PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Transcription

1 PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example Document ID: Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Configure Network Diagram Configurations Configure with ASDM Verify Troubleshoot Related Information Introduction This document describes how to allow Remote Desktop Protocol (RDP) connections through a Cisco Security Appliance. RDP is a multi channel protocol that allows a user to connect to a computer that runs Microsoft Terminal Services. Clients exist for most versions of Windows, and other operating systems such as Linux, FreeBSD, and Mac OS X. The server listens on TCP port 3389 by default. In this configuration example, the security appliance is configured to allow an RDP client on the Internet to connect to an RDP server PC on the inside interface. The security appliance performs address translation and the client connects to the host using a static mapped external IP address. Prerequisites Requirements This document assumes that the Cisco PIX Firewall is fully operational and configured. Also, all initial configurations are made and the hosts should have end to end connectivity. Components Used The information in this document is based on these software and hardware versions: Cisco Adaptive Security Appliances (ASA) 5500 Series Security Appliance with software version 8.2(1) Cisco Adaptive Security Device Manager version 6.3(5)

2 The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Related Products Cisco PIX 500 Series Security Appliance with software version 7.x Conventions Refer to the Cisco Technical Tips Conventions for more information on document conventions. Configure In this section, you are presented with the information to configure the security appliance to allow the Remote Desktop Protocol (RDP) traffic to pass through. Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section. Network Diagram This document uses this network setup: Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment. Configurations This section shows the security appliance configuration. RDP traffic from host on the Internet is permitted to RDP Server at on the inside network which listens on port 3389 through static mapped IP address Perform these steps: Configure static NAT in order to redirect the RDP traffic received on the outside interface to the inside host.

3 Create an access control list (ACL) that permits RDP and apply it to the outside interface. Note: Because NAT is performed by the security appliance, the ACL must permit access to the mapped IP address of the RDP server; not the real IP address. Note: The IP address ( ) used for static mapping should be in the same subnet as the outside interface IP address. Refer to the Static NAT section of PIX/ASA 7.x NAT and PAT Statements in order to learn more about static NAT mapping. CiscoASA#show running config : Saved : ASA Version 8.2(1) hostname CiscoASA domain name default.domain.invalid enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names Output suppressed object group service RDP tcp port object eq 3389 Output suppressed CiscoASA This access list allows the RDP traffic sourced from to destination with TCP port access list outside_access_in extended permit tcp host host object group This staic NAT statement redirects the traffic destined for IP address to host IP address static (inside,outside) netmask Output suppressed access group outside_access_in in interface outside Output is suppressed. Note: In this ACL configuration, "host " can be replaced with "any" to allow access to the RDP server from the Internet at large. This is not recommended, however, since it might open the RDP server up to attack. As a general rule, make ACL entries as specific as possible.

4 Configure with ASDM Configuration Complete these steps: 1. In order to create an access list, choose Configuration > Firewall > Access Rules, and choose Add then click Add Access Rule in the drop down menu. 2. Now, specify the action, source and the destination. Click..., the Details button, in order to choose the destination port. 3. The default port number for RDP is As this is not available in the available tcp ports, click Add and choose TCP Service Group in the drop down menu. Through this, you can group customized ports together, based on the requirement.

5 4. Now, specify a name for this service group and type in the port number in the blank given for Port/Range option and click the Add button in order to make this service as a member of the service group. Like this, you can choose a range of ports as a member of the same service group. Click OK. 5. It shows the Service group along with its members. Click OK in order to revert back to the access rule window.

6 6. Click OK in order to complete the access list configuration. 7. The access list along with its associated interface can be seen in the Configuration > Firewall > Access Rules window. 8. Now, choose Configuration > Firewall > NAT Rules > Add > Add Static NAT Rule option in order to create a static NAT entry.

7 9. Specify the original IP address and the translated IP address along with their respective associated interfaces and click OK.

8 10. The configured rule could be viewed in the NAT Rules window as shown here. Click the Apply button in order to send this configuration to the Security appliance and click Save in order to save the configuration to flash memory. Allow SSH to the same RDP server Certain applications block the Remote Desktop application because of its known vulnerabilities. In this case, you can choose to use other encrypted applications like SSH. In order to achieve this, you need to add the SSH as the destination port for the RDP server. In the previous example, the service group concept has been used in order to define the destination port. The advantage with using the service group is that you can modify the protocols/ports to the service group as per the requirement. You can add new ports to the service group or delete the existing members (ports) of the service group. In the next example, it is demonstrated how to add the SSH to the existing service group RDP. Complete these steps: 1. Right click on the Access rule of the access list and click Edit. 2. Now, in the Service category click..., the Details button, in order to edit the members of the service group.

9 3. Right click on the service group and click Edit in order to modify the service group. 4. Now, choose the SSH protocol and click Add in order to add this protocol as a member of this service group. 5. Now, both the members can be seen as in this example, and click OK.

10 6. Click OK in order to complete the modification procedure.

11 Verify There is currently no verification procedure available for this configuration. Troubleshoot If a certain client or range of clients is unable to connect to the RDP server, be sure that those clients are permitted in the ACL on the outside interface. If no clients are able to connect to the RDP server, be sure that an ACL on either the outside or the inside interface is not blocking traffic to or from port If no clients are able to connect to the RDP server, then check to see whether or not the packets exceed the MSS value. If so, configure the MPF to allow the exceeded MSS packets in order to resolve this issue as this example shows: CiscoASA(config)#access list 110 extended permit tcp host host eq 3389 This command is wrapped to a second line due to spatial reasons. CiscoASA(config)#access list 110 extended permit tcp host host eq 80 This command is wrapped to a second line due to spatial reasons.

12 CiscoASA(config)#class map rdpmss CiscoASA(config cmap)#match access list 110 CiscoASA(config cmap)#exit CiscoASA(config)#tcp map mss map CiscoASA(config tcp map)#exceed mss allow CiscoASA(config tcp map)#exit CiscoASA(config)#policy map rdpmss CiscoASA(config pmap)#class rdpmss CiscoASA(config pmap c)#set connection advanced options mss map CiscoASA(config pmap c)#exit CiscoASA(config pmap)#exit CiscoASA(config)#service policy rdpmss interface outside Refer to the Solutions to Fragmentation Issues section of PIX/ASA 7.x and IOS: VPN Fragmentation in order to learn about the other methods you can use to resolve the MSS problem. The RDP session timeout after the TCP default connection timeout value expired. In order to resolve this issue, increase the timeout as shown here: timeout conn 10:00:00 half closed 0:10:00 udp 0:02:00 icmp 0:00:02 This command sets the timeout value to ten hours. Related Information Cisco PIX 500 Series Security Appliances Support Page PIX/ASA 7.x and FWSM: NAT and PAT Statements Technical Support & Documentation Cisco Systems Contacts & Feedback Help Site Map Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Feb 24, 2011 Document ID: 77869