Solved

Cisco NATT'ing Help Please

Posted on 2014-12-23
22
145 Views
Last Modified: 2014-12-25
Hello Experts,

Can someone let me know if it’s possible to have a router forward RDP requests?

Basically, I’m trying to RDP from PC1, in London, with a private address of 192.168.1.2 to Windows Server in the Cloud in Washington, with a private address of 192.168.3.2. However, to connect to PC2 located in Washington, I need to connect via Internet router with public ip address of 74.187.125.6

At present, I’m connecting to PC2 from PC1 by simply assigning PC2 with the address 74.187.125.6/29 Gtw 74.187.125.7 and RDP directly from PC1 by putting in the address 74.187.125.6:3389 in RDP

However, I need to RDP to more than one remote PC, but I only have one public ip address. Therefore, I want to configure the router with the public address of 74.187.125.6  and have the router point my request to PC2 on port 3389.

Just so you know I have already purchased a publicly accessible router that I can assign an public ip address to.

I think it might be possible by natting the public address on the router, but not sure.

Your help will be greatly appreciated.

Cheers
Question by:cpatte7372
22 Comments
 
LVL 30

Expert Comment

by:Predrag Jovic
ID: 40515125
This should work:
On your Cisco router you need to create one one-to-one static NAT assignment for each port forward. So anyone who tries to access your public IP address on some port will be redirected to a specific device.

ip nat inside source static udp 192.168.3.2 3389 74.187.125.6 3389
ip nat inside source static udp 192.168.3.3 3389 74.187.125.6 3388
ip nat inside source static udp 192.168.3.4 3389 74.187.125.6 3387

udp - protocol, which you want to forward TCP/UDP
192.168.3.3 - IP address of your private device
3389 - port on your private device which you want access
74.187.125.6 - public IP which will represent your private device in internet
3388 - public port which will be forwarded to defined port on private device
0
 
LVL 3

Expert Comment

by:IKtech
ID: 40515309
you may want to think about using a different port number as the port 3389 associated with rdp is a target if it is open on your router...
0
 

Author Comment

by:cpatte7372
ID: 40515638
Predrag,

Wicked, going to try that now....

Will let you know how i get on
0
 

Author Comment

by:cpatte7372
ID: 40515725
Hi Predag,

Unfortunately, it didn't work... I have attached the configs
nat
0
 

Author Comment

by:cpatte7372
ID: 40515820
Experts,

Please remember the router is already on the internet (which is the opposite of how NAT is usually deployed). And the private addresses are trying to RDP to another set of private addresses that sit behind the router on the internet..

192.168.3.2----------->Gig0/1 74.187.125.6Internet Cisco Router Gig 0/2 192.168.2.1----------->192.168.2.2
0
 

Author Comment

by:cpatte7372
ID: 40515826
Experts,

Please remember the router is already on the internet (which is the opposite of how NAT is usually deployed). And the private addresses are trying to RDP to another set of private addresses that sit behind the router on the internet..

192.168.3.2 wants to RDP to 192.168.2.2

192.168.3.2----------->Gig0/1 74.187.125.6 Internet Cisco Router Gig 0/2 192.168.2.1----------->192.168.2.2
0
 
LVL 30

Expert Comment

by:Predrag Jovic
ID: 40516023
You have reversed logic in your network, WAN is inside.
In your case 192.168.0.2 is outside, and 64.XX.XX.XX is outside according to your configuration. So according to that
do #show ip nat translations
and rewrite the NAT translation according to that, or change the direction of the NAT inside and outside interfaces.

ip nat inside source static udp 192.168.0.2 3389 64.XX.XX.XX 3393 extendable

interface GigabitEthernet1
 ip address 64.XX.XX.XX 255.255.255.248
 ip nat inside      !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 negotiation auto
!
interface GigabitEthernet2
 ip address 192.168.2.3 255.255.255.0
 ip nat outside  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 negotiation auto

0
 

Author Comment

by:cpatte7372
ID: 40516174
You have reversed logic in you network, WAN is inside.

That is correct.

The WAN interface is facing the private network.

Therefore, shouldn't the WAN be ip nat inside?
0
 
LVL 30

Expert Comment

by:Predrag Jovic
ID: 40516205
This sentence should look like :)
In your case 192.168.0.2 is outside, and 64.XX.XX.XX is inside according to your configuration.
You can set outside and inside in any direction, depending on which direction you will do NAT in.
Issue the command #show ip nat translations and verify that NAT is operating as intended (what is inside and what is outside, and adapt the static NAT according to that). You can set
Router# show ip nat translation
Pro Inside global        Inside local       Outside local      Outside global
udp 10.69.233.209:1220  192.168.1.95:1220  172.16.2.132:53    172.16.2.132:53


I think in your case the command should be (since the direction is reversed):
ip nat outside source static udp 192.168.3.2 3389 74.187.125.6 3389

But again... check your translations, and adapt accordingly for your NAT translations.
0
 

Author Comment

by:cpatte7372
ID: 40516285
Predrag,

Thanks again for responding... see below (I have changed the private range to 10.16.1)


ip nat inside source static tcp 10.16.1.153 3389 64.XX.XX.XX 3389 extendable
ip nat inside source static tcp 10.16.1.153 3389 64.XX.XX.XX 3390 extendable

csr1001#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
tcp  64.XX.XX.XX:3389     10.16.1.153:3389      ---                   ---
tcp  64.XX.XX.XX:3390     10.16.1.153:3389      ---                   ---
0
 

Author Comment

by:cpatte7372
ID: 40516287
And I think the protocol should be TCP instead of UDP....
0
 

Author Comment

by:cpatte7372
ID: 40516334
Do  I need to configure some kind of routing protocol?
0
 
LVL 30

Expert Comment

by:Predrag Jovic
ID: 40516419
RDP uses both protocols (at least both are reserved  for RDP).
:)
You don't need routing protocol (at least you should not need it).
I just tested NAT rules and redirection in GNS3 for telnet from ports 3389 and 3388 to port 23. This worked, I was redirected to different routers and I was able to log in. Some filtering on interfaces could interfere, but basically this should work.

Main parts of config:
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 100.0.0.1 255.255.255.0
 ip nat outside
!
ip nat inside source static tcp 192.168.0.101 23 100.0.0.1 3388 extendable
ip nat inside source static tcp 192.168.0.100 23 100.0.0.1 3389 extendable
!



Output from #show ip nat translation
R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 100.0.0.1:3389     192.168.0.100:23   100.0.0.2:24983    100.0.0.2:24983
tcp 100.0.0.1:3388     192.168.0.101:23   100.0.0.2:57969    100.0.0.2:57969
tcp 100.0.0.1:3388     192.168.0.101:23   ---                ---
tcp 100.0.0.1:3389     192.168.0.100:23   ---                ---



Telnet from 100.0.0.2 (as shown in output from #show ip nat translation)
#telnet 100.0.0.1 3389
#telnet 100.0.0.1 3388

And also, advice from IKtech is a good one
You may want to think about using a different port number as the port 3389 associated with rdp is a target if it is open on your router...
0
 

Author Comment

by:cpatte7372
ID: 40516734
Hi Pred,

We've almost cracked it. I have changed my configs, see attached. Now, when I try to RDP to remote desktop I get the following:
show ip nat translations
tcp  64.XX.XX.XX:3389     192.168.0.2:3389      86.6.44.221:5959      86.6.44.221:5959

Can you let me know where I might be going wrong?
0
 

Author Comment

by:cpatte7372
ID: 40516742
Pred

You need to understand that the address on your inside interface, 192.168.0.1, matches that of the addresses of your private LAN, 192.168.0.101. Therefore, this will always work.

However, in my case the address of my inside interface, 64.XX.XX.XX, does not match the addresses of my private LAN, 192.168.3.2.

Does that make sense?

This is reverse logic.

Regards
0
 

Author Comment

by:cpatte7372
ID: 40516852
So Pred

I tried to follow your logic and added the following line

ip nat inside source static tcp 192.168.0.2 23 64.XX.XX.XX 3388 extendable

I then tried to telnet from 192.168.0.2 to 64.xx.xx.xx

I didn't quite make it but I got the following output from show ip nat translations:

#tcp  64.xx.xx.xx:3388     192.168.0.2:23        86.6.44.221:14372     86.6.44.221:14372

I'm not sure where the IP address 86.6.44.221 comes from, but do you think it's preventing the connection?

Cheers
0
 
LVL 30

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40516999
ip nat inside source static tcp 192.168.0.2 23 64.XX.XX.XX 3388 extendable
is for telnet (port 23)
you need to replace that with
ip nat inside source static tcp 192.168.0.2 3389 64.XX.XX.XX 3388 extendable

ip address 86.6.44.221 should be your WAN address for the network that you are using to access the remote location

in this case you should RDP to 64.x.x.x port 3388 and get a connection to 192.168.0.2 on port 3389
0
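The two things the thread keeps circling back to, in Predrag's GNS3 test above (ID 40516419) and in the accepted solution, are reading `ip nat inside source static` rules against `show ip nat translations` output and spotting a rule whose inside port is wrong for the service (23 where 3389 was meant), a public port claimed twice, or the well-known RDP port exposed directly (IKtech's point). The following Python checker is an added example, not code from the thread or from Cisco; the config lines and the translation-table output are constructed to mirror the thread's situation, with 64.0.0.1 standing in for the masked "64.XX.XX.XX" and 198.51.100.7 for the remote WAN address.

```python
import re
from collections import Counter

# Constructed sample rules (not from the thread verbatim): one telnet-port
# mistake, one duplicated public socket, two correct RDP forwards.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.0.2 23 64.0.0.1 3388 extendable
ip nat inside source static tcp 192.168.2.2 3389 64.0.0.1 3389 extendable
ip nat inside source static tcp 192.168.2.4 3389 64.0.0.1 3389 extendable
ip nat inside source static tcp 192.168.2.5 3389 64.0.0.1 3390 extendable
"""

# Constructed 'show ip nat translations' output in the same column layout
# the thread shows; the last row has no matching static rule on purpose.
SAMPLE_SHOW = """\
Pro  Inside global         Inside local          Outside local         Outside global
tcp  64.0.0.1:3388         192.168.0.2:23        198.51.100.7:14372    198.51.100.7:14372
tcp  64.0.0.1:3389         192.168.2.2:3389      ---                   ---
tcp  64.0.0.1:3390         192.168.2.5:3389      ---                   ---
tcp  64.0.0.1:3391         192.168.2.9:3389      ---                   ---
"""

# proto, inside local ip, inside local port, inside global ip, inside global port
RULE_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)\b")


def parse_static_rules(config):
    """Return one dict per static port-forward rule found in the config text."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, lip, lport, gip, gport = m.groups()
            rules.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                          "global_ip": gip, "global_port": int(gport)})
    return rules


def check_rules(rules, service_port=3389, risky_public_ports=(3389,)):
    """Flag rules that cannot all work or that expose the well-known port."""
    findings = []
    # Two rules cannot share one public proto/ip/port: only one host can be reached.
    counts = Counter((r["proto"], r["global_ip"], r["global_port"]) for r in rules)
    for (proto, gip, gport), n in sorted(counts.items()):
        if n > 1:
            findings.append(f"collision: {proto} {gip}:{gport} claimed by {n} rules")
    for r in rules:
        # The inside port must be the port the service listens on (3389 for RDP),
        # which is exactly the 23-vs-3389 mistake in the accepted solution.
        if r["local_port"] != service_port:
            findings.append(f"wrong inside port: {r['local_ip']}:{r['local_port']} "
                            f"(expected {service_port})")
        if r["global_port"] in risky_public_ports:
            findings.append(f"well-known port exposed: {r['global_ip']}:{r['global_port']} "
                            f"-> {r['local_ip']}")
    return findings


def parse_show_translations(output):
    """Parse the rows of 'show ip nat translations'; '---' means no active session."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("tcp", "udp"):
            gip, gport = parts[1].rsplit(":", 1)
            lip, lport = parts[2].rsplit(":", 1)
            rows.append({"proto": parts[0], "global_ip": gip, "global_port": int(gport),
                         "local_ip": lip, "local_port": int(lport),
                         "active": parts[3] != "---"})
    return rows


def unexplained_translations(rules, rows):
    """Rows of the translation table that no configured static rule accounts for."""
    key = lambda r: (r["proto"], r["global_ip"], r["global_port"], r["local_ip"], r["local_port"])
    known = {key(r) for r in rules}
    return [row for row in rows if key(row) not in known]


if __name__ == "__main__":
    rules = parse_static_rules(SAMPLE_CONFIG)
    for f in check_rules(rules):
        print("finding:", f)
    rows = parse_show_translations(SAMPLE_SHOW)
    for row in unexplained_translations(rules, rows):
        print("no rule for:", row)
```

Run it against a saved running-config and a pasted `show ip nat translations`; a translation row with no matching rule, or a rule whose inside port is not the service port, is the first thing to look at before suspecting routing or the remote side's WAN address.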
 

Author Comment

by:cpatte7372
ID: 40517031
Pred

U B D MAN.

It worked!

I seriously can't thank you enough ..
0
 

Author Comment

by:cpatte7372
ID: 40517078
Pred,

I've added another PC that I want RDP (192.168.2.4), see below. However, I can't RDP to it.

Can you think of any reason why?

ip nat inside source static tcp 192.168.2.2 3389 64.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.2.4 3389 64.x.x.x 3390 extendable

tcp  64.x.x.x:3389     192.168.2.2:3389      86.6.44.221:23147     86.6.44.221:23147
tcp  64.x.x.x:3390     192.168.2.4:3389      86.6.44.221:23280     86.6.44.221:23280

Again, really appreciate your help
0
 

Author Comment

by:cpatte7372
ID: 40517098
Pred,

It worked as you suggested.

Thank you...
0
 
LVL 30

Expert Comment

by:Predrag Jovic
ID: 40517141
I am glad that I could help.
0
 

Author Closing Comment

by:cpatte7372
ID: 40517607
Thanks a lot
0
