Block RDP that uses non-standard port

Unanswered Question

Our firewall appliance is a Cisco ASA-5510.

I manage many HP thin clients. They come with RDP built in, which is a useful admin tool in certain situations. Unfortunately I can't block certain users on the thin client from using RDP, as the only way to block them from using it is to remove it completely from the thin client.

How can I stop RDP from leaving the inside interface, except for a small group of ip's?

Also, what about RDP connections that are trying to go to non-standard ports (not 3389)?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Thu, 04/05/2007 - 12:41


When you say "leave the inside interface" do you mean traffic going out through the ASA.

If so you would need to apply an access-list in the inside interface

access-list acl_inside permit tcp host "IP allowed 1" any eq 3389

access-list acl_inside permit tcp host "IP allowed 2" any eq 3389

etc... for all allowed IP's.

access-list acl_inside deny tcp any any eq 3389

access-list permit ip any any

Note - the last entry is so you don't interfere with other non RDP traffic. i don;t know what your policy is on traffic allowed outbound.

As far as non-standard RDP connections. I don't think the pix has a fixup command for RDP so you would need to know the other ports used and add those to your access-list.



Jon, yes, I need to block outgoing RDP for all the thin clients. However, since I found out some "rogue" users are accessing outside rdp via non-standard ports I would like to just block all outside access to those thin clients.

How could an acl block all outside access to a specific group of ip's, like

Jon Marshall Thu, 04/05/2007 - 21:35


Okay, using my access-list from the previous post at the very top you could put

access-list acl_inside deny ip any

This would stop that block of IP address from being able to access anything outside.




This Discussion