Monday, 14 May 2012

RDP to Multiple Servers with a Cisco PIX/ASA Firewall
Problem
You want to connect via "Remote Desktop" (RDP, TCP port 3389) to multiple servers behind your firewall. There are three ways to do this, depending on how many public IP addresses you have. Whichever you choose, permit the RDP port only from the addresses you administer from rather than from "any"; RDP open to the whole Internet is a standing target for password guessing, and the ACL is the only thing standing between the Internet and your servers' logon screens.
Solution
Option 1 (Use if you have multiple free Public IP addresses)
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", and create a name entry for each server's public and private address.
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External
Now allow RDP to both of the servers with an access control list and apply that access control list to the outside interface. (Note: if you already have an inbound ACL, substitute its name for "inbound".) The ACL alone is not enough: each public address also needs a static translation to its internal server, configured with the same static command that Options 2 and 3 use for port forwarding.
Petes-ASA(config)# access-list inbound extended permit tcp any host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside
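The commands above leave out the translation that actually delivers packets sent to the public addresses to the servers. Below is a complete version of Option 1 in the same pre-8.3 PIX/ASA syntax this page uses, added here as an example and not taken from the original post. It keeps the page's addresses, assumes the hosts you connect from are in 198.51.100.0/24 (a placeholder network; substitute your own), translates only TCP 3389 on each public address rather than the whole host, and finishes with the checks you would run afterwards. packet-tracer exists on the ASA (7.2 and later) but not on the PIX.

```cisco
! Option 1, complete (pre-8.3 syntax). Added example; server addresses follow
! the page, 198.51.100.0/24 is a placeholder for the network you administer from.
names
name 192.168.1.1 Server1-Internal
name 192.168.1.2 Server2-Internal
name 123.123.123.123 Server1-External
name 123.123.123.124 Server2-External
!
! Port statics: only TCP 3389 on each public address is translated, so a
! mistake in the ACL cannot expose any other service on the servers.
static (inside,outside) tcp Server1-External 3389 Server1-Internal 3389 netmask 255.255.255.255
static (inside,outside) tcp Server2-External 3389 Server2-Internal 3389 netmask 255.255.255.255
!
! Inbound ACL: permit RDP only from the admin network, never from any.
access-list inbound extended permit tcp 198.51.100.0 255.255.255.0 host Server1-External eq 3389
access-list inbound extended permit tcp 198.51.100.0 255.255.255.0 host Server2-External eq 3389
access-group inbound in interface outside
!
! Verification (from enable mode):
!   show xlate                 lists the static translations for both servers
!   show access-list inbound   hit counts on the two permit lines climb as you connect
!   packet-tracer input outside tcp 198.51.100.10 40000 123.123.123.123 3389
!     (ASA only) walks the ACL and NAT phases and should end in "Action: allow";
!     repeat with a source outside 198.51.100.0/24 and confirm it ends in "drop".
```

The negative packet-tracer run is the part most people skip: it proves the source restriction is actually being enforced and not shadowed by a broader permit earlier in the same ACL.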
 
Option 2 (Uses port forwarding on the firewall's outside address, with a different port for each server; each server must listen on its own port)
With this option the ASA accepts the connection for each server on a different port of its outside interface address and forwards it to the server on that same port, so each server must be configured to listen on its assigned port (here Server1 on 3389 and Server2 on 3390).
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", then allow each port you are going to use (in this case 3389 and 3390).
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then port forward those ports to the correct internal servers. (If the "inbound" ACL is not already applied to the outside interface, apply it with the access-group command shown in Option 1.)
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255
 
Option 3 (Uses port forwarding on the firewall's outside address with port translation, so every server keeps listening on 3389)
This differs from Option 2 because here the firewall translates each incoming port to RDP's default port 3389 before sending it to the correct server, so the servers themselves need no reconfiguration.
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then port forward AND translate those ports to the correct internal servers. (Note the final port of 3389 in the second line: outside port 3390 becomes 3389 on Server2. As in Option 2, the "inbound" ACL must be applied to the outside interface with access-group if it is not already.)
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
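The static command used on this page was removed in ASA 8.3, so the lines above will not paste into a current ASA. Below is Option 3 (all servers keep listening on 3389) rewritten for ASA 8.3 and later, added here as an example and not part of the original post. It uses the page's server addresses, again assumes a placeholder admin network of 198.51.100.0/24, and assumes the outside interface address is 123.123.123.123 for the packet-tracer line. Two things change in 8.3+: NAT is configured inside network objects, and the inbound ACL matches the real (untranslated) address and real port, so both permit lines say 3389 even though Server2 is reached on 3390 from outside. Writing 3390 in the ACL is the most common reason this configuration "does not work" after an upgrade.

```cisco
! Option 3 for ASA 8.3+ (added example). Outside port 3390 is translated to
! 192.168.1.2:3389, so neither server is reconfigured. 198.51.100.0/24 is a
! placeholder admin network; 123.123.123.123 is the assumed outside address.
object network Server1-Internal
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 3389 3389
object network Server2-Internal
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3389 3390
!
object-group network ADMIN-HOSTS
 network-object 198.51.100.0 255.255.255.0
!
! 8.3+ ACLs are written against the REAL address and REAL port: the
! untranslated destination for both servers is <server>:3389, never 3390.
access-list inbound extended permit tcp object-group ADMIN-HOSTS object Server1-Internal eq 3389
access-list inbound extended permit tcp object-group ADMIN-HOSTS object Server2-Internal eq 3389
access-group inbound in interface outside
!
! Verification:
!   show nat detail            translate_hits / untranslate_hits per NAT rule
!   packet-tracer input outside tcp 198.51.100.10 40000 123.123.123.123 3390
!     should show an UN-NAT phase to 192.168.1.2/3389 and end in "Action: allow";
!     the same command with a source outside 198.51.100.0/24 should end in "drop".
```

For Option 2 on 8.3+, change the second nat line to `service tcp 3390 3390` and the second ACL line to `eq 3390`, since the real port on Server2 is then 3390 as well.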
