Block RDP that uses non-standard port

Unanswered Question

Our firewall appliance is a Cisco ASA-5510.


I manage many HP thin clients. They come with RDP built in, which is a useful admin tool in certain situations. Unfortunately I can't block certain users on the thin client from using RDP, as the only way to block them from using it is to remove it completely from the thin client.


How can I stop RDP from leaving the inside interface, except for a small group of IPs?


Also, what about RDP connections that are trying to go to non-standard ports (not 3389)?

Jon Marshall Thu, 04/05/2007 - 12:41
Hi


When you say "leave the inside interface", do you mean traffic going out through the ASA?


If so, you would need to apply an access-list on the inside interface:


access-list acl_inside permit tcp host "IP allowed 1" any eq 3389

access-list acl_inside permit tcp host "IP allowed 2" any eq 3389

etc. for all allowed IPs.

access-list acl_inside deny tcp any any eq 3389

access-list acl_inside permit ip any any

access-group acl_inside in interface inside


Note - the last entry is so you don't interfere with other non-RDP traffic. I don't know what your policy is on traffic allowed outbound.


As for non-standard RDP connections, I don't think the PIX has a fixup command for RDP, so you would need to know the other ports used and add those to your access-list.


HTH


Jon

Jon, yes, I need to block outgoing RDP for all the thin clients. However, since I found out some "rogue" users are accessing outside RDP via non-standard ports, I would like to just block all outside access to those thin clients.


How could an ACL block all outside access to a specific group of IPs, like 10.0.8.0 255.255.255.192?

Jon Marshall Thu, 04/05/2007 - 21:35

Hi


Okay, using my access-list from the previous post, at the very top you could put:


access-list acl_inside line 1 deny ip 10.0.8.0 255.255.255.192 any


This would stop that block of IP addresses from being able to access anything outside.


HTH


Jon
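As an added example (not code from the thread or from Cisco), the following Python script simulates first-match evaluation of the ASA-style access-list entries discussed in both replies above, using constructed host addresses. It shows why the port-based deny lets RDP through to a non-standard port like 3390 while the subnet-wide deny from the second reply catches it.

```python
import ipaddress

# Constructed ACL, following the entries from the thread (ASA syntax).
# The subnet deny sits first, as the second reply places it "at the very top".
# Host addresses 10.0.1.10 / 10.0.1.11 are assumed admin workstations.
ACL_INSIDE = [
    "access-list acl_inside deny ip 10.0.8.0 255.255.255.192 any",
    "access-list acl_inside permit tcp host 10.0.1.10 any eq 3389",
    "access-list acl_inside permit tcp host 10.0.1.11 any eq 3389",
    "access-list acl_inside deny tcp any any eq 3389",
    "access-list acl_inside permit ip any any",
]


def _parse_addr(tokens):
    """Consume one address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs take a regular subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list NAME ACTION PROTO SRC DST [eq PORT]' entry."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest and rest[0] == "eq" else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl, src_ip, dst_ip, proto, dport):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"
```

Run `evaluate(ACL_INSIDE, "10.0.1.50", "203.0.113.5", "tcp", 3390)` to see the non-standard-port case slip past the port-based entries, and the same flow from 10.0.8.20 to see the subnet deny stop it.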
