Port Forward or 1:1 NAT?

I have a few users that need access from home and some available public IPs. I am working with an HP ProCurve 7102dl for my router/firewall.
Here is what i have:
Eth 0/1 - private 10.0.14.0/24
Eth 0/2 - public 64.211.x.x

I would like to use a 64 address to forward to a 10 address using either port forwarding or 1:1 NAT on port 3389.

Though I have deployed this in the past, the same configs are not working... :(

Any assistance would be great.
armitdept asked:

Paul Solovyovsky, Senior IT Advisor, commented:
Either one would work, but I recommend not doing this since port 3389 is RDP and is not the most secure way of accessing internal resources over the internet. I have seen this done with port forwarding and 1:1 NAT (with port forwarding you would choose a custom port for RDP, and for 1:1 NAT just straight RDP access).

I would recommend not using either. A better solution is a VPN connection to the inside and then use RDP. This will allow you to only use one 1:1 NAT for the VPN tunnel, and once they have access the tunnel is encrypted and they can use RDP to whatever resources they need access to.

Another way to do this is to use something like logmein.com or gotomypc. In this case you're connecting to the inside with SSL encryption.

My $.02
ricks_v commented:
My understanding is that you are only able to do port forwarding to a single host on port 3389, so it's gonna be something like port forward TCP/UDP to 10.0.14.1.
1:1 NAT (some routers call it DMZ mode) will pretty much open the whole inside network to access, thus not recommended for security reasons.

Try troubleshooting by port forwarding ports 1 until 10000, for example; then you can narrow down the issue stopping this from working.

You can use 1:1 NAT if you have other firewall / ACL settings on the router.

Hope this helps.
packetguy commented:
The SonicWall TZ190 does exactly what you want. It has a built-in feature called ViewPoint that collects detailed usage stats and sends them to a Windows PC for archival and analysis. About $700 from SonicGuard.com.

packetguy commented:
Oops. Posted to the wrong Q. Sorry.
Paul Solovyovsky, Senior IT Advisor, commented:
1:1 NAT basically connects one public IP to one private IP. What you route to that IP is dependent on your firewall rules.

Port forwarding means that you use a single IP address to forward different ports to different machines. Let's say a public IP address where port 80 goes to the web server, 25 goes to the mail server, etc.

You can only forward one 3389 port if you're using port forwarding... BUT you can configure RDP to use different ports, so let's say

PORT 3389 goes to RDP machine1
PORT 33890 goes to RDP machine2
PORT 33891 goes to RDP machine3

As long as the source and destination know what protocol is talking on that particular port, you can use RDP to talk to multiple internal machines. It all depends on the number of public IPs you have vs. the number of private systems you need to access. This usually decides what you're going to use.
armitdept (author) commented:
Thanks for all the feedback; however, I am kinda forced into the situation for budget reasons. I understand RDP over the internet is not best practice. I have an HP ProCurve 7102dl; I hesitate to mention this because it scares folks away... :(. ProCurve themselves have no clue. I have a range of public IPs 64.211.x.x with 21 available; I need to use 14 for this.

64.211.x.41 > 10.0.14.24
64.211.x.42 > 10.0.14.34
etc.....

I can ping the 64 address from everywhere, but the RDP traffic, no matter what I try, will not pass through.

Paul Solovyovsky, Senior IT Advisor, commented:
Once you set up a 1:1 NAT you also have to create a rule in the firewall to allow port 3389 through.

If all your other workstations are NATing to the internet through the firewall, you may need to set up these IPs for exemption from your regular NAT; otherwise, when RDP comes in it will go to the correct private IP, but the private IP may try to go through the firewall IP instead of the 1:1 IP.
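Paul's two points (how 1:1 NAT and port forwarding map an inbound RDP connection, and why a 1:1-mapped host also needs a firewall rule and an exemption from the regular outbound NAT) as an added toy model in Python; this is not the thread's or the ProCurve's configuration, and the public addresses are constructed RFC 5737 stand-ins for the elided 64.211.x.x range.

```python
# Toy model of the two techniques discussed in the thread (added example, not
# router configuration). Public addresses are constructed RFC 5737 stand-ins
# for the 64.211.x.x range mentioned above.
OUTBOUND_NAT_IP = "203.0.113.1"   # address the whole LAN shares for outbound NAT

# 1:1 NAT: one public address maps to one private address, every port.
ONE_TO_ONE = {"203.0.113.41": "10.0.14.24", "203.0.113.42": "10.0.14.34"}
REVERSE_ONE_TO_ONE = {priv: pub for pub, priv in ONE_TO_ONE.items()}

# Port forwarding: one public address, a different port per internal host
# (RDP listening on custom ports, as in the 3389/33890/33891 scheme above).
PORT_FORWARD = {
    ("203.0.113.50", 3389): ("10.0.14.24", 3389),
    ("203.0.113.50", 33890): ("10.0.14.34", 3389),
    ("203.0.113.50", 33891): ("10.0.14.44", 3389),
}

# A 1:1 mapping by itself admits nothing; the firewall rule must allow the port.
ALLOWED_INBOUND_PORTS = {3389}


def inbound(public_ip, port):
    """Translate an inbound packet; return (private_ip, private_port) or None."""
    if public_ip in ONE_TO_ONE:
        if port not in ALLOWED_INBOUND_PORTS:
            return None            # mapped, but no firewall rule: dropped
        return (ONE_TO_ONE[public_ip], port)
    return PORT_FORWARD.get((public_ip, port))   # None if no forward exists


def reply_source(private_ip, exempt_from_outbound_nat):
    """Public address stamped on traffic leaving a private host."""
    if private_ip in REVERSE_ONE_TO_ONE and exempt_from_outbound_nat:
        return REVERSE_ONE_TO_ONE[private_ip]   # leaves via its own 1:1 address
    return OUTBOUND_NAT_IP         # swallowed by the shared outbound NAT instead


def rdp_session_works(public_ip, port, exempt_from_outbound_nat):
    """True when the inbound packet reaches a host and the reply returns from
    the same public address the client connected to."""
    target = inbound(public_ip, port)
    if target is None:
        return False
    if (public_ip, port) in PORT_FORWARD:
        return True                # the forward's own connection entry handles the reply
    return reply_source(target[0], exempt_from_outbound_nat) == public_ip
```

The failing case in the thread corresponds to `rdp_session_works("203.0.113.41", 3389, False)`: the packet reaches 10.0.14.24, but the reply leaves through the shared outbound NAT address.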
armitdept (author) commented:
This was the problem. I configured a SonicWall TZ180 to sit in front of the LAN using another public IP from the range.