ASA - cut through proxy authentication for RDP?

scottjsee — Tue, 12 Mar 2019 03:51:32 GMT

I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.

OUTSIDE to INSIDE RDP is currently working.

I have 2 servers I want RDP open for..

[*]OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100

[*]OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200

What's required for OUTSIDE users to authenticate on the ASA before allowing port 3389 opens? I was hoping for is a way to SSH into this ASA, login with a special user, then have the ASA add a dynamic ACE on the OUTSISE interface to open 3389 for a designated time limit. Is this possible?

Here is my current config.

[code]

ASA Version 8.2(5)

hostname ASA5505

names

name 10.10.0.0 LANTraffic

name 10.10.30.0 SALES

name 10.10.40.0 FoodServices

name 10.10.99.0 Management

name 10.10.20.0 Office

name 10.10.80.0 Printshop

name 10.10.60.0 Regional

name 10.10.70.0 Servers

name 10.10.50.0 ShoreTel

name 10.10.100.0 Surveillance

name 10.10.90.0 Wireless

interface Ethernet0/0

description TO INTERNET

switchport access vlan 11

interface Ethernet0/1

description TO INSIDE 3560X

switchport access vlan 10

interface Ethernet0/2

shutdown

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

no nameif

security-level 50

no ip address

interface Vlan10

description Cisco 3560x

nameif INSIDE

security-level 100

ip address 10.10.1.1 255.255.255.252

interface Vlan11

description Internet Interface

nameif OUTSIDE

security-level 0

ip address 1.1.1.1 255.255.255.224

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup OUTSIDE

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.2

domain-name test.local

access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389

access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389

pager lines 24

logging enable

logging timestamp

logging trap warnings

logging device-id hostname

logging host INSIDE 10.10.70.100

mtu INSIDE 1500

mtu OUTSIDE 1500

ip verify reverse-path interface OUTSIDE

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (OUTSIDE) 1 interface

nat (INSIDE) 1 LANTraffic 255.255.0.0

static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255

static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255

access-group RDP-INBOUND in interface OUTSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1

route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http Management 255.255.255.0 INSIDE

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 10.10.70.100 255.255.255.255 INSIDE

ssh Management 255.255.255.0 INSIDE

ssh 0.0.0.0 0.0.0.0 OUTSIDE

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection scanning-threat shun

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username scott password CNjeKgq88PLZXETE encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:1e9d278ce656f22829809f4c46b04a07

: end

[/code]

ASA - cut through proxy authentication for RDP?

Marvin Rhoads — Fri, 28 Feb 2014 14:06:38 GMT

You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-lists entries specific to users (or object groups containing users).

There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

Re: ASA - cut through proxy authentication for RDP?

scottjsee — Fri, 28 Feb 2014 20:42:26 GMT

Thank you..

It seem's as though my current ASA 8.2(5) version does not offer the type of authentication features I'm wishing to implement?

I'm begining to think the only way to deploy a secure RDP on this 8.2(5) is through the ASA Clientless SSL VPN: RDP Plug-in.. Does that seem accurate?

Thanks for your answer..

Re: ASA - cut through proxy authentication for RDP?

Vasilii Mikhailovskii — Sat, 01 Mar 2014 13:44:48 GMT

Hello, Scott.

Microsoft RDP protocol could be protected by SSL encapsulation, that Microsoft called as "RD Gateway".

This solution allows you to control access per user/per destination at the same time using SSL for authentication and data protection.

The solution is really scalable.

Re: ASA - cut through proxy authentication for RDP?

Marvin Rhoads — Sat, 01 Mar 2014 20:11:44 GMT

Clientless SSL VPN with the RDP plug-in is viable. It would require Anyconnect Premium licenses though.

You could also do SSL (or IPsec) remote access VPN with access-list tied to the users (or group profile that a set of users are authorized use).

topic Re: ASA - cut through proxy authentication for RDP? in Network Security

ASA - cut through proxy authentication for RDP?

ASA - cut through proxy authentication for RDP?

Re: ASA - cut through proxy authentication for RDP?

Re: ASA - cut through proxy authentication for RDP?

Re: ASA - cut through proxy authentication for RDP?