Cisco Support Community
Community Member

ASA - cut through proxy authentication for RDP?

I know how to set this up on a router (dynamic access-list - lock and key)... But I'm having trouble understanding how to set up OUTSIDE to INSIDE cut-through proxy authentication for RDP.

OUTSIDE to INSIDE RDP is currently working.

I have 2 servers I want RDP open for..



What's required for OUTSIDE users to authenticate on the ASA before port 3389 is opened to them? What I was hoping for is a way to SSH into this ASA, log in with a special user, then have the ASA add a dynamic ACE on the OUTSIDE interface to open 3389 for a designated time limit. Is this possible?

Here is my current config.


ASA Version 8.2(5)
hostname ASA5505
name LANTraffic
name SALES
name FoodServices
name Management
name Office
name Printshop
name Regional
name Servers
name ShoreTel
name Surveillance
name Wireless
interface Ethernet0/0
description TO INTERNET
switchport access vlan 11
interface Ethernet0/1
description TO INSIDE 3560X
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
no nameif
security-level 50
no ip address
interface Vlan10
description Cisco 3560x
nameif INSIDE
security-level 100
ip address
interface Vlan11
description Internet Interface
nameif OUTSIDE
security-level 0
ip address
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
domain-name test.local
access-list RDP-INBOUND extended permit tcp any host eq 3389
access-list RDP-INBOUND extended permit tcp any host eq 3389
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging device-id hostname
logging host INSIDE
mtu INSIDE 1500
mtu OUTSIDE 1500
ip verify reverse-path interface OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 LANTraffic
static (INSIDE,OUTSIDE) tcp interface 3389 3389 netmask
static (INSIDE,OUTSIDE) tcp 3389 3389 netmask
access-group RDP-INBOUND in interface OUTSIDE
route OUTSIDE 1
route INSIDE LANTraffic 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http Management INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh Management INSIDE
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username scott password CNjeKgq88PLZXETE encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Hall of Fame Super Silver

ASA - cut through proxy authentication for RDP?

You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-list entries specific to users (or object groups containing users).

There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).
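As an added illustration (written for this thread, not taken from the original post or from a Cisco guide), this is what the poster's RDP-INBOUND rule would look like on ASA 8.4(2) or later with Identity Firewall; the server and agent addresses, the TEST domain, the bind DN and the username are constructed placeholders.

```cisco
! Added example for ASA 8.4(2)+ Identity Firewall. All addresses, the
! domain name, the bind account and the user are constructed placeholders.
!
! 1. RADIUS group pointing at the AD Agent / CDA that supplies user-to-IP mappings
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (INSIDE) host 10.0.0.20
 key <agent-shared-secret>
user-identity ad-agent aaa-server ADAGENT
!
! 2. LDAP group used to resolve users and groups in Active Directory
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (INSIDE) host 10.0.0.10
 ldap-base-dn DC=test,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-ldap,CN=Users,DC=test,DC=local
 ldap-login-password <bind-password>
 server-type microsoft
!
! 3. Bind the NetBIOS domain name to the LDAP group and enable the feature
user-identity domain TEST aaa-server AD-LDAP
user-identity default-domain TEST
user-identity enable
!
! 4. The thread's RDP rule, now limited to one AD user on one server
!    (an object-group user would allow a list of users instead)
access-list RDP-INBOUND extended permit tcp user TEST\scott any host 10.0.0.5 eq 3389
access-group RDP-INBOUND in interface OUTSIDE
```

The user qualifier is matched against the connection's source IP, and that user-to-IP mapping is learned only from domain controller logon events relayed by the AD Agent or CDA, so a source that never authenticates to the domain (an arbitrary Internet host on the OUTSIDE interface) has no identity and will not match the rule.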

Community Member

Re: ASA - cut through proxy authentication for RDP?

Thank you..

It seems as though my current ASA 8.2(5) version does not offer the type of authentication features I'm wishing to implement?

I'm beginning to think the only way to deploy a secure RDP on this 8.2(5) is through the ASA Clientless SSL VPN: RDP Plug-in.. Does that seem accurate?

Thanks for your answer..

Re: ASA - cut through proxy authentication for RDP?

Hello, Scott.

The Microsoft RDP protocol can be protected by SSL encapsulation, which Microsoft calls "RD Gateway".

This solution allows you to control access per user/per destination at the same time using SSL for authentication and data protection.

The solution is really scalable.

Hall of Fame Super Silver

Re: ASA - cut through proxy authentication for RDP?

Clientless SSL VPN with the RDP plug-in is viable. It would require Anyconnect Premium licenses though.

You could also do SSL (or IPsec) remote access VPN with an access-list tied to the users (or to a group profile that a set of users is authorized to use).
