
Restrict RDP access with local credentials

qbakies11
Level 1

I have a client who is using an ASA5510 and wants to limit RDP access to a specific server by login credentials.  They don't use any AAA servers for authentication now, just local accounts created on the firewall.  Configuring the static NAT and the ACL to allow RDP to the server from the outside isn't an issue but I don't know how to make the firewall check for credentials before it allows the connection.  Is this possible?  If so, can I use local users?

2 Replies

Hi,

It seems that you're looking for the ASA Firewall Session Authentication feature (cut-through proxy features on PIX).

It requires the user to authenticate before passing any traffic through the ASA.

The only issue is that you do need an AAA server.  Can't be done against the local database.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

Federico.

Well,

It seems that you can authenticate a user directly against a virtual server (the ASA itself), via HTTP/HTTPS, telnet or FTP to be able to redirect it to any other service.

Take a look:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html#wp1046750

Federico,
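
Added example, not part of either reply and not taken from the linked Cisco documents: a sketch of the virtual Telnet approach mentioned above, in ASA 8.2-style syntax. All addresses, the ACL names and the account name are constructed; it assumes the `LOCAL` keyword of `aaa authentication match` is used to select the firewall's local user database (substitute an AAA server group tag otherwise).

```cisco
! Constructed addresses (assumptions, replace with your own):
!   203.0.113.10 = public address of the RDP server
!   203.0.113.11 = unused public address for the virtual Telnet server
!   192.168.1.10 = inside address of the RDP server

! Local account the remote user authenticates with (placeholder password)
username rdpuser password <PLACEHOLDER>

! Static NAT for the RDP server, plus an identity static for the
! virtual Telnet address so inbound users can reach it
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 203.0.113.11 netmask 255.255.255.255

! Interface ACL: permit RDP to the server and Telnet to the virtual address
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 3389
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.11 eq telnet
access-group OUTSIDE-IN in interface outside

! Traffic that must be authenticated. The ASA cannot prompt inside an RDP
! session, so RDP stays blocked until the user has logged in through the
! virtual Telnet address from the same source IP.
access-list RDP-AUTH extended permit tcp any host 203.0.113.10 eq 3389
access-list RDP-AUTH extended permit tcp any host 203.0.113.11 eq telnet

! Authenticate matching traffic on the outside interface (LOCAL = assumption)
aaa authentication match RDP-AUTH outside LOCAL
virtual telnet 203.0.113.11

! Force re-authentication after 30 minutes regardless of activity
timeout uauth 0:30:00 absolute
```

Telnet to the virtual address carries the username and password unencrypted, and the resulting authorization is tied to the source IP address, so anyone behind the same NAT address shares it. `show uauth` lists the currently authenticated users and `clear uauth` drops them.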
