VIP (Virtual IP) for example.

mzinz

Pash wrote:

mzinz wrote:

I have a small network set up. I need to allow an outside user to RDP into one of the servers on my network.

I have created an access list to allow the RDP traffic into the network:
access_list remote extended permit tcp host x.x.x.x host y.y.y.y eq 3389

How can I get to the server if it is inside the network though? Do I need to create a NAT translation?

Thanks!

You need a device somewhere inbetween your router/PIX or whatever holds your acl, and your target server....that maps anything from your originating host IP to target the server IP and use port 3389 for RDP. For juniper we can use a VIP (Virtual IP) for example.

Thanks for the reply. There are other devices between the ASA/Server, but no Juniper device. What statement do you use to "tell it" that any RDP traffic coming inbound goes to that specific local IP?

Netstudent

perhaps ip nat inside source static 192.168.1.1 200.1.1.1 3389

where 192.168.1.1 is your internal rdp server and 200.1.1.1 is the public IP used to get there.

mzinz

Netstudent wrote:

perhaps ip nat inside source static 192.168.1.1 200.1.1.1 3389

where 192.168.1.1 is your internal rdp server and 200.1.1.1 is the public IP used to get there.

Perhaps?

So if they only have one external IP, 200.1.1.1, all RDP traffic directed at 200.1.1.1 will be redirected to 192.168.1.1?

Netstudent

It should as long as your firewall and your access-lists are allowing rdp.

mzinz

I just created the NAT statement and it gave me an error saying there was an overlap. I attempted to RDP and got in, but it took me to the wrong host!

I went and looked at the config, and noticed that there was already an NAT created for RDP connections, which lead to a different IP. I'm a little surprised, though, because I thought the lines I put in should have made it so that any RDP connections from MY external IP, would always go to that specific server. Maybe the other NAT statement is so broad that "ANY incoming RDP connections will go to x.x.x.x"

Pre-Existing RDP NAT statement:
static (Internal-201,ELI-External) tcp interface 3389 USERS_PC_IP 3389 netmask 255.255.255.255

My new RDP NAT statement:
static (Internal-201,ELI-External) tcp MY_EXTERNAL_IP 3389 SERVER_INTERNAL_IP 3389 netmask 255.255.255.255

Is the first statement just so broad? What exactly does 'interface' mean in the first case? "Any requests coming from the outbound INTERFACE will be redirected to USERS_PC_IP?"

nice343

wrong info

mzinz

nice343 wrote:

ip nat inside source static tcp "private IP" 3389 "public IP" 3389

I don't think you read my last post...

Netstudent

Does it get translated correctly after you remove the old nat statement? Maybe you could leave the old NAT statement and just change the private IP to the desired server IP.

Pash

WoW, forgot you could NAT with ports in the mix, wd NS. So does this work mzinz?