
ASA - cut through proxy authentication for RDP?

Unanswered Question
Feb 27th, 2014

I know how to set this up on a router (dynamic access-list - lock and key)... But I'm having trouble understanding how to set up OUTSIDE to INSIDE cut-through proxy authentication for RDP.


OUTSIDE to INSIDE RDP is currently working.


I have 2 servers I want RDP open for:

  • OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
  • OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200


What's required for OUTSIDE users to authenticate on the ASA before port 3389 is opened? What I was hoping for is a way to SSH into this ASA, log in with a special user, then have the ASA add a dynamic ACE on the OUTSIDE interface to open 3389 for a designated time limit. Is this possible?


Here is my current config.


[code]
ASA Version 8.2(5)
!
hostname ASA5505
names
name 10.10.0.0 LANTraffic
name 10.10.30.0 SALES
name 10.10.40.0 FoodServices
name 10.10.99.0 Management
name 10.10.20.0 Office
name 10.10.80.0 Printshop
name 10.10.60.0 Regional
name 10.10.70.0 Servers
name 10.10.50.0 ShoreTel
name 10.10.100.0 Surveillance
name 10.10.90.0 Wireless
!
interface Ethernet0/0
 description TO INTERNET
 switchport access vlan 11
!
interface Ethernet0/1
 description TO INSIDE 3560X
 switchport access vlan 10
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 security-level 50
 no ip address
!
interface Vlan10
 description Cisco 3560x
 nameif INSIDE
 security-level 100
 ip address 10.10.1.1 255.255.255.252
!
interface Vlan11
 description Internet Interface
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.224
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
 domain-name test.local
access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging device-id hostname
logging host INSIDE 10.10.70.100
mtu INSIDE 1500
mtu OUTSIDE 1500
ip verify reverse-path interface OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 LANTraffic 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
access-group RDP-INBOUND in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http Management 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.10.70.100 255.255.255.255 INSIDE
ssh Management 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username scott password CNjeKgq88PLZXETE encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
: end
[/code]
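For reference, this is what the ASA 8.2 feature that actually goes by the name "cut-through proxy" looks like when applied to the two published RDP endpoints above. It is an added illustration, not configuration from the original post or from any of the replies, and it assumes 1.1.1.3 is an unused address on the OUTSIDE subnet that is routed to the ASA (the virtual Telnet server address), that the LOCAL user database is used for the login, and that the ACL name AUTH-RDP and the account rdp-gate are names chosen for the example. The password value is a placeholder.

```text
! Added example (not from the thread): ASA 8.2 cut-through proxy for RDP.
! Assumptions: 1.1.1.3 is an unused OUTSIDE-subnet address reserved for the
! virtual Telnet server; authentication uses the LOCAL database.
!
! 1. The traffic that must be authenticated before it is permitted: the two
!    published RDP endpoints from the running config.
access-list AUTH-RDP extended permit tcp any host 1.1.1.1 eq 3389
access-list AUTH-RDP extended permit tcp any host 1.1.1.2 eq 3389
!
! 2. Require authentication for that traffic as it arrives on OUTSIDE.
!    RDP is not HTTP, Telnet or FTP, so the ASA cannot prompt inline; the
!    user first authenticates by connecting to the virtual Telnet address,
!    which creates a uauth entry for the user's source IP.
aaa authentication match AUTH-RDP OUTSIDE LOCAL
virtual telnet 1.1.1.3
!
! 3. The interface ACL must still admit the Telnet session to the virtual
!    address (the existing RDP-INBOUND entries for 3389 remain as they are).
access-list RDP-INBOUND extended permit tcp any host 1.1.1.3 eq telnet
!
! 4. The lifetime of the authenticated entry, i.e. the "designated time
!    limit" from the question. This line already exists in the running
!    config; 'absolute' expires the entry whether or not it is in use.
timeout uauth 0:05:00 absolute
!
! 5. A dedicated low-privilege account for the cut-through login, separate
!    from the privilege-15 management account.
username rdp-gate password REPLACE-ME-PLACEHOLDER privilege 1
```

Two properties of this mechanism matter when deciding whether it meets the requirement. The uauth entry is keyed on the source IP address, so once one user behind a NAT has authenticated, every host sharing that address passes the RDP rule until the uauth timer expires; keep the timer short and watch the syslog messages the ASA emits for uauth creation and expiry. The virtual Telnet login itself is cleartext, which is the main reason the replies below steer toward a VPN-based approach rather than this one for Internet-facing users.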

Marvin Rhoads Fri, 02/28/2014 - 06:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-lists entries specific to users (or object groups containing users).


There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

scottjsee Fri, 02/28/2014 - 12:42

Thank you..


It seems as though my current ASA 8.2(5) version does not offer the type of authentication features I'm wishing to implement?


I'm beginning to think the only way to deploy a secure RDP on this 8.2(5) is through the ASA Clientless SSL VPN: RDP Plug-in.. Does that seem accurate?


Thanks for your answer..

Vasilii Mikhail... Sat, 03/01/2014 - 05:44
User Badges:
  • Gold, 750 points or more

Hello, Scott.


The Microsoft RDP protocol can be protected by SSL encapsulation, which Microsoft calls "RD Gateway".

This solution allows you to control access per user/per destination at the same time using SSL for authentication and data protection.

The solution is really scalable.

Marvin Rhoads Sat, 03/01/2014 - 12:11
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Clientless SSL VPN with the RDP plug-in is viable. It would require Anyconnect Premium licenses though.


You could also do SSL (or IPsec) remote access VPN with an access-list tied to the users (or to a group profile that a set of users are authorized to use).
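The per-user access-list the reply refers to is applied on the ASA with a VPN filter in a group policy. The fragment below is an added example of that authorization step in ASA 8.2 syntax; it is not configuration from the thread. It assumes a working remote-access VPN already exists (address pool, tunnel-group, AnyConnect image or IPsec policy are not shown), and the names RDP-ONLY and RDP-ADMINS are invented for the example. The inside addresses are the two servers from the original post.

```text
! Added example (not from the thread): restrict a remote-access VPN user to
! RDP on two servers, ASA 8.2 syntax. Assumes the VPN itself (pool,
! tunnel-group, svc image or IPsec policy) is already configured.
!
! What an authenticated VPN user may initiate through the tunnel: RDP to the
! two servers and nothing else. 'any' as the source avoids depending on
! which pool address the client was assigned.
access-list RDP-ONLY extended permit tcp any host 10.10.70.100 eq 3389
access-list RDP-ONLY extended permit tcp any host 10.10.50.200 eq 3389
!
! Group policy carrying the filter; every user mapped to it inherits it.
group-policy RDP-ADMINS internal
group-policy RDP-ADMINS attributes
 vpn-tunnel-protocol svc IPSec
 vpn-filter value RDP-ONLY
 vpn-simultaneous-logins 1
 vpn-idle-timeout 15
!
! Per-user authorization: bind the existing account to the restricted policy.
! Users not mapped to RDP-ADMINS fall back to whatever the default group
! policy of their tunnel-group allows.
username scott attributes
 vpn-group-policy RDP-ADMINS
```

Unlike the cut-through proxy, this ties the permission to an authenticated, encrypted session rather than to a source IP address, and the session terminates when the user disconnects or the idle timer fires. The `vpn-filter` ACL is evaluated for traffic in both directions of the tunnel, which is why the example keeps the source as `any` and pins only the destination host and port.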
