08-12-2008 08:53 AM - edited 03-11-2019 06:30 AM
I am using a Cisco PIX 515e with three interfaces: outside, inside, and DMZ. I am providing VPN access via the PIX. The issue I am having is that when I connect to my network via VPN I cannot RDP to servers in my DMZ. I can RDP to servers on my internal network.
When I connect to the VPN I get an IP address of 192.168.10.x. My inside IP addresses are 192.168.1.x and my DMZ addresses are 192.168.5.x.
I created an ACL to allow traffic over port 3389 (RDP) from 192.168.10.0 to 192.168.5.13 (a server in my DMZ). The ACL looks like:
access-list vpn_access_dmz permit tcp host 192.168.10.0 host 192.168.5.13 eq 3389
The issue is that I am not sure which interface this access list should be applied to (inside, outside, DMZ?). Does anyone have an idea or can give me some pointers?
Thanks for any help!
Bill
08-12-2008 09:01 AM
Don't worry about that access list, you shouldn't need it.
You most likely need to add NAT exemption for the DMZ hosts.
access-list DMZ_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
08-12-2008 09:48 AM
Thanks for the help, in your access-list command what is the 'extended' command for?
08-12-2008 09:50 AM
It is used for (outbound) connections.
08-12-2008 10:00 AM
Sorry, I had ASA on the brain, you don't need "extended".
access-list DMZ_nat0_outbound permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
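The two answers above both come down to one check: does the `nat (DMZ) 0` exemption ACL cover traffic from the DMZ host back to the VPN pool? Without a matching exemption, the PIX tries to translate that return traffic and the RDP session never completes. The script below is an added example, not code from the thread or from Cisco. It parses the PIX-style `access-list` and `nat (iface) 0 access-list` lines quoted in this thread (the `host`, `network mask`, `any`, and `eq port` forms only; the ASA `extended` keyword is accepted and ignored), then answers two questions: whether a DMZ-to-VPN flow is NAT-exempt, and what the original poster's `vpn_access_dmz` ACL actually permits. The config text is constructed for the example, using the thread's own addresses; it does not model the rest of PIX NAT evaluation (`nat`/`global` pairs or `static` entries), only the `nat 0` exemption ACL.

```python
import ipaddress

# Constructed configuration fragment (assumption for this example): the nat 0
# exemption from the answer plus the original poster's RDP ACL.
SAMPLE_CONFIG = """
access-list DMZ_nat0_outbound permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn_access_dmz permit tcp host 192.168.10.0 host 192.168.5.13 eq 3389
nat (DMZ) 0 access-list DMZ_nat0_outbound
"""


def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network mask" form, e.g. 192.168.5.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, nat0): ACL name -> list of ACEs, and interface -> nat 0 ACL name."""
    acls = {}
    nat0 = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            name, body = tokens[1], tokens[2:]
            if body and body[0] == "extended":  # ASA keyword; PIX 6.x syntax omits it
                body = body[1:]
            action, proto = body[0], body[1]
            src, i = _parse_addr(body, 2)
            dst, i = _parse_addr(body, i)
            port = int(body[i + 1]) if i < len(body) and body[i] == "eq" else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif tokens[0] == "nat" and tokens[2] == "0" and tokens[3] == "access-list":
            iface = tokens[1].strip("()")  # "(DMZ)" -> "DMZ"
            nat0[iface] = tokens[4]
    return acls, nat0


def ace_matches(ace, proto, src_ip, dst_ip, dst_port=None):
    """True if a single ACE matches the given flow (first-match semantics are applied by callers)."""
    _action, ace_proto, src, dst, port = ace
    if ace_proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src_ip) not in src or ipaddress.ip_address(dst_ip) not in dst:
        return False
    if port is not None and port != dst_port:
        return False
    return True


def is_nat_exempt(acls, nat0, iface, src_ip, dst_ip):
    """True if traffic from src_ip (behind `iface`) to dst_ip is exempted by `nat (iface) 0`."""
    acl_name = nat0.get(iface)
    if acl_name is None:
        return False
    for ace in acls.get(acl_name, []):
        if ace_matches(ace, "ip", src_ip, dst_ip):
            return ace[0] == "permit"
    return False


def acl_permits(acls, name, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of a named ACL with the implicit deny at the end."""
    for ace in acls.get(name, []):
        if ace_matches(ace, proto, src_ip, dst_ip, dst_port):
            return ace[0] == "permit"
    return False


if __name__ == "__main__":
    acls, nat0 = parse_config(SAMPLE_CONFIG)
    # DMZ server replying to a VPN client: covered by the nat 0 exemption.
    print(is_nat_exempt(acls, nat0, "DMZ", "192.168.5.13", "192.168.10.25"))
    # The poster's ACL uses "host 192.168.10.0", so it matches only that one
    # address, not the whole VPN pool: a typical client at .25 is not permitted.
    print(acl_permits(acls, "vpn_access_dmz", "tcp", "192.168.10.25", "192.168.5.13", 3389))
```

The second check shows why the poster's ACL would not have helped even if applied to the right interface: `host 192.168.10.0` names a single address, whereas the pool needs the `192.168.10.0 255.255.255.0` form, exactly as the exemption ACL in the answer uses it.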