04-05-2007 11:05 AM
Our firewall appliance is a Cisco ASA-5510.
I manage many HP thin clients. They come with RDP built in, which is a useful admin tool in certain situations. Unfortunately I can't block certain users on the thin client from using RDP, as the only way to block them from using it is to remove it completely from the thin client.
How can I stop RDP from leaving the inside interface, except for a small group of IPs?
Also, what about RDP connections that are trying to go to non-standard ports (not 3389)?
04-05-2007 12:41 PM
Hi
When you say "leave the inside interface", do you mean traffic going out through the ASA?
If so, you would need to apply an access-list in the inside interface:
access-list acl_inside permit tcp host "IP allowed 1" any eq 3389
access-list acl_inside permit tcp host "IP allowed 2" any eq 3389
etc. for all allowed IPs.
access-list acl_inside deny tcp any any eq 3389
access-list acl_inside permit ip any any
Note - the last entry is so you don't interfere with other non-RDP traffic. I don't know what your policy is on traffic allowed outbound.
As far as non-standard RDP connections go, I don't think the PIX has a fixup command for RDP, so you would need to know the other ports used and add those to your access-list.
HTH
Jon
04-05-2007 02:11 PM
Jon, yes, I need to block outgoing RDP for all the thin clients. However, since I found out some "rogue" users are accessing outside RDP via non-standard ports, I would like to just block all outside access to those thin clients.
How could an ACL block all outside access to a specific group of IPs, like 10.0.8.0 255.255.255.192?
04-05-2007 09:35 PM
Hi
Okay, using my access-list from the previous post, at the very top you could put:
access-list acl_inside deny ip 10.0.8.0 255.255.255.192 any
This would stop that block of IP addresses from being able to access anything outside.
HTH
Jon
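The first-match ordering that the thread's ACL relies on, as an added example that is not part of any post: a small Python model of acl_inside that checks which outbound flows are permitted. The two permitted admin hosts and all test flows are constructed addresses, and the destination is omitted because every entry uses "any".

```python
import ipaddress

# acl_inside as described in the thread, subnet deny "at the very top".
# Fields: action, protocol, source network/mask, destination port (None = any).
# 10.0.9.10 and 10.0.9.11 are constructed stand-ins for "IP allowed 1/2".
ACL = [
    ("deny",   "ip",  "10.0.8.0/255.255.255.192",   None),
    ("permit", "tcp", "10.0.9.10/255.255.255.255",  3389),
    ("permit", "tcp", "10.0.9.11/255.255.255.255",  3389),
    ("deny",   "tcp", "0.0.0.0/0.0.0.0",            3389),
    ("permit", "ip",  "0.0.0.0/0.0.0.0",            None),
]

def evaluate(acl, src, proto, dport):
    """Return (action, entry index) of the first matching entry.

    Entries are checked top-down and the first match wins; if nothing
    matches, the implicit deny at the end of every ACL applies.
    """
    addr = ipaddress.ip_address(src)
    for i, (action, acl_proto, net, port) in enumerate(acl):
        if addr not in ipaddress.ip_network(net):
            continue
        if acl_proto != "ip" and acl_proto != proto:
            continue  # "ip" matches every protocol
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None

def subnet_deny_last(acl):
    """Same entries, but with the subnet deny appended at the bottom."""
    return acl[1:] + acl[:1]

if __name__ == "__main__":
    flows = [
        ("10.0.8.20", "tcp", 3389),  # thin client, standard RDP port
        ("10.0.8.20", "tcp", 8443),  # thin client, RDP on another port
        ("10.0.9.10", "tcp", 3389),  # permitted admin host
        ("10.0.9.50", "tcp", 3389),  # other inside host, standard port
        ("10.0.9.50", "tcp", 8443),  # other inside host, other port
    ]
    for flow in flows:
        print(flow, "top:", evaluate(ACL, *flow),
              "bottom:", evaluate(subnet_deny_last(ACL), *flow))
```

With the subnet deny at the bottom, the thin client's connection on port 8443 matches the `permit ip any any` entry first and gets out, which is why the entry has to sit above it.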