02-11-2010 10:14 AM - edited 03-11-2019 10:08 AM
Hello,
I need to be able to find an errant PC on an internal network that is sending RDP traffic outbound.
Has anyone any pointers on this?
I need to log port 3389 from inside to outside.
Thank you.
S.
02-11-2010 11:44 AM
Create an ACL that will go on the inside interface.
access-list find_pc extended permit tcp any any eq 3389 log
access-list find_pc extended permit ip any any
access-group find_pc in interface inside
This will generate a log message when an RDP packet is sent to the outside. You can view the log with
show logging
Is this what you're looking for?
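One way to pull the offending hosts out of the log that the ACL above produces, as an added example that is not part of the original thread. It assumes the ASA's 106100 syslog message format, which is what an ACE with the `log` keyword emits; the sample log lines and addresses are constructed.

```python
import re

# Constructed sample of `show logging` output (addresses are documentation ranges).
SAMPLE_LOG = """\
Feb 11 2010 11:50:01: %ASA-6-106100: access-list find_pc permitted tcp inside/192.168.10.57(49213) -> outside/203.0.113.25(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 11 2010 11:50:03: %ASA-6-302013: Built outbound TCP connection 8841 for outside:203.0.113.25/3389 (203.0.113.25/3389) to inside:192.168.10.57/49213 (198.51.100.2/49213)
Feb 11 2010 11:52:10: %ASA-6-106100: access-list outside_in denied tcp outside/198.51.100.80(40022) -> inside/192.168.10.21(3389) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Feb 11 2010 11:55:01: %ASA-6-106100: access-list find_pc permitted tcp inside/192.168.10.57(49213) -> outside/203.0.113.25(3389) hit-cnt 4 300-second interval [0x1a2b3c4d, 0x0]
Feb 11 2010 11:58:44: %ASA-6-106100: access-list find_pc permitted tcp inside/192.168.10.99(50111) -> outside/203.0.113.77(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
"""

# Matches the ACL-hit message: ACL name, action, protocol,
# source interface/address(port) -> destination interface/address(port), hit count.
ACL_HIT = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)


def rdp_sources(log_text, acl="find_pc", port=3389):
    """Return {source_ip: {"hits": total, "dests": set_of_destinations}}
    for TCP hits on the named ACL whose destination port is `port`."""
    found = {}
    for m in ACL_HIT.finditer(log_text):
        # Ignore other ACLs (e.g. inbound denies) and other ports.
        if m["acl"] != acl or m["proto"] != "tcp" or int(m["dport"]) != port:
            continue
        entry = found.setdefault(m["src"], {"hits": 0, "dests": set()})
        # "first hit" lines carry 1; interval lines carry the hits in that interval.
        entry["hits"] += int(m["hits"])
        entry["dests"].add(m["dst"])
    return found


if __name__ == "__main__":
    ranked = sorted(rdp_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for src, info in ranked:
        print(f"{src}: {info['hits']} hit(s) to {', '.join(sorted(info['dests']))}")
```
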
02-11-2010 12:39 PM
Something easier
Access-list CAPIN permit tcp host PC-IPADDRESS any eq 3389
Access-list CAPIN permit tcp any eq 3389 host PC-IPADDRESS
Capture CAP access-list CAPIN interface INSIDE
Then wait until the PC uses port 3389, and whenever you can, do a SHOW CAPTURE CAP
Hope it helps