Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Block RDP that uses non-standard port

Our firewall appliance is a Cisco ASA-5510.

I manage many HP thin clients. They come with RDP built in, which is a useful admin tool in certain situations. Unfortunately I can't block certain users on the thin client from using RDP, as the only way to block them from using it is to remove it completely from the thin client.

How can I stop RDP from leaving the inside interface, except for a small group of ip's?

Also, what about RDP connections that are trying to go to non-standard ports (not 3389)?

3 REPLIES
Hall of Fame Super Blue

Re: Block RDP that uses non-standard port

Hi

When you say "leave the inside interface" do you mean traffic going out through the ASA.

If so you would need to apply an access-list in the inside interface

access-list acl_inside permit tcp host "IP allowed 1" any eq 3389

access-list acl_inside permit tcp host "IP allowed 2" any eq 3389

etc... for all allowed IP's.

access-list acl_inside deny tcp any any eq 3389

access-list permit ip any any

Note - the last entry is so you don't interfere with other non RDP traffic. i don;t know what your policy is on traffic allowed outbound.

As far as non-standard RDP connections. I don't think the pix has a fixup command for RDP so you would need to know the other ports used and add those to your access-list.

HTH

Jon

New Member

Re: Block RDP that uses non-standard port

Jon, yes, I need to block outgoing RDP for all the thin clients. However, since I found out some "rogue" users are accessing outside rdp via non-standard ports I would like to just block all outside access to those thin clients.

How could an acl block all outside access to a specific group of ip's, like 10.0.8.0 255.255.255.192?

Hall of Fame Super Blue

Re: Block RDP that uses non-standard port

Hi

Okay, using my access-list from the previous post at the very top you could put

access-list acl_inside deny ip 10.0.8.0 255.255.255.192 any

This would stop that block of IP address from being able to access anything outside.

HTH

Jon

1047
Views
0
Helpful
3
Replies