
New Member

How to create an access rule to connect to a system using RDP


Just started using our ASA 5505 v8.2(1).

Trying to configure the ASA appliance to allow access into an internal resource (i.e. I want to be able to RDP into a system behind the ASA from the internet).

I have used a static NAT:

static (inside,outside) netmask

access-list OUTSIDE extended permit tcp any host eq 3389

When I view the logs it is reporting the following:

Inbound TCP connection denied from (external IP) to /3389 flags SYN on interface outside.

Been pulling my hair out with this one as I believe I have everything configured correctly. New to the world of ASAs, so be nice.





It may help us if you could post your configuration. It will help to see all the access-lists and such that could be denying this connection.



Thanks and Cheers! Kimberly Please remember to rate helpful posts.
New Member



Here it is:

ASA Version 8.2(1)
hostname Burlington-FW
enable password Adl1Gmm8UmMZT0CS encrypted
passwd U7QyKVyA28TBRwD. encrypted
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Vlan3
nameif inside
security-level 100
ip address
interface Vlan4
nameif server
security-level 100
ip address
interface Ethernet0/0
description outside
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
description inside
switchport access vlan 3
speed 100
duplex full
interface Ethernet0/2
description server
switchport access vlan 4
speed 100
duplex full
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
banner motd
banner motd Disconnect IMMEDIATELY if you are not an authorized user!
banner motd
banner motd This system is for the use of Company authorized users only.
banner motd Individuals using this computer system without authority, or in excess of
banner motd their authority, are subject to having all of their activities on this
banner motd system monitored and recorded by system personnel.
banner motd
banner motd Anyone using this system expressly consents to such monitoring and is
banner motd advised that if such monitoring reveals possible evidence of criminal
banner motd activity or conduct, Company system personnel may provide the evidence
banner motd of such monitoring to law enforcement officials.
banner motd
banner motd Users should NOT be using this device to launch denial of service
banner motd attacks or connect unauthorized external networks and systems.
ftp mode passive

clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE extended permit tcp any host eq 3389

access-list OUTSIDE extended permit tcp any host eq ssh
pager lines 24
logging enable
logging monitor alerts
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu server 1500
no failover
icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
nat (inside) 1
static (inside,outside) netmask dns tcp 1000 100
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh X.X.X.X outside
ssh Y.Y.Y.Y outside
ssh timeout 10
console timeout 0
dhcpd dns
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username dvvc110 password 6lx6srLwcBTxdQZs encrypted
prompt hostname context
: end

New Member


Try it out by only using the following line.

static (inside,outside) netmask

remove the DNS keyword and the tcp 1000 100.

Check and reply back.

New Member



Just updated the config. Received the same result when trying to RDP to


New Member


Hello Brandon,

Try out the following line:

static (inside,outside) tcp 3389 3389 netmask
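An added check, not part of the thread: the config posted above defines access-list OUTSIDE but never applies it with an access-group line on the outside interface, and an unbound ACL filters nothing, so the ASA's default deny for outside-to-inside traffic keeps logging the "Inbound TCP connection denied ... flags SYN" message. The Python linter below, written for this page with constructed placeholder addresses in place of the redacted ones, flags that gap and also flags RDP or SSH permitted from any source.

```python
import re

# Constructed sample mirroring the posted config: the ACL is defined, the
# static NAT exists, but no access-group binds the ACL to 'outside'.
# Addresses are documentation placeholders (the original post redacted them).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif inside
 security-level 100
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 3389
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq ssh
static (inside,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
MGMT_PORTS = {"3389", "ssh", "22", "telnet", "23"}  # remote-access services


def lint_asa_config(text):
    """Return findings: ACLs never applied, and management ports permitted from any source."""
    acl_names, bound, findings = {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, _proto, rest = m.groups()
            acl_names.setdefault(name, []).append(line)
            # 'permit tcp any host X eq 3389' exposes RDP to every internet source
            if action == "permit" and rest.startswith("any ") and rest.split()[-1] in MGMT_PORTS:
                findings.append(f"{name}: management port open to any source: {line}")
            continue
        m = GROUP_RE.match(line)
        if m:
            bound.add(m.group(1))
    for name in acl_names:
        if name not in bound:
            findings.append(f"{name}: access-list defined but never applied with "
                            "access-group, so inbound traffic stays denied")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print(finding)
```

Adding "access-group OUTSIDE in interface outside" clears the unbound-ACL finding; replacing "any" with the admin host that actually needs RDP clears the exposure findings.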

