WAN PAT RDP

Last Modified: 2020-04-20
I have a network of 15 Windows machines that currently have RDP port-forwarded through a MikroTik RouterOS using dst-nat (destination NAT) rules that forward port 3389 to each workstation, using the syntax WAN IP:"unique port number" in the Remote Desktop Connection dialog. E.g., 215.93.43.43:60001 lands the RDP protocol on one local workstation, 215.93.43.43:60002 lands the RDP protocol on another, etc.
I thought it would be straightforward to implement this on a Cisco RV260, but am not seeing a way to tie the RDP service (port 3389) into port forwarding rules associated with dynamic port numbers that are then forwarded.
Thank you for your help.

Kimputer, IT Manager (Certified Expert)

Commented:
https://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/RV260/Admin_Guide/b_RV260x_AG.pdf 

Go to PDF page 89 (printed as page 81): Firewall > Port Forwarding.
It's EXACTLY the same principle. External service (you need to add 15 custom ones, starting with 60001, all the way up to 60015). Internal service is RDP (or port 3389). The rest should be quite obvious.

kevinhsieh, Network Engineer (Certified Expert)

Commented:
Note that it is not safe to port forward RDP. RDP really needs to be protected by VPN or RDP Gateway. RDP is a major ransomware vector.

If you insist on opening naked RDP to the world, be sure that the built-in administrator account is disabled or has a long random password. Make sure machines are automatically patching. Make sure that account lockout policies are enabled. Be sure all accounts have long, strong passwords.

Kimputer, IT Manager (Certified Expert)

Commented:
Truedat, but if possible, just have each machine available to a small whitelist of allowed IP numbers. You're already in the Firewall section anyway :)

vernaldrich, network engineer (Author)

Commented:
I examined this prior to posting, and don't see it working. It doesn't provide for interpreting the syntax 215.93.43.43:60001. The GUI doesn't allow using colons, so where is 60001 interpreted as 3389?

Although I can label the custom Service rule as 60001, and assign any port as the port start and another as the port end, the issue is to allow external devices to be able to enter the same WAN IP with a colon and distinct port number that then routes RDP (port 3389) to a specific internal workstation.

If you think it will work, please provide executable steps.  Thank you.

vernaldrich, network engineer (Author)

Commented:
VPN implementation is the next step (within a few weeks). All the steps mentioned by Kevinhsieh are in play. Thanks for the input Kevin. What am I missing on the ability to associate the dynamic port number tacked onto the external IP with routing a specific protocol (port 3389) to a specific internal address?

Certified Expert, Distinguished Expert 2019

Commented:
Have not accessed the RV or the Cisco small business models.
It used to have the WAN port on the external be the same port on the internal to which it is forwarding.

You could alter the port on which each workstation listens to match the WAN port you are setting.

Note, you would need to change it when the VPN functionality is set up.

kevinhsieh, Network Engineer (Certified Expert)

Commented:
Sorry, I don't have access to any SMB Cisco gear. All my experience is with their enterprise kit.

Kimputer, IT Manager (Certified Expert)

Commented:
"Although I can label the custom Service rule as 60001, and assign any port as the port start and another as the port end, the issue is to allow external devices to be able to enter the same WAN IP with a colon and distinct port number that then routes RDP (port 3389) to a specific internal workstation."

It's as I said: add FIFTEEN services, named RDP60001 with start port 60001 and end port 60001, all the way up to RDP60015.
Add FIFTEEN rules, each with one newly added service as the external service, and select the correct internal IP and the correct internal service (RDP) or port (3389).
Your syntax 215.93.43.43:60001 has NOTHING to do with the Cisco config (or any router config, for that matter), so it will just work, because the Cisco knows you need to connect the WAN to the internal IP address. Unless you have more WAN IP addresses configured; then you adjust the correct interface in the same screen.
GUIs are meant to be straightforward and should NEVER let you fill in something according to some syntax, only when strictly necessary. That's why you have the service/ports etc., so you don't have to guess at all. Learning to recognize that will mean you can configure other routers as well.
Why is it automatically bound to the WAN IP (or other selected interface)? Because if the WAN IP changes, it would mean suddenly all your MANUALLY INPUT SYNTAX wouldn't work anymore either.


vernaldrich, network engineer (Author)

Commented:
Wow.  Thank you for your explanation Kimputer.  My mind wasn't wrapped around the OSI model.

Now I must thank you for your indulgence as I reveal my (prior?) ignorance and attempt to solidify my understanding with 2 questions:

1) If 215.93.43.43:60001  is entered in the RDC dialog, will the application/session data be encapsulated and routed on port 60001 rather than 3389? 2) Would that mean that the RDP would not be recognized as RDP until it is PAT'd back onto port 3389 and received on that port by the endpoint?
 
Thanks again. Whatever the maximum reward is on Experts Exchange, you've earned it!

Certified Expert, Distinguished Expert 2019

Commented:
Have not seen the interface for the RV router you are using.
Commonly they had a

    WAN port   local IP      local port
    60001      192.168.0.3   3389

The formatting of this rule might differ.

In an SMB, retail-type router, the WAN IP is implied.

Kimputer, IT Manager (Certified Expert)

Commented:
When using 215.93.43.43:60001 in your RDP window, the Cisco RV will accept it, as your rule states 60001 should go to internal IP nr xxx (which you've input in one of the FIFTEEN rules), to port 3389. If your rule doesn't exist, nothing will happen with the RDP connection.

vernaldrich, network engineer (Author)

Commented:
Right. I was over-complicating things, conflating the need for data payload recognition (port 3389), which doesn't need to happen until the endpoint, with routing/transporting that payload.

Thanks again for your patience.
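The point the thread settles on (Kimputer's fifteen external-service rules, and the author's questions about where 60001 becomes 3389) can be traced in a small model of the router's translation table. The block below is an added example and is not a Cisco RV260 or MikroTik RouterOS configuration. It reuses the values from the thread (WAN address 215.93.43.43, WAN ports 60001 to 60015, RDP on 3389); the LAN numbering 192.168.10.11 to 192.168.10.25, the 198.51.100.0/24 source allow-list (a documentation range standing in for the addresses an administrator would actually whitelist) and the client's ephemeral port are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Values from the thread: the WAN address, the WAN port range and RDP's port.
WAN_IP = ip_address("215.93.43.43")
RDP_PORT = 3389
FIRST_WAN_PORT, WORKSTATIONS = 60001, 15

# Assumptions for this example: LAN numbering and the source whitelist.
FIRST_HOST = "192.168.10.11"
ALLOWED_SOURCES: List[IPv4Network] = [ip_network("198.51.100.0/24")]

Rule = Tuple[IPv4Address, int]  # (internal IP, internal port)


def build_rules(first_port: int = FIRST_WAN_PORT, count: int = WORKSTATIONS,
                first_host: str = FIRST_HOST) -> Dict[int, Rule]:
    """One forwarding rule per workstation, like the fifteen RV260 rules:
    external service RDP60001..RDP60015 -> internal IP, internal service RDP."""
    base = int(ip_address(first_host))
    return {first_port + i: (IPv4Address(base + i), RDP_PORT) for i in range(count)}


RULES = build_rules()


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def parse_rdc_target(text: str) -> Tuple[IPv4Address, int]:
    """What the Remote Desktop Connection dialog does with '215.93.43.43:60001':
    the text after the colon is only the TCP destination port the client dials,
    defaulting to 3389. The router never sees this string, just the packets."""
    host, sep, port = text.partition(":")
    return ip_address(host), (int(port) if sep else RDP_PORT)


def translate_inbound(pkt: Packet, rules: Dict[int, Rule] = RULES,
                      allow: List[IPv4Network] = ALLOWED_SOURCES) -> Optional[Packet]:
    """dst-nat for a packet arriving on the WAN interface. Returns the rewritten
    packet, or None when the router drops it (no rule, or source not whitelisted)."""
    if pkt.dst != WAN_IP:
        return None
    if not any(pkt.src in net for net in allow):
        return None  # the per-machine whitelist suggested in the thread
    target = rules.get(pkt.dport)
    if target is None:
        return None  # no rule for this WAN port: nothing happens
    internal_ip, internal_port = target
    return Packet(pkt.src, pkt.sport, internal_ip, internal_port)


def translate_reply(pkt: Packet, rules: Dict[int, Rule] = RULES) -> Optional[Packet]:
    """Reverse mapping for the workstation's reply (192.168.10.11:3389 -> client).
    Connection tracking rewrites the source back to WAN_IP:60001, so the client
    only ever sees the address:port it connected to."""
    reverse = {internal: wan_port for wan_port, internal in rules.items()}
    wan_port = reverse.get((pkt.src, pkt.sport))
    if wan_port is None:
        return None
    return Packet(WAN_IP, wan_port, pkt.dst, pkt.dport)


def session_path(target_text: str, client_ip: str) -> Optional[Tuple[Packet, Packet, Packet]]:
    """Trace one RDP SYN from the client through the router to the workstation
    and the reply back out; None if the router drops the connection."""
    dst, dport = parse_rdc_target(target_text)
    outbound = Packet(ip_address(client_ip), 51000, dst, dport)  # ephemeral port assumed
    inside = translate_inbound(outbound)
    if inside is None:
        return None
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    back = translate_reply(reply)
    return outbound, inside, back


if __name__ == "__main__":
    for text in ("215.93.43.43:60001", "215.93.43.43:60015",
                 "215.93.43.43", "215.93.43.43:60016"):
        print(text, "->", session_path(text, "198.51.100.7"))
```

Running it shows the two behaviours the thread describes: a dial to port 60001 reaches 192.168.10.11 on 3389 with the source address and port untouched, while a bare 215.93.43.43 (port 3389), a port with no rule, or a client outside the whitelist is simply dropped at the router. The RDP payload is never inspected in any of this; only the TCP destination port is rewritten.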