Alexandre Takacs
asked on
zywall nat setup for RDP
Folks
I'm probably missing something fairly obvious but I would appreciate your help on this one.
I have to allow (on a temporary basis) terminal server access on one of our servers.
I have opened the RDP service (port 3389) from WAN to LAN1 but the log shows that incoming packets are actually seen as being sent from WAN to Zywall. I have added an extra rule allowing that and sure enough connections are now showing up in the log as "allowed".
Now I presumably have to set up a NAT for Zywall to LAN1 but this is not an option. I have tried to define a NAT to LAN1 but it does not work.
I must confess that I am somewhat confused. What should be the proper approach for such a seemingly simple problem?
Any advice / suggestion most welcome.
Regards
You have to forward the traffic for port 3389 to your server.
It's on page 23 of ftp://ftp.zyxel.com/ZyWALL_USG_20/support_note/ZyWALL%20USG%2020_2.pdf
all you should need for RDP to work is:
firewall rule that allows port 3389 (or any that you choose to use instead) from "ANY" IP (the whole internet) or from a specific "SINGLE" IP if you know where the RDP connection is coming from.
You then need the NAT rule set to allow traffic on port 3389 (or Other) to be forwarded to the LAN IP of the server that you are trying to get to.
You also need to ensure that RDP is configured on the receiving server and that the firewall on the server is allowing 3389 to be accessed.
The method for achieving this will depend on the version of Zywall you are using.
ASKER
Thanks for your responses. I believe I am pretty clear about how this should be done... but for some reason I can't seem to have it working (I have done it quite often in various other occurrences).
This is a Zywall 20 with firmware 2.21 (BDO.4) / 1.14 / 2011-05-29 09:29:31
Is that the firmware that means you have to set up objects, or do you just get a menu with Firewall clearly listed? I used to have access to a load of Zywall and USG devices but not anymore.
ASKER
> is that the firmware that means you have to set up objects
> or do you just get a menu with Firewall clearly listed?
I can both setup objects and have access to the Firewall menu.
Apparently the Firewall is not the problem as the log shows packets being forwarded. However I have an issue with the NATing.
The PDF referenced by raysonlee, pages 23-26, covers both versions, Zywall UTM and USG.
Following the sample configuration on page 23, assume you are setting up the RDP service for the server at 192.168.5.33 with Zywall WAN IP 10.59.1.50.
Select from menu Advance, NAT, Port Forwarding
WAN Interface = WAN 1
Active checkbox = Checked
Name = RDP
Incoming Ports = 3389 - 3389
Port Translation = 3389 - 3389
Server IP Address = 192.168.5.33
Define Firewall Rule for WAN to LAN:
Rule Name = RDP
Source Address = Any
Destination Address = 192.168.5.33
Service = RDP (3389) *** You have to add it if not available (you can also use Any(All) for testing)
Schedule = Check Mon - Sun and All Day for time
Action for matched = Permit
That should be everything you need.
If you still have problems, try the connection from a local workstation to make sure it's the firewall's problem.
Look at the rules under LAN to WAN and see if there is any rule blocking the response.
Look at other higher priority rules (on top of the list) under WAN to LAN and see if there is any rule blocking the request before the request goes to the RDP rule.
ASKER CERTIFIED SOLUTION
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for atak2983's comment http:/Q_27434443.html#37110426
for the following reason:
Self solved
ASKER
Self solved
Zywall supports multiple WAN interfaces. You have to specify WAN_ppp instead of WAN simply because you are using a PPPoE connection to your ISP. If that was the only problem, you should not have a log showing packets being forwarded for port 3389.
ASKER
I'm indeed using PPPoE. That being said it was the only thing I changed to have things working...
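The two things the thread turns on are the order in which a ZyWALL-style box applies the port-forward and the zone firewall (which is why the asker's packets logged as "WAN to ZyWALL" until a NAT rule existed), and the interface the NAT rule is bound to (why "WAN" does nothing on a PPPoE link). The small model below is an added example, not code from the thread or from ZyXEL; the evaluation order (destination NAT first, then the zone firewall on the translated address), the interface names `wan1`/`wan1_ppp`, the LAN subnet and the sample source addresses are assumptions.

```python
# Added example (not from the original thread or ZyXEL): a toy model of how a
# port-forward (NAT) and a zone firewall interact on a ZyWALL-style gateway.
# Assumption: destination NAT is applied first, then the zone firewall is
# evaluated top-down on the translated destination. Interface names, the LAN
# subnet and the public test addresses below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZYWALL_WAN_IP = "10.59.1.50"               # WAN address from the thread's sample
LAN_SUBNET = ip_network("192.168.5.0/24")  # assumed LAN1 subnet

@dataclass
class NatRule:          # Advanced > NAT > Port Forwarding
    wan_iface: str      # interface the rule is bound to ("wan1" vs "wan1_ppp")
    incoming_ports: tuple   # (low, high)
    server_ip: str
    translate_to: int

@dataclass
class FwRule:           # zone firewall rule, ordered top-down (highest priority first)
    name: str
    zones: tuple        # (from_zone, to_zone)
    source: str         # "any" or a host / CIDR
    dest: str           # "any" or a host / CIDR
    port: int           # 0 means Any service
    action: str         # "permit" or "deny"

def zone_of(ip):
    """Map an address to the zone the gateway would log it under."""
    if ip == ZYWALL_WAN_IP:
        return "ZyWALL"                 # addressed to the box itself
    return "LAN1" if ip_address(ip) in LAN_SUBNET else "WAN"

def evaluate(nat_rules, fw_rules, iface, src, dst, dport):
    """Return (zone_pair, rule_name, action) for one inbound TCP connection."""
    for n in nat_rules:                 # step 1: port forwarding rewrites the destination
        if n.wan_iface == iface and n.incoming_ports[0] <= dport <= n.incoming_ports[1]:
            dst, dport = n.server_ip, n.translate_to
            break
    pair = (zone_of(src), zone_of(dst))
    for r in fw_rules:                  # step 2: first matching rule in the zone pair wins
        if r.zones != pair or (r.port and r.port != dport):
            continue
        if r.source != "any" and ip_address(src) not in ip_network(r.source):
            continue
        if r.dest != "any" and ip_address(dst) not in ip_network(r.dest):
            continue
        return pair, r.name, r.action
    return pair, None, "deny"           # no rule covers it: implicit deny
```

Without a NAT rule the connection is addressed to the gateway's own WAN IP, so it lands in the WAN-to-ZyWALL pair and the WAN-to-LAN1 RDP rule never sees it; a rule bound to `wan1` likewise never fires for traffic arriving on `wan1_ppp`.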
I know this question is done... but I want to clarify as it still took me a bit to get it working using this answer...
To clarify karllangston's answer:
> all you should need for RDP to work is:
> firewall rule that allows port 3389 (or any that you choose to use instead) from "ANY" IP (the whole internet) or from a specific "SINGLE" IP if you know where the RDP connection is coming from.
> You then need the NAT rule set to allow traffic on port 3389 (or Other) to be forwarded to the LAN IP of the server that you are trying to get to.
In ZyXEL ZyWALL USG 50:
1) firewall rule allowing port 3389 - means go to the Firewall menu and add a new rule to allow the RDP service through [source: any, destination: any, Service: RDP, access: allow]
2) NAT rule for port forwarding - means on menu Network > NAT - add Virtual Server [incoming: wan, original IP: any, Mapped IP: user defined: serverip, port mapping type: Port, protocol: any, orig port: 3389, mapped port: 3389]
Hope this clarifies...
Open port 3389 on WAN and have it forward to 192.168.0.x (or whatever your server's IP address is) using NAT.
I haven't used that manufacturer before, but if you could send us a screenshot of the config you're using we can see if there's anything obvious there.