Veaam Backup and Replication

  KB 0000167
  Dated 09/01/10
  Revision 0.02
   

RDP to Multiple Servers with a Cisco PIX/ASA Firewall

 

Problem

You want to connect via "Remote Desktop" to multiple servers behind your firewall. To do this you have three options.

Solution

Option 1 (Use if you have multiple free Public IP addresses)

Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", and create a name entry for each server's public and private address.

Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External

Now allow RDP to both of the servers with an access control list and apply that access control list to the outside interface. (Note: if you already have an inbound ACL, simply substitute your ACL's name for "inbound".)

Petes-ASA(config)# access-list inbound extended permit tcp any host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside

 

Option 2 (Uses Port Forwarding and uses a different port for each server).

To deploy this option the ASA accepts the connection for each server on a different port; to do this, each server must listen on a different port.

Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", then allow each port you are going to use (in this case 3389 and 3390).

Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390

Then port forward those ports to the correct internal servers.

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255
 

Option 3 (Uses Port Forwarding with a different external port for each server, translated to 3389).

This differs from option 2 because in this example the firewall translates each incoming port to RDP port 3389 and sends it to the correct server, so each server can keep listening on its default port.

Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390

Then port forward AND translate those ports to the correct internal servers.

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
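With options 2 and 3 the access-list entries and the static entries have to agree with each other: a port that is permitted but not forwarded goes nowhere, and a port that is forwarded but not permitted is never reachable. The following Python script is an added example (not from this article or from Cisco) that parses the access-list and static commands in the form shown above and reports such mismatches; the sample config is constructed from the Option 3 commands plus one extra static that has no matching ACL entry.

```python
import re

# Constructed sample: the Option 3 commands from the article, plus a third
# static (external port 3391) that was added without an access-list entry.
SAMPLE_CONFIG = """
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq 3390
static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.3 3389 netmask 255.255.255.255
"""

# Only the two command shapes used in the article are recognised.
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+tcp\s+(\S+)\s+interface\s+outside\s+eq\s+(\d+)"
)
STATIC_RE = re.compile(
    r"static\s+\(inside,outside\)\s+tcp\s+interface\s+(\d+)\s+(\S+)\s+(\d+)\s+netmask"
)

def parse_forwards(config):
    """Return (permits, forwards): permits maps external port -> ACL source,
    forwards maps external port -> list of (internal ip, internal port)."""
    permits, forwards = {}, {}
    for line in config.splitlines():
        m = ACL_RE.search(line)
        if m:
            permits[int(m.group(2))] = m.group(1)
            continue
        m = STATIC_RE.search(line)
        if m:
            ext = int(m.group(1))
            forwards.setdefault(ext, []).append((m.group(2), int(m.group(3))))
    return permits, forwards

def check_rdp_forwards(config):
    """Cross-check ACL permits against statics and return a list of findings."""
    permits, forwards = parse_forwards(config)
    findings = []
    for port in sorted(set(permits) - set(forwards)):
        findings.append(f"port {port} permitted by the ACL but no static forwards it")
    for port in sorted(set(forwards) - set(permits)):
        findings.append(f"port {port} forwarded by a static but not permitted by the ACL")
    for port, targets in sorted(forwards.items()):
        if len(targets) > 1:  # two statics claiming the same external port
            findings.append(f"port {port} forwarded to more than one server: {targets}")
        for ip, iport in targets:
            if iport != 3389:  # option 2 style: the server itself must listen here
                findings.append(f"port {port} -> {ip}:{iport}; server must accept RDP on {iport}")
    for port, src in sorted(permits.items()):
        if src == "any":  # RDP reachable from every source address
            findings.append(f"port {port} is open to any source; restrict to known management addresses")
    return findings

if __name__ == "__main__":
    for finding in check_rdp_forwards(SAMPLE_CONFIG):
        print(finding)
```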

 
