  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 405

Create ACL to block port 3389


I'm trying to learn a little about ACLs on an ASA 5505 appliance. I have everything set up in a standard way with inside, outside, and DMZ. I can reach all devices that I am supposed to according to security levels, and NAT is set up correctly.

What I'm trying to do is test some ACLs by restricting the RDP port on interface dmz from inside. When I create the ACL I do not see a TCP service for RDP (3389), so I created one.

When I apply the ACL it doesn't deny the traffic.

Can someone point me in the right direction?
1 Solution
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Are you trying to deny from inside to DMZ or DMZ to inside?

Can you post your running-config (remove IPs and passwords and anything else that could provide someone with sensitive information)?
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
To deny inside to outside it would be:

! port-object lines belong in an object-group, which is also what the ACE below references
object-group service tcp_rdp tcp
  port-object eq 3389

! a TCP port group requires the protocol keyword in the ACE
access-list inside_access_in extended deny tcp any any object-group tcp_rdp
! the list only takes effect once it is bound inbound on the inside interface
access-group inside_access_in in interface inside

You can change the any any to source and destination network object groups as needed.

This is also assuming you have an access list named inside_access_in. If it is something different you will need to adjust.
spinoza156 (Author) commented:
Thanks Daniel.

I got it to work. The problem wasn't so much the commands as where I was trying to enforce the ACL.

Originally I was applying the ACL to the DMZ interface. The ACL was to deny from source (inside) to destination (DMZ).

Once I figured out that the ACL needs to be applied on the inside interface everything worked fine.

I realize now that the nomenclature refers to inbound interface traffic. In this case I want the rule to be applied on traffic going to the inside interface from the inside network, and not after it leaves the inside interface.

I hope that makes sense.
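The working layout described in this comment, written out as an added example (this is not the original poster's or Daniel's configuration). The interface names inside and dmz follow the thread; the 192.168.1.0/24 and 192.168.2.0/24 networks, the object names and the ASA 8.3+ object syntax are assumptions for the example:

```cisco
! Added example: block RDP from the inside network to the DMZ on an ASA (8.3+ syntax).
! Networks and object names are placeholders chosen for this example.
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network dmz-net
 subnet 192.168.2.0 255.255.255.0
!
! RDP has no predefined service name on the ASA, so define it as a TCP port group
object-group service rdp-ports tcp
 port-object eq 3389
!
! Deny RDP first; "log" emits syslog 106023 for every flow this ACE drops
access-list inside_access_in extended deny tcp object inside-net object dmz-net object-group rdp-ports log
! Every ACL ends in an implicit deny, so keep the permit that the security levels used to provide
access-list inside_access_in extended permit ip any any
!
! Direction is relative to the ASA: "in" means packets arriving on that interface.
! Inside-to-DMZ traffic enters the ASA on "inside", so this is where the list is bound.
! Binding it "in" on dmz, as first attempted, only inspects packets arriving from DMZ hosts.
access-group inside_access_in in interface inside
```

Two checks confirm the placement: `packet-tracer input inside tcp 192.168.1.10 40000 192.168.2.10 3389` should report a DROP in the ACCESS-LIST phase, and `show access-list inside_access_in` shows the hit count on the deny ACE climbing as blocked attempts arrive. The ASA also accepts `access-group NAME out interface dmz` to filter traffic as it leaves towards the DMZ, but filtering inbound on the interface closest to the source is the conventional choice because the packet is dropped before any further processing.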
spinoza156 (Author) commented:
I figured out the issue myself as per the last comment.
pawan sohetra commented:
I want to block port 3389 on my ASA 5100. I did NATting to share a local server to the internet, but now I want to block its remote access via the internet.
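The same technique for a server published through a static NAT, as an added example rather than an answer from the thread. It uses the thread's ASA 8.3+ object syntax; the server address 192.168.2.10, the mapped address 203.0.113.10, the interface names and the object names are placeholders:

```cisco
! Added example: a DMZ server published to the internet with a static NAT.
! Only HTTPS should be reachable from outside; RDP is denied and logged.
object network web-server
 host 192.168.2.10
 nat (dmz,outside) static 203.0.113.10
!
object-group service rdp-ports tcp
 port-object eq 3389
!
! On ASA 8.3 and later an ACL matches the real (untranslated) address, so the
! ACE names the object with 192.168.2.10, not the mapped 203.0.113.10.
! The explicit deny is redundant with the implicit deny but gives a hit counter
! and a syslog 106023 entry per attempt, which is useful for monitoring.
access-list outside_access_in extended deny tcp any object web-server object-group rdp-ports log
access-list outside_access_in extended permit tcp any object web-server eq 443
!
! Traffic from the internet enters the ASA on "outside", so the list is bound there.
access-group outside_access_in in interface outside
```

`packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 3389` (source address is a placeholder) walks the flow through UN-NAT and then the ACL and should end in a DROP, while the same command with destination port 443 should be allowed.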