Allow Remote Desktop Protocol Connection through the Security Appliance

Allow Remote Desktop Protocol Connection through the Security Appliance

RDP is a multi−channel protocol that allows a user to connect to a computer that runs Microsoft Terminal Services. Clients exist for most versions of Windows, and other operating systems such as Linux, FreeBSD, and Mac OS X. The server listens on TCP port 3389 by default.


In this configuration example, the security appliance is configured to allow an RDP client on the Internet to connect to an RDP server PC on the inside interface. The security appliance performs address translation and the client connects to the host using a static mapped external IP address.


Configurations
This section shows the security appliance configuration. RDP traffic from host 172.16.1.2 on the Internet is permitted to host 10.1.1.5 on the inside network which listens on port 3389 through static mapped IP address 192.168.1.5.





Perform these steps:
· Configure static NAT in order to redirect the RDP traffic received on the outside interface to the inside host.
· Create an access control list (ACL) that permits RDP and apply it to the outside interface.


Note:- Because NAT is performed by the security appliance, the ACL must permit access to the
mapped IP address of the RDP server; not the real IP address.
·
Note: The IP address (192.168.1.5) used for static mapping should be in the same subnet as the outside interface IP address.




ASA#show running−config
: Saved
:
ASA Version 7.2(1)
!
hostname ASAfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif inside
security−level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1
nameif outside
security−level 0
ip address 192.168.1.2 255.255.255.0
access−group 110 in interface outside
!
!−−− This access−list allows the RDP traffic sourced from 172.16.1.2
!−−− to destination 192.168.1.5 with TCP port 3389.


access−list 110 extended permit tcp host 172.16.1.2 host 192.168.1.5 eq 3389
!−−− This staic NAT statement redirects the traffic destined for
!−−− IP address 192.168.1.5 to host IP address 10.1.1.5.


static (inside,outside) 192.168.1.5 10.1.1.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!−−− Output is suppressed.