RDP to Multiple Servers with a Cisco PIX/ASA Firewall

KB ID 0000167 

Problem

WARNING: Allowing RDP traffic from ‘any’ IP is a monumentally bad idea. ONLY allow RDP traffic from trusted hosts/networks, or better still, limit RDP to clients/locations that have their traffic protected by VPN.

You want to connect via “Remote Desktop” to multiple servers behind your firewall. To do this you have three options.

Note: This is an old article that refers to ‘pre 8.3’ code; for modern firewalls see this article.

Solution

Option 1 (Use if you have multiple free Public IP addresses)

Connect to the firewall, go to enable mode, then go to “Configure Terminal Mode”, and create a name entry for each server’s public and private address.

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External

[/box]

Now allow RDP to both of the servers with an access control list and apply that access control list to the outside interface. (Note: if you already have an inbound ACL, simply substitute the name “inbound” for yours.)

[box]

Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside

[/box]


Option 2 (Uses Port Forwarding and uses a different port for each server).

To deploy this option the ASA will accept the connection for each server on a different port; for this to work, each server must listen on a different port.

Connect to the firewall, go to enable mode, then go to “Configure Terminal Mode”, then allow each port you are going to use (in this case 3389 and 3390).

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3390

[/box]

Then Port Forward those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255

[/box]


Option 3 (Uses Port Forwarding with a different external port for each server, translated to 3389).

This differs from option 2 because in this example the firewall will translate each incoming port to RDP 3389 and send it to the correct server, so the servers themselves keep listening on the default port.

[box]

Petes-ASA> en
Password: *********
Petes-ASA#configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3390

[/box]

Then port forward AND translate those ports to the correct internal servers.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255

[/box]
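As an added example (not part of the original article or Cisco’s own tooling), the following Python script audits a saved pre-8.3 configuration for the warning at the top of this page: it pairs each `static (inside,outside) tcp interface …` port forward with the inbound ACL entries that permit it, resolves `name` aliases, and flags any RDP forward reachable from ‘any’. The sample configuration is constructed from the commands shown above, with one deliberately over-permissive ACL line added so there is something to flag.

```python
import re

# Constructed sample of pre-8.3 ASA configuration, modelled on the commands
# shown on this page; the 'any' ACL line is added deliberately so the audit
# has something to flag. Not a real device dump.
SAMPLE_CONFIG = """\
name 192.168.1.1 Server1-Internal
name 192.168.1.2 Server2-Internal
access-list inbound extended permit tcp host 123.123.123.123 interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq 3390
access-group inbound in interface outside
static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 Server2-Internal 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.3 3389 netmask 255.255.255.255
"""

# ACL entry in the form used on this page; source is 'host X', 'any' or 'NET MASK'
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp "
                    r"(host \S+|any|\S+ \S+) interface outside eq (\d+)$")
# Pre-8.3 port forward: static (inside,outside) tcp interface PORT HOST PORT ...
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\d+) (\S+) (\d+)")


def audit_rdp_exposure(config_text):
    """Return (outside_port, acl_source, internal_ip, internal_port, verdict)
    for every port forward. A forward with no permitting ACL entry is reported
    as 'unreachable' because the ACL's implicit deny blocks it."""
    names, acl_sources, forwards = {}, {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("name "):
            _, ip, alias = line.split()
            names[alias] = ip                      # alias -> real address
        elif m := ACL_RE.match(line):
            acl_sources.setdefault(int(m.group(3)), []).append(m.group(2))
        elif m := STATIC_RE.match(line):
            forwards[int(m.group(1))] = (m.group(2), int(m.group(3)))
    findings = []
    for port, (host, internal_port) in sorted(forwards.items()):
        internal_ip = names.get(host, host)        # resolve 'name' aliases
        sources = acl_sources.get(port)
        if not sources:
            findings.append((port, None, internal_ip, internal_port, "unreachable"))
        for source in sources or []:
            verdict = "OPEN-TO-ANY" if source == "any" else "source-restricted"
            findings.append((port, source, internal_ip, internal_port, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_exposure(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` capture instead of the sample to list every RDP forward and which source addresses can reach it.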

Related Articles, References, Credits, or External Links

NA