Forward RDP to 2 different internal IP's
  • Forward RDP to 2 different internal IP's

    Right now the ASA 5505 is setup to let through 3389/RDP to 192.168.1.4. I'm going to setup another computer to be a terminal server of sorts and would like to be able to use RDP to connect to this machine as well. Can this be accomplished by adding a new network object with the IP of the terminal server machine and by adding a new static NAT with PAT to forward 3389 to the port of my choosing on the terminal server? I'm doing this all via the ASDM. I'm not familiar with the console. Any help is greatly appreciated.

  • #2
    Re: Forward RDP to 2 different internal IP's

    I would recommend against publishing a TS server directly through the ASA box or as a minimum restrict it to a specific External IP address and also use port translation.
    Although outside the scope of your question, there are more secure ways to publish RDS/TS servers though.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

    • #3
      Re: Forward RDP to 2 different internal IP's

      Yep you can do that.

      You would need an ACL on the outside interface permitting tcp on 3389. If it is an ASA pre 8.3 then you use the public address in the ACL; if it is 8.3 or newer you use the private ip address in your ACL. Then you just add a static port translation to the chosen port.

      Do you have multiple public ip's or just one? If just one you would need to change the port coming inbound for RDP for the new server and then translate the private ip to the requested port. If you keep both ports at 3389 coming inbound there is no way the ASA can figure out what nat rule to use and forward it properly.


      ! ACL on the outside interface; pre-8.3 so the public (mapped) address is used
      access-list OUTSIDE_IN extended permit tcp any host x.x.x.x eq 3389
      access-list OUTSIDE_IN extended permit tcp any host x.x.x.x eq 3390
      ! the ACL does nothing until it is bound to the interface
      access-group OUTSIDE_IN in interface outside

      ! pre-8.3 static PAT: outside port -> inside host:port
      static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
      static (inside,outside) tcp interface 3390 192.168.1.5 3389 netmask 255.255.255.255

      or (second server actually listening on 3390)

      static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
      static (inside,outside) tcp interface 3390 192.168.1.5 3390 netmask 255.255.255.255


      These nats are pre 8.3 code.
      Last edited by auglan; 9th March 2012, 15:56.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)
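      The point auglan makes about the ASA not being able to pick a NAT rule when two forwards share the same inbound port, and the pre-8.3 versus 8.3+ difference in what the ACL references, can be checked before anything is pasted into ASDM. The following is an added example, not code from the thread or from Cisco: it renders both syntaxes from a list of forwards, restricts the source to one external host as L4ndy recommended, and refuses to emit rules whose outside ports collide. The object names, the 203.0.113.10 source address and the helper names are constructed for the example.

```python
"""Render ASA RDP port-forwards in pre-8.3 and 8.3+ syntax and catch
colliding outside ports. Constructed example; names and IPs are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    name: str         # object name for 8.3+ object NAT (hypothetical)
    real_ip: str      # internal host
    real_port: int    # port the host actually listens on
    mapped_port: int  # port exposed on the outside interface


def find_collisions(forwards):
    """Return {outside_port: [real_ips]} for ports claimed by more than one rule.
    Two rules on the same outside port is exactly the case where the ASA
    cannot decide which translation applies."""
    seen = {}
    for f in forwards:
        seen.setdefault(f.mapped_port, []).append(f.real_ip)
    return {p: ips for p, ips in seen.items() if len(ips) > 1}


def render_pre83(forwards, allowed_src="any", public_ip="x.x.x.x"):
    """Pre-8.3: the ACL names the public (mapped) address and mapped port,
    translation is done with 'static' lines."""
    if find_collisions(forwards):
        raise ValueError(f"outside port collision: {find_collisions(forwards)}")
    lines = [f"access-list OUTSIDE_IN extended permit tcp {allowed_src} "
             f"host {public_ip} eq {f.mapped_port}" for f in forwards]
    lines.append("access-group OUTSIDE_IN in interface outside")
    for f in forwards:
        lines.append(f"static (inside,outside) tcp interface {f.mapped_port} "
                     f"{f.real_ip} {f.real_port} netmask 255.255.255.255")
    return lines


def render_post83(forwards, allowed_src="any"):
    """8.3+: object NAT, and the ACL names the real (private) address and
    real port because the ACL is evaluated on untranslated addresses."""
    if find_collisions(forwards):
        raise ValueError(f"outside port collision: {find_collisions(forwards)}")
    lines = []
    for f in forwards:
        lines += [f"object network {f.name}",
                  f" host {f.real_ip}",
                  f" nat (inside,outside) static interface service tcp "
                  f"{f.real_port} {f.mapped_port}"]
    lines += [f"access-list OUTSIDE_IN extended permit tcp {allowed_src} "
              f"host {f.real_ip} eq {f.real_port}" for f in forwards]
    lines.append("access-group OUTSIDE_IN in interface outside")
    return lines


# Constructed inputs: the thread's two hosts, second one reached on outside port 3390.
FORWARDS = [
    Forward("RDP_SRV1", "192.168.1.4", 3389, 3389),
    Forward("TS1", "192.168.1.5", 3389, 3390),
]
# Only one admin address (constructed, TEST-NET-3) may reach RDP, not 'any'.
ADMIN_SRC = "host 203.0.113.10"

if __name__ == "__main__":
    print("\n".join(render_pre83(FORWARDS, ADMIN_SRC)))
    print()
    print("\n".join(render_post83(FORWARDS, ADMIN_SRC)))
```

      Running it prints the pre-8.3 block first and the 8.3+ block second; feeding it two forwards that both use outside port 3389 raises instead of producing a config the ASA would apply ambiguously.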

      • #4
        Re: Forward RDP to 2 different internal IP's

        L4ndy, thank you for the advice.

        auglan, thanks for the input. I'm going to give it a shot. I thought it would work like that but I'm very new to Cisco. I'm going to change the port on the TS to 3390 and go from there. I'll post back the results. Oh and this ASDM I'm working on is 5.2(4) and ASA 7.2(4).

        • #5
          Re: Forward RDP to 2 different internal IP's

          It worked great. I already had 3389 done. So, I created the new access list for 3390 then a new network object for the IP of the PC I wanted to use. Created the static nat with pat and changed the port on the machine to use 3390 instead of 3389 and it worked great. I also had to open the port on the internal machine's firewall as well. Thank you very much for your help.
