PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

Contents
Introduction
Prerequisites
  Requirements
  Components Used
  Related Products
  Conventions
Configure
  Network Diagram
  Configurations
  Configure with ASDM
Verify
Troubleshoot
Related Information

Introduction

This document describes how to allow Remote Desktop Protocol (RDP) connections through a Cisco Security Appliance. RDP is a multi-channel protocol that allows a user to connect to a computer that runs Microsoft Terminal Services. Clients exist for most versions of Windows and for other operating systems such as Linux, FreeBSD, and Mac OS X. The server listens on TCP port 3389 by default.

In this configuration example, the security appliance is configured to allow an RDP client on the Internet to connect to an RDP server PC on the inside interface. The security appliance performs address translation, and the client connects to the host through a statically mapped external IP address.

Prerequisites

Requirements

This document assumes that the Cisco PIX Firewall is fully operational and configured. All initial configuration is in place and the hosts have end-to-end connectivity.

Components Used

The information in this document is based on these software and hardware versions:

- Cisco Adaptive Security Appliances (ASA) 5500 Series Security Appliance with software version 8.2(1)
- Cisco Adaptive Security Device Manager version 6.3(5)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

- Cisco PIX 500 Series Security Appliance with software version 7.x

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the security appliance to allow Remote Desktop Protocol (RDP) traffic to pass through.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.

Configurations

This section shows the security appliance configuration. RDP traffic from the host on the Internet is permitted to the RDP server on the inside network, which listens on port 3389, through the statically mapped IP address.

Perform these steps:

1. Configure static NAT in order to redirect the RDP traffic received on the outside interface to the inside host.
2. Create an access control list (ACL) that permits RDP and apply it to the outside interface.

Note: Because NAT is performed by the security appliance, the ACL must permit access to the mapped IP address of the RDP server, not the real IP address.

Note: The IP address used for static mapping should be in the same subnet as the outside interface IP address. Refer to the Static NAT section of PIX/ASA 7.x NAT and PAT Statements in order to learn more about static NAT mapping.

In the configuration that follows, <client-ip> is the RDP client on the Internet, <mapped-ip> is the statically mapped outside address of the RDP server, and <real-ip> is its real inside address.

CiscoASA#show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname CiscoASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
!--- Output suppressed.
!
object-group service RDP tcp
 port-object eq 3389
!
!--- Output suppressed.
!
!--- This access list allows the RDP traffic sourced from <client-ip>
!--- to destination <mapped-ip> on TCP port 3389 (object-group RDP).
access-list outside_access_in extended permit tcp host <client-ip> host <mapped-ip> object-group RDP
!
!--- This static NAT statement redirects the traffic destined for the
!--- mapped IP address <mapped-ip> to the real host IP address <real-ip>.
static (inside,outside) <mapped-ip> <real-ip> netmask 255.255.255.255
!
!--- Output suppressed.
!
access-group outside_access_in in interface outside
!
!--- Output suppressed.

Note: In this ACL configuration, "host <client-ip>" can be replaced with "any" to allow access to the RDP server from the Internet at large. This is not recommended, however, since it might open the RDP server up to attack. As a general rule, make ACL entries as specific as possible.
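As an added check that is not part of the Cisco document: a small Python script that parses an ASA 8.2 configuration fragment and flags the two mistakes the notes above warn about, an ACL entry that names the server's real inside address instead of the statically mapped address, and a source of any; it also confirms the ACL is applied inbound on the outside interface. The configuration text it runs on is a constructed sample with made-up addresses (192.0.2.10, 172.16.1.5, 10.1.1.5), not the page's lab addresses.

```python
import re

# Constructed ASA 8.2 running-config fragment modelled on the page's example.
# The addresses are made-up documentation / RFC 1918 values, not the page's.
# Entry 1 deliberately names the real inside address; entry 2 uses source any.
SAMPLE_CONFIG = """
object-group service RDP tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp host 192.0.2.10 host 10.1.1.5 object-group RDP
access-list outside_access_in extended permit tcp any host 172.16.1.5 object-group RDP
static (inside,outside) 172.16.1.5 10.1.1.5 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp (any|host \S+) host (\S+) (.+)$")
# 8.2 syntax: static (real_ifc,mapped_ifc) MAPPED_IP REAL_IP netmask MASK
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask \S+$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def audit_rdp_rules(config: str) -> list:
    """Return one finding per problem the page warns about; [] if clean."""
    mapped_to_real, real_to_mapped, acl_entries, bound = {}, {}, [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := STATIC_RE.match(line):
            mapped_to_real[m.group(3)] = m.group(4)
            real_to_mapped[m.group(4)] = m.group(3)
        elif m := ACL_RE.match(line):
            acl_entries.append(m.groups())
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)

    findings = []
    for name, src, dst, svc in acl_entries:
        # An outside ACL is matched against the mapped address, so an entry
        # that names the real inside address never matches the RDP client.
        if dst in real_to_mapped and dst not in mapped_to_real:
            findings.append(f"{name}: dest {dst} is the real address; use mapped {real_to_mapped[dst]}")
        # 'any' opens the published server to every source on the Internet.
        if src == "any" and dst in mapped_to_real:
            findings.append(f"{name}: source any exposes {dst} ({svc}) to the Internet at large")
    for name in sorted({entry[0] for entry in acl_entries}):
        if bound.get(name) != "outside":
            findings.append(f"{name}: not applied inbound on interface outside")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_rules(SAMPLE_CONFIG):
        print(finding)
```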
Configure with ASDM

Complete these steps:

1. In order to create an access list, choose Configuration > Firewall > Access Rules, choose Add, and then click Add Access Rule in the drop-down menu.
2. Now specify the action, the source and the destination. Click ..., the Details button, in order to choose the destination port.
3. The default port number for RDP is not in the list of available TCP ports, so click Add and choose TCP Service Group in the drop-down menu. Through this, you can group customized ports together, based on the requirement.
4. Now specify a name for this service group, type the port number in the blank for the Port/Range option, and click the Add button in order to make this service a member of the service group. In the same way, you can choose a range of ports as a member of the same service group. Click OK.
5. The service group is shown along with its members. Click OK in order to return to the access rule window.
6. Click OK in order to complete the access list configuration.
7. The access list along with its associated interface can be seen in the Configuration > Firewall > Access Rules window.
8. Now choose Configuration > Firewall > NAT Rules > Add > Add Static NAT Rule in order to create a static NAT entry.
9. Specify the original IP address and the translated IP address along with their respective associated interfaces, and click OK.
10. The configured rule can be viewed in the NAT Rules window as shown here. Click the Apply button in order to send this configuration to the security appliance, and click Save in order to save the configuration to flash memory.

Allow SSH to the same RDP server

Certain applications block the Remote Desktop application because of its known vulnerabilities. In this case, you can choose to use other encrypted applications, such as SSH. In order to achieve this, you need to add SSH as a destination port for the RDP server. In the previous example, the service group concept was used in order to define the destination port. The advantage of using a service group is that you can modify the protocols/ports in the service group as per the requirement: you can add new ports to the service group or delete existing members (ports) of the service group. The next example demonstrates how to add SSH to the existing service group RDP.

Complete these steps:

1. Right-click the access rule of the access list and click Edit.
2. Now, in the Service category, click ..., the Details button, in order to edit the members of the service group.
3. Right-click the service group and click Edit in order to modify the service group.
4. Now choose the SSH protocol and click Add in order to add this protocol as a member of this service group.
5. Both members can now be seen, as in this example. Click OK.
6. Click OK in order to complete the modification procedure.
Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

If a certain client or range of clients is unable to connect to the RDP server, be sure that those clients are permitted in the ACL on the outside interface.

If no clients are able to connect to the RDP server, be sure that an ACL on either the outside or the inside interface is not blocking traffic to or from the RDP port.

If no clients are able to connect to the RDP server, check whether or not the packets exceed the MSS value. If so, configure the MPF to allow the packets that exceed the MSS in order to resolve this issue, as this example shows:

CiscoASA(config)#access-list 110 extended permit tcp host <client-ip> host <mapped-ip> eq 3389
!--- This command is wrapped to a second line due to spatial reasons.
CiscoASA(config)#access-list 110 extended permit tcp host <client-ip> host <mapped-ip> eq 80
!--- This command is wrapped to a second line due to spatial reasons.