Port Forward or 1:1 nat??

Posted on 2008-11-14
Last Modified: 2012-05-05
I have a few users that need access from home and some available public IPs. I am working with an HP ProCurve 7102dl for my router/firewall.
Here is what i have:
Eth 0/1 - private
Eth 0/2 - public 64.211.x.x

I would like to use a 64 address to forward to a 10 address using either PF or 1:1 NAT on port 3389.

Though I have deployed this in the past, the same configs are not working.......:(

Any assistance would be great.....
Question by:armitdept
    LVL 42

    Expert Comment

    Either one would work, but I recommend not doing this since port 3389 is RDP and is not the most secure way of accessing internal resources over the internet. I have seen this done with port forwarding and 1:1 NAT (with port forwarding you would choose a custom port for RDP, and for 1:1 NAT just straight RDP access).

    I would recommend not using either.  A better solution is a VPN connection to the inside and then use RDP.  This will allow you to use only one 1:1 NAT for the VPN tunnel, and once they have access the tunnel is encrypted and they can use RDP to whatever resources they need access to.

    Another way to do this is to use something like or gotomypc.  In this case you're connecting to the inside with SSL encryption.

    My $.02
    LVL 6

    Expert Comment

    My understanding is you are only able to port forward to a single host on port 3389, so it's gonna be something like port forward tcp/udp to
    1:1 NAT (some routers call it DMZ mode) will pretty much open the whole access to the inside network, thus not recommended for security reasons.

    Try troubleshooting by port forwarding ports 1 until 10000 for example, then you can narrow down the issue stopping this from working.

    You can use 1:1 NAT if you have other firewall / ACL settings on the router.

    Hope this helps..
    LVL 11

    Expert Comment

    The SonicWall TZ190 does exactly what you want. It has a built-in feature called ViewPoint that collects detailed usage stats and sends them to a Windows PC for archival and analysis. About $700 from
    LVL 11

    Expert Comment

    oops. Posted to the wrong q. Sorry.
    LVL 42

    Expert Comment

    1:1 NAT basically connects one public IP to one private IP.  What you route to that IP is dependent on your firewall rules:  

    Port forwarding means that you use a single IP address to forward different ports to different machines. Let's say a public IP address where port 80 goes to the web server, 25 goes to the mail server, etc..

    You can only forward one 3389 port if you're using port forwarding..BUT you can configure RDP to use different ports so that, let's say,

    PORT 3389 goes to RDP machine1
    PORT 33890 goes to RDP machine2
    PORT 33891 goes to RDP machine3

    As long as the source and destination know what protocol is talking on that particular port, you can use RDP to talk to multiple internal machines.  It all depends on the number of public IPs you have vs the number of private systems you need to access.  This usually decides what you're going to use.

    Author Comment

    Thanks for all the feedback; however, I am kind of forced into the situation for budget reasons. I understand RDP over the internet is not best practice. I have an HP ProCurve 7102dl; I hesitate to mention this because it scares folks away.....:(. ProCurve themselves have no clue. I have a range of public IPs 64.211.x.x with 21 available; I need to use 14 for this.

    64.211.x.41 >
    64.211.x.42 >

    I can ping the 64 address from everywhere, but the RDP traffic, no matter what I try, will not pass through.

    LVL 42

    Accepted Solution

    Once you set up a 1:1 NAT you also have to create a rule in the firewall to allow port 3389 through.  

    If all your other workstations are NATing to the internet through the firewall, you may need to set up these IPs for exemption from your regular NAT; otherwise when RDP comes in it will go to the correct private IP, but the private IP may try to go through the firewall IP instead of the 1:1 IP.
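    The two failure modes in the accepted solution (a 1:1 mapping with no inbound rule for 3389, and an inside host whose replies get overloaded onto the firewall's interface address) can be modelled with a small NAT-table simulation. This is an added example, not configuration from the ProCurve or from anyone in the thread; the addresses, rule ordering and function names are constructed assumptions, and it also models the per-port RDP forwarding from the earlier LVL 42 comment.

```python
from dataclasses import dataclass

# Constructed addressing: the thread's 64.211.x.x block with made-up last octets,
# RFC 5737 documentation space for the remote client. Not the poster's real config.
FIREWALL_PUBLIC = "64.211.0.1"                                   # interface IP used by the overload NAT
STATIC_NAT = {"64.211.0.41": "10.0.0.41", "64.211.0.42": "10.0.0.42"}   # 1:1 NAT, one public per host
PORT_FORWARDS = {("64.211.0.50", 33890): ("10.0.0.50", 3389),   # one public IP, custom port per RDP host
                 ("64.211.0.50", 33891): ("10.0.0.51", 3389)}
ALLOWED_INBOUND = {3389}                                         # the firewall rule the thread says is missing

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def inbound(pkt, allowed=ALLOWED_INBOUND):
    """Internet -> LAN: apply port forwards, then 1:1 NAT. Returns None when the packet is dropped."""
    if (pkt.dst, pkt.dport) in PORT_FORWARDS:
        host, port = PORT_FORWARDS[(pkt.dst, pkt.dport)]
        return Packet(pkt.src, pkt.sport, host, port)
    if pkt.dst in STATIC_NAT:
        if pkt.dport not in allowed:        # a 1:1 mapping alone does not open any port
            return None
        return Packet(pkt.src, pkt.sport, STATIC_NAT[pkt.dst], pkt.dport)
    return None

def outbound(pkt, exempt_static_hosts=True):
    """LAN -> Internet. Hosts with a 1:1 mapping must be exempt from the overload NAT,
    or their replies leave sourced from FIREWALL_PUBLIC instead of their 1:1 address."""
    reverse = {priv: pub for pub, priv in STATIC_NAT.items()}
    if exempt_static_hosts and pkt.src in reverse:
        return Packet(reverse[pkt.src], pkt.sport, pkt.dst, pkt.dport)
    for (pub, pub_port), target in PORT_FORWARDS.items():       # simplified: no connection table
        if (pkt.src, pkt.sport) == target:
            return Packet(pub, pub_port, pkt.dst, pkt.dport)
    return Packet(FIREWALL_PUBLIC, pkt.sport, pkt.dst, pkt.dport)  # many-to-one overload NAT

def rdp_session_works(client, public_ip, public_port, allow_3389=True, exempt=True):
    """True only if the SYN reaches an inside host AND the SYN-ACK comes back from the
    same public address:port the client connected to (otherwise the client discards it)."""
    syn = Packet(client, 50000, public_ip, public_port)
    inside = inbound(syn, ALLOWED_INBOUND if allow_3389 else set())
    if inside is None:
        return False
    syn_ack = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    back = outbound(syn_ack, exempt)
    return (back.src, back.sport) == (public_ip, public_port)
```

    Running `rdp_session_works("203.0.113.7", "64.211.0.41", 3389, exempt=False)` reproduces the symptom from the thread: the SYN is delivered to 10.0.0.41, but the reply leaves as 64.211.0.1, so the ping to the 1:1 address works while RDP never completes.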

    Author Closing Comment

    This was the problem. I configured a SonicWall TZ180 to sit in front of the LAN using another public IP from the range.
