
Cisco ASA 5505 How to allow inbound RDP to multiple hosts?

Asked by workforceinsight
We currently have one Cisco ASA 5505, configured to allow RDP from the internet to one server behind the firewall; we need to allow more servers to RDP directly through the firewall without requiring a user to connect to our VPN. Current configuration below. How can we do this?

I have removed private info from the below config:

hostname asa
name InterfaceIP
name ISA_Outside
name Sharepoint_Outside
name googdns
name PDC01
name PDC02
name rdpserver
name feedback
interface Vlan1
 nameif inside
 security-level 100
 ip address
 rip send version 2
 rip receive version 2
 no shut
interface Vlan2
 nameif outside
 security-level 0
 ip address InterfaceIP
 no shut
interface Ethernet0/0
no shut
interface Ethernet0/1
switchport access vlan 2
no shut
interface Ethernet0/2
switchport access vlan 2
no shut
interface Ethernet0/3
no shut
interface Ethernet0/4
no shut
interface Ethernet0/5
no shut
interface Ethernet0/6
no shut
interface Ethernet0/7
no shut
boot system disk0:/asa804-k8.bin
asdm image disk0:/asdm-61557.bin
no asdm history enable
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server PDC01
 name-server googdns
no same-security-traffic permit inter-interface
object-group service Demigod udp
 port-object range 6002 6022
access-list outside_access_in remark Allow ICMP
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outbound extended permit gre any any
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit tcp any host PDC02 eq pptp
access-list acl-out extended permit gre any any
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 4400
cl config dhcpd
no dhcpd enable inside
dhcpd auto_config outside
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp Sharepoint_Outside www App04 www netmask
static (inside,outside) tcp Sharepoint_Outside https App04 https netmask
static (inside,outside) tcp Sharepoint_Outside smtp App04 smtp netmask
static (inside,outside) tcp ISA_Outside www ISA www netmask
static (inside,outside) tcp interface 3389 rdpserver 3389 netmask
static (inside,outside) tcp interface ftp wfiftp ftp netmask
static (inside,outside) tcp interface ldap PDC01 ldap netmask
static (inside,outside) tcp interface pptp PDC01 pptp netmask
static (inside,outside) tcp ISA_Outside https rdpserver https netmask
static (inside,outside) tcp interface 5067 rdpserver 5067 netmask
static (inside,outside) tcp interface 5066 rdpserver 5066 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 50
ssh outside
ssh timeout 50
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server source outside prefer
class-map Sharepoint
class-map inspection_default
 match default-inspection-traffic
class-map ef_traffic
 match dscp ef
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map outbound-qos
 class Sharepoint
 class class-default
  police input 1400000
service-policy global_policy global
prompt hostname context
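An added example, not from the thread or its answer, of how the existing single-IP static PAT pattern (the `interface 3389 rdpserver 3389` line) extends to further hosts: because only the one outside address `InterfaceIP` is available, each extra server is published on a distinct outside port that the ASA translates back to 3389 inside. It uses the pre-8.3 `static` syntax matching the asa804 image in the posted config; the host names `rdpserver2`/`rdpserver3`, their addresses, and the `rdp_sources` object group are constructed placeholders.

```cisco
! Constructed inside hosts (placeholder RFC 1918 addresses, not from the config)
name 192.168.1.12 rdpserver2
name 192.168.1.13 rdpserver3
!
! One outside IP, so map a different outside port to 3389 on each inside host:
! InterfaceIP:3390 -> rdpserver2:3389, InterfaceIP:3391 -> rdpserver3:3389
static (inside,outside) tcp interface 3390 rdpserver2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 rdpserver3 3389 netmask 255.255.255.255
!
! Constructed source range (TEST-NET-3) standing in for the office/partner
! egress addresses that should be the only ones allowed to reach RDP
object-group network rdp_sources
 network-object 203.0.113.0 255.255.255.0
!
! Pre-8.3 ACLs match the mapped (outside) address and port
access-list outside_access_in remark RDP to published servers, restricted by source
access-list outside_access_in extended permit tcp object-group rdp_sources host InterfaceIP eq 3389
access-list outside_access_in extended permit tcp object-group rdp_sources host InterfaceIP eq 3390
access-list outside_access_in extended permit tcp object-group rdp_sources host InterfaceIP eq 3391
```

Clients then connect to `InterfaceIP:3390` and `InterfaceIP:3391` in the RDP client. The source restriction only takes effect if the existing `permit ip any any` and `permit tcp any any` entries in `outside_access_in` are removed, since those already admit every inbound port.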