Create ACL to block port 3389


I'm trying to learn a little about ACLs on an ASA 5505 appliance. I have everything set up in a standard way with inside, outside, and DMZ. I can reach all devices that I am supposed to according to security levels, and NAT is set up correctly.

What I'm trying to do is test some ACLs by restricting the RDP port on the DMZ interface from inside. When I create the ACL I do not see a TCP service for RDP (3389), so I created one.

When I apply the ACL it doesn't deny the traffic.

Can someone point me in the right direction?
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
Are you trying to deny from inside to DMZ or DMZ to inside?

Can you post your running-config (remove IPs and passwords and anything else that could provide someone with sensitive information).
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
To deny inside to outside it would be:

! TCP service object-group for RDP (the ASA has no built-in rdp service keyword)
object-group service tcp_rdp tcp
  port-object eq 3389

! The protocol keyword (tcp) is required when matching a TCP port object-group
access-list inside_access_in extended deny tcp any any object-group tcp_rdp

You can change the any any to source and destination network object groups as needed.

This is also assuming you have an access list named inside_access_in. If it is something different you will need to adjust.
spinoza156 (Author) commented:
Thanks Daniel.

I got it to work. The problem wasn't so much the commands as where I was trying to enforce the ACL.

Originally I was applying the ACL to the DMZ interface. The ACL was to deny from source (inside) to destination (DMZ).

Once I figured out that the ACL needs to be applied on the inside interface everything worked fine.

I realize now that the nomenclature refers to inbound interface traffic. In this case I want the rule to be applied on traffic going to the inside interface from the inside network and not after it leaves the inside interface.

I hope that makes sense.
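A complete configuration for the layout described in this thread, added here as an example (it is not the asker's or Daniel's config): the interface names, addresses and object-group names are assumptions that follow the question's inside/outside/DMZ design. It shows the misplaced binding beside the working one, plus the commands used to confirm the rule is hit.

```text
! Added example, not from the thread. Addresses and names are assumed.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! TCP service group for RDP (no built-in rdp keyword exists)
object-group service tcp_rdp tcp
 port-object eq 3389
!
object-group network dmz_hosts
 network-object 10.10.10.0 255.255.255.0
!
! Deny RDP from inside to the DMZ, then permit everything else.
! An applied ACL ends in an implicit deny, so without the permit
! line all other inside traffic would be dropped too.
access-list inside_access_in extended deny tcp any object-group dmz_hosts object-group tcp_rdp
access-list inside_access_in extended permit ip any any
!
! WRONG placement (what the asker tried first): packets from inside
! hosts never arrive on the dmz interface, so this filter never matches.
!   access-group inside_access_in in interface dmz
!
! CORRECT placement: filter the traffic as it enters the inside interface.
access-group inside_access_in in interface inside
!
! Verification: the deny entry's hit count should rise after a test
! connection, and packet-tracer should report DROP at the ACL phase
! (ports and hosts here are assumed test values).
!   show access-list inside_access_in
!   packet-tracer input inside tcp 192.168.1.10 1025 10.10.10.5 3389
```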

spinoza156 (Author) commented:
I figured out the issue myself as per the last comment.
pawan sohetra commented:
I want to block port 3389 on my ASA 5100. I did NATting to share a local server to the internet, but now I want to block its remote access via the internet.