Forward RDP to 2 different internal IP's
#1
Right now the ASA 5505 is set up to let through 3389/RDP to 192.168.1.4. I'm going to set up another computer to be a terminal server of sorts and would like to be able to use RDP to connect to this machine as well. Can this be accomplished by adding a new network object with the IP of the terminal server machine and by adding a new static NAT with PAT to forward 3389 to the port of my choosing on the terminal server? I'm doing this all via the ASDM. I'm not familiar with the console. Any help is greatly appreciated.
#2
I would recommend against publishing a TS server directly through the ASA box or, as a minimum, restrict it to a specific external IP address and also use port translation.
Although outside the scope of your question, there are more secure ways to publish RDS/TS servers.
#3
Yep, you can do that.
You would need an ACL on the outside interface permitting tcp on 3389. If it is an ASA pre 8.3 then you use the public address in the ACL; if it is 8.3 or newer you use the private IP address in your ACL. Then you just add a static port translation to the chosen port. Do you have multiple public IPs or just one? If just one, you would need to change the port coming inbound for RDP for the new server and then translate the private IP to the requested port. If you keep both ports at 3389 coming inbound there is no way the ASA can figure out what NAT rule to use and forward it properly.

```
access-list OUTSIDE_IN extended permit tcp any host x.x.x.x eq 3389
access-list OUTSIDE_IN extended permit tcp any host x.x.x.x eq 3390
nat (inside,outside) tcp interface 3389 192.168.1.4 3389
nat (inside,outside) tcp interface 3390 192.168.1.5 3389
```

or

```
nat (inside,outside) tcp interface 3389 192.168.1.4 3389
nat (inside,outside) tcp interface 3390 192.168.1.5 3390
```

These NATs are pre 8.3 code.

Last edited by auglan; 9th March 2012 at 17:56.
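As an added illustration that is not part of the thread, a small Python checker that parses pre-8.3 style rules of the form auglan posted and flags the failure mode he describes (two translations sharing one inbound port) and the exposure L4ndy warns about (an ACL permitting 3389 from any source), plus ACL entries with no matching translation. The sample configuration, the 203.0.113.10 public address, the `audit` function and the regexes are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the first rule set in the post above
# (203.0.113.10 stands in for the real public address x.x.x.x).
SAMPLE_CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 3389
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 3390
nat (inside,outside) tcp interface 3389 192.168.1.4 3389
nat (inside,outside) tcp interface 3390 192.168.1.5 3389
"""

# Pre-8.3 style static PAT: nat (in,out) tcp interface <pub port> <ip> <priv port>
NAT_RE = re.compile(
    r"^nat \(\w+,\w+\) tcp interface (?P<pub>\d+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<priv>\d+)$")
# Extended ACL line; source may be "any", "host A.B.C.D" or "<net> <mask>"
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp "
    r"(?P<src>any|host \S+|\S+ \S+) host (?P<dst>\S+) eq (?P<port>\d+)$")

def audit(config):
    """Return findings about inbound RDP publishing rules in `config`."""
    translations = defaultdict(list)  # inbound port -> [(private ip, private port)]
    acl_ports, any_ports = set(), set()
    for line in (l.strip() for l in config.splitlines()):
        if m := NAT_RE.match(line):
            translations[int(m["pub"])].append((m["ip"], int(m["priv"])))
        elif m := ACL_RE.match(line):
            port = int(m["port"])
            acl_ports.add(port)
            if m["src"] == "any":          # reachable from the whole internet
                any_ports.add(port)
    return {
        # the ASA cannot pick a rule when one inbound port maps to two hosts
        "port_collisions": sorted(p for p, t in translations.items() if len(t) > 1),
        "open_to_any": sorted(any_ports),
        "acl_without_nat": sorted(acl_ports - translations.keys()),
        "nat_without_acl": sorted(translations.keys() - acl_ports),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```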
#4
L4ndy, thank you for the advice.
auglan, thanks for the input. I'm going to give it a shot. I thought it would work like that, but I'm very new to Cisco. I'm going to change the port on the TS to 3390 and go from there. I'll post back the results. Oh, and the ASDM I'm working on is 5.2(4) and the ASA is 7.2(4).
#5
It worked great. I already had 3389 done. So, I created the new access list for 3390, then a new network object for the IP of the PC I wanted to use. I created the static NAT with PAT and changed the port on the machine to use 3390 instead of 3389, and it worked great. I also had to open the port on the internal machine's firewall as well. Thank you very much for your help.