Document ID: 77869
Updated: Feb 24, 2011
Introduction
This document describes how to allow Remote Desktop Protocol (RDP) connections through a Cisco Security Appliance.
RDP is a multi-channel protocol that allows a user to connect to a computer that runs Microsoft Terminal Services. Clients exist for most versions of Windows, and other operating systems such as Linux, FreeBSD, and Mac OS X. The server listens on TCP port 3389 by default.
In this configuration example, the security appliance is configured to allow an RDP client on the Internet to connect to an RDP server PC on the inside interface. The security appliance performs address translation and the client connects to the host using a static mapped external IP address.
Prerequisites
Requirements
This document assumes that the Cisco PIX Firewall is fully operational and configured. Also, all initial configurations are made and the hosts should have end-to-end connectivity.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Adaptive Security Appliances (ASA) 5500 Series Security Appliance with software version 8.2(1)
- Cisco Adaptive Security Device Manager version 6.3(5)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Related Products
- Cisco PIX 500 Series Security Appliance with software version 7.x
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the security appliance to allow the Remote Desktop Protocol (RDP) traffic to pass through.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which have been used in a lab environment.
Configurations
This section shows the security appliance configuration. RDP traffic from host 20.1.1.10 on the Internet is permitted to the RDP server at 172.16.11.10 on the inside network, which listens on port 3389, through the static mapped IP address 209.165.200.10.
Perform these steps:
- Configure static NAT in order to redirect the RDP traffic received on the outside interface to the inside host.
- Create an access control list (ACL) that permits RDP and apply it to the outside interface.
Note: Because NAT is performed by the security appliance, the ACL must permit access to the mapped IP address of the RDP server; not the real IP address.
Note: The IP address (192.168.1.5) used for static mapping should be in the same subnet as the outside interface IP address. Refer to the Static NAT section of PIX/ASA 7.x NAT and PAT Statements in order to learn more about static NAT mapping.
CiscoASA
CiscoASA#show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname CiscoASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
!
!--- Output suppressed
!
object-group service RDP tcp
 port-object eq 3389
!
!
!--- Output suppressed
!
!--- This access-list allows the RDP traffic sourced from 20.1.1.10
!--- to destination 209.165.200.10 with TCP port 3389.
access-list outside_access_in extended permit tcp host 20.1.1.10 host 209.165.200.10 object-group RDP
!--- This static NAT statement redirects the traffic destined for
!--- IP address 209.165.200.10 to host IP address 172.16.11.10.
static (inside,outside) 209.165.200.10 172.16.11.10 netmask 255.255.255.255
!
!--- Output suppressed
access-group outside_access_in in interface outside
!
!--- Output is suppressed.
Note: In this ACL configuration, "host 20.1.1.10" can be replaced with "any" to allow access to the RDP server from the Internet at large. This is not recommended, however, since it might open the RDP server up to attack. As a general rule, make ACL entries as specific as possible.
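The two notes above (the ACL must reference the mapped IP, and "any" as a source is not recommended) are easy to get wrong and easy to check for. The following script is an added example, not part of the original document or a Cisco tool: it parses the relevant lines of an ASA running-config (object-group service, access-list extended permit tcp, static) and reports RDP entries that are sourced from any or that point at the real rather than the mapped address. The embedded config is constructed for this example: it mirrors the page's configuration, adds a second port-object (ssh) to show a multi-member service group, and adds a deliberately bad second ACL entry so the audit has something to report. The line patterns and the small keyword-to-port table are assumptions that cover the forms used on this page, not a complete ASA grammar.

```python
import re
from typing import Dict, List

# Constructed sample config: the page's rule, a two-member service group,
# and one over-broad entry ("any" source, real IP as destination) to flag.
SAMPLE_CONFIG = """\
object-group service RDP tcp
 port-object eq 3389
 port-object eq ssh
access-list outside_access_in extended permit tcp host 20.1.1.10 host 209.165.200.10 object-group RDP
access-list outside_access_in extended permit tcp any host 172.16.11.10 eq 3389
static (inside,outside) 209.165.200.10 172.16.11.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

RDP_PORT = 3389
# Subset of ASA service keywords that may appear instead of a number (assumption).
SERVICE_NAMES = {"ssh": 22, "www": 80, "https": 443}


def _port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_NAMES.get(token, -1)


def parse_service_groups(config: str) -> Dict[str, List[int]]:
    """Return {group name: [tcp ports]} from 'object-group service NAME tcp' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+) tcp", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s+port-object eq (\S+)", line)
        if m and current:
            groups[current].append(_port(m.group(1)))
        elif not line.startswith(" "):
            current = None          # an unindented line ends the object-group block
    return groups


def parse_statics(config: str) -> Dict[str, str]:
    """Return {mapped IP: real IP} from 'static (in,out) MAPPED REAL' lines."""
    pat = r"static \(\S+,\S+\) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    return {m.group(1): m.group(2) for m in re.finditer(pat, config)}


def parse_acl_entries(config: str) -> List[dict]:
    """Extract 'permit tcp' entries with host/any endpoints and eq/object-group service."""
    pat = (r"access-list (\S+) extended permit tcp "
           r"(any|host \S+) (any|host \S+) (?:eq (\S+)|object-group (\S+))")
    entries = []
    for m in re.finditer(pat, config):
        name, src, dst, port, group = m.groups()
        entries.append({"acl": name,
                        "src": "any" if src == "any" else src.split()[1],
                        "dst": "any" if dst == "any" else dst.split()[1],
                        "port": port, "group": group})
    return entries


def audit_rdp_exposure(config: str) -> List[str]:
    """Findings for entries that permit TCP/3389: over-broad source, real IP as target."""
    groups = parse_service_groups(config)
    real_to_mapped = {real: mapped for mapped, real in parse_statics(config).items()}
    findings = []
    for e in parse_acl_entries(config):
        ports = groups.get(e["group"], []) if e["group"] else [_port(e["port"])]
        if RDP_PORT not in ports:
            continue
        where = f"{e['acl']} {e['src']} -> {e['dst']}"
        if e["src"] == "any":
            findings.append(f"{where}: RDP permitted from any source; "
                            "restrict the entry to the known client hosts")
        if e["dst"] in real_to_mapped:
            findings.append(f"{where}: ACL matches the real IP {e['dst']}; the outside ACL "
                            f"must permit the mapped IP {real_to_mapped[e['dst']]} instead")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_exposure(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config on a real appliance; an empty findings list means every 3389 entry names a specific client host and the mapped address, which is the state this document's configuration is in.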
Configure with ASDM
Configuration
Complete these steps:
- In order to create an access-list, choose Configuration > Firewall > Access Rules, choose Add, and then click Add Access Rule in the drop-down menu.
- Now, specify the action, source and destination. Click ..., the Details button, in order to choose the destination port.
- The default port number for RDP is 3389. As 3389 is not in the list of predefined TCP ports, click Add and choose TCP Service Group in the drop-down menu. This lets you group customized ports together as required.
- Now, specify a name for this service group, type the port number in the Port/Range field and click the Add button in order to make this service a member of the service group. In the same way, you can make a range of ports a member of the same service group. Click OK.
- The service group is shown along with its members. Click OK in order to return to the access rule window.
- Click OK in order to complete the access-list configuration.
- The access-list along with its associated interface can be seen in the Configuration > Firewall > Access Rules window.
- Now, choose Configuration > Firewall > NAT Rules > Add > Add Static NAT Rule in order to create a static NAT entry.
- Specify the original IP address and the translated IP address along with their respective associated interfaces and click OK.
- The configured rule can be viewed in the NAT Rules window as shown here. Click the Apply button in order to send this configuration to the security appliance and click Save in order to save the configuration to flash memory.
Allow SSH to the same RDP server
Certain applications block the Remote Desktop application because of its known vulnerabilities. In this case, you can choose to use other encrypted applications such as SSH. In order to achieve this, you need to add SSH as a destination port for the RDP server. In the previous example, a service group was used in order to define the destination port. The advantage of using a service group is that you can modify its protocols/ports as required: you can add new ports to the service group or delete existing members (ports) of it. The next example demonstrates how to add SSH to the existing service group RDP.
Complete these steps:
- Right-click the access rule of the access-list and click Edit.
- Now, in the Service category click ..., the Details button, in order to edit the members of the service group.
- Right-click the service group and click Edit in order to modify the service group.
- Now, choose the SSH protocol and click Add in order to add this protocol as a member of this service group.
- Now, both members can be seen as in this example. Click OK.
- Click OK in order to complete the modification procedure.
Verify
There is currently no verification procedure available for this configuration.
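Since the document gives no verification procedure, here is a small one, added as an example and not part of the original document: a TCP connect probe that classifies the result the way a firewall engineer reads it. Run from the permitted client (20.1.1.10 in this document) against the mapped address 209.165.200.10 on port 3389 it should report open; run from any other outside host it should report no-answer, because the ASA drops traffic denied by the outside ACL without sending a reset. The local listener helper exists only so the probe can be exercised offline; the address constants are the document's lab values, not live hosts.

```python
import socket

# Lab addresses from this document (not live hosts).
MAPPED_RDP_SERVER = "209.165.200.10"
RDP_PORT = 3389


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect attempt from the probing host's point of view.

    'open'      - handshake completed: the ACL permits us and the static NAT reached the server
    'refused'   - a RST came back: something answered, but nothing listens on that port
    'no-answer' - timeout or unreachable: the ASA silently drops ACL-denied traffic,
                  so this is the expected result from a source the outside ACL does not permit
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:            # socket.timeout and "network unreachable" both land here
        return "no-answer"
    finally:
        s.close()


def start_local_listener() -> socket.socket:
    """Bind a throwaway listener on 127.0.0.1 so probe_tcp can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # From the permitted client expect "open"; from any other outside host expect "no-answer".
    print(MAPPED_RDP_SERVER, RDP_PORT, probe_tcp(MAPPED_RDP_SERVER, RDP_PORT))
```

A refused result against the mapped address means the traffic passed the ASA but the server is not listening on 3389 (Remote Desktop disabled or a host firewall), which separates a firewall problem from a host problem before you start on the troubleshooting list below.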
Troubleshoot
- If a certain client or range of clients is unable to connect to the RDP server, be sure that those clients are permitted in the ACL on the outside interface.
- If no clients are able to connect to the RDP server, be sure that an ACL on either the outside or the inside interface is not blocking traffic to or from port 3389.
- If no clients are able to connect to the RDP server, check whether the packets exceed the MSS value. If so, configure the Modular Policy Framework (MPF) to allow packets that exceed the MSS in order to resolve this issue, as this example shows:
CiscoASA(config)#access-list 110 extended permit tcp host 20.1.1.10 host 209.165.200.10 eq 3389
CiscoASA(config)#access-list 110 extended permit tcp host 20.1.1.10 host 209.165.200.10 eq 80
CiscoASA(config)#class-map rdpmss
CiscoASA(config-cmap)#match access-list 110
CiscoASA(config-cmap)#exit
CiscoASA(config)#tcp-map mss-map
CiscoASA(config-tcp-map)#exceed-mss allow
CiscoASA(config-tcp-map)#exit
CiscoASA(config)#policy-map rdpmss
CiscoASA(config-pmap)#class rdpmss
CiscoASA(config-pmap-c)#set connection advanced-options mss-map
CiscoASA(config-pmap-c)#exit
CiscoASA(config-pmap)#exit
CiscoASA(config)#service-policy rdpmss interface outside
Refer to the Solutions to Fragmentation Issues section of PIX/ASA 7.x and IOS: VPN Fragmentation in order to learn about the other methods you can use to resolve the MSS problem.
- The RDP session times out after the default TCP connection timeout expires. In order to resolve this issue, increase the timeout as shown here:
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
This command sets the timeout value to ten hours.