• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 698

Allowing multiple RDP from 1 IP

OK... I have another vendor that needs access to a server. I already created a static NAT and an access list for a vendor previously, so I need to allow another public IP in, which isn't a problem, but I want it to go to a different server. The only way I can think to do it is to change the port RDP listens on on the server and create a NAT for that. Can anyone think of something different?


Here's my config:
 
!
!
aaa authentication login USER_VPN group radius
aaa authorization network GROUP_VPN local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name xxxxx.com
ip name-server 10.1.1.10
ip name-server 10.1.1.9
ip name-server xxx.xxx.xxx.168
ip name-server xxx.xxx.xxx.169
ip name-server xxx.xxx.xxx.129
ip name-server xxx.xxx.xxx.137
!
!
!
!
username x privilege 15 secret 5 $x
username x privilege 15 secret 5 $x/
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key MW_COBVPNTunnel address xxx.xxx.xxx.69 no-xauth
crypto isakmp key REC_VPNTunnel address xxx.xxx.xxx.5 no-xauth
crypto isakmp key FD_VPNTunnel address xxx.xxx.xxx.2 no-xauth
crypto isakmp key WAT_VPNTunnel address xxx.xxx.xxx.3 no-xauth
crypto isakmp key POL_VPNTunnel address xxx.xxx.xxx.4 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address xxx.xxx.xxx.6 no-xauth
crypto isakmp key q6dxfc5q6dxfc5 address xxx.xxx.xxx.254 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto isakmp client configuration group COBVPN
 key COBvpn
 dns 10.1.1.10 10.1.1.9
 wins 10.1.1.10
 pool VPN_POOL
 acl ADMIN-VPN
 netmask 255.255.255.0
!
crypto isakmp client configuration group GROUP_VPN
!
crypto isakmp client configuration group CODYVPN
 key COBCodyVPN
 dns 10.1.1.9
 wins 10.1.1.10
 pool CODY_VPN_POOL
 acl CODY-VPN
 netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_Clients 100
 set transform-set 3DES
 reverse-route
!
!
crypto map VPN client authentication list USER_VPN
crypto map VPN isakmp authorization list GROUP_VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description Tunnel to MW
 set peer xxx.xxx.xxx.69
 set transform-set 3DES
 match address COB2MW
crypto map VPN 15 ipsec-isakmp
 description Tunnel to REC
 set peer xxx.xxx.xxx.5
 set transform-set 3DES
 match address COB2REC
crypto map VPN 20 ipsec-isakmp
 description Tunnel to FD
 set peer xxx.xxx.xxx.2
 set transform-set 3DES
 match address COB2FD
crypto map VPN 30 ipsec-isakmp
 description Tunnel to Water
 set peer xxx.xxx.xxx.3
 set transform-set 3DES
 match address COB2WATER
crypto map VPN 40 ipsec-isakmp
 description Tunnel to Pollution Control
 set peer xxx.xxx.xxx.4
 set transform-set 3DES
 match address COB2POL
crypto map VPN 60 ipsec-isakmp
 description Tunnel to HC Jail
 set peer xxx.xxx.xxx.6
 set transform-set 3DES
 match address COB2HCJAIL
crypto map VPN 70 ipsec-isakmp
 description Tunnel To SC Jail
 set peer xxx.xxx.xxx.254
 set transform-set 3DES
 match address COB2SCJAIL
crypto map VPN 65000 ipsec-isakmp dynamic VPN_Clients
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/0
 description WAN
 ip address xxx.xxx.xxx.146 255.255.255.248 secondary
 ip address xxx.xxx.xxx.150 255.255.255.248
 ip access-group FWOUT out
 ip accounting output-packets
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map VPN
!
interface GigabitEthernet0/1
 description LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 duplex auto
 speed auto
!
ip local pool VPN_POOL 10.100.100.1 10.100.100.254
ip local pool CODY_VPN_POOL 10.101.101.1 10.101.101.254
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.145
ip route xxx.xxx.xxx.0 255.255.255.0 10.1.1.12
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination xxx.xxx.xxx.229 2055
!
no ip http server
no ip http secure-server
ip nat pool PAT xxx.xxx.xxx.146 xxx.xxx.xxx.146 netmask 255.255.255.248
ip nat inside source route-map NAT pool PAT overload
ip nat inside source static tcp 10.1.1.80 23 xxx.xxx.xxx.150 23 extendable
ip nat inside source static tcp 10.1.1.10 25 xxx.xxx.xxx.150 25 extendable
ip nat inside source static tcp 10.1.1.10 80 xxx.xxx.xxx.150 80 extendable
ip nat inside source static tcp 10.1.1.10 110 xxx.xxx.xxx.150 110 extendable
ip nat inside source static tcp 10.1.1.11 3389 xxx.xxx.xxx.150 3389 extendable
ip nat inside source static tcp 10.1.1.164 5635 xxx.xxx.xxx.150 5635 extendable
ip nat inside source static udp 10.1.1.164 5635 xxx.xxx.xxx.150 5635 extendable
ip nat inside source static tcp 10.1.1.3 5659 xxx.xxx.xxx.150 5659 extendable
ip nat inside source static udp 10.1.1.3 5660 xxx.xxx.xxx.150 5660 extendable
ip nat inside source static tcp 10.1.1.10 5665 xxx.xxx.xxx.150 5665 extendable
ip nat inside source static udp 10.1.1.10 5666 xxx.xxx.xxx.150 5666 extendable
ip nat inside source static tcp 10.1.1.9 5669 xxx.xxx.xxx.150 5669 extendable
ip nat inside source static udp 10.1.1.9 5670 xxx.xxx.xxx.150 5670 extendable
ip nat inside source static tcp 10.1.1.5 5671 xxx.xxx.xxx.150 5671 extendable
ip nat inside source static udp 10.1.1.5 5672 xxx.xxx.xxx.150 5672 extendable
!
ip access-list extended ADMIN-VPN
 remark Access for Admin VPN group
 permit ip 10.1.1.0 0.0.0.255 10.100.100.0 0.0.0.255
ip access-list extended COB2FD
 remark COB VPN to FD
 permit ip 10.1.1.0 0.0.0.255 10.1.5.0 0.0.0.255
ip access-list extended COB2HCJAIL
 remark COB VPN to Huron County Jail
 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended COB2MW
 remark COB VPN to MW
 permit ip 10.1.1.0 0.0.0.255 192.168.57.0 0.0.0.255
ip access-list extended COB2POL
 remark COB VPN to Pollution Control
 permit ip 10.1.1.0 0.0.0.255 10.1.9.0 0.0.0.255
ip access-list extended COB2REC
 remark COB VPN to REC
 permit ip 10.1.1.0 0.0.0.255 10.1.7.0 0.0.0.255
ip access-list extended COB2SCJAIL
 remark COB VPN to Sandusky Country Jail
 permit ip 10.1.1.0 0.0.0.255 192.168.200.0 0.0.0.255
ip access-list extended COB2WATER
 remark COB VPN to Water
 permit ip 10.1.1.0 0.0.0.255 10.1.11.0 0.0.0.255
ip access-list extended CODY-VPN
 permit ip host 10.1.1.9 10.101.101.0 0.0.0.255
ip access-list extended FWOUT
 permit ip any any reflect REFLECT
ip access-list extended inet-in
 permit tcp host xxx.xxx.xxx.149 host xxx.xxx.xxx.150 eq 3389
 permit tcp host xxx.xxx.xxx.116 host xxx.xxx.xxx.150 eq 3389
 deny   tcp any host xxx.xxx.xxx.150 eq 3389
 permit ip any any
ip access-list extended inet-traffic
 remark inet traffic
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended internet-in
 deny   tcp any host 70.62.43.150 eq 3389
ip access-list extended nonat
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 10.1.1.0 0.0.0.255 any
!
snmp-server community cdhelpdot5864 RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps atm subif
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rtr
route-map NAT permit 10
 match ip address inet-traffic
!
!
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646
radius-server key cisco123
!
control-plane
!
!
banner login ^CC
*****************************************************************************
* Unauthorized access will be prosecuted to the fullest extent of the law.  *
* To avoid criminal charges, disconnect NOW!                                *
*****************************************************************************
^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.1.1.10
!
end
 
COB_WAN#

0

Asked by: jasonmichel
1 Solution
 
JFrederick29Commented:
You can leave the server port the same (3389), but in your static NAT statement use 3390 (or something other than 3389) for the outside listening port. So, when you RDP, you would specify the port in the RDP client (70.62.43.150:3390).

ip nat inside source static tcp 10.1.1.x 3389 70.62.43.150 3390 extendable

0
 
jasonmichelAuthor Commented:
Well, I just found out I have a few more public IPs I can use. I already have a main and secondary IP added to my WAN interface... can I add another?
0
 
JFrederick29Commented:
You don't need to add it as a secondary, actually. Your ISP is routing the addresses to you.

Yeah, it looks like you have 70.62.43.145 - 151.

So, you could for example do:

ip nat inside source static tcp 10.1.1.x 3389 70.62.43.147 3389 extendable

0
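As an added example (not from either poster), here are both options from the answers above in IOS form, together with the inbound filter a practitioner would pair with them: the posted config defines the inet-in list that limits 3389 to the two vendor hosts, but never applies it to GigabitEthernet0/0, which only carries FWOUT outbound. NEW_VENDOR_PUBLIC_IP and 10.1.1.x are placeholders; the /29 addresses are the ones the thread gives.

```cisco
! Option A: keep the public IP, expose the second server on a different outside port
ip nat inside source static tcp 10.1.1.x 3389 70.62.43.150 3390 extendable
!
! Option B: use another address from the routed /29 (no secondary address needed)
ip nat inside source static tcp 10.1.1.x 3389 70.62.43.147 3389 extendable
!
! Inbound ACL on the outside interface is evaluated before NAT for outside-to-inside
! traffic, so the entries match the public (global) address, as the posted inet-in does.
! Keep the deny lines host-specific so PAT return traffic on those ports is unaffected.
ip access-list extended inet-in
 permit tcp host xxx.xxx.xxx.149 host 70.62.43.150 eq 3389
 permit tcp host xxx.xxx.xxx.116 host 70.62.43.150 eq 3389
 permit tcp host NEW_VENDOR_PUBLIC_IP host 70.62.43.150 eq 3390
 permit tcp host NEW_VENDOR_PUBLIC_IP host 70.62.43.147 eq 3389
 deny   tcp any host 70.62.43.150 eq 3389
 deny   tcp any host 70.62.43.150 eq 3390
 deny   tcp any host 70.62.43.147 eq 3389
 permit ip any any
!
! Apply the list inbound on the WAN interface (only defined, not applied, in the posted config)
interface GigabitEthernet0/0
 ip access-group inet-in in
```

Only one of the two static entries is needed for a given server; with Option B the vendor connects to 70.62.43.147 on the default port, with Option A to 70.62.43.150:3390.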
 
jasonmichelAuthor Commented:
Spot on... I figured it out after testing.
0
