Solved

Cisco NATT'ing Help Please

Posted on 2014-12-23
136 Views
Last Modified: 2014-12-25
Hello Experts,

Can someone let me know if it’s possible to have a router forward RDP requests?

Basically, I’m trying to RDP from PC1, in London, with a private address of 192.168.1.2 to a Windows Server in the Cloud in Washington, with a private address of 192.168.3.2. However, to connect to PC2 located in Washington, I need to connect via an Internet router with the public IP address of 74.187.125.6.

At present, I’m connecting to PC2 from PC1 by simply assigning PC2 the address 74.187.125.6/29 (Gtw 74.187.125.7) and RDPing directly from PC1 by putting the address 74.187.125.6:3389 into RDP.

However, I need to RDP to more than one remote PC, but I only have one public IP address. Therefore, I want to configure the router with the public address of 74.187.125.6 and have the router point my request to PC2 on port 3389.

Just so you know, I have already purchased a publicly accessible router that I can assign a public IP address to.

I think it might be possible by NATting the public address on the router, but I’m not sure.

Your help will be greatly appreciated.

Cheers
Question by:cpatte7372

22 Comments
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40515125
This should work:
On your Cisco router you need to create a one-to-one static NAT assignment for each port forward. So anyone who tries to access your public IP address on some port will be redirected to a specific device.

ip nat inside source static udp 192.168.3.2 3389 74.187.125.6 3389
ip nat inside source static udp 192.168.3.3 3389 74.187.125.6 3388
ip nat inside source static udp 192.168.3.4 3389 74.187.125.6 3387

udp - the protocol you want to forward (tcp or udp)
192.168.3.3 - IP address of your private device
3389 - port on your private device which you want to access
74.187.125.6 - public IP which will represent your private device on the internet
3388 - public port which will be forwarded to the defined port on the private device
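As an added illustration (not code from the thread, and not a Cisco tool), here is a small Python model of how a static PAT rule like the ones above picks the inside host for an inbound connection. The rule lines use the thread's own syntax; the parser, the function names and the packet tuples are my assumptions and constructed sample input. It also shows the failure mode the thread runs into later: a rule written for udp does not match a tcp connection to the same port, so the lookup returns nothing and the connection is not forwarded.

```python
"""Model of how a Cisco IOS static PAT (port-forward) rule selects a
translation for an inbound packet. Added example; not code from the thread.
Rule syntax (as in the thread):
  ip nat inside source static <tcp|udp> <inside-local> <l-port> <inside-global> <g-port> [extendable]
The CONFIG lines and the packet tuples in main are constructed sample input.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticPat:
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int


def parse_rule(line: str) -> StaticPat:
    # Tokens: ip nat inside source static <proto> <il> <lport> <ig> <gport> [extendable]
    t = line.split()
    if t[:5] != ["ip", "nat", "inside", "source", "static"] or len(t) < 10:
        raise ValueError(f"not a static PAT rule: {line!r}")
    return StaticPat(t[5].lower(), t[6], int(t[7]), t[8], int(t[9]))


def translate_inbound(rules, proto, dst_ip, dst_port) -> Optional[tuple]:
    """Return (inside_local, local_port) for a packet arriving on the outside
    interface, or None when no rule matches. A rule matches only when the
    protocol, the inside-global address AND the global port all agree, so a
    udp rule does not serve a tcp SYN to the same port."""
    for r in rules:
        if (r.proto == proto.lower() and r.inside_global == dst_ip
                and r.global_port == dst_port):
            return (r.inside_local, r.local_port)
    return None


def translation_row(rule, outside_ip=None, outside_port=None) -> str:
    """Render one line in the layout of `show ip nat translations`.
    A static rule with no active session shows '---' in the outside columns."""
    og = f"{outside_ip}:{outside_port}" if outside_ip else "---"
    return (f"{rule.proto:<4}{rule.inside_global}:{rule.global_port:<6} "
            f"{rule.inside_local}:{rule.local_port:<6} {og:<20} {og}")


CONFIG = [  # constructed: the thread's rules, with tcp for two of the RDP hosts
    "ip nat inside source static tcp 192.168.3.2 3389 74.187.125.6 3389 extendable",
    "ip nat inside source static tcp 192.168.3.3 3389 74.187.125.6 3388 extendable",
    "ip nat inside source static udp 192.168.3.4 3389 74.187.125.6 3387 extendable",
]
RULES = [parse_rule(line) for line in CONFIG]

if __name__ == "__main__":
    for rule in RULES:
        print(translation_row(rule))
    # Constructed inbound tcp connections to the public address.
    for pkt in [("tcp", "74.187.125.6", 3389), ("tcp", "74.187.125.6", 3388),
                ("tcp", "74.187.125.6", 3387), ("tcp", "74.187.125.6", 3390)]:
        print(pkt, "->", translate_inbound(RULES, *pkt))
```

The third lookup (tcp to port 3387) returns None because the only rule on that port is a udp rule; the fourth returns None because no rule claims port 3390 at all. Both look identical from the client side (the connection just times out), which is why checking the protocol column of `show ip nat translations` matters.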
 
LVL 3

Expert Comment

by:IKtech
ID: 40515309
You may want to think about using a different port number, as port 3389, associated with RDP, is a target if it is open on your router...
 

Author Comment

by:cpatte7372
ID: 40515638
Predrag,

Wicked, going to try that now....

Will let you know how I get on
 

Author Comment

by:cpatte7372
ID: 40515725
Hi Predrag,

Unfortunately, it didn't work... I have attached the configs (attachment: nat).
 

Author Comment

by:cpatte7372
ID: 40515826
Experts,

Please remember the router is already on the internet (which is the opposite of how NAT is usually deployed). And the private addresses are trying to RDP to another set of private addresses that sit behind the router on the internet.

192.168.3.2 wants to RDP to 192.168.2.2

192.168.3.2----------->Gig0/1 74.187.125.6 Internet Cisco Router Gig 0/2 192.168.2.1----------->192.168.2.2
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40516023
You have reversed logic in your network, WAN is inside.
In your case 192.168.0.2 is outside, and 64.XX.XX.XX is outside according to your configuration. So according to that
do #show ip nat translations
and rewrite the NAT translation according to that, or change the direction of the NAT inside and outside interfaces.

ip nat inside source static udp 192.168.0.2 3389 64..XX.XX.XX 3393 extendable

interface GigabitEthernet1
 ip address 64..XX.XX.XX 255.255.255.248
 ip nat inside      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!              
 negotiation auto
!
interface GigabitEthernet2
 ip address 192.168.2.3 255.255.255.0
 ip nat outside  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 negotiation auto

 

Author Comment

by:cpatte7372
ID: 40516174
You have reversed logic in your network, WAN is inside.

That is correct.

The WAN interface is facing the private network.

Therefore, shouldn't the WAN be ip nat inside?
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40516205
This sentence should look like this :)
In your case 192.168.0.2 is outside, and 64.XX.XX.XX is inside according to your configuration.
You can set outside and inside in any direction, depending on which direction you will do NAT.
Issue the command #show ip nat translations and verify that NAT is operating as intended (what is inside and what is outside, and adapt the static NAT according to that). You can set
Router# show ip nat translation
Pro Inside global        Inside local       Outside local      Outside global
udp 10.69.233.209:1220  192.168.1.95:1220  172.16.2.132:53    172.16.2.132:53


I think in your case command should be (since direction is reversed).
ip nat outside source static udp 192.168.3.2 3389 74.187.125.6 3389

But again... check your translations, and adapt accordingly for your NAT translations.
 

Author Comment

by:cpatte7372
ID: 40516285
Predrag,

Thanks again for responding... see below (I have changed the private to 10.16.1)


ip nat inside source static tcp 10.16.1.153 3389 64.XX.XX.XX 3389 extendable
ip nat inside source static tcp 10.16.1.153 3389 64.XX.XX.XX 3390 extendable

csr1001#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
tcp  64.XX.XX.XX:3389     10.16.1.153:3389      ---                   ---
tcp  64.XX.XX.XX:3390     10.16.1.153:3389      ---                   ---
 

Author Comment

by:cpatte7372
ID: 40516287
And I think the protocol should be TCP instead of UDP....
 

Author Comment

by:cpatte7372
ID: 40516334
Do I need to configure some kind of routing protocol?
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40516419
RDP uses both protocols (at least both are reserved for RDP).
:)
You don't need a routing protocol (at least you should not need it).
I just tested NAT rules and redirection in GNS3 for telnet from ports 3389 and 3388 to port 23. This worked: I was redirected to different routers and I was able to log in. Some filtering on interfaces could interfere, but basically this should work.

Main parts of config:
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 100.0.0.1 255.255.255.0
 ip nat outside
!
ip nat inside source static tcp 192.168.0.101 23 100.0.0.1 3388 extendable
ip nat inside source static tcp 192.168.0.100 23 100.0.0.1 3389 extendable
!



Output from #show ip nat translation
R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 100.0.0.1:3389     192.168.0.100:23   100.0.0.2:24983    100.0.0.2:24983
tcp 100.0.0.1:3388     192.168.0.101:23   100.0.0.2:57969    100.0.0.2:57969
tcp 100.0.0.1:3388     192.168.0.101:23   ---                ---
tcp 100.0.0.1:3389     192.168.0.100:23   ---                ---



Telnet from 100.0.0.2 (as shown in output from #show ip nat translation)
#telnet 100.0.0.1 3389
#telnet 100.0.0.1 3388

And also, the advice from IKtech is a good one:
You may want to think about using a different port number, as port 3389, associated with RDP, is a target if it is open on your router...
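An added example, not from the thread: a Python parser for the `show ip nat translations` text shown in the post above. It separates the permanent static entries (outside columns `---`) from the live sessions they spawned and lists which outside hosts currently have a session through each forward, which is the check an operator wants on a forward that exposes RDP. The SAMPLE text is constructed from the layout in the post; the function names are my own.

```python
"""Parse `show ip nat translations` text and report, per static port-forward,
which outside hosts have an active session through it. Added example, not
code from the thread. SAMPLE is constructed from the layout shown in the post."""
import re
from collections import defaultdict

SAMPLE = """\
R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 100.0.0.1:3389     192.168.0.100:23   100.0.0.2:24983    100.0.0.2:24983
tcp 100.0.0.1:3388     192.168.0.101:23   100.0.0.2:57969    100.0.0.2:57969
tcp 100.0.0.1:3388     192.168.0.101:23   ---                ---
tcp 100.0.0.1:3389     192.168.0.100:23   ---                ---
"""

# One translation row: protocol followed by the four endpoint columns.
ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_endpoint(s):
    """'a.b.c.d:port' -> ('a.b.c.d', port); the placeholder '---' -> None."""
    if s == "---":
        return None
    host, port = s.rsplit(":", 1)
    return host, int(port)


def parse_translations(text):
    """Return a list of dicts, one per translation row; the prompt and the
    header line do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto,
                     "inside_global": split_endpoint(ig),
                     "inside_local": split_endpoint(il),
                     "outside_local": split_endpoint(ol),
                     "outside_global": split_endpoint(og)})
    return rows


def summarize(rows):
    """Map each forward (proto, inside_global) -> set of outside hosts with an
    active session. A static entry with no session maps to an empty set, so
    an unused forward is still listed."""
    peers = defaultdict(set)
    for r in rows:
        key = (r["proto"], r["inside_global"])
        if r["outside_global"] is None:
            peers.setdefault(key, set())   # static entry, no session yet
        else:
            peers[key].add(r["outside_global"][0])
    return dict(peers)


if __name__ == "__main__":
    for (proto, (ip, port)), hosts in summarize(parse_translations(SAMPLE)).items():
        print(f"{proto} {ip}:{port} <- {sorted(hosts) or 'no active sessions'}")
```

Pasting the output from a real router into SAMPLE gives the same per-forward list; an outside host you do not recognise on the RDP forward is the signal that the port is being probed, which is the point IKtech raises about leaving 3389 open.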
 

Author Comment

by:cpatte7372
ID: 40516734
Hi Pred,

We've almost cracked it. I have changed my configs, see attached. Now, when I try to RDP to the remote desktop I get the following:
show ip nat translations
tcp  64.XX.XX.XX:3389     192.168.0.2:3389      86.6.44.221:5959      86.6.44.221:5959

Can you let me know where I might be going wrong?
 

Author Comment

by:cpatte7372
ID: 40516742
Pred

You need to understand that the address on your inside interface, 192.168.0.1, matches that of the addresses of your private LAN, 192.168.0.101. Therefore, this will always work.

However, in my case the address of my inside interface, 64.XX.XX.XX, does not match the addresses of my private LAN, 192.168.3.2.

Does that make sense?

This is reverse logic.

Regards
 

Author Comment

by:cpatte7372
ID: 40516852
So Pred

I tried to follow your logic and added the following line

ip nat inside source static tcp 192.168.0.2 23 64.XX.XX.XX 3388 extendable

I then tried to telnet from 192.168.0.2 to 64.xx.xx.xx

I didn't quite make it but I got the following output from show ip nat translations:

#tcp  64.xx.xx.xx:3388     192.168.0.2:23        86.6.44.221:14372     86.6.44.221:14372

I'm not sure where the IP address 86.6.44.221 comes from, but do you think it's preventing the connection?

Cheers
 
LVL 26

Accepted Solution

by:Predrag Jovic (earned 500 total points)
ID: 40516999
ip nat inside source static tcp 192.168.0.2 23 64.XX.XX.XX 3388 extendable
is for telnet (port 23)
you need to replace that with
ip nat inside source static tcp 192.168.0.2 3389 64.XX.XX.XX 3388 extendable

The IP address 86.6.44.221 should be the WAN address of the network that you are using to access the remote location.

In this case you should RDP to 64.x.x.x port 3388 and get a connection to 192.168.0.2 on port 3389.
 

Author Comment

by:cpatte7372
ID: 40517031
Pred

U B D MAN.

It worked!

I seriously can't thank you enough ..
 

Author Comment

by:cpatte7372
ID: 40517078
Pred,

I've added another PC that I want to RDP to (192.168.2.4), see below. However, I can't RDP to it.

Can you think of any reason why?

ip nat inside source static tcp 192.168.2.2 3389 64.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.2.4 3389 64.x.x.x 3390 extendable

tcp  64.x.x.x:3389     192.168.2.2:3389      86.6.44.221:23147     86.6.44.221:23147
tcp  64.x.x.x:3390     192.168.2.4:3389      86.6.44.221:23280     86.6.44.221:23280

Again, I really appreciate your help
 

Author Comment

by:cpatte7372
ID: 40517098
Pred,

It worked as you suggested.

Thank you...
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40517141
I am glad that I could help.
 

Author Closing Comment

by:cpatte7372
ID: 40517607
Thanks a lot