Access List

James Bond

Diamond Member
Jan 21, 2005
I have a small network set up. I need to allow an outside user to RDP into one of the servers on my network.

I have created an access list to allow the RDP traffic into the network:
access-list remote extended permit tcp host x.x.x.x host ?.?.?.? eq 3389

How can I get to the server if it is inside the network though? Do I need to create a NAT translation?

Thanks!
 

jlazzaro

Golden Member
May 6, 2004
indeed...something like this:

ip nat inside source static tcp <inside ip> 3389 interface <your outside interface> 3389
 

James Bond

Diamond Member
Jan 21, 2005
Originally posted by: jlazzaro
indeed...something like this:

ip nat inside source static tcp <inside ip> 3389 interface <your outside interface> 3389

Thanks for the reply. I'm having a new issue now :)

I just created the NAT statement and it gave me an error saying there was an overlap. I attempted to RDP and got in, but it took me to the wrong host!

I went and looked at the config, and noticed that there was already a NAT created for RDP connections, which led to a different IP. I'm a little surprised, though, because I thought the lines I put in were specific enough that RDP connections from MY external IP would always go to that specific server. Maybe the other NAT statement is so broad that "ANY incoming RDP connections will go to x.x.x.x"?

Pre-Existing RDP NAT statement:
static (Internal-201,ELI-External) tcp interface 3389 USERS_PC_IP 3389 netmask 255.255.255.255

My new RDP NAT statement:
static (Internal-201,ELI-External) tcp MY_EXTERNAL_IP 3389 SERVER_INTERNAL_IP 3389 netmask 255.255.255.255

Is the first statement just so broad? What exactly does 'interface' mean in the first case? "Any requests coming from the outbound INTERFACE will be redirected to USERS_PC_IP"?
 

spidey07

No Lifer
Aug 4, 2000
Anything coming TO the outside interface will be translated if it's on tcp port 3389.

-edit-
To be more specific, anything coming to the outside interface IP address.
 

BZeto

Platinum Member
Apr 28, 2002
Wouldn't a statement like that cause anyone connecting to the external IP on 3389 to be connected to that specific internal server? What if you needed to RDP into a different server/station from outside the network?
 

spidey07

No Lifer
Aug 4, 2000
You would need to use a different outside IP address or use access lists to specify the source of the device connecting.

If source is A connecting to C, then use D inside address
If source is B connecting to C, then use E inside address
 

jlazzaro

Golden Member
May 6, 2004
Originally posted by: spidey07
You would need to use a different outside IP address or use access lists to specify the source of the device connecting.

If source is A connecting to C, then use D inside address
If source is B connecting to C, then use E inside address
Alternatively, connect to a different outside port number and redirect it to your inside server over 3389.
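As an added illustration (not posted by anyone in the thread), here is how the existing interface PAT and the two alternatives suggested by spidey07 and jlazzaro look in the pre-8.3 PIX/ASA `static` syntax the OP is using. The interface names Internal-201 and ELI-External come from the OP's config; OUTSIDE_IF_IP, SECOND_OUTSIDE_IP, USERS_PC_IP, SERVER_INTERNAL_IP, MY_EXTERNAL_IP and OTHER_REMOTE_IP are placeholders.

```cisco
! Constructed example, not the OP's running config. Pre-8.3 PIX/ASA syntax.
!
! --- What the pre-existing line does: interface PAT. Every TCP/3389 connection
! addressed to the ELI-External interface IP is translated to USERS_PC_IP, no
! matter which remote host sent it. That is why the OP landed on the wrong box.
static (Internal-201,ELI-External) tcp interface 3389 USERS_PC_IP 3389 netmask 255.255.255.255
!
! --- Why the OP's new line overlapped: in
!     static (real,mapped) tcp MAPPED_IP port REAL_IP port
! MAPPED_IP is an address the firewall answers for on ELI-External (the address
! the remote user connects TO). Putting the remote user's own IP there does not
! make the rule source-specific; the firewall still only has one 3389 "slot"
! per mapped address, and the interface IP's slot is already taken above.
!
! --- Option 1 (jlazzaro): a different outside port, redirected to 3389 inside.
! The remote user points the RDP client at OUTSIDE_IF_IP:3390.
static (Internal-201,ELI-External) tcp interface 3390 SERVER_INTERNAL_IP 3389 netmask 255.255.255.255
! Pre-8.3 interface ACLs match the mapped (outside) address, not the inside IP.
access-list remote extended permit tcp host MY_EXTERNAL_IP host OUTSIDE_IF_IP eq 3390
access-group remote in interface ELI-External
!
! --- Option 2a (spidey07): a second outside IP, so each server gets its own
! 3389 slot. Remote user connects to SECOND_OUTSIDE_IP:3389.
static (Internal-201,ELI-External) tcp SECOND_OUTSIDE_IP 3389 SERVER_INTERNAL_IP 3389 netmask 255.255.255.255
access-list remote extended permit tcp host MY_EXTERNAL_IP host SECOND_OUTSIDE_IP eq 3389
!
! --- Option 2b (spidey07): policy static NAT keyed on the remote source, which
! is the "A to C goes to D, B to C goes to E" mapping. In the policy ACL the
! inside (real) host is the source and the permitted remote client is the
! destination. Both statics share interface:3389; the ACLs keep them distinct.
access-list RDP_TO_USERS_PC extended permit tcp host USERS_PC_IP eq 3389 host OTHER_REMOTE_IP
access-list RDP_TO_SERVER extended permit tcp host SERVER_INTERNAL_IP eq 3389 host MY_EXTERNAL_IP
static (Internal-201,ELI-External) tcp interface 3389 access-list RDP_TO_USERS_PC
static (Internal-201,ELI-External) tcp interface 3389 access-list RDP_TO_SERVER
access-list remote extended permit tcp host OTHER_REMOTE_IP host OUTSIDE_IF_IP eq 3389
access-list remote extended permit tcp host MY_EXTERNAL_IP host OUTSIDE_IF_IP eq 3389
```

Whichever option is used, keep the interface ACL restricted to the known remote source addresses as the OP's original `access-list remote` line does; the NAT statement alone decides where a connection lands, not who is allowed to make it.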
 

BZeto

Platinum Member
Apr 28, 2002
Would seem easier to set up some sort of VPN solution and only give Terminal Services rights to that server for the specific user. Although that may be impractical depending on the size/type of the OP's network.