workforceinsight (United States of America) asked:
Cisco ASA 5505 How to allow inbound RDP to multiple hosts?

We currently have one Cisco ASA 5505, configured to allow RDP from the internet to one server behind the firewall; we need to allow RDP directly through the firewall to more servers without requiring a user to connect to our VPN. Current configuration below. How can we do this?

I have removed private info from the below config:

!
hostname asa
!
names
name xxx.xxx.xxx.xxx InterfaceIP
name xxx.xxx.xxx.xxx ISA_Outside
name xxx.xxx.xxx.xxx Sharepoint_Outside
name 8.8.8.8 googdns
name 10.0.0.70 PDC01
name 10.0.0.80 PDC02
name 10.0.0.55 rdpserver
name 10.0.0.48 feedback
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
 rip send version 2
 rip receive version 2
 no shut
!
interface Vlan2
 nameif outside
 security-level 0
 ip address InterfaceIP 255.255.255.248
 no shut
!
interface Ethernet0/0
no shut
!
interface Ethernet0/1
switchport access vlan 2
no shut
!
interface Ethernet0/2
switchport access vlan 2
no shut
!
interface Ethernet0/3
no shut
!
!
interface Ethernet0/4
no shut
!
!
interface Ethernet0/5
no shut
!
!
interface Ethernet0/6
no shut
!
!
interface Ethernet0/7
no shut
!
!
boot system disk0:/asa804-k8.bin
asdm image disk0:/asdm-61557.bin
no asdm history enable
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
!
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server PDC01
 name-server googdns
!
no same-security-traffic permit inter-interface
object-group service Demigod udp
 port-object range 6002 6022
access-list outside_access_in remark Allow ICMP
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outbound extended permit gre any any
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit tcp any host PDC02 eq pptp
access-list acl-out extended permit gre any any
!
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 4400
!
cl config dhcpd
no dhcpd enable inside
dhcpd auto_config outside
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
static (inside,outside) tcp Sharepoint_Outside www App04 www netmask 255.255.255.255
static (inside,outside) tcp Sharepoint_Outside https App04 https netmask 255.255.255.255
static (inside,outside) tcp Sharepoint_Outside smtp App04 smtp netmask 255.255.255.255
static (inside,outside) tcp ISA_Outside www ISA www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 rdpserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp wfiftp ftp netmask 255.255.255.255
static (inside,outside) tcp interface ldap PDC01 ldap netmask 255.255.255.255
static (inside,outside) tcp interface pptp PDC01 pptp netmask 255.255.255.255
static (inside,outside) tcp ISA_Outside https rdpserver https netmask 255.255.255.255
static (inside,outside) tcp interface 5067 rdpserver 5067 netmask 255.255.255.255
static (inside,outside) tcp interface 5066 rdpserver 5066 netmask 255.255.255.255
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
!
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 50
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 50
console timeout 0
!
!
priority-queue outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 72.18.205.156 source outside prefer
!
!
xxx.xxx.xxx.xxx CONTENT REMOVED
!
!
class-map Sharepoint
class-map inspection_default
 match default-inspection-traffic
class-map ef_traffic
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map outbound-qos
 class Sharepoint
  priority
 class class-default
  police input 1400000
!
service-policy global_policy global
prompt hostname context
!END
Keith Alabaster (United Kingdom):

Need either multiple IP addresses, one for each host,
OR
use a port other than 3389 for systems 2, 3 and 4, such as 3390, 3391 and 3392,
OR
look at providing a terminal services server to do it for you....
What are the ip addresses of the servers?
workforceinsight (asker):
fgasimzade:

If referring to the internal servers, they are:
  10.0.0.55 (currently TCP port 3389 routes here)
  and 10.0.0.48 (one of the desired target servers for TCP port 3389)

When you get fed up answering queries on your question, let me know and we can move on with the option you choose to pursue.

keith_alabaster:

Option 2: alternate RDP port... I've configured 10.0.0.48 to listen for incoming RDP connections on port 3390. I confirmed that from inside the firewall this works fine by adding ":3390" to my server name/IP string in the Remote Desktop client.

So how do I configure the ASA to allow a remote user to do the same thing?
ASKER CERTIFIED SOLUTION by fgasimzade (Azerbaijan)

This solution is only available to members.
While the above should work, I would recommend leaving the servers configured for 3389 and simply using the ASA to do port redirection. This would keep internal RDP access to the servers on the normal port, simplifying access and reducing confusion should the servers be retasked or someone else take over.

Only one small change to the example would be needed, to the translated port (3389):

static (inside,outside) tcp interface 3390 10.0.0.48 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 10.0.0.49 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 10.0.0.50 3389 netmask 255.255.255.255
...etc

KuoH
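The following is an added worked example of the port-redirection approach Keith and KuoH describe above; it is not configuration posted by anyone in the thread. It uses the names already defined in the asker's config (rdpserver = 10.0.0.55, feedback = 10.0.0.48, InterfaceIP = the redacted outside address), the pre-8.3 `static` syntax matching the asker's ASA 8.0(4) image, and assumes feedback is put back to listening on 3389 internally. The source range 203.0.113.0/24, the object-group name RDP_Sources and the ACL name outside_in_v2 are placeholders chosen for the example.

```cisco
! Added example, not part of the thread. Assumes the names from the posted
! config (rdpserver = 10.0.0.55, feedback = 10.0.0.48, InterfaceIP = the
! redacted outside address), ASA 8.0(4) pre-8.3 "static" syntax, and that
! feedback is reverted to listen on 3389 internally.
!
! --- Port redirection: one outside port per internal RDP host -------------
! Outside TCP 3389 on the interface address is already owned by rdpserver,
! so each further host gets its own outside port, all translated to 3389.
static (inside,outside) tcp interface 3389 rdpserver 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 feedback 3389 netmask 255.255.255.255
! A third host would be "interface 3391 <name> 3389", and so on.
! If feedback is left listening on 3390, only the real port changes:
!   static (inside,outside) tcp interface 3390 feedback 3390 netmask 255.255.255.255
!
! --- Inbound ACL ------------------------------------------------------------
! The posted outside_access_in already permits "ip any any" and "tcp any any",
! so 3390 would pass with no ACL change, but that also exposes every static
! to the whole internet. Pre-8.3 ACLs match the translated (outside) address.
! 203.0.113.0/24 is a placeholder for the remote RDP users' source range.
object-group network RDP_Sources
 network-object 203.0.113.0 255.255.255.0
!
access-list outside_in_v2 remark RDP only from known sources
access-list outside_in_v2 extended permit tcp object-group RDP_Sources host InterfaceIP eq 3389
access-list outside_in_v2 extended permit tcp object-group RDP_Sources host InterfaceIP eq 3390
access-list outside_in_v2 remark Services already published by the posted statics
access-list outside_in_v2 extended permit tcp any host Sharepoint_Outside eq www
access-list outside_in_v2 extended permit tcp any host Sharepoint_Outside eq https
access-list outside_in_v2 extended permit tcp any host Sharepoint_Outside eq smtp
access-list outside_in_v2 extended permit tcp any host ISA_Outside eq www
access-list outside_in_v2 extended permit tcp any host ISA_Outside eq https
access-list outside_in_v2 extended permit tcp any host InterfaceIP eq ftp
access-list outside_in_v2 extended permit tcp any host InterfaceIP eq pptp
access-list outside_in_v2 extended permit tcp any host InterfaceIP eq 5066
access-list outside_in_v2 extended permit tcp any host InterfaceIP eq 5067
! The posted config also publishes TCP 389 (ldap) on the interface; carry it
! over only if that exposure is really intended.
access-list outside_in_v2 extended permit tcp any host InterfaceIP eq ldap
access-list outside_in_v2 remark ICMP needed for path MTU discovery and diagnostics
access-list outside_in_v2 extended permit icmp any any echo
access-list outside_in_v2 extended permit icmp any any unreachable
access-list outside_in_v2 extended permit icmp any any time-exceeded
! Binding a new ACL to the same interface and direction replaces the old one.
access-group outside_in_v2 in interface outside
!
! --- Verification -----------------------------------------------------------
! Simulate an inbound RDP connection from a permitted source; the output lists
! each phase (ACCESS-LIST, NAT un-translation to feedback/3389, ...) as ALLOW
! or DROP. Use the literal outside interface address in place of <outside-ip>.
packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 3390 detailed
! After a real connection the translation appears in the xlate table:
show xlate | include 3390
```

Two caveats before copying this. The `static (inside,outside) tcp interface ...` form is the pre-8.3 syntax that matches the asa804 image in the posted config; ASA 8.3 and later replaced it with object NAT, so the same mapping is written differently there. And because RDP is being published straight to the internet, the source restriction in the ACL is the main protection this platform offers against password guessing; the posted `ssh 0.0.0.0 0.0.0.0 outside` line opens SSH management of the ASA itself to any address with LOCAL authentication and deserves the same source restriction.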
Absolutely - don't mess with the servers, else everyone internally will have to redirect their internal clients also.
Alter the external access to server.extdomain.com:3390 etc. and use the ASA to port forward to 3389 on the internal address.
Job done.
Oh well, sorry I was of no help to you.