RDP Inbound NAT Not Working

I cannot seem to get inbound DNAT to work for RDP. Simple setup.

DNAT
From: IPv4 Any (will filter later)
Going To: WAN IP Address
Using: Microsoft Terminal Services (RDP 3389)
Destination: Internal Windows Terminal Server

 

I have tried for days to get this to work. It's NAT'd just like all of my other NATs for web server, email, etc. I have tried this on both the Home edition and the Enterprise edition with no luck; it seems the Sophos UTM has a hard block on 3389. I even tried to rewrite the port and that did not work either. The firewall log is showing the connection being dropped although NAT and firewall rules are set to allow and turned on. I tried rebooting; that did not work. The only thing weird about my setup is that my internal LAN is using trunked/VLANs, but the other NAT services are working just fine, leading me to believe that's not related. I have tried disabling all threat detection modules as well.

Any help would be appreciated.

Thanks,



  • Likely the local firewall on the host denying the traffic.

  • The local firewall has been disabled, it's not the cause. 

    Thanks,

  • The firewall certainly does not have a block on port 3389 for forwarding.  In my experience, though, it is sometimes difficult to disable a Windows firewall and it is not intuitive.  From an admin command prompt, netsh firewall set opmode=Disable and then try again.

    If you are listening on 3389 and forwarding the same port, do not select a service in the lower portion (I know the example you provided is for a different port).  Also, once you create the NAT rule, you are turning it on, right?  It is not enabled, IIRC, until you tell it to be.  For grins, perhaps try a full NAT and use the src NAT address as the firewall internal address.
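
A host-side check for the points raised in the replies above, added here as an example and not posted by any participant in the thread: it reports whether Remote Desktop is enabled and on which port, whether anything is listening there, which Windows Firewall profiles are still on, and which default gateway the host uses for replies. It assumes an elevated PowerShell session on the internal terminal server with the built-in NetTCPIP and NetSecurity modules available.

```powershell
# Added diagnostic example; run in an elevated PowerShell on the internal RDP host.
$ts = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'

# 1. Is Remote Desktop enabled (0 = connections allowed), and on which port?
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

# 2. Is anything actually listening on that port?
$listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)

# 3. Which firewall profiles are still enabled on this host?
$activeProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })

# 4. Default gateway: replies to DNAT'd (not full-NAT'd) traffic leave via this hop.
$gw = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric | Select-Object -First 1

[pscustomobject]@{
    RdpEnabled         = ($deny -eq 0)
    ConfiguredPort     = $port
    Listening          = ($listeners.Count -gt 0)
    ListenAddresses    = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
    FirewallProfilesOn = ($activeProfiles.Name -join ', ')
    DefaultGateway     = $gw.NextHop
    GatewayInterface   = $gw.InterfaceAlias
}
```

Compare `DefaultGateway` with the UTM's internal address on the server's VLAN: with plain DNAT the client's source address is preserved, so the reply follows the default route, whereas the full NAT suggested above makes the server answer the firewall's internal address directly.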
