NAT Problem (Unable to get NAT working with incoming RDP Connection)
  •  
spazzma

Hi,
I want to create an RDP connection from outside our company to inside our company, but am unable to do so. We already have a Mikrotik Routerboard that performs NAT before you get to the Kerio machine.
So here is the scenario:
An external client connects to the public IP of the router on port 3391. The Mikrotik RB NATs to the internal Kerio firewall, which in turn NATs it to the correct private PC on port 3389. This means that NATting occurs twice. I did this with Endian firewall and it worked correctly, so I cannot understand why I cannot get it working with Kerio. This also means that NATting on the RB is correct.

Below is the rule that I created:
Position: Top
Source: Any
Destination: Firewall
Service: UDP3391 & TCP3391
Action: Allow
Translation: MAP X.X.X.X:3389

Below is a diagram of my network setup
  • Attachment: Natting.png
  •  
markt

Very similar to my setup (we are still on 7.3.2, however). You should only need the service 3391 on TCP, not UDP.
Are all the other elements the same as your previous setup (apart from Kerio), i.e. the target machine's OS & IP configuration? If you turn connection logging on, are you seeing any attempt at all?

I add this only because I have tripped myself up before - have you actually enabled the rule?

[Updated on: Wed, 08 January 2014 17:25]

  •  
Ernesto (Kerio)

I think the destination NAT entry in the Mikrotik RB device must be set to translate the destination IP address to 10.0.1.254 *instead of* 10.0.0.254.

Sales Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
spazzma

Hi,
I checked all the logs again and found that loads of packets are being dropped due to Anti-Spoofing. My packets were among those. I disabled Anti-spoofing and now it works. Any idea how I can whitelist some addresses from Anti-Spoofing?
Thanks
  •  
Ernesto (Kerio)

There is no white-listing feature for the anti-spoofing module in Kerio Control.

Usually all that is needed is to create static routes and traffic rules to specifically allow traffic from/to the "unknown" IP addresses or subnets.

However, I suspect that in this setup, the anti-spoofing errors are triggered by packets with the wrong source/destination IP address coming through the wrong interface in Kerio Control.

  •  
spazzma

Thanks. Will check later today and revert.
  •  
spazzma

Hi,
I changed the RB natting to the "internet interface" of the firewall (10.0.1.254) and that fixed the Anti-Spoofing problem.
Thanks
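
The fix above, shown as an added example that is not part of the original thread and is not Kerio's implementation: a simplified model of an interface-based anti-spoofing check that rejects packets whose source or destination address belongs to a different interface than the one they arrived on. Only the two .254 addresses come from the thread; the /24 prefixes, interface names and client address are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Interface  # firewall's own IP plus prefix length

# Assumed topology: only the two .254 addresses appear in the thread;
# the /24 prefixes and the interface names are assumptions for this model.
INTERFACES = [
    Interface("internet", ipaddress.ip_interface("10.0.1.254/24")),
    Interface("lan", ipaddress.ip_interface("10.0.0.254/24")),
]

CLIENT = "203.0.113.10"  # constructed external client (documentation range)

def anti_spoof_verdict(in_iface, src, dst, interfaces=INTERFACES):
    """Return (accepted, reason) for a packet arriving on in_iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface in interfaces:
        if iface.name == in_iface:
            continue
        # Source claims to come from a network attached to another interface.
        if src in iface.address.network:
            return False, f"source {src} belongs to {iface.name}"
        # Destination is the firewall's own address on another interface.
        if dst == iface.address.ip:
            return False, f"destination {dst} is the {iface.name} address"
    return True, "ok"

if __name__ == "__main__":
    # Compare the two DNAT targets discussed in the thread.
    for dnat_target in ("10.0.0.254", "10.0.1.254"):
        ok, reason = anti_spoof_verdict("internet", CLIENT, dnat_target)
        verdict = "accept" if ok else "drop"
        print(f"RB DNAT -> {dnat_target}: {verdict} ({reason})")
```

In this model the upstream router's DNAT target has to be the address of the interface the packet actually arrives on, which is why disabling anti-spoofing globally was not needed once the mapping was corrected.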
  •  
mahdi

Hi,

I have a problem such as this.
In my LAN I have a KWF and a valid IP, and I set the inbound rule as below for access to my servers (5 servers) from anywhere on the internet:

name : rdp
src : internet
dest : firewall
port tcp 52300 (or any other)
permit (allow)
translation map x.x.x.1 : 3389

This rule works for 3 of the servers, but 2 of them do not work and I can't access those servers.
All servers are 2008R2 and KWF is installed on Win 7.
Can anybody help me?

Thanks
  •  
markt

Can you confirm all servers are configured with a correct gateway IP? Have the correct firewall rules on the 2008R2 boxes been set (if the firewall is active)?