https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829887#M960545 <HTML><HEAD></HEAD><BODY><P>it nats it to itself. you could have just as easily nat'ed it to a dmz IP.</P><P></P><P>static (inside,dmz) dmz_ip ws-vwright-01</P></BODY></HTML> Thu, 15 Nov 2007 19:01:40 GMT srue 2007-11-15T19:01:40Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829882#M960540 <P>When I add a rule for an internal user to rdp into a server in our dmz, the implicit deny does not allow the rule. Below are the rules I currently have for traffic entering the DMZ.</P><P></P><P>access-list DMZ extended permit tcp host 172.16.110.4 any eq www </P><P>access-list DMZ extended permit tcp host 172.16.110.4 any eq https </P><P>access-list DMZ extended permit tcp host 172.16.110.4 any eq ftp </P><P>access-list DMZ extended permit tcp host 172.16.110.10 host 10.0.22.229 </P><P>access-list DMZ extended permit tcp host 172.16.110.10 host 10.0.22.11 eq www </P><P>access-list DMZ extended permit tcp host ws-vwright-01 host 172.16.110.10 eq 3389 </P> Mon, 11 Mar 2019 11:31:48 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829882#M960540 jgorman1977 2019-03-11T11:31:48Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829883#M960541 <HTML><HEAD></HEAD><BODY><P>so that acl is applied to the dmz interface? egress or ingress?</P><P></P><P>what pix/asa OS?</P><P>is nat-control enabled?</P><P>do you have an inside/dmz nat rule for ws-vwright-01?</P></BODY></HTML> Thu, 15 Nov 2007 18:19:32 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829883#M960541 srue 2007-11-15T18:19:32Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829884#M960542 <HTML><HEAD></HEAD><BODY><P>It's an ASA5510. This is applied on the ingress side. Nat-control is enabled, but do not have a nat rule for the workstation. Not sure how to implement that.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 15 Nov 2007 18:37:13 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829884#M960542 jgorman1977 2007-11-15T18:37:13Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829885#M960543 <HTML><HEAD></HEAD><BODY><P>see if this works:</P><P></P><P>static (inside,dmz) ws-vwright-01 ws-vwright-01</P></BODY></HTML> Thu, 15 Nov 2007 18:50:59 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829885#M960543 srue 2007-11-15T18:50:59Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829886#M960544 <HTML><HEAD></HEAD><BODY><P>That was it. Thank you. Does this command just NAT his workstation to a DMZ ip address?</P></BODY></HTML> Thu, 15 Nov 2007 18:54:27 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829886#M960544 jgorman1977 2007-11-15T18:54:27Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829887#M960545 <HTML><HEAD></HEAD><BODY><P>it nats it to itself. you could have just as easily nat'ed it to a dmz IP.</P><P></P><P>static (inside,dmz) dmz_ip ws-vwright-01</P></BODY></HTML> Thu, 15 Nov 2007 19:01:40 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829887#M960545 srue 2007-11-15T19:01:40Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829888#M960546 <HTML><HEAD></HEAD><BODY><P>Dynamic NAT (or PAT) is also a possibility. For example:</P><P></P><P>nat (inside) 1 0 0</P><P>global(dmz) 1 interface</P><P></P><P>This will allow any machine on the inside (not just one) to access anything on the DMZ.</P></BODY></HTML> Thu, 15 Nov 2007 19:07:38 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829888#M960546 elparis 2007-11-15T19:07:38Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829889#M960547 <HTML><HEAD></HEAD><BODY><P>his original acl still only allows one host rdp access: ws-vwright-01</P></BODY></HTML> Thu, 15 Nov 2007 20:11:08 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829889#M960547 srue 2007-11-15T20:11:08Z https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829890#M960548 <HTML><HEAD></HEAD><BODY><P>It doesn't matter - the ACE the original poster included is:</P><P></P><P>access-list DMZ extended permit tcp host ws-vwright-01 host 172.16.110.10 eq 3389</P><P></P><P>This ACE is not doing anything and can actually be removed - there is no 172.16.110.10 outside of the DMZ network, and since the original poster mentioned this is an ingress ACL ("access-group DMZ in interface DMZ"), this ACE will never be hit.</P><P></P><P>If the original poster wants to only allow the machine ws-vwright-01 to contact 172.16.110.10 on TCP port 3398 in the DMZ then an egress ACL on the DMZ interface or an ingress ACL on the inside interface that only allows this flow needs to be applied.</P><P></P><P>As it is right now the original poster can add the dynamic NAT statements that I mentioned and any machine on the inside will be able to RDP into 172.16.110.10, and this without changes to any ACL since traffic from high security interfaces going to lower security interfaces is allowed by default.</P></BODY></HTML> Thu, 15 Nov 2007 20:28:24 GMT https://community.cisco.com/t5/network-security/allowing-rdp-into-dmz/m-p/829890#M960548 elparis 2007-11-15T20:28:24Z