ASA 5505 add 2 internal computers to 1 external IP address

I can't think of a better way to phrase this.

We have 5 static IP addresses
One is taken by the Cisco ASA 5505 itself, and is used for VPN
One is used by our domain controller that has some Antivirus software that remote computers connect to.
One is used by our remote support appliance (Bomgar)
One is used by our Exchange server.
The last one is used by my computer for RDP.

I want to be able to RDP directly to another computer, (or more).
So how can I take an external IP address that is used for another device and just forward port 3389 to the 2nd computer I need RDP access to?
(it could share an IP with the remote support appliance which does not and would not ever need port 3389 for example)

Thanks
Scott
 
Change the rdp port of the other device and forward that port to it.
 
NAT say port 3390 to x.x.x.x:3389. Don't even need to change the PC port that way.

Also, why are people connecting to your DC over the internet? Why not through the VPN?
 
OK, when you say static IP, I'm assuming you mean public... if so... why do you have your PC on a public IP?

Do you not use NAT/PAT? We have to know where this "other computer, (or more)" is...

Really, really difficult to answer this question as your setup is..... unorthodox...
 
Don't change the RDP port on the Windows box; that is one of my biggest pet peeves. Simply use port address translation on the ASA to map 3391 external to 3389 internal for the new server.
 
You should be using PAT. Assuming you're on a newer IOS image:

object network FTP01
 host 192.168.1.101
!
object network FTP01-FTP-CONTROL_W1
 host 192.168.1.101
 nat (DMZ,WAN1) static 1.1.1.1 service tcp ftp ftp
!
object network FTP01-FTP-DATA_W1
 host 192.168.1.101
 nat (DMZ,WAN1) static 1.1.1.1 service tcp ftp-data ftp-data
!
object-group service FTP01-FTP tcp
 port-object eq ftp
 port-object eq ftp-data
!
access-list WAN1_access_in extended permit tcp any object FTP01 object-group FTP01-FTP

Just change the host IPs to your internal IPs, change 1.1.1.1 to whatever your public IP is that you want it mapped to. This is an example for FTP but you should get the point how to do it for other services. The line you want to look at is: service tcp ftp ftp
You can change that to redirect from any port to 3389, so you'll have to RDP to a different port but that's not that difficult.
 
I will try again.
We have 5 public IP addresses.
We have 4 NATs set up
The Device IP uses one public IP
So I can't create another NAT from a Public IP to the other internal computer I want RDP access to.

How can I get RDP access to this computer without a 1 to 1 NAT, and by using the Public IP address that is already assigned to something else, but on different ports?
 
Stand up another server. Install the RDWeb and RD Gateway roles on it. Then you can connect to any other machine on the network securely through the RD Gateway. It will provide proper SSL over the net and then the RDP protocol internally as the last hop to the host, vs. using straight-up RDP over the net.

This also solves the problem of you connecting and running other services on your DC which is a big no-no....
 
In most cases having a 1:1 mapping is WAY overkill. Why do you need a 1:1? Can you not simply remove the 1:1 and use PAT for the ports you need?

Grentz's idea would work too: set up an RDP gateway of some sort. I use a Linux box with Guacamole installed for RDP over HTML5.

Anyway, if you have a 1:1 mapping you cannot use PAT on that static mapping. The only way would be to set up the server that has the 1:1 NAT to forward some random port to the RDP port of the device you want to get to.
 
In most cases having a 1:1 mapping is WAY overkill. Why do you need a 1:1? Can you not simply remove the 1:1 and use PAT for the ports you need?
I can do this. But I don't know how. I can remove some of the 1:1 NATs.

Can someone send me a example of how I can take 1 public IP address and point to the following:
Point ports 80 and 443 to 10.1.10.20
Point port 3389 to 10.1.10.25
And port 8080 to 10.1.10.30 ?
 
Depends which version of ASA you are running.
 
Off the top of my head, might have to modify it a little. Use your brain...

object network HTTP
 host 10.1.10.20
 nat (DMZ,WAN1) static 1.1.1.1 service tcp 80 80
!
object network HTTPS
 host 10.1.10.20
 nat (DMZ,WAN1) static 1.1.1.1 service tcp 443 443
!
object network RDP
 host 10.1.10.25
 nat (DMZ,WAN1) static 1.1.1.1 service tcp 3389 3389
!
object network NAT8080
 host 10.1.10.30
 nat (DMZ,WAN1) static 1.1.1.1 service tcp 8080 8080
!
object-group service SVC-WEB tcp
 port-object eq 80
 port-object eq 443
!
object-group service SVC-RDP tcp
 port-object eq 3389
!
object-group service SVC-8080 tcp
 port-object eq 8080
!
access-list WAN1_access_in extended permit tcp any object HTTP object-group SVC-WEB
access-list WAN1_access_in extended permit tcp any object RDP object-group SVC-RDP
access-list WAN1_access_in extended permit tcp any object NAT8080 object-group SVC-8080
 

I have this:

name 192.168.1.26 Computer3
name 192.168.1.25 MyComputer
name 192.168.1.20 RemoteSupportAppliance
name 192.168.1.5 Server
name 192.168.1.30 Camera
name 192.168.1.14 Exchange
name 192.168.1.27 Computer2

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 123.123.123.123 RemoteSupportAppliance netmask 255.255.255.255
static (inside,outside) 123.123.123.124 MyComputer netmask 255.255.255.255
static (inside,outside) 123.123.123.125 Server netmask 255.255.255.255
static (inside,outside) 123.123.123.126 Exchange netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 123.123.123.127 1

object-group service rdp tcp
description Remote Desktop
port-object range 3389 3389
object-group service w32time tcp-udp
port-object range 123 123
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any object-group w32time
access-list outside_access_in extended permit tcp any host 123.123.123.125 object-group rdp
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq 7161
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq 7182
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq 7183
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq 7184
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq 7167
access-list outside_access_in extended permit tcp any host 123.123.123.125 eq 7169
access-list outside_access_in extended permit tcp any host 123.123.123.126 eq https
access-list outside_access_in extended permit tcp any host 123.123.123.126 eq www
access-list outside_access_in extended permit tcp any host 123.123.123.126 eq imap4
access-list outside_access_in extended permit tcp any host 123.123.123.126 eq smtp
access-list outside_access_in extended permit tcp any host 123.123.123.126 eq pop3
access-list outside_access_in extended permit tcp any host 123.123.123.126 eq 587
access-list outside_access_in extended permit tcp any host 123.123.123.126 object-group rdp
access-list outside_access_in extended permit tcp any host 123.123.123.124 object-group rdp
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq www
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq https


------------
If you look at the objects above.. I would ideally like to get to 7 devices using 5 external IP addresses.



Also, I would rather use the ASDM GUI if possible.
 
I found this on another forum..

https://supportforums.cisco.com/dis...-rdp-multiple-inside-hosts-one-public-address
Here is the sample config that I plan to use for my ASA version 8.2 RDP port forwarding to inside PCs using ports 3389 - 3408. I will apply it by this weekend and confirm if it all works OK.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
static (inside,outside) tcp 2.2.2.2 3389 10.10.10.21 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3390 10.10.10.22 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3391 10.10.10.23 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3392 10.10.10.24 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3393 10.10.10.25 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3394 10.10.10.26 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3395 10.10.10.27 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3396 10.10.10.28 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3397 10.10.10.29 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3398 10.10.10.30 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3399 10.10.10.31 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3400 10.10.10.32 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3401 10.10.10.33 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3402 10.10.10.34 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3403 10.10.10.35 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3404 10.10.10.36 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3405 10.10.10.37 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3406 10.10.10.38 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3407 10.10.10.39 3389 netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 3408 10.10.10.40 3389 netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host 2.2.2.2 range 3389 3408
access-group outside_access_in in interface outside

It looks much more similar to my config.. I will mess with it and see what happens.
 
As I recall from the last time I used the GUI, you will get that message because your rules do overlap with the general NAT config.
 
It's less of an error and more of a notification.

I am dumb... I got it to work by first removing the conflicting NAT and clicking Apply.
Then I was able to add the new ones with no errors.. I am kicking myself for missing such a simple step.
 
Tis how we all learn! So it's all good now?
 
Thanks for all of your help previously..
I was able to get it to work on our device.

Now I am trying to do the same thing on another firewall running ASA 8.4(3)
It is all different.

Here is what it currently has:
nat (inside,outside) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-10.0.4.0 obj-10.0.4.0 route-lookup
!
object network obj-10.10.10.5
nat (inside,outside) static obj-22.22.22.213 dns
!
nat (inside,outside) after-auto source static obj-10.10.10.6 obj-22.22.22.212 dns
nat (inside,outside) after-auto source dynamic any interface

How can I make it do the same thing I did on our firewall? with "22.22.22.211"

The thing that utilmately worked on our firewall running ASA 7.2(4)
static (inside,outside) tcp 70.70.70.61 3389 Scott 3389 netmask 255.255.255.255
static (inside,outside) tcp 70.70.70.61 5000 Michael 3389 netmask 255.255.255.255
static (inside,outside) tcp 70.70.70.61 5001 George 3389 netmask 255.255.255.255
 
You need to create network objects and NAT those.

object network WEBSRV-HTTP_W1
host X.X.X.X
nat (DMZ,WAN1) static Y.Y.Y.Y service tcp www www
!
object network WEBSRV-HTTPS_W1
host X.X.X.X
nat (DMZ,WAN1) static Y.Y.Y.Y service tcp https https
!
Where X = Internal IP and Y = WAN/External IP
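The two syntaxes in this thread express the same port forwards: the pre-8.3 `static (inside,outside) tcp ...` lines that worked on the 7.2(4) box, and the 8.3+ `object network` / `nat ... service` form needed on 8.4(3). The script below is an added example written for this thread, not code from the thread or from Cisco. It renders one table of forwards in both syntaxes, emits the matching inbound ACL lines (before 8.3 the ACL names the mapped public address and port; from 8.3 on it names the real inside address and port), and flags the two things the ASA refuses: two forwards on the same public IP/protocol/port, and a port forward on a public address that still carries a whole-address 1:1 `static`, which is the "conflicting NAT" that had to be removed and applied first. The object names, the 203.0.113.61 public address and the 192.168.1.x hosts are made-up sample values.

```python
"""Render Cisco ASA port forwards (static PAT) in the pre-8.3 'static' syntax
and the 8.3+ object-NAT syntax from one table, and flag configurations the
ASA itself would reject.  Added example for this thread, not Cisco code;
the addresses and object names below are made-up sample values."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Forward:
    """One port forward: public_ip:ext_port on the outside -> inside_ip:int_port."""
    name: str            # object name used in the 8.3+ syntax
    public_ip: str
    ext_port: int
    inside_ip: str
    int_port: int = 3389
    proto: str = "tcp"


def check_conflicts(forwards: Iterable[Forward], one_to_one: Iterable[str] = ()) -> List[str]:
    """Return human-readable problems.  Two forwards may not share a public
    IP/protocol/port triple, and a port forward cannot coexist with a
    whole-address 1:1 static on the same public IP: that static must be
    removed (and applied) first, which is the step the thread tripped over."""
    problems = []
    seen = {}
    statics = set(one_to_one)
    for f in forwards:
        key = (f.public_ip, f.proto, f.ext_port)
        if key in seen:
            problems.append(f"{f.public_ip} {f.proto}/{f.ext_port} is used by both {seen[key]} and {f.name}")
        seen[key] = f.name
        if f.public_ip in statics:
            problems.append(f"{f.name}: {f.public_ip} still has a 1:1 static; remove it before adding this forward")
    return problems


def render_pre_83(forwards: Iterable[Forward], real_if="inside", mapped_if="outside") -> List[str]:
    """ASA 7.x/8.2: static (real,mapped) PROTO PUBLIC EXT_PORT INSIDE INT_PORT netmask ..."""
    return [
        f"static ({real_if},{mapped_if}) {f.proto} {f.public_ip} {f.ext_port} "
        f"{f.inside_ip} {f.int_port} netmask 255.255.255.255"
        for f in forwards
    ]


def render_83_plus(forwards: Iterable[Forward], real_if="inside", mapped_if="outside") -> List[str]:
    """ASA 8.3+: one network object per forward (an object holds a single nat
    statement), with 'service PROTO REAL MAPPED': real port first, public port second."""
    lines = []
    for f in forwards:
        lines += [
            f"object network {f.name}",
            f" host {f.inside_ip}",
            f" nat ({real_if},{mapped_if}) static {f.public_ip} service {f.proto} {f.int_port} {f.ext_port}",
            "!",
        ]
    return lines


def render_acl(forwards: Iterable[Forward], acl: str, pre_83: bool, source: str = "any") -> List[str]:
    """Inbound interface ACL.  Before 8.3 the ACL matches the mapped (public)
    address and port; from 8.3 on it matches the real (inside) address and
    port.  'source' defaults to any, which exposes the port to the whole
    internet; prefer a host or object-group of trusted addresses."""
    out = []
    for f in forwards:
        dst = (f.public_ip, f.ext_port) if pre_83 else (f.inside_ip, f.int_port)
        out.append(f"access-list {acl} extended permit {f.proto} {source} host {dst[0]} eq {dst[1]}")
    return out


# Constructed sample: three inside PCs reached on one public address, as in the thread.
SAMPLE = [
    Forward("rdp-scott", "203.0.113.61", 3389, "192.168.1.25"),
    Forward("rdp-michael", "203.0.113.61", 5000, "192.168.1.27"),
    Forward("rdp-george", "203.0.113.61", 5001, "192.168.1.26"),
]

if __name__ == "__main__":
    problems = check_conflicts(SAMPLE, one_to_one={"203.0.113.61"})
    print("with the 1:1 static still present:", *problems, sep="\n  ")
    print("\n! 7.x / 8.2 syntax")
    print("\n".join(render_pre_83(SAMPLE) + render_acl(SAMPLE, "outside_access_in", pre_83=True)))
    print("\n! 8.3+ syntax")
    print("\n".join(render_83_plus(SAMPLE) + render_acl(SAMPLE, "outside_access_in", pre_83=False)))
```

Run it as-is to see the same three forwards in both dialects; pass `one_to_one=set()` once the whole-address static for that public IP has been removed and applied, and the conflict list comes back empty. The ACL helper defaults to `source="any"` to match what the thread's configs do, but leaving 3389 (or 5000/5001, which port scanners find just as easily) open to the world is what the VPN and RD Gateway suggestions earlier in the thread avoid; at minimum, replace `any` with the management hosts that actually need RDP.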
 