New Contributor

Noob needs help with port forwarding & translation

Hello,

New to AOS and routing generally, and need a little help.  On our old router we had defined a port translation map to match a set of arbitrary external ports to port 3389 on specific internal desktops.  I.e. we want the Remote Desktop user, from any IP address, to specify their port which the router directs to port 3389 on their office desktop.  In this way, :3389 is inaccessible from the WAN, which we want.

We want to do the same thing with our new NetVanta 3430 but I'm unable to figure this out.  I used the Firewall Wizard to set up a basic Port Forward which works.  But when I try to define an ACP/ACL to point the router to a specific private host using an arbitrary port, it does not work.

I have attached screenshots (in .XPS) of my ACP/ACLs.  "PF1" works while "rdp50" does not.  I have seen the article on setting up RDP to an arbitrary port on the desktop, but we want to do the reverse -- access the standard port on the inside using an arbitrary port from the outside.

If someone could be kind enough to offer me a clue as to what I am missing it would be very helpful.

Thanks in advance -

James

4 Replies
New Contributor II

Re: Noob needs help with port forwarding & translation

You will need to turn on port forwarding to do this and then modify your traffic selector to do this.

Under traffic selector the destination network port needs to be changed from 3389 to the arbitrary port you have selected (32750) and then port translation turned on to translate the arbitrary 32750 port to 3389.

Look at this doc: 

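To make the mechanics of that reply concrete, here is an added illustration (not from the original thread and not AOS configuration syntax) of how an inbound policy with a traffic selector and destination port translation behaves. The public address, private desktop addresses and port numbers are constructed assumptions; the second rule set shows the misconfiguration the reply warns about, where the selector is left at 3389 instead of the arbitrary external port.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a firewall policy applied to traffic arriving on the
# WAN interface. Rules are evaluated top-down, first match wins, and anything
# unmatched is implicitly denied. This is an illustration of the behaviour,
# not the NetVanta CLI or GUI syntax.

RDP_PORT = 3389
PUBLIC_IP = "203.0.113.10"  # assumed WAN address (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One allow entry: the traffic selector plus the destination translation."""
    name: str
    match_dst_port: int        # arbitrary external port the selector matches on
    nat_host: str              # private desktop the packet is forwarded to
    nat_port: int = RDP_PORT   # port the destination is translated to


# Correct setup: each external port reaches a different desktop, all on 3389.
PUBLIC_POLICY: List[Rule] = [
    Rule("rdp50", 32750, "192.168.1.50"),
    Rule("rdp51", 32751, "192.168.1.51"),
]

# Misconfiguration from the thread: selector still says 3389, so a connection
# to the chosen external port 32750 never matches and is dropped.
MISCONFIGURED_POLICY: List[Rule] = [
    Rule("rdp50-wrong", RDP_PORT, "192.168.1.50"),
]


def apply_policy(pkt: Packet, rules: List[Rule] = PUBLIC_POLICY) -> Optional[Packet]:
    """Return the translated packet for an allowed connection, or None if denied."""
    if pkt.proto != "tcp" or pkt.dst_ip != PUBLIC_IP:
        return None
    for rule in rules:
        if pkt.dst_port == rule.match_dst_port:
            # Port translation: rewrite the destination to the private host on 3389.
            return Packet(pkt.src_ip, rule.nat_host, rule.nat_port, pkt.proto)
    return None  # implicit deny


def external_rdp_ports(rules: List[Rule] = PUBLIC_POLICY) -> List[int]:
    """External ports that end up on an internal RDP listener after translation."""
    return sorted(r.match_dst_port for r in rules if r.nat_port == RDP_PORT)


def direct_rdp_exposed(rules: List[Rule] = PUBLIC_POLICY) -> bool:
    """True if a WAN connection to PUBLIC_IP:3389 itself would reach a desktop."""
    probe = Packet("198.51.100.7", PUBLIC_IP, RDP_PORT)  # constructed remote client
    return apply_policy(probe, rules) is not None


if __name__ == "__main__":
    client = "198.51.100.7"
    for port in (32750, 32751, RDP_PORT):
        result = apply_policy(Packet(client, PUBLIC_IP, port))
        print(f"{PUBLIC_IP}:{port} -> {result.dst_ip}:{result.dst_port}" if result
              else f"{PUBLIC_IP}:{port} -> denied")
    print("3389 reachable from WAN (correct policy):", direct_rdp_exposed())
    print("3389 reachable from WAN (misconfigured):", direct_rdp_exposed(MISCONFIGURED_POLICY))
```

Running the block shows the two external ports landing on their own desktops while 3389 on the public address is denied; with the misconfigured selector the outcome flips, which is exactly the symptom James reported.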
Valued Contributor

Re: Noob needs help with port forwarding & translation

Hi James:

Using a variety of obscure port numbers is a good way to stack several RDS connections on a single public IP.  It's also smart to avoid 3389 for security reasons (port scanners or just manual attempts by a hacker).  VPN is superior from a security standpoint, and may increase flexibility for your remote users to reach various LAN resources directly.  Have you thought about using mobile VPN clients?  ADTRAN provides a very nice client for a low price (30 day trial available), or you can use a free IPSec client like Shrew Soft.  If you're connecting from laptops, I would strongly recommend VPN.  If you're connecting from iOS devices, I don't think this will be an option right now.  In those cases, an internal PPTP VPN server is probably the next best choice.

Best,

Chris

New Contributor

Re: Noob needs help with port forwarding & translation

Hey jw, thanks!  I did see that document before but got a bit confused as the example uses a module interface and I am connecting to WAN via the embedded Ethernet, but I got it going.  Much appreciated!

New Contributor

Re: Noob needs help with port forwarding & translation

Hey cj, thanks!  I am not too familiar with VPN but have heard it can sometimes be problematic, and my users are technically challenged as it is.  Will research and keep in mind.  Have a good one!