02-11-2010 10:14 AM - edited 03-11-2019 10:08 AM
Hello,
I need to be able to find an errant PC on an internal network that is sending RDP traffic outbound.
Does anyone have any pointers on this?
I need to log port 3389 from inside to outside.
Thank you.
S.
02-11-2010 11:44 AM
Create an ACL that will go on the inside interface.
access-list find_pc extended permit tcp any any eq 3389 log
access-list find_pc extended permit ip any any
access-group find_pc in interface inside
This will generate a log message when an RDP packet is sent to the outside. You can view the log with
show logging
Is this what you're looking for?
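An added example, not part of the original thread: one way to turn the `show logging` output from the ACL above into a list of inside hosts sending RDP. It assumes the standard ASA 106100 ACL-hit message layout; the sample log lines, addresses and the `rdp_sources` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `show logging` output (not from the thread).
# 106100 is the message an ASA emits for an ACE carrying the `log` keyword.
SAMPLE_LOG = """\
Feb 11 2010 11:50:01: %ASA-6-106100: access-list find_pc permitted tcp inside/10.1.1.50(49211) -> outside/203.0.113.10(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 11 2010 11:50:03: %ASA-6-302013: Built outbound TCP connection 4101 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.23/50122 (10.1.1.23/50122)
Feb 11 2010 11:55:01: %ASA-6-106100: access-list find_pc permitted tcp inside/10.1.1.50(49211) -> outside/203.0.113.10(3389) hit-cnt 4 300-second interval [0x1a2b3c4d, 0x0]
Feb 11 2010 11:56:40: %ASA-6-106100: access-list find_pc permitted tcp inside/10.1.1.77(51002) -> outside/198.51.100.20(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 11 2010 11:57:10: %ASA-6-106100: access-list other_acl permitted tcp inside/10.1.1.88(51002) -> outside/198.51.100.20(3389) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
"""

# Fields of a 106100 line: ACL name, source if/ip(port), dest if/ip(port), hit count.
ACL_HIT = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) permitted tcp "
    r"(?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)


def rdp_sources(log_text, acl="find_pc", port=3389):
    """Return [(source_ip, total_hits, [destinations])], busiest source first.

    Only lines logged by the named ACL with the given destination port count;
    hit-cnt values are summed because the ASA rate-limits 106100 and reports
    the hits seen in each interval rather than one line per packet.
    """
    hits = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if not m or m["acl"] != acl or int(m["dport"]) != port:
            continue
        hits[m["src"]] += int(m["hits"])
        dests.setdefault(m["src"], set()).add(m["dst"])
    return [(ip, n, sorted(dests[ip])) for ip, n in hits.most_common()]


if __name__ == "__main__":
    for ip, n, targets in rdp_sources(SAMPLE_LOG):
        print(f"{ip}: {n} hit(s) to {', '.join(targets)}")
```
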
02-11-2010 12:39 PM
Something easier
access-list CAPIN permit tcp host PC-IPADDRESS any eq 3389
access-list CAPIN permit tcp any eq 3389 host PC-IPADDRESS
capture CAP access-list CAPIN interface INSIDE
Then wait until the PC uses port 3389, and whenever you can, do a SHOW CAPTURE CAP
Hope it helps