PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example




Document ID: 77869

Contents
Introduction
Prerequisites
  Requirements
  Components Used
  Related Products
  Conventions
Configure
  Network Diagram
  Configurations
  Configure with ASDM
  Allow SSH to the same RDP server
Verify
Troubleshoot
Related Information

Introduction

This document describes how to allow Remote Desktop Protocol (RDP) connections through a Cisco security appliance. RDP is a multi-channel protocol that allows a user to connect to a computer that runs Microsoft Terminal Services. Clients exist for most versions of Windows and for other operating systems such as Linux, FreeBSD, and Mac OS X. The server listens on TCP port 3389 by default.

In this configuration example, the security appliance is configured to allow an RDP client on the Internet to connect to an RDP server PC on the inside interface. The security appliance performs address translation, and the client connects to the server through a statically mapped external IP address.

Prerequisites

Requirements

This document assumes that the Cisco PIX or ASA security appliance is fully operational and configured: all initial configuration is in place and the hosts have end-to-end connectivity.

Components Used

The information in this document is based on these software and hardware versions:

Cisco Adaptive Security Appliance (ASA) 5500 Series with software version 8.2(1)
Cisco Adaptive Security Device Manager (ASDM) version 6.3(5)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products

Cisco PIX 500 Series Security Appliance with software version 7.x

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the security appliance to allow Remote Desktop Protocol (RDP) traffic to pass through.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

[Network diagram: RDP client 20.1.1.10 on the Internet -> outside interface of CiscoASA -> static mapped address 209.165.200.10 -> RDP server 172.16.11.10 on the inside interface, TCP port 3389]

Note: The IP addresses used in this configuration are lab addresses and are not intended to be routed on the Internet; the inside address 172.16.11.10 is an RFC 1918 address.

Configurations

This section shows the security appliance configuration. RDP traffic from host 20.1.1.10 on the Internet is permitted to the RDP server at 172.16.11.10 on the inside network, which listens on port 3389, through the static mapped IP address 209.165.200.10.

Perform these steps:

1. Configure static NAT in order to redirect the RDP traffic received on the outside interface to the inside host.

2. Create an access control list (ACL) that permits RDP and apply it to the outside interface.

Note: Because NAT is performed by the security appliance, the ACL must permit access to the mapped IP address (209.165.200.10) of the RDP server, not the real IP address (172.16.11.10). This applies to PIX 7.x and to ASA 8.2 and earlier; on ASA 8.3 and later, NAT is configured with network objects and access lists reference the real IP address of the server instead.

Note: The IP address (209.165.200.10) used for static mapping should be in the same subnet as the outside interface IP address. Refer to the Static NAT section of PIX/ASA 7.x NAT and PAT Statements in order to learn more about static NAT mapping.

CiscoASA#show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname CiscoASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!--- Output suppressed.
!
object-group service RDP tcp
 port-object eq 3389
!--- Output suppressed.
!
!--- This access list allows RDP traffic sourced from 20.1.1.10 to destination 209.165.200.10
!--- on TCP port 3389 (the only member of service object-group RDP).
access-list outside_access_in extended permit tcp host 20.1.1.10 host 209.165.200.10 object-group RDP
!
!--- This static NAT statement translates traffic destined for the mapped IP address 209.165.200.10
!--- to the inside host 172.16.11.10.
static (inside,outside) 209.165.200.10 172.16.11.10 netmask 255.255.255.255
!--- Output suppressed.
!
access-group outside_access_in in interface outside
!--- Output suppressed.

Note: In this ACL configuration, "host 20.1.1.10" can be replaced with "any" to allow access to the RDP server from the Internet at large. This is not recommended, since it exposes the RDP server to attack from any source. As a general rule, make ACL entries as specific as possible.
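The two rules the notes above state (the inbound ACL on the outside interface is evaluated against the mapped address on 8.2 and earlier, and a permit from "any" to tcp/3389 exposes the server to the whole Internet) are easy to get wrong in a large configuration. The following audit script is an added example, not part of this Cisco document and not Cisco code: it parses the object-group, static, access-list and access-group lines in the ASA's own syntax, then flags an outside-inbound ACE whose destination is the real inside address of a statically translated host, and any ACE that reaches tcp/3389 from an unrestricted source. The configuration text in SAMPLE_CONFIG is constructed for the example; it contains one ACE written the way this page recommends and the two mistakes the notes warn about.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RDP_PORT = 3389

# Constructed sample config (not from the Cisco page): one correct ACE, one that
# names the real inside address, and one that is open to any source.
SAMPLE_CONFIG = """\
object-group service RDP tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp host 20.1.1.10 host 209.165.200.10 object-group RDP
access-list outside_access_in extended permit tcp host 20.1.1.10 host 172.16.11.10 eq 3389
access-list outside_access_in extended permit tcp any host 209.165.200.10 object-group RDP
static (inside,outside) 209.165.200.10 172.16.11.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str                    # "any", a host IP, "net/mask" or "object-group:NAME"
    dst: str
    ports: Optional[Set[int]]   # resolved destination ports; None means any port

@dataclass
class AsaConfig:
    service_groups: Dict[str, Set[int]] = field(default_factory=dict)
    statics: Dict[str, str] = field(default_factory=dict)                    # mapped -> real
    access_groups: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # acl -> (dir, iface)
    aces: List[Ace] = field(default_factory=list)

def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host A | A MASK | object-group G) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    if tokens[i] == "object-group":
        return "object-group:" + tokens[i + 1], i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2

def _ports(tokens: List[str], i: int, groups: Dict[str, Set[int]]) -> Optional[Set[int]]:
    """Resolve a port operator to a set of ports; None means no port restriction."""
    if i >= len(tokens):
        return None
    op, arg = tokens[i], tokens[i + 1:]
    if op == "eq":
        return {int(arg[0])}
    if op == "range":
        return set(range(int(arg[0]), int(arg[1]) + 1))
    if op == "object-group":
        return set(groups.get(arg[0], set()))
    return None   # operators not modelled here (gt/lt/neq) are treated as unrestricted

def parse(text: str) -> AsaConfig:
    cfg = AsaConfig()
    group: Optional[str] = None       # service object-group currently being filled
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!") or tokens[0] == ":":
            continue
        if group is not None and tokens[0] == "port-object":
            cfg.service_groups[group] |= _ports(tokens, 1, cfg.service_groups) or set()
            continue
        group = None
        if tokens[:2] == ["object-group", "service"]:
            group = tokens[2]
            cfg.service_groups.setdefault(group, set())
        elif tokens[0] == "static":
            # static (in,out) MAPPED REAL ...  or  static (in,out) tcp MAPPED MPORT REAL RPORT ...
            if tokens[2] in ("tcp", "udp"):
                cfg.statics[tokens[3]] = tokens[5]
            else:
                cfg.statics[tokens[2]] = tokens[3]
        elif tokens[0] == "access-list" and len(tokens) > 5 and tokens[2] == "extended":
            src, i = _addr(tokens, 5)
            dst, i = _addr(tokens, i)
            cfg.aces.append(Ace(tokens[1], tokens[3], tokens[4], src, dst,
                                _ports(tokens, i, cfg.service_groups)))
        elif tokens[0] == "access-group":
            cfg.access_groups[tokens[1]] = (tokens[2], tokens[4])   # NAME in|out interface IFACE
    return cfg

def audit(cfg: AsaConfig) -> List[str]:
    """Findings for permit ACEs applied inbound on the outside interface."""
    findings: List[str] = []
    real_to_mapped = {real: mapped for mapped, real in cfg.statics.items()}
    for ace in cfg.aces:
        if cfg.access_groups.get(ace.acl) != ("in", "outside") or ace.action != "permit":
            continue
        if ace.dst in real_to_mapped:
            findings.append(f"{ace.acl}: destination {ace.dst} is the real inside address; "
                            f"on 8.2 and earlier the ACE must name the mapped address "
                            f"{real_to_mapped[ace.dst]}")
        reaches_rdp = ace.proto in ("tcp", "ip") and (ace.ports is None or RDP_PORT in ace.ports)
        if reaches_rdp and ace.src == "any":
            findings.append(f"{ace.acl}: tcp/{RDP_PORT} to {ace.dst} is permitted from any source")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports exactly two findings, one per mistake; the first ACE, which follows the page's advice, is silent. Feed it a copy of show running-config on an 8.2 or earlier appliance to check the whole outside ACL at once; on 8.3 and later the first check does not apply because access lists there name the real address.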

Configure with ASDM

Complete these steps:

1. In order to create an access list, choose Configuration > Firewall > Access Rules, click Add, and then click Add Access Rule in the drop-down menu.

2. Specify the action, the source, and the destination. Click the Details button (...) in order to choose the destination port.

3. The default port number for RDP is 3389. Because this port is not in the list of available TCP ports, click Add and choose TCP Service Group in the drop-down menu. A service group lets you group custom ports together as required.

4. Specify a name for the service group, type the port number in the Port/Range field, and click Add in order to make this service a member of the service group. In the same way, you can add a range of ports as a member of the same service group. Click OK.

5. The service group is shown along with its members. Click OK in order to return to the access rule window.

6. Click OK in order to complete the access list configuration.

7. The access list, along with its associated interface, can be seen in the Configuration > Firewall > Access Rules window.

8. Choose Configuration > Firewall > NAT Rules > Add > Add Static NAT Rule in order to create a static NAT entry.

9. Specify the original IP address and the translated IP address along with their respective interfaces, and click OK.

10. The configured rule can be viewed in the NAT Rules window. Click Apply in order to send this configuration to the security appliance, and click Save in order to save the configuration to flash memory.

Allow SSH to the same RDP server

Some environments block RDP because of its history of vulnerabilities. In that case, you can use another encrypted protocol such as SSH to reach the same server. In order to achieve this, add SSH as a destination port for the RDP server. In the previous example, a service group was used to define the destination port. The advantage of a service group is that you can modify its protocols and ports as required: you can add new ports to the service group or delete existing members (ports). The next example shows how to add SSH to the existing service group RDP.

Note: Adding SSH to the group widens the single access rule so that it permits both tcp/3389 and tcp/22 to the server. If the intent is to replace RDP with SSH rather than to allow both, also remove the 3389 member from the group.

Complete these steps:

1. Right-click the access rule in the access list and click Edit.

2. In the Service category, click the Details button (...) in order to edit the members of the service group.

3. Right-click the service group and click Edit in order to modify the service group.

4. Choose the SSH protocol and click Add in order to add it as a member of this service group.

5. Both members are now shown. Click OK.

6. Click OK in order to complete the modification procedure.

Verify

There is currently no verification procedure available for this configuration. On the CLI, hit counts on the access list (show access-list outside_access_in) and the translation table (show xlate) confirm that the rule and the static translation are in use, and packet-tracer can simulate the client's connection to the mapped address.

Troubleshoot

If a certain client or range of clients is unable to connect to the RDP server, be sure that those clients are permitted in the ACL on the outside interface.

If no clients are able to connect to the RDP server, be sure that an ACL on either the outside or the inside interface is not blocking traffic to or from port 3389.

If no clients are able to connect to the RDP server, check whether the packets exceed the MSS value. If so, configure the Modular Policy Framework (MPF) to allow packets that exceed the MSS, as this example shows:

CiscoASA(config)#access-list 110 extended permit tcp host 20.1.1.10 host 209.165.200.10 eq 3389
CiscoASA(config)#access-list 110 extended permit tcp host 20.1.1.10 host 209.165.200.10 eq 80
CiscoASA(config)#class-map rdpmss
CiscoASA(config-cmap)#match access-list 110
CiscoASA(config-cmap)#exit
CiscoASA(config)#tcp-map mss-map
CiscoASA(config-tcp-map)#exceed-mss allow
CiscoASA(config-tcp-map)#exit
CiscoASA(config)#policy-map rdpmss
CiscoASA(config-pmap)#class rdpmss
CiscoASA(config-pmap-c)#set connection advanced-options mss-map
CiscoASA(config-pmap-c)#exit
CiscoASA(config-pmap)#exit
CiscoASA(config)#service-policy rdpmss interface outside

Refer to the Solutions to Fragmentation Issues section of PIX/ASA 7.x and IOS: VPN Fragmentation in order to learn about the other methods you can use to resolve the MSS problem.

If the RDP session times out after the default TCP connection timeout expires, increase the timeout as shown here:

timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

This command sets the connection timeout value to ten hours (the default is one hour). A longer idle timeout also keeps abandoned sessions in the connection table longer, so apply it only where idle RDP sessions must survive.

Related Information

Cisco PIX 500 Series Security Appliances Support Page
PIX/ASA 7.x and FWSM: NAT and PAT Statements
Technical Support & Documentation - Cisco Systems

Updated: Feb 24, 2011
Document ID: 77869

(c) 2012-2013 Cisco Systems, Inc. All rights reserved.