Solved

Port Forward or 1:1 NAT?

Posted on 2008-11-14
Last Modified: 2012-05-05
I have a few users that need access from home, and some available public IPs. I am working with an HP ProCurve 7102dl for my router/firewall.
Here is what i have:
Eth 0/1 - private 10.0.14.0/24
Eth 0/2 - public 64.211.x.x

I would like to use a 64 address to forward to a 10 address using either PF or 1:1 NAT on port 3389.

Though I have deployed this in the past, the same configs are not working.......:(

Any assistance would be great.....
Question by:armitdept
8 Comments

Expert Comment

by:Paul Solovyovsky
ID: 22965988
Either one would work, but I recommend not doing this, since port 3389 is RDP and is not the most secure way of accessing internal resources over the internet. I have seen this done with port forwarding and 1:1 NAT (with port forwarding you would choose a custom port for RDP; for 1:1 NAT, just straight RDP access).

I would recommend not using either.  A better solution is a VPN connection to the inside, and then use RDP.  This will allow you to use only one 1:1 NAT for the VPN tunnel, and once they have access, the tunnel is encrypted and they can use RDP to whatever resources they need access to.

Another way to do this is to use something like logmein.com or gotomypc.  In this case you're connecting to the inside with SSL encryption.

My $.02

Expert Comment

by:ricks_v
ID: 22966318
My understanding is that you are only able to port forward to a single host on port 3389, so it's gonna be something like port forward tcp/udp 3389 to 10.0.14.1.
1:1 NAT (some routers call it DMZ mode) will pretty much open up the whole inside network, thus not recommended for security reasons.

Try troubleshooting by port forwarding ports 1 through 10000, for example; then you can narrow down the issue stopping this from working.

You can use 1:1 NAT if you have other firewall / ACL settings on the router.

Hope this helps..

Expert Comment

by:packetguy
ID: 22966349
The SonicWall TZ190 does exactly what you want. It has a built-in feature called ViewPoint that collects detailed usage stats and sends them to a Windows PC for archival and analysis. About $700 from SonicGuard.com.

Expert Comment

by:packetguy
ID: 22966356
oops. Posted to the wrong q. Sorry.

Expert Comment

by:Paul Solovyovsky
ID: 22966367
1:1 NAT basically connects one public IP to one private IP.  What you route to that IP is dependent on your firewall rules.

Port forwarding means that you use a single IP address to forward different ports to different machines. Let's say a public IP address where port 80 goes to the web server, 25 goes to the mail server, etc.

You can only forward one 3389 port if you're using port forwarding.. BUT you can configure RDP to use different ports, so that, let's say:

PORT 3389 goes to RDP machine1
PORT 33890 goes to RDP machine2
PORT 33891 goes to RDP machine3

As long as the source and destination know what protocol is talking on that particular port, you can use RDP to talk to multiple internal machines.  It all depends on the number of public IPs you have vs. the number of private systems you need to access.  This usually decides what you're going to use.

Author Comment

by:armitdept
ID: 22968027
Thanks for all the feedback; however, I am kinda forced into the situation for budget reasons. I understand RDP over the internet is not best practice. I have an HP ProCurve 7102dl; I hesitate to mention this because it scares folks away.....:(. ProCurve themselves have no clue. I have a range of public IPs, 64.211.x.x, with 21 available; I need to use 14 for this.

64.211.x.41 > 10.0.14.24
64.211.x.42 > 10.0.14.34
etc.....

I can ping the 64 address from everywhere, but the RDP traffic, no matter what I try, will not pass through.


Accepted Solution

by:Paul Solovyovsky (earned 375 total points)
ID: 22970890
Once you set up a 1:1 NAT, you also have to create a rule in the firewall to allow port 3389 through.

If all your other workstations are NATing to the internet through the firewall, you may need to set these IPs up for exemption from your regular NAT; otherwise, when RDP comes in it will go to the correct private IP, but the private IP may try to go back out through the firewall IP instead of the 1:1 IP.
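The accepted answer's two conditions (a firewall rule allowing the port to the translated host, and exempting the 1:1 hosts from the regular outbound NAT) and the reply-path failure it describes, traced in a small Python model. This is an added example, not code from the thread or from the ProCurve; the addresses 64.211.0.x (0 standing in for the redacted octet), 64.211.0.1 as the firewall's own WAN address, and the client 203.0.113.10 are constructed.

```python
# Added example (not from the thread): a small model of the accepted answer.
# It traces an inbound RDP packet through a 1:1 NAT and the firewall, then
# the host's reply, and shows why the 1:1 hosts must be exempted from the
# regular outbound NAT. Addresses are constructed stand-ins for the thread's.
from dataclasses import dataclass, replace

FIREWALL_PUBLIC_IP = "64.211.0.1"  # assumed WAN address used for regular NAT
RDP_PORT = 3389

# 1:1 NAT table (public -> private), after the asker's 64.211.x.41 -> 10.0.14.24
ONE_TO_ONE = {"64.211.0.41": "10.0.14.24", "64.211.0.42": "10.0.14.34"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def inbound(pkt, allow_rules):
    """Translate via the 1:1 table, then apply the firewall's allow rules."""
    private = ONE_TO_ONE.get(pkt.dst)
    if private is None:
        return None, "no 1:1 NAT entry"
    translated = replace(pkt, dst=private)
    # The accepted answer's first point: the 1:1 entry alone is not enough,
    # the firewall still needs a rule allowing the port to the private host.
    if (translated.dst, translated.dport) not in allow_rules:
        return None, "dropped: no allow rule for port %d" % translated.dport
    return translated, "delivered"

def outbound(pkt, nat_exempt):
    """Reply path: a 1:1 host exempted from the regular NAT keeps its own
    public address; anything else is translated to the firewall's WAN IP."""
    reverse = {priv: pub for pub, priv in ONE_TO_ONE.items()}
    if pkt.src in reverse and pkt.src in nat_exempt:
        return replace(pkt, src=reverse[pkt.src])
    return replace(pkt, src=FIREWALL_PUBLIC_IP)

def rdp_session_works(allow_rules, nat_exempt, client="203.0.113.10"):
    """True only if the SYN reaches the host AND the reply comes back from
    the same public address the client sent to; a reply from a different
    source does not belong to the client's connection and is discarded."""
    syn = Packet(client, 50000, "64.211.0.41", RDP_PORT)
    delivered, _ = inbound(syn, allow_rules)
    if delivered is None:
        return False
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    return outbound(reply, nat_exempt).src == syn.dst
```

Running the three cases (no allow rule; allow rule without NAT exemption; allow rule with exemption) shows only the last one completes the handshake, which is the configuration the accepted answer describes.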
Author Closing Comment

by:armitdept
ID: 31517038
This was the problem. I configured a SonicWall TZ180 to sit in front of the LAN using another public IP from the range.
