ASA Static route for RDP

Posted on 2009-02-22
Last Modified: 2012-05-07
I'm having trouble setting up access to an internal server for RDP.

I have a block of IPs on a /27: .97-.126
The router is on

I have an internal server on, and I want access to it from the internet on. To begin I want to add RDP access on 3389 to start, but I am stumped. I plan to open up other ports for a web server, etc.

For this I created these 3 config lines:
access-list rdp extended permit tcp any host eq 3389
static (inside,outside) netmask
access-group rdp in interface outside

When I ping the outside IP I am not seeing any activity in the syslog. I must have something wrong.
ASA Version 7.2(3)

hostname B-ASA

enable password eQWIsP.AIf4tBrGw encrypted

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address

interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd eQWIsP.AIf4tBrGw encrypted
ftp mode passive
dns server-group DefaultDNS

access-list rdp extended permit tcp any host eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1
static (inside,outside) netmask
access-group rdp in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh inside
ssh outside
ssh timeout 20
ssh version 2
console timeout 0

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
prompt hostname context

: end


Question by: gbosko

    Accepted Solution

    Hello gbosko,
        The config looks fine. Can you confirm if can be RDPed from an inside host? If any software firewall is enabled, like Windows Firewall, please make sure you set the exceptions accordingly.
        If you have access to the router, run "telnet 3389" and check if it says open.


    Author Comment

    I do not have access to the router. It is part of the managed T1 line.

    The firewall on the OS is disabled.
    I can RDP from the inside.

    Assisted Solution

    Since ping isn't part of TCP but of IP, you need to explicitly allow ICMP.

    This is the config I use to make ICMP traverse the ASA.
    object-group icmp-type Good-ICMP
     icmp-object echo
     icmp-object echo-reply
     icmp-object time-exceeded
     icmp-object traceroute
     icmp-object unreachable

    access-list rdp extended permit icmp any any object-group Good-ICMP
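
A consistency check for the question's three config lines together with Donboo's ICMP point above, written as an added example for this page and not taken from the thread. It assumes pre-8.3 ASA syntax (the interface ACL names the mapped, public address) and uses made-up RFC 5737 addresses, since the post's real ones are not shown.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample (made-up RFC 5737 addresses; the post's own are not shown).
GOOD = """
access-list rdp extended permit tcp any host 203.0.113.100 eq 3389
access-list rdp extended permit icmp any any object-group Good-ICMP
static (inside,outside) 203.0.113.100 192.0.2.10 netmask 255.255.255.255
access-group rdp in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
TCP_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)$")
ICMP_RE = re.compile(r"^access-list (\S+) extended permit icmp\b")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def check_publish(config, port="3389", public_block="203.0.113.96/27"):
    """Sorted finding codes for a pre-8.3 ASA static-NAT publish of `port`: ACL must
    name the mapped address, be bound on the mapped interface, and permit ICMP."""
    statics, rules, icmp_acls, bound = {}, [], set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped_ip, real_ip = m.group(1, 2, 3, 4)
            statics[mapped_ip] = (real_ip, real_ifc, mapped_ifc)   # pre-8.3 order
        elif m := TCP_RE.match(line):
            rules.append(m.groups())                 # (acl, dst_host, port)
        elif m := ICMP_RE.match(line):
            icmp_acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)           # acl -> interface
    findings = set()
    real_ips = {real for real, _, _ in statics.values()}
    mapped_ifcs = {ifc for _, _, ifc in statics.values()}
    rules = [r for r in rules if r[2] == port]
    if not rules:
        findings.add("no-rule-for-port")
    for acl, dst, _ in rules:
        if dst in real_ips:                          # the classic pre-8.3 mistake
            findings.add("acl-uses-real-ip")
        elif dst not in statics:
            findings.add("acl-dst-has-no-static")
        if bound.get(acl) not in mapped_ifcs:
            findings.add("acl-not-bound-on-mapped-ifc")
        if acl not in icmp_acls:                     # the assisted answer's point
            findings.add("no-icmp-permit")
    for mapped_ip in statics:
        if ip_address(mapped_ip) not in ip_network(public_block):
            findings.add("mapped-ip-outside-block")
    return sorted(findings)
```

An empty list means the three lines agree with each other; it cannot detect the thread's actual root cause (another device answering for the same external IP), which only shows up on the wire.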

    Author Comment

    Donboo, thanks for the ICMP config. However, I'm still not able to connect. It's like the ASA doesn't know that it is supposed to see outside IP.

    When I ping or try to RDP, nothing shows up in the syslog.

    Author Comment

    Fixed. Another firewall was unknowingly using the external IP I was trying to use.
