I am trying to figure out how to set up my access lists to allow myself to RDP to the servers that I have in a DMZ, and I am having some trouble. My guess is that I am setting up the ACLs wrong, or else I do not know which direction to apply them. I am using a Cisco ASA 5510.
Can anyone give me an example of the code that I would need to use? I have the following interfaces:
Outside (Security level 0)
DMZ (Security level 50)
Inside (Security level 100)
Thanks,
Matt
Normally you would have static translations as well as ACL rules to allow the traffic. The way the rules work is that you have a security level of 50 for the DMZ and 100 for the inside, which means that traffic can flow from the inside to the DMZ, but traffic cannot flow from the DMZ to the inside.
Here is a full class C example.
static (inside,DMZ) x.x.x.x x.x.x.x netmask 255.255.255.0 --> X is the inside network
This translates everything from the inside to the DMZ; that way you can just use an ACL to control the traffic flowing through.
I usually do things like this for the ACL:
access-list acl_dmz extended permit icmp any any
access-list acl_dmz extended permit udp any any eq domain
access-list acl_dmz extended permit tcp any any eq domain
access-list acl_dmz extended permit ip host x.x.x.x any --> is a host you want to allow access to the inside
access-list acl_dmz extended deny ip any 192.168.0.0 255.255.255.0 --> Make sure you don't block your DMZ subnet
access-list acl_dmz extended deny ip any 172.16.0.0 255.255.0.0
access-list acl_dmz extended deny ip any 10.0.0.0 255.0.0.0
access-group acl_dmz in interface DMZ
If you want specific help please post a config.
Regards,
3nerds
Some details,
inside network - 10.1.1.x
DMZ network - 10.2.1.x
- I need to be able to send some traffic from the web to a server in the DMZ then from the DMZ to the internal network.
- I need outside users to be able to reach 10.2.1.222 in the dmz with SMTP and WWW.
I then need that DMZ server (10.2.1.222) to be able to send traffic to two internal hosts (10.1.1.204, 10.1.1.214)
- I would also like the three servers I have in the DMZ to be able to go out to the web for WWW traffic.
- I would also like to be able to RDP from my workstation to the servers in the DMZ.
Of course there is more but if I have these examples worked out then I can figure out the rest.
static (dmz,outside) tcp 208.118.162.243 smtp 10.2.1.222 smtp netmask 255.255.255.255 0 0
static (dmz,inside) tcp 10.2.1.222 50636 10.1.1.204 50636 netmask 255.255.255.255 0 0
static (dmz,inside) tcp 10.2.1.222 50636 10.1.1.214 50636 netmask 255.255.255.255 0 0
static (inside,dmz) 10.2.1.222 10.2.1.222 netmask 255.255.255.255 0 0
access-list acl_outside_in remark ***Traffic Entering Outside Interface***
access-list acl_outside_in permit tcp any host 208.118.162.243 eq smtp
access-list acl_outside_in permit tcp any host 208.118.162.243 eq www
access-group acl_outside_in in interface outside
access-list acl_inside_out remark ***Traffic Entering Inside Interface ***
access-list acl_inside_out permit tcp any any
access-list acl_inside_out permit udp any any
access-list acl_inside_out permit icmp any any
access-group acl_inside_out in interface inside
access-list acl_dmz_in remark ***Traffic entering DMZ interface***
access-list acl_dmz_in permit tcp 10.1.1.0 255.255.255.0 any eq 3389
access-list acl_dmz_in permit tcp host 10.2.1.221 10.1.1.204 255.255.255.255 eq 50636
access-list acl_dmz_in permit tcp host 10.2.1.221 10.1.1.214 255.255.255.255 eq 50636
access-list acl_dmz_in permit tcp host 10.2.1.220 any eq www
access-list acl_dmz_in permit tcp host 10.2.1.221 any eq www
access-list acl_dmz_in permit tcp host 10.2.1.222 any eq www
access-group acl_dmz_in in interface dmz
I now need to allow SMTP traffic from the DMZ to my servers on the internal network. I have two servers internally that need to be able to receive SMTP traffic from my DMZ SMTP server.
Here are the lines that I have that I thought would work but alas...
DMZ Network - 10.2.1.x
Internal Network - 10.1.1.x
static (dmz,inside) 10.2.1.222 10.2.1.222 netmask 255.255.255.255
access-list acl_dmz_in permit tcp host 10.2.1.222 10.1.1.204 255.255.255.255 eq 3389
access-list acl_dmz_in permit tcp host 10.2.1.222 10.1.1.214 255.255.255.255 eq 3389
access-group acl_dmz_in in interface dmz
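The question that opened this thread was which direction an ASA ACL applies in, and the follow-up posts show the same confusion: the RDP line in acl_dmz_in is bound inbound on the DMZ interface, so it only ever sees packets sourced by DMZ hosts, while a workstation's RDP session enters the inside interface and is judged by acl_inside_out alone. The script below is an added illustration, not configuration or code from this thread or from Cisco. It parses the pre-8.3 `access-list`/`access-group` syntax used above, reproduces the ACL portion of the posted config verbatim as its input, and evaluates the four flows the posts ask about under ASA semantics: first match wins on the ACL bound to the ingress interface, implicit deny at the end, and the security-level default only when no ACL is bound. The client addresses 10.1.1.50, 198.51.100.7 and 203.0.113.9 are constructed, the two `smtp` permit lines in `FIX` are mine (they assume, as the posts state, that the DMZ mail server is 10.2.1.222 and the internal recipients are 10.1.1.204 and 10.1.1.214), and NAT is deliberately not modelled.

```python
"""Model of how a Cisco ASA applies interface ACLs and security levels.

Added illustration for the thread above; not code or config from it.
Parses the pre-8.3 'access-list NAME [extended] permit|deny ...' and
'access-group NAME in interface IFC' syntax and decides whether the ACL
on the ingress interface (or the security-level default) admits the
first packet of a flow. NAT is out of scope here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface security levels exactly as given in the question.
SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# Port names the ASA accepts in place of numbers (only those used here).
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the entry has no 'eq' clause


def _parse_addr(tokens, i):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # 'A MASK' form; strict=False tolerates host bits set in A.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_config(text):
    """Return ({acl_name: [Rule, ...]}, {interface: acl_name}) from config text."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-group":            # access-group NAME in interface IFC
            bindings[tokens[4].lower()] = tokens[1]
        elif tokens[0] == "access-list" and tokens[2] != "remark":
            name, i = tokens[1], 2
            if tokens[i] == "extended":            # keyword is optional in the posted lines
                i += 1
            action, proto = tokens[i], tokens[i + 1]
            src, i = _parse_addr(tokens, i + 2)
            dst, i = _parse_addr(tokens, i)
            dport = None
            if i < len(tokens) and tokens[i] == "eq":
                dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
            acls.setdefault(name, []).append(Rule(action, proto, src, dst, dport))
    return acls, bindings


def evaluate(acls, bindings, ingress, egress, proto, src, dst, dport=None):
    """Fate of a flow's first packet arriving on `ingress` and leaving via `egress`.

    With an ACL bound inbound on the ingress interface the list is searched
    top-down, first match decides, implicit deny at the end. With no ACL
    bound, only higher-to-lower security level traffic is admitted.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    name = bindings.get(ingress)
    if name is None:
        return "permit" if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress] else "deny"
    for rule in acls.get(name, []):
        if rule.proto not in ("ip", proto):
            continue
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"                                   # implicit deny ends every ACL


# ACL portion of the follow-up post, reproduced as input (remark and static lines omitted).
POSTED_CONFIG = """
access-list acl_outside_in remark ***Traffic Entering Outside Interface***
access-list acl_outside_in permit tcp any host 208.118.162.243 eq smtp
access-list acl_outside_in permit tcp any host 208.118.162.243 eq www
access-group acl_outside_in in interface outside
access-list acl_inside_out permit tcp any any
access-list acl_inside_out permit udp any any
access-list acl_inside_out permit icmp any any
access-group acl_inside_out in interface inside
access-list acl_dmz_in permit tcp 10.1.1.0 255.255.255.0 any eq 3389
access-list acl_dmz_in permit tcp host 10.2.1.221 10.1.1.204 255.255.255.255 eq 50636
access-list acl_dmz_in permit tcp host 10.2.1.221 10.1.1.214 255.255.255.255 eq 50636
access-list acl_dmz_in permit tcp host 10.2.1.220 any eq www
access-list acl_dmz_in permit tcp host 10.2.1.221 any eq www
access-list acl_dmz_in permit tcp host 10.2.1.222 any eq www
access-group acl_dmz_in in interface dmz
"""

# Added here, not from the thread: the DMZ mail server may open SMTP to the two internal hosts.
FIX = """
access-list acl_dmz_in permit tcp host 10.2.1.222 host 10.1.1.204 eq smtp
access-list acl_dmz_in permit tcp host 10.2.1.222 host 10.1.1.214 eq smtp
"""


def check_flows(config_text):
    """Evaluate the flows the posts ask about; returns {label: 'permit' | 'deny'}."""
    acls, bindings = parse_config(config_text)
    return {
        # Inside workstation (constructed address) RDPing to a DMZ server: judged by the inside ACL only.
        "rdp inside->dmz": evaluate(acls, bindings, "inside", "dmz", "tcp", "10.1.1.50", "10.2.1.220", 3389),
        # Internet client (constructed) to the published mail server, addressed by its mapped IP.
        "smtp outside->dmz": evaluate(acls, bindings, "outside", "dmz", "tcp", "198.51.100.7", "208.118.162.243", 25),
        # DMZ web server browsing out to a constructed web host.
        "www dmz->outside": evaluate(acls, bindings, "dmz", "outside", "tcp", "10.2.1.222", "203.0.113.9", 80),
        # DMZ mail server delivering to an internal server: the flow the last post could not get working.
        "smtp dmz->inside": evaluate(acls, bindings, "dmz", "inside", "tcp", "10.2.1.222", "10.1.1.204", 25),
    }


if __name__ == "__main__":
    for label, verdict in check_flows(POSTED_CONFIG).items():
        print(f"posted config  {label:<18} {verdict}")
    for label, verdict in check_flows(POSTED_CONFIG + FIX).items():
        print(f"with fix       {label:<18} {verdict}")
```

Against the posted lines, RDP from the inside, SMTP and WWW from the Internet to the mapped address, and outbound WWW from 10.2.1.222 are all permitted, while SMTP from 10.2.1.222 to 10.1.1.204 falls through to the implicit deny: acl_dmz_in only permits that host on port 80, the 50636 entries name 10.2.1.221, and the later attempt used `eq 3389` where the post asks for SMTP. Appending the two `smtp` entries turns that verdict into a permit, and return traffic needs no ACL entry because the ASA tracks the connection. An ACL permit is only half of it on this code train: the DMZ-to-inside flow also needs a translation, which is what the earlier answer's `static (inside,DMZ) ...` identity static provides; the posted `static (dmz,inside) 10.2.1.222 10.2.1.222` has the interface pair the other way round from that advice and describes the inside-to-DMZ direction instead.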